How to identify the address where the test is done?

		Exetools > General > General Discussion
How to identify the address where the test is done?

#13

10-24-2016, 15:12

mcp

Friend

Join Date: Dec 2011

Posts: 73

Rept. Given: 4

Rept. Rcvd 12 Times in 11 Posts

Thanks Given: 7

Thanks Rcvd at 47 Times in 35 Posts

HW breakpoints won't help you if the program performs self-checksums in memory. What you really want to do is diff runtime traces:
1) Record a trace of running the unmodified binary
2) Record a trace of running the modified binary
3) See where they differ. This yields one (possibly many) program location which does "the check(s)".

As for collecting traces, use your favourite debugger (x64dbg, ollydbg, IDA) or dynamic binary instrumentation tool (DynamoRIO, PIN).

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads You may not post replies You may not post attachments You may not edit your posts BB code is On Smilies are On [IMG] code is Off HTML code is Off Forum Rules

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Identify an unknown 64 bit Packer	Kurapica	General Discussion	1	07-06-2021 01:05
Help identify crypto	The Old Pirate	General Discussion	5	12-27-2014 04:15
Trying to identify crypto algorithm	SiNTAX	General Discussion	4	06-17-2010 03:23

All times are GMT +8. The time now is 10:45.