As a result, the CPU will fetch something other than the
breakpoint opcode and fail to break properly. Hardware breakpoints could be used on
processors that support them; however, the problem of where to set the breakpoint
remains. Without a correct disassembly, it is not possible to determine where to set a
breakpoint. The only reasonable approach is to use single stepping until some pattern of
execution such as a loop is revealed, then to utilize breakpoints to execute the loop to
completion, at which point you resume single stepping and repeat the process. This can
be very time-consuming if the author of the packer chooses to use many small loops and
self-modifying code sections to frustrate your analysis.
Gray Hat Hacking: The Ethical Hacker's Handbook
Figure 21-1 The LordPE process dumping utility
Joe Stewart developed the OllyBonE plug-in for OllyDbg, a Windows debugger. The
plug-in is designed to offer Break-on-Execute breakpoint capability. Break-on-Execute
allows a memory location to be read or written as data but causes a breakpoint to trigger
if that memory location is fetched from, meaning the location is being treated as an
instruction address. The assumption here is that it is first necessary to modify the packed
program data during the unpacking process before that code can be executed.
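The following C program is an added illustration of the two points above; it is not code from the book or from OllyBonE. It models a packer's unpacking stub writing decoded code into a page, shows that a software breakpoint (0xCC) planted at the future entry point before unpacking is simply overwritten, and then reproduces the Break-on-Execute idea with ordinary page protection: the page is mapped read/write but not executable, so the stub's data writes never trap, while the first instruction fetch from it raises a fault that the handler turns into the "break". OllyBonE does this with a kernel driver on Windows; the mprotect-based version here is a stand-in for Linux/POSIX on x86-64 or AArch64. The packed payload (a tiny routine that returns 42, XORed with a one-byte key) and the function name demo_break_on_execute are constructed for the example.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Constructed payload: a tiny "original entry point" routine that returns 42,
 * stored XORed with a one-byte key. It stands in for a real packer's
 * compressed or encrypted code section; it is not any real packer's format. */
#define PACK_KEY 0x5A
#if defined(__x86_64__)
static const uint8_t ORIGINAL_CODE[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3};            /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t ORIGINAL_CODE[] = {0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6}; /* mov w0,#42 ; ret */
#else
#error "this example encodes machine code for x86-64 and AArch64 only"
#endif
#define CODE_LEN (sizeof ORIGINAL_CODE)

static uint8_t *region;                 /* page that receives the unpacked code */
static size_t region_len;
static volatile sig_atomic_t boe_hits;  /* number of Break-on-Execute traps fired */

/* Break-on-Execute handler. The page is readable and writable but not
 * executable, so the unpacking stub's data accesses never trap, while the
 * first instruction fetch from the page faults. That fault is the moment
 * OllyBonE would stop in the debugger; here we count it, make the page
 * executable and let the CPU re-fetch the instruction. */
static void boe_handler(int sig, siginfo_t *si, void *ctx) {
    uintptr_t fault = (uintptr_t)si->si_addr;
    (void)ctx;
    if (region && fault >= (uintptr_t)region && fault < (uintptr_t)region + region_len) {
        boe_hits++;
        if (mprotect(region, region_len, PROT_READ | PROT_EXEC) != 0)
            _exit(1);               /* avoid an endless fault loop if the flip fails */
        return;                     /* resume: the fetch is now permitted */
    }
    signal(sig, SIG_DFL);           /* unrelated crash: terminate as usual */
    raise(sig);
}

/* Runs the scenario. Returns what the unpacked code returns; *int3_survived
 * reports whether the 0xCC planted before unpacking is still there, *hits how
 * many Break-on-Execute traps fired. Returns -1 if the page could not be mapped. */
int demo_break_on_execute(int *int3_survived, int *hits) {
    uint8_t packed[CODE_LEN];
    struct sigaction sa;
    union { void *data; int (*code)(void); } entry;  /* avoids a data->function cast */
    size_t i;
    int result;

    region_len = (size_t)sysconf(_SC_PAGESIZE);
    region = mmap(NULL, region_len, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) { region = NULL; return -1; }

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = boe_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);   /* some systems report the fetch fault as SIGBUS */
    boe_hits = 0;

    for (i = 0; i < CODE_LEN; i++) packed[i] = ORIGINAL_CODE[i] ^ PACK_KEY;

    /* Step 1: the analyst plants a software breakpoint at the future entry point.
     * 0xCC is the x86 int3 opcode; on AArch64 it is only a marker byte here. */
    region[0] = 0xCC;

    /* Step 2: the unpacking stub decodes the payload into the same bytes. These
     * are plain data writes, so Break-on-Execute stays silent, but the planted
     * 0xCC is overwritten: the CPU would later fetch the real code, not int3. */
    for (i = 0; i < CODE_LEN; i++) region[i] = packed[i] ^ PACK_KEY;
    __builtin___clear_cache((char *)region, (char *)region + region_len);
    *int3_survived = (region[0] == 0xCC);

    /* Step 3: control transfers to the unpacked code. The first instruction
     * fetch from the page traps, whatever bytes the stub wrote there. */
    entry.data = region;
    result = entry.code();

    *hits = (int)boe_hits;
    munmap(region, region_len);
    region = NULL;
    signal(SIGSEGV, SIG_DFL);
    signal(SIGBUS, SIG_DFL);
    return result;
}

int main(void) {
    int survived, hits;
    int r = demo_break_on_execute(&survived, &hits);
    printf("unpacked code returned %d, planted int3 survived: %s, break-on-execute hits: %d\n",
           r, survived ? "yes" : "no", hits);
    return r == 42 ? 0 : 1;
}
```

Run it and the planted breakpoint byte is gone while the execute trap fires exactly once, at the first fetch from the freshly written page. That is why the location of the break does not have to be known in advance: the trap keys on the transition from "written as data" to "fetched as code", not on a particular byte value or address.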