Posted: Fri Aug 26, 2016 9:35 am Post subject: Option for seeing register value before instruction ran?
Hello CEers!
I'm following tutorial 8, where you have to find chained pointers. I encountered the case `mov rsi, [rsi]`. I found a 2012 topic about the exact problem (I can't post URLs) and I wanted to reply there, but the button takes me to the CE home page.
1. I'd very much like to use the option stated in the tutorial CE codefinder setting with Access Violations. It simplifies things. Nevertheless, I don't want to just complete the tutorials but to learn a bit extra from each one.
That's why I wouldn't be satisfied if I didn't make it through tut 8 in 2-3 ways.
As for the mentioned topic, I've read it like 20 times, word by word. I've tried both Dark Byte's and Csimbi's suggestions.
2. Dark Byte way
I struggled to understand what Dark Byte explained but I failed. I even drew schemes.
The way I see it: what `mov rsi, [rsi]` does is it overwrites the source address with the value stored in it (and leaves us with the value). We know that the value is the last address already found in the chain but how to go on from here? We need another address that points to it.
I blindly (without understanding) followed Dark Byte and searched for an address that contains the value of rsi. I found one, but then I went on with "what accesses this address" and came up with the same instruction, `mov rsi, [rsi]`, the same one, not just an identical one (it is at the same instruction address, Tutorial + 2D22B). This is the situation:
last successfully found address: 011747F0
What accesses it?...
mov rsi, [rsi] // rsi = 011747F0
Search for addresses containing 011747F0...
01174770
So now 01174770 references 011747F0
What accesses it?...
mov rsi, [rsi] // rsi = 011747F0
TBH, I'd rather not pass the tutorial but understand the mechanisms.
3. Csimbi way
I did Break and Trace instructions on the `mov rsi, [rsi]`; the Tracer window appears but doesn't do anything. I tried all combinations of the check box options: all registers stay 0.
As far as what you said in point 1 is concerned, here's a tutorial I did on coming up with multiple solutions for any given problem, using one of the CE tutorial steps as an example. It should help you take away a lot:
Go to that instruction in the disassembler, set a breakpoint on it, and make it run. RSI will be the address that instruction is reading from. Instruction breakpoints are faults (i.e. state is prior to execution of the instruction) and data breakpoints are traps (i.e. state is after the instruction has been executed).
Alternatively, there should be another instruction that accesses that address which doesn't modify the register it's reading from.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
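The fault-versus-trap distinction above, as an added illustration that is not part of the thread: a small Python model of `mov rsi, [rsi]` over a constructed memory snapshot (the addresses and the chain base are hypothetical), showing that an instruction breakpoint sees the address being read while a data breakpoint sees the value that was loaded, and how the "search for addresses containing" step walks the chain backwards.

```python
import struct

# Constructed 64-bit memory snapshot: address -> 8 raw little-endian bytes.
MEM = {}


def write_qword(addr, value):
    MEM[addr] = struct.pack("<Q", value)


def read_qword(addr):
    return struct.unpack("<Q", MEM[addr])[0]


# Hypothetical pointer chain: BASE -> 0x01174770 -> 0x011747F0 -> 0x01174880
BASE = 0x00400000
write_qword(BASE, 0x01174770)
write_qword(0x01174770, 0x011747F0)
write_qword(0x011747F0, 0x01174880)
write_qword(0x01174880, 100)  # constructed final value at the end of the chain


def step_mov_rsi_deref(rsi):
    """Emulate one `mov rsi, [rsi]` with rsi as the register's current value.

    Returns (rsi_at_fault, rsi_at_trap): an instruction breakpoint is a fault,
    so it reports the state before execution (the address being read); a data
    breakpoint is a trap, so it reports the state after execution (the value
    that was loaded, which has overwritten the source address).
    """
    rsi_at_fault = rsi
    rsi_at_trap = read_qword(rsi)
    return rsi_at_fault, rsi_at_trap


def find_referrers(value):
    """Addresses whose 8-byte content equals value: the 'search for addresses
    containing <last found address>' step of the tutorial."""
    return sorted(addr for addr in MEM if read_qword(addr) == value)


def recover_chain(last_found, stop_at):
    """Walk backwards from a found address to stop_at by asking, at each step,
    which address holds a pointer to the current one. Returns base-first."""
    chain = [last_found]
    while chain[-1] != stop_at:
        refs = find_referrers(chain[-1])
        if not refs:
            break  # nothing points here: chain cannot be extended further
        chain.append(refs[0])
    return list(reversed(chain))
```

Breaking at the instruction address seen in the trace (Tutorial + 2D22B) on successive loop iterations would show rsi cycling through the fault-state addresses of this chain, which is why the same instruction keeps turning up for each link.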