Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Following/Tracing a value as it's passed around in different registers / memory locations?

Tags:

c++

assembly

debugging

reverse-engineering

encryption

In Ollydbg I have an instruction address of a program I am debugging that has a specific value. That value is getting passed around in numerous loops. Is there any method in which I can 'follow' that value without manually stepping through each loop and trying to keep track of where the value gets transferred to? I simply can't do that manually for 15000+ instruction loops.

I'm ultimately trying to trace it to an encryption function, at which point it should disappear and I'll know I've reached the encryption in this program. If there's some way I can 'autofollow' it and make the program pause when it disappears totally then it should lead me right to my encryption function.

I have doubts in my head that something like this is possible but I figure it wouldn't hurt to ask.

If needed, my operating system is Windows 7 x86.

like image 387
Scott Grissom Avatar asked Feb 02 '26 05:02

Scott Grissom

2 Answers

No debugger I've used or heard of, lets you "trace" like that.

About the only option would be to write some kind of a debugger plug-in (if supported by the debugger) or a special program to drive execution in the debugger, instruction by instruction, and see where the value goes, to which register, to which other memory locations, etc. And it may not completely "disappear" from memory and registers. And it may be too slow to be practical.

If you had the source code available, which I presume you don't, you'd probably be better off code reviewing, but then you'd know where that function is and wouldn't ask the question.

like image 52
Alexey Frunze Avatar answered Feb 03 '26 20:02

Alexey Frunze

Your task is better handled by static analysis.

On the other hand, there's PaiMei with it's code tracking and data flow analysis modules.

It works by setting thousands and thousands of breakpoints (50k in the Minesweeper example), and then recording when they're hit plus the context if it's set. You'll probably need a few runs, best if you can change the value you're tracing (is it input?) during each execution. And yes, this is very brute-force approach which for large files might get really slow.

like image 22
arul Avatar answered Feb 03 '26 20:02

arul
Sign in to Comment

Related questions

C++ Template argument changes Reference to Pointer
JNI CallObjectMethod screws up the stack frame?
Android OpenGL ES 2.0 : Can a GL_FLOAT texture be assigned to a FBO as a COLOR attachment?
Building an excel like data grid in a windows application in C++
quick find algorithm - union operation - is it same as union in set theory?
Given a pointer to a C++ object what are all the correct ways to call the operator[] function?
Can I know the type of what matched boost::proto::_ in a transform?
Subtle Quicksort Stability Issue
What is the meaning of template parameters in boost::any_range?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!