View Full Version : Memory Breakpoint In Execution Only?


Ricardo Narvaja
December 14th, 2003, 18:44
Sorry for my bad English, I will try to explain.

When I asked OLEH, the author of OLLYDBG, why OLLYDBG does not have the possibility of putting a MEMORY BREAKPOINT on EXECUTION ONLY on a section, to reach the OEP easily without stopping on read and write access to the section, he told me this possibility exists only for XP, and he does not want more differences between the 98/ME and NT/2000/XP versions.

I tried to investigate this possibility of a memory breakpoint on execution only on a section, and all the web pages I saw say that if a program has READ permission it is impossible NOT TO HAVE EXECUTION PERMISSION TOO.

But in armadillo without copymem2, if you put a memory breakpoint on access, the program does not stop on read or write access and stops at the OEP when execute access is triggered.

How is it possible for armadillo to do this if the WEB PAGES SAY IT IS IMPOSSIBLE?
I think maybe it is possible to use this to make a plugin for ollydbg that makes a memory breakpoint on execution only?
Does anybody know more about this topic?

Ricardo Narvaja

evaluator
December 15th, 2003, 06:43
Are you asking about DRx register execution breaks,
or about page_guard access?

Ricardo Narvaja
December 15th, 2003, 13:36
If you go to VIEW-MEMORY, in the sections you can put a MEMORY BREAKPOINT ON ACCESS or a MEMORY BREAKPOINT ON WRITE, but you cannot put a MEMORY BREAKPOINT ON EXECUTION ONLY on a section, to reach the OEP and stop without stopping on read and write access.

I'm NOT talking about hardware breakpoints (DRX), only the possibility of MEMORY BREAKPOINTS ON EXECUTION.

Bah, my English is terrible, forget the question :-(

Ricardo

Quote:
[Originally Posted by evaluator]Are you asking about DRx register execution breaks,
or about page_guard access?

evaluator
December 15th, 2003, 16:05
As far as I know, you are an NT-based OS user.
If you take the time, look at how BPR works on W9x;
it can help you.

volodya
December 16th, 2003, 12:34
evaluator

I guess it won't be THAT easy to help. As far as I know the Intel architecture, there is no such bit as EXECUTE in the PTE, only read or write. The execution option can only be set for the whole segment using the GDT, which is NOT acceptable! So it seems there is no way.

Ricardo Narvaja
December 16th, 2003, 13:32
Thanks

Ricardo



Quote:
[Originally Posted by vladimir]evaluator

I guess it won't be THAT easy to help. As far as I know the Intel architecture, there is no such bit as EXECUTE in the PTE, only read or write. The execution option can only be set for the whole segment using the GDT, which is NOT acceptable! So it seems there is no way.

volodya
December 16th, 2003, 13:44
Ricardo, read this
http://www.anticracking.sk/EliCZ/import/Vx86.txt

Ricardo Narvaja
December 16th, 2003, 14:36
Yes, it seems very interesting, thanks.

Ricardo

Quote:
[Originally Posted by vladimir]Ricardo, read this
http://www.anticracking.sk/EliCZ/import/Vx86.txt

dELTA
December 16th, 2003, 15:28
What I think evaluator might mean is to use a page guard on the entire page of the desired execution breakpoint, and then in the page fault handler check whether EIP is at the breakpoint position. If it's not, just reset the page guard and continue as if nothing happened, but if it is, break. You will effectively be tracing every instruction in the 4k page of the breakpointed instruction, but if it does not contain any heavy loops you should not notice the slowdown very much.

Am I wrong?
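A model of the guard-page logic dELTA describes, added here as an example (it is not code from this thread or from OllyDbg): it simulates the debugger side over a constructed instruction trace, assuming the Win32 behaviour that a guard fault clears PAGE_GUARD before it is reported and that a single-step trap follows the resumed instruction; all names and addresses below are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define PAGE_MASK (~(uintptr_t)0xFFF)   /* 4 KiB pages, as in dELTA's post */
typedef enum { EV_EXEC, EV_READ, EV_WRITE } ev_kind;
typedef struct { ev_kind kind; uintptr_t eip; uintptr_t target; } event_t;
typedef struct {
    uintptr_t bp;       /* where we want to stop, on execution only */
    bool armed;         /* PAGE_GUARD currently set on bp's page */
    bool stepping;      /* guard consumed; single-stepping one instruction before re-arming */
    unsigned absorbed;  /* guard faults resumed silently (the cost of the technique) */
} exec_bp;

/* Debugger-side handler, called once per debuggee instruction of the constructed trace.
   Returns true when the debugger should stop. */
static bool on_event(exec_bp *b, const event_t *ev) {
    if (b->stepping) {              /* EXCEPTION_SINGLE_STEP after the resumed instruction: */
        b->stepping = false;        /* clear TF and put PAGE_GUARD back on the page */
        b->armed = true;
    }
    uintptr_t touched = (ev->kind == EV_EXEC) ? ev->eip : ev->target;
    if (!b->armed || (touched & PAGE_MASK) != (b->bp & PAGE_MASK))
        return false;               /* no guard fault for this instruction */
    b->armed = false;               /* STATUS_GUARD_PAGE_VIOLATION: the guard is one-shot */
    if (ev->kind == EV_EXEC && ev->eip == b->bp)
        return true;                /* execution reached the breakpoint */
    b->absorbed++;                  /* read, write or other code on the page: not our stop */
    b->stepping = true;             /* set TF and resume; the trap re-arms the guard */
    return false;
}
/* Constructed trace: a stub outside the page reads and writes the code page
   0x401000 a few times, then jumps into it and finally reaches the OEP 0x401230. */
static const event_t trace[] = {
    { EV_READ, 0x402000, 0x401010 }, { EV_WRITE, 0x402005, 0x401010 },
    { EV_READ, 0x402000, 0x401014 }, { EV_WRITE, 0x402005, 0x401014 },
    { EV_EXEC, 0x40200A, 0 },        /* stub code: not on the guarded page */
    { EV_EXEC, 0x401000, 0 },        /* enters the page, but not at the OEP */
    { EV_EXEC, 0x401005, 0 },
    { EV_EXEC, 0x401230, 0 },        /* OEP: the only place we want to stop */
};
/* Returns the index of the event that stopped the debugger (-1 if none) and,
   through *absorbed, how many guard faults were resumed silently on the way. */
int demo_run(unsigned *absorbed) {
    exec_bp b = { 0x401230, true, false, 0 };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        if (on_event(&b, &trace[i])) { *absorbed = b.absorbed; return (int)i; }
    *absorbed = b.absorbed; return -1;
}
```

The absorbed count is the overhead dELTA mentions: every read, write or instruction on the guarded page costs one fault plus one single-step before the OEP is reached.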

volodya
December 16th, 2003, 15:48
There is a lot of information about it. I would advise studying the source code of IceExt, developed by Sten. You are all, perhaps, still using icedump. IceExt is better. Try it.
It contains an experimental bpr command.
As to your remarks, dELTA: Intel Manual #3, chapter "PAGE-LEVEL PROTECTION". For example, WinXP uses CR to prevent access to the SDT/SST tables. It is possible to get rid of the protection using

mov ebx,cr0           ; read CR0 (ring-0 only)
push ebx              ; save the original value
and ebx, not 010000h  ; clear bit 16, WP: supervisor writes no longer honour read-only pages
mov cr0,ebx
;
;here we do what we need
;
pop ebx               ; restore the original CR0
mov cr0,ebx

It is also possible to watch the content of the CR register from ring 3 using the smsw assembly instruction. Here I'm attaching THE SVIN's program, which explains the content of the CR0 register.