
I am using the WinAppDbg framework to build a debugger in Python.

I can set breakpoints using event.debug.break_at(event.get_pid(), address), but after setting certain breakpoints (not while setting them, but once the program hits them!) I get an access violation exception.

For example, I can set a breakpoint at 0x48d1ea or 0x47a001, but if I set one at 0x408020 I get the exception.

The module base address is 0x400000.

0048D0BE: xor esi,eax

0048D0C0: call [winamp!start+0x25c1]

760DCC50: add [ebx],dh

Access Violation

Exception event (00000001) at address 779315DE, process 9172, thread 9616

BTW, I am taking the addresses to set the breakpoints on from a PIDA file generated by IDA. I rebased the file, so the addresses should be aligned.

Thanks!

2 Answers


My first guess would be you're trying to set the breakpoint in the middle of an instruction. My second guess, you're also modifying the contents of the registers and that's the cause of the access violation when writing to [ebx]. (Also note 0x779315DE is probably at ntdll.dll rather than winamp.exe, so it may be something else entirely).

But I don't know for sure without more information. Could you post the code at those addresses you mention as well? Did you try continuing the exception and seeing what happens? The contents of the registers would also help, as would trying out Microsoft's debugger (ntsd.exe) to see if the problem is specific to WinAppDbg or not.

About the addresses from IDA, you could try using relative addresses instead to avoid trouble with ASLR. For example, if the "winamp" module base was 0x400000 and the breakpoint should be at 0x408020, you could set a breakpoint at "winamp!0x8020" like this:

address = event.get_process().resolve_label("winamp!0x8020")
event.debug.break_at(event.get_pid(), address)

Hope this helps! :)

MarioVilas
  • After checking the PIDA file, it looks like the PIDA file has the base address correct when loaded. When I do a rebase to the module address 0x400000 it actually gets corrupted. – user2105183 Mar 04 '13 at 22:04

Apparently the pida_dump script didn't get the right base address, so when I did a rebase the code was like

address - old_base_address + new_base_address

and because the old_base_address was wrong it messed up my BP.

Thanks anyway for the help!
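The two answers together describe the whole failure: a rebase of the form address - old_base_address + new_base_address silently shifts every breakpoint when old_base_address is wrong, and module-relative labels such as "winamp!0x8020" avoid the problem because the debugger resolves them against the live base. The script below is an added example written for this page, not code from the original thread or from WinAppDbg itself. It assumes placeholder values for the module name, the image base of the IDA/PIDA dump and the mapped image size (MODULE_NAME, IDA_IMAGE_BASE, IMAGE_SIZE), uses only the two WinAppDbg calls named in the first answer (Process.resolve_label() and Debug.break_at()), and includes a small stand-in event object so the logic can be run and checked without a Windows debuggee.

```python
"""Module-relative breakpoints from IDA addresses (added example; not code from the
original thread or from WinAppDbg itself).

Assumptions: MODULE_NAME, IDA_IMAGE_BASE and IMAGE_SIZE are placeholders for the
winamp module name as WinAppDbg reports it, the image base the IDA/PIDA dump was
taken at, and the mapped image size.  set_module_breakpoints() calls only the two
WinAppDbg methods named in the first answer, Process.resolve_label() and
Debug.break_at(); _OfflineEvent mimics those so the example runs anywhere.
"""

MODULE_NAME = "winamp"       # assumed module name as WinAppDbg labels it
IDA_IMAGE_BASE = 0x400000    # assumed image base of the IDA/PIDA dump
IMAGE_SIZE = 0x100000        # assumed size of the mapped image, for range checks


def rebase(address, old_base, new_base):
    """The rebase formula from the second answer.  Nothing here checks that
    old_base is right: a wrong old_base silently shifts every breakpoint."""
    return address - old_base + new_base


def in_image(address, image_base=IDA_IMAGE_BASE, image_size=IMAGE_SIZE):
    """True if address lies inside [image_base, image_base + image_size)."""
    return image_base <= address < image_base + image_size


def rva_of(address, image_base=IDA_IMAGE_BASE, image_size=IMAGE_SIZE):
    """Absolute dump address -> module-relative offset (RVA).  Refuses addresses
    outside the image, so a base mismatch fails loudly instead of producing a
    breakpoint in the middle of some unrelated instruction."""
    if not in_image(address, image_base, image_size):
        raise ValueError("0x%x is not inside the image at 0x%x" % (address, image_base))
    return address - image_base


def label_for(address, module=MODULE_NAME, image_base=IDA_IMAGE_BASE,
              image_size=IMAGE_SIZE):
    """Build the 'module!0xRVA' label form used in the first answer; the debugger
    resolves it against the live base, so ASLR or a wrong dump base does not matter."""
    return "%s!0x%x" % (module, rva_of(address, image_base, image_size))


def set_module_breakpoints(event, addresses, action=None, module=MODULE_NAME,
                           image_base=IDA_IMAGE_BASE, image_size=IMAGE_SIZE):
    """Turn each dump address into a label, resolve it in the debuggee and set a
    code breakpoint there.  `event` is a WinAppDbg Event (or _OfflineEvent below).
    Returns {label: live_address} so the caller can log what was actually set."""
    process = event.get_process()
    pid = event.get_pid()
    resolved = {}
    for address in addresses:
        label = label_for(address, module, image_base, image_size)
        live = process.resolve_label(label)
        event.debug.break_at(pid, live, action)
        resolved[label] = live
    return resolved


class _OfflineEvent(object):
    """Stand-in for a WinAppDbg Event with just the calls used above, so the
    example runs without Windows or a debuggee.  It maps module names to a
    constructed live base and records break_at() calls instead of patching code."""

    def __init__(self, pid, module_bases):
        self._pid = pid
        self._bases = module_bases       # {module name: live base address}
        self.breakpoints = []            # (pid, address, action) per break_at()
        self.debug = self                # so event.debug.break_at(...) works

    def get_pid(self):
        return self._pid

    def get_process(self):
        return self

    def resolve_label(self, label):
        # Handles only the 'module!0xOFFSET' form this example produces.
        module, offset = label.split("!", 1)
        return self._bases[module] + int(offset, 16)

    def break_at(self, pid, address, action=None):
        self.breakpoints.append((pid, address, action))


if __name__ == "__main__":
    # Constructed scenario: the loader put winamp at 0x1230000 rather than the
    # 0x400000 of the dump, as it would under ASLR.  Labels still land on the
    # right code because they are resolved against the live base.
    event = _OfflineEvent(pid=9172, module_bases={MODULE_NAME: 0x1230000})
    placed = set_module_breakpoints(event, [0x48D1EA, 0x47A001, 0x408020])
    for label, live in sorted(placed.items()):
        print("%s -> 0x%x" % (label, live))
    # The rebase formula with a hypothetical wrong old base (0x401000, one page
    # off) moves the breakpoint 0x1000 early, into whatever instruction is there.
    print("rebase with wrong old base: 0x%x" % rebase(0x408020, 0x401000, 0x400000))
```

In a real WinAppDbg script, call set_module_breakpoints() from an event handler that runs once the winamp module is mapped (for example the handler for the process creation or DLL load event), passing the real event object instead of _OfflineEvent; the ValueError from rva_of() is the check that would have caught the mismatched PIDA base before any breakpoint was written.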