🔧 Lab 5

Advanced Debugging

Execution Tracing, Memory Modification, and Patching

🎯 Lab Objectives

🔴 Part 1: Types of Breakpoints

Task 1.1 - Software Breakpoint
  1. Open a program in x64dbg
  2. Find the Entry Point (with the default Entry Breakpoint event enabled, x64dbg stops there by itself after loading)
  3. Set a BP on the first instruction (F2)
  4. Run (F9) - the program stops at the BP
  5. Check that the first byte of the instruction was replaced with 0xCC (INT 3). x64dbg shows the original byte in its own disassembly and dump, so you will not see the 0xCC there; the program itself (or any other tool reading its memory) does see it, which is exactly what the 0xCC scan in Part 5 relies on. The debugger puts the original byte back before letting the instruction execute
Task 1.2 - Hardware Breakpoint

A hardware BP doesn't modify the code - it uses one of the CPU debug registers DR0-DR3 instead, so it is more "stealthy":

  1. Right-click on an instruction → Breakpoint → Hardware → Execute
  2. Run and verify it stops
  3. Advantage: no 0xCC is written, so a program that scans or checksums its own code doesn't notice it. Caveats: there are only four slots (DR0-DR3), and the debug registers themselves can be read back with GetThreadContext, so this is harder to detect, not undetectable
Task 1.3 - Memory Breakpoint

Stop on memory access:

  1. In the Dump window, find an interesting address
  2. Right-click → Breakpoint → Memory, Access
  3. Run - stops when something reads or writes the address
  4. Caveat: a memory BP works at page granularity (the debugger guards the whole 4 KB page), so you also get hits on unrelated data in the same page. To watch one exact address, use Breakpoint → Hardware, Access or Write with the matching size (1, 2, 4 or 8 bytes)
Task 1.4 - Conditional Breakpoint

Stop only when a condition is met:

  1. Set a regular BP (F2)
  2. Right-click on the BP → Edit
  3. In the Break Condition field, enter: eax == 5
  4. Run - it stops only when EAX equals 5. Note that x64dbg reads numbers in expressions as hexadecimal by default, so eax == 10 means 0x10; write a decimal value with a leading dot (.10)

✏️ Part 2: Modifying Values at Runtime

Task 2.1 - Modify Register
  1. Stop on a CMP instruction (the BP fires before the CMP has executed)
  2. In the Registers window, double-click on EAX
  3. Change the value
  4. Step over (F8) the CMP and the conditional jump after it, and watch which way the jump goes
Task 2.2 - Modify Flags

Changing the Zero Flag (ZF) to change a jump:

  1. Stop after a CMP or TEST instruction (on the conditional jump itself)
  2. In the Registers window, find ZF
  3. Double-click to toggle (0↔1)
  4. JE/JNE (JZ/JNZ) will now go the other way! This works because they read ZF only; JG/JL/JA/JB also read SF, OF or CF, so for those you have to toggle the flag(s) they actually use
Task 2.3 - Modify Memory
  1. In the Dump window, find the address you want to change
  2. Double-click on a byte
  3. Type a new value
  4. Or: Right-click → Binary → Edit
  5. Edits made this way live only in the running process; Part 3 shows how to write them into the file

🔧 Part 3: Patching

📝 What is Patching?

Modifying bytes in the code to permanently change behavior.
Common: flipping JE to JNE, or replacing with NOP.

Important Opcodes Table

Instruction    Opcode              Notes
-----------    ------              -----
NOP            90                  No Operation - does nothing (1 byte)
JMP short      EB XX               Short jump, 8-bit signed offset: -128..+127 bytes, counted from the end of the jump
JE short       74 XX               Jump if Equal (ZF=1)
JNE short      75 XX               Jump if Not Equal (ZF=0)
JE near        0F 84 XX XX XX XX   Near form of JE, 32-bit offset (6 bytes)
JNE near       0F 85 XX XX XX XX   Near form of JNE, 32-bit offset (6 bytes)
JMP near       E9 XX XX XX XX      Near jump, 32-bit offset (5 bytes)
CALL           E8 XX XX XX XX      Call function, 32-bit offset (5 bytes)
RET            C3                  Return
            
            
Task 3.1 - Flip JE to JNE
  1. Find a JE instruction (74 XX)
  2. Press Space on the instruction (or right-click → Assemble)
  3. Change to JNE
  4. Or: manually change 74 → 75 (the XX offset byte stays the same; for the 6-byte near form change 0F 84 → 0F 85)
Task 3.2 - NOP Out

Replacing instructions with NOP (canceling):

  1. Select the instruction(s) you want to cancel
  2. Right-click → Binary → Fill with NOPs
  3. Or: Ctrl+9
  4. Always NOP every byte of the instruction (a 2-byte JNE becomes 90 90), never just the first byte, or the leftover bytes decode as some other instruction. When you NOP out a CALL, keep the stack balanced: if the callee pops its own arguments (stdcall), NOP out the pushes as well
Task 3.3 - Save Patch

To save the changes to the file:

  1. Right-click → Patches (or Ctrl+P)
  2. See the list of all changes (each one can be toggled on and off)
  3. Patch File - writes the patched bytes to a new copy of the executable; the original file is not touched
  4. Only bytes that are mapped from the file can be written back. Code that is decrypted or unpacked at runtime has no place in the file, so patches to it are gone on the next run

🎯 Part 4: Summary Exercise

Challenge: Bypass Password Check

The following code checks a password. Find 3 ways to bypass it. The bytes are shown next to each instruction (XX = an address the assembler fills in); strcmp and printf are cdecl, so the caller removes their arguments:

00401000  55              push ebp
00401001  8B EC           mov ebp, esp
00401003  68 XX XX XX XX  push offset "secret"    ; second strcmp argument
00401008  8B 45 08        mov eax, [ebp+8]        ; password (first argument)
0040100B  50              push eax
0040100C  E8 XX XX XX XX  call strcmp             ; returns 0 when the strings match
00401011  83 C4 08        add esp, 8              ; pop both arguments
00401014  85 C0           test eax, eax           ; ZF=1 if eax == 0
00401016  75 0C           jne 00401024            ; not zero -> wrong password
00401018  68 XX XX XX XX  push offset "Access Granted"
0040101D  E8 XX XX XX XX  call printf
00401022  EB 0B           jmp 0040102F
00401024  68 XX XX XX XX  push offset "Wrong Password"
00401029  E8 XX XX XX XX  call printf
0040102E  C9              leave                   ; resets esp, discarding printf's argument
0040102F  C3              ret
                

Method 1 - Modify Register:

  • Set a BP on the TEST at 00401014
  • While stopped on it (the TEST has not executed yet), set EAX to 0
  • Step over: TEST now sets ZF=1 and the JNE is not taken. Changing EAX after the TEST does nothing, because the flags have already been computed

Method 2 - Modify Flag:

  • Set a BP on the JNE at 00401016 (i.e. after the TEST)
  • Change ZF to 1 (Zero)
  • The JNE is not taken and "Access Granted" is printed

Method 3 - Patch:

  • Change JNE to JE (75 → 74): every wrong password now passes, but the real one fails
  • Or: change the JNE to NOP NOP (75 0C → 90 90): every input falls through to "Access Granted"
  • Save it with Patches (Ctrl+P) → Patch File
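The patching steps in Part 3 and Method 3 above, done on a byte copy of the code instead of in the debugger, as an added example written for this lab (not code from the handout or from x64dbg). It shows the two things x64dbg does for you: checking that the bytes you are about to overwrite are the ones you expect, and keeping the short-jump offset arithmetic straight (rel8 is counted from the end of the 2-byte jump and must fit in -128..+127). The byte image below is constructed to have the shape of the Part 4 listing; the 00 00 00 00 immediates and call targets are placeholders, not real addresses.

```python
NOP = 0x90
SHORT_JUMPS = {"jmp": 0xEB, "je": 0x74, "jne": 0x75}   # 2-byte forms from the opcode table


def encode_short_jump(mnemonic: str, at: int, target: int) -> bytes:
    """Encode `Jcc short target` for a jump placed at address `at`.

    The rel8 displacement is measured from the END of the 2-byte jump and
    must fit in a signed byte; otherwise the near (rel32) form is required.
    """
    rel = target - (at + 2)
    if not -128 <= rel <= 127:
        raise ValueError(f"short jump {at:#x} -> {target:#x}: rel {rel} does not fit in rel8")
    return bytes([SHORT_JUMPS[mnemonic], rel & 0xFF])


def short_jump_target(at: int, insn: bytes) -> int:
    """Decode the target of a 2-byte short jump located at address `at`."""
    rel = insn[1] - 256 if insn[1] >= 0x80 else insn[1]     # sign-extend rel8
    return at + 2 + rel


def patch(code: bytearray, offset: int, expected: bytes, new: bytes) -> None:
    """In-place patch that refuses to run unless the original bytes match.

    Same length in and out: a patch must never move instruction boundaries,
    or every relative jump/call after it would point at the wrong place.
    """
    if len(expected) != len(new):
        raise ValueError("patch changes length; later relative offsets would break")
    have = bytes(code[offset:offset + len(expected)])
    if have != expected:
        raise ValueError(f"offset {offset:#x}: expected {expected.hex()} but found {have.hex()}")
    code[offset:offset + len(new)] = new


def flip_je_jne(code: bytearray, offset: int) -> None:
    """Task 3.1: 74 <-> 75. They differ only in bit 0; the rel8 byte is kept."""
    op = code[offset]
    if op not in (0x74, 0x75):
        raise ValueError(f"offset {offset:#x}: {op:#04x} is not a short JE/JNE")
    patch(code, offset, bytes([op]), bytes([op ^ 1]))


def nop_out(code: bytearray, offset: int, length: int) -> None:
    """Task 3.2: fill `length` bytes with 0x90. `length` must cover whole instructions."""
    patch(code, offset, bytes(code[offset:offset + length]), bytes([NOP]) * length)


# Constructed image of a password check with the shape of the Part 4 listing,
# loaded at BASE. The 00 00 00 00 immediates / call targets are placeholders.
BASE = 0x401000
CODE = bytearray(bytes.fromhex(
    "55"            # 401000  push ebp
    "8BEC"          # 401001  mov ebp, esp
    "6800000000"    # 401003  push offset "secret"
    "8B4508"        # 401008  mov eax, [ebp+8]
    "50"            # 40100B  push eax
    "E800000000"    # 40100C  call strcmp
    "83C408"        # 401011  add esp, 8
    "85C0"          # 401014  test eax, eax
    "750C"          # 401016  jne 401024          <- the check we patch
    "6800000000"    # 401018  push offset "Access Granted"
    "E800000000"    # 40101D  call printf
    "EB0B"          # 401022  jmp 40102F
    "6800000000"    # 401024  push offset "Wrong Password"
    "E800000000"    # 401029  call printf
    "C9"            # 40102E  leave
    "C3"            # 40102F  ret
))
JNE_OFFSET = 0x401016 - BASE


def bypass_by_flip() -> bytearray:
    """Method 3a: JNE -> JE. Wrong passwords now pass, the right one fails."""
    c = bytearray(CODE)
    flip_je_jne(c, JNE_OFFSET)
    return c


def bypass_by_nop() -> bytearray:
    """Method 3b: NOP both bytes of the JNE; every input falls through to success."""
    c = bytearray(CODE)
    nop_out(c, JNE_OFFSET, 2)
    return c


if __name__ == "__main__":
    print("jne rel8 :", encode_short_jump("jne", 0x401016, 0x401024).hex())
    print("jmp rel8 :", encode_short_jump("jmp", 0x401022, 0x40102F).hex())
    print("flipped  :", bypass_by_flip()[JNE_OFFSET:JNE_OFFSET + 2].hex())
    print("nopped   :", bypass_by_nop()[JNE_OFFSET:JNE_OFFSET + 2].hex())
```

The expected-bytes check in `patch` is the same safeguard the Patches window gives you: if the file on disk is a different build than the one you analysed, the patch refuses instead of corrupting an unrelated instruction. The length check is why "NOP NOP" replaces the JNE rather than a single NOP.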

🛡️ Part 5: Anti-Debug Basics

🔍 Common Anti-Debug Techniques

Programs try to detect debuggers:

  • IsDebuggerPresent() - direct check; it simply returns the PEB.BeingDebugged byte
  • Checking the PEB.BeingDebugged flag directly (fs:[30h]+2 on 32-bit, gs:[60h]+2 on 64-bit), so no API call shows up in the imports
  • Timing measurement - rdtsc or GetTickCount around a block of code; handling a breakpoint or single-stepping adds milliseconds where the code expects microseconds
  • Searching for breakpoints (0xCC) or checksumming the code - a software BP changes a byte, a hardware BP does not
Task 5.1 - Bypass IsDebuggerPresent
  1. Set BP: bp kernel32.IsDebuggerPresent (typed in the command bar)
  2. Run - when it stops inside the function, press Ctrl+F9 (Execute till return) to stop on its RET
  3. On the RET, change EAX to 0 (= not being debugged), then F9 to continue
  4. Or: Patch the function to always return 0 (xor eax, eax / ret)
  5. Better: clear the byte the function reads. Go to the expression peb()+2 in the Dump window and set it to 00; this defeats both the API call and a direct PEB check
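The reason Task 1.1 asks you to look for the 0xCC, and the reason Task 1.2 calls hardware breakpoints stealthier, is the last anti-debug technique in the list above. The following added example (written for this lab, not code from the handout or from any real protector) models both sides: what F2 does to the code bytes, a naive 0xCC scan, a checksum of the code, and a hardware breakpoint that occupies a debug register instead. The code bytes are constructed and include a legitimate 0xCC inside the immediate of `mov al, 0CCh`, so the naive scan reports a breakpoint on a clean image.

```python
import zlib
from typing import Dict, List

INT3 = 0xCC

# Constructed code bytes (not from a real binary). The 0xCC at offset 4 is
# the immediate of `mov al, 0CCh`, i.e. data, not a breakpoint.
CODE = bytearray(bytes.fromhex(
    "55"        # 0   push ebp
    "8BEC"      # 1   mov ebp, esp
    "B0CC"      # 3   mov al, 0CCh      <- legitimate 0xCC at offset 4
    "3C01"      # 5   cmp al, 1
    "7402"      # 7   je +2
    "31C0"      # 9   xor eax, eax
    "C9"        # 11  leave
    "C3"        # 12  ret
))
GOOD_CRC = zlib.crc32(bytes(CODE))      # "compiled-in" checksum of the clean code


def set_software_bp(code: bytearray, offset: int) -> int:
    """What F2 does: remember the original byte, write INT3 (0xCC) over it."""
    saved = code[offset]
    code[offset] = INT3
    return saved


def remove_software_bp(code: bytearray, offset: int, saved: int) -> None:
    """Restore the byte, as the debugger does before the instruction runs."""
    code[offset] = saved


def scan_for_int3(code: bytes) -> List[int]:
    """Naive anti-debug check: report every 0xCC byte as a breakpoint."""
    return [i for i, b in enumerate(code) if b == INT3]


def integrity_ok(code: bytes, expected_crc: int = GOOD_CRC) -> bool:
    """Checksum check: catches any changed byte, with no false positives."""
    return zlib.crc32(bytes(code)) == expected_crc


def set_hardware_bp(dr: Dict[int, int], address: int) -> int:
    """Hardware BP: takes one of DR0-DR3; the code bytes are not touched."""
    for slot in range(4):
        if dr.get(slot, 0) == 0:
            dr[slot] = address
            return slot
    raise RuntimeError("all four hardware breakpoint slots (DR0-DR3) are in use")


def debug_registers_in_use(dr: Dict[int, int]) -> List[int]:
    """What the program would see via GetThreadContext(CONTEXT_DEBUG_REGISTERS)."""
    return [slot for slot in range(4) if dr.get(slot, 0)]


if __name__ == "__main__":
    c = bytearray(CODE)
    print("clean   scan:", scan_for_int3(c), "integrity:", integrity_ok(c))
    saved = set_software_bp(c, 5)                      # F2 on `cmp al, 1`
    print("sw BP   scan:", scan_for_int3(c), "integrity:", integrity_ok(c))
    remove_software_bp(c, 5, saved)
    dr: Dict[int, int] = {}
    set_hardware_bp(dr, 0x401005)                      # same spot, hardware
    print("hw BP   scan:", scan_for_int3(c), "integrity:", integrity_ok(c),
          "DRs in use:", debug_registers_in_use(dr))
```

Two things to take from the output: the 0xCC scan is noisy (it flags the clean image), so real protectors prefer checksums; and the hardware breakpoint passes both checks but still shows up in the debug registers, which is why Task 1.2 says "less likely to detect", not "cannot detect".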

✅ Course Summary

🎉 Congratulations!

You've completed both the theory and practical parts of the course!

Now you have the foundation for:

  • Reading and understanding Assembly code
  • Analyzing PE files
  • Using Ghidra and x64dbg
  • Solving simple Crackmes

📚 Continue Learning

🚀 Next Steps
  • Practice more Crackmes - crackmes.one
  • Learn about Anti-Debug - advanced techniques
  • Malware Analysis - analyzing malicious software (in VM!)
  • CTF Challenges - RE competitions
  • Read code - try to read and understand real programs
📖 Recommended Resources
  • Books:
    • "Practical Malware Analysis" - the classic book
    • "Reversing: Secrets of Reverse Engineering"
    • "The IDA Pro Book"
  • Websites:
    • malware.news - malware analysis news
    • 0xcc.re - RE blog
    • YouTube: OALabs, MalwareAnalysisForHedgehogs