The situation was the following. The below instruction reads memory.
00400000+006026de mov eax,dword ptr [ebp+4]
What is the
EIPof the instruction that writes
[ebp+4]? This is all I wanted to know that stage.
Note, while looking at the instruction it looks like ebp+4 reads a stack address -- it reads actually a heap address.
First I was looking at the function if I can find the instruction in it that writes
[ebp+4]. It wasn't there so I investigated the caller functions, and their callers, and so on. Again, it wasn't there but noticed something. The functions passed a pointer to a context as a parameter containing many variables including
At this point I had a good reason to believe the situation looked difficult because the context is likely to set by an initializer that may be on a completely different code path to the one I was investigating.
You may ask why I didn't use processor breakpoint too see what instruction writes
[ebp+4]. It was a heap address kept changing on every execution and the address was not known to put breakpoint on.
I could have gone back to the point when the structure is allocated, and I could have set a breakpoint relative to the base address and see what code writes
[ebp+4]. That sounded good and I would have gone to that direction if I hadn't had a better idea.
I thought I could write a PinTool that tracks write and read memory accesses. It adds all instructions writing memory to the list. When the instruction that reads memory is reached the program searches the list for instructions wrote that address. Of course this has to be thread safe.
It took me a day to develop the PinTool and find the
This is how I executed the PinTool from command line.
pin.exe -t TrackDownWrite.dll -ip 0x6026de -s 4 -- c:\work\<redacted>.exe
-ipis the instruction pointer where
-sis the size of read/write to track
The result looked like this.
0bab05dc is read by 006026de
0bab05dc was written by 005ee358 before read
The wanted instruction is below.
00400000+005ee358 mov dword ptr [eax+4],edx
The prototype is available for download. After finished my debugging task I also tested it a bit on Windows x86 and I think it looks useful for similar problems might arise in the future.