Nick Collisson, the author of Pointer Sequence Reverser (PSR), occasionally found himself with the need to write software that integrates deeply into an existing closed-source Windows binary and alters, or enhances, its behaviour. Such software must be able to access the data within the running process for reading and writing. From a permissions standpoint, accessing the data is easy. Figuring out where the data is actually located in memory at any given time can be a bit more complicated.
Nick wrote PSR in order to help tackle this problem. PSR watches the instructions executed while the target application accesses its own data, and then reports to the user the set of steps taken by the application. This enables the user to write their own code that follows the same set of steps to get to the data of interest. PSR is written in C++ and leverages the Win32 debugging APIs and the Capstone Engine.
At a high-level, PSR works like this:
- PSR takes the process ID of the target application and the temporary memory address of some data of interest.
- PSR sets a memory breakpoint on the memory address which will cause execution of the application to pause whenever the data is accessed.
- Every instruction executed by the application is recorded until the memory breakpoint is hit.
- PSR analyses the previously recorded instructions to determine which were used to access the data.
- Additional processing is performed on the relevant subset of instructions to improve the clarity of the results.
- PSR prints out the relevant instructions along with some other contextual data.
PSR improves upon the accuracy and performance of existing solutions, including manual reverse engineering and Cheat Engine’s pointer scanner. I have personally used PSR with success against PC games written in C++, and it may have utility in other scenarios. The code for PSR can be found at https://github.com/nccgroup/psr and a whitepaper explaining more of the theory and tool implementation details can be found at the link below.