Automated analysis of debugger memory snapshots
Moderator: Ras

sje
Posts: 4675
Joined: Mon Mar 13, 2006 7:43 pm

A time-honored technique among the hacker/cracker crowd is to use a debugger with a timer script to dump the data segment of a running program for later analysis. The idea is to feed the monitored program specific data and commands and then let another program determine the location of the interesting data structures via content change detection.
This would also be useful for clone status determination.
Has anyone tried this on a closed source commercial chess program?
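The snapshot-differencing technique sje describes, worked through as an added example (this is not code from the thread or from any chess program). It simulates four data-segment dumps of a program that is fed a start position, the move e2e4, the move e7e5, and then nothing, and recovers the board array, the side-to-move flag and the node counter from how the bytes move. The segment contents, the planted field offsets (0x400, 0x800, 0x900, 0x100) and the piece encoding are all constructed assumptions for the demonstration; on a real target the snapshots would come from the debugger (gdb's `dump binary memory` writes a range to a file) and the expected values from the commands you fed.

```python
"""Differential analysis of memory snapshots (added example, not from the thread).

Dump a running program's data segment repeatedly while feeding it known
commands, then let a script find the offsets whose contents track those
commands. All snapshots here are constructed byte strings; the planted
field offsets are assumptions for the demonstration.
"""
import random
import struct
from typing import List, Optional, Sequence, Tuple

SEGMENT_SIZE = 0x1000
# Assumed layout of the simulated program (unknown to the analyst in practice):
BOARD, NODES, SIDE, CLOCK = 0x400, 0x800, 0x900, 0x100


def changed_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """[start, end) ranges where two same-sized snapshots differ."""
    if len(a) != len(b):
        raise ValueError("snapshots must be the same size")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def value_candidates(snaps: Sequence[bytes], expected: Sequence[int],
                     width: int, endian: str = "<") -> List[int]:
    """Width-aligned offsets whose integer equals expected[k] in snapshot k for
    every k. Use when the fed commands force a known value (e.g. side to move)."""
    fmt = endian + {1: "B", 2: "H", 4: "I", 8: "Q"}[width]
    return [off for off in range(0, len(snaps[0]) - width + 1, width)
            if all(struct.unpack_from(fmt, s, off)[0] == v
                   for s, v in zip(snaps, expected))]


def monotonic_candidates(snaps: Sequence[bytes], width: int = 4) -> List[int]:
    """Aligned offsets holding a strictly increasing little-endian counter.
    Finds node counters, but also clocks; an idle snapshot separates the two."""
    fmt = "<" + {4: "I", 8: "Q"}[width]
    out = []
    for off in range(0, len(snaps[0]) - width + 1, width):
        vals = [struct.unpack_from(fmt, s, off)[0] for s in snaps]
        if all(x < y for x, y in zip(vals, vals[1:])):
            out.append(off)
    return out


def locate_board(snaps: Sequence[bytes],
                 moves: Sequence[Optional[Tuple[int, int]]]) -> List[int]:
    """Base offsets of a 64-byte board: for each step where move (frm, to) was
    fed, exactly base+frm and base+to change inside the 64-byte window and the
    from-square reads 0 afterwards. Candidates are intersected across steps."""
    bases = None
    for (a, b), mv in zip(zip(snaps, snaps[1:]), moves):
        if mv is None:
            continue
        frm, to = mv
        changed = {i for s, e in changed_ranges(a, b) for i in range(s, e)}
        found = set()
        for i in changed:
            base = i - frm
            if 0 <= base and base + 64 <= len(b):
                window = {j for j in changed if base <= j < base + 64}
                if window == {base + frm, base + to} and b[base + frm] == 0:
                    found.add(base)
        bases = found if bases is None else bases & found
    return sorted(bases or [])


def simulate_snapshots() -> Tuple[List[bytes], List[Optional[Tuple[int, int]]]]:
    """Constructed stand-in for four debugger dumps: start position, after 1.e4,
    after 1...e5, then one more with nothing fed (the engine is idle)."""
    rng = random.Random(1)
    seg = bytearray(rng.getrandbits(8) for _ in range(SEGMENT_SIZE))  # unrelated state
    board = bytearray(64)
    for sq in range(8, 16):
        board[sq] = 1          # assumed encoding: 1 = white pawn, rank 2
    for sq in range(48, 56):
        board[sq] = 7          # assumed encoding: 7 = black pawn, rank 7
    moves = [None, (12, 28), (52, 36), None]   # e2e4 = 12->28, e7e5 = 52->36
    snaps, nodes = [], 1000
    for k, mv in enumerate(moves):
        if mv:
            board[mv[1]], board[mv[0]] = board[mv[0]], 0
            nodes += 3457                          # a search ran after the move
        seg[BOARD:BOARD + 64] = board
        seg[SIDE:SIDE + 2] = struct.pack("<H", sum(m is not None for m in moves[:k + 1]) % 2)
        seg[NODES:NODES + 4] = struct.pack("<I", nodes)
        seg[CLOCK:CLOCK + 8] = struct.pack("<Q", 0x5000 + 17 * k)  # ticks even when idle
        snaps.append(bytes(seg))
    return snaps, moves[1:]


def analyse(snaps: Sequence[bytes], moves: Sequence[Optional[Tuple[int, int]]]) -> dict:
    side_expected = [sum(m is not None for m in moves[:k]) % 2 for k in range(len(snaps))]
    counters = monotonic_candidates(snaps[:3])
    # Anything that still advanced between the last move and the idle dump is a clock.
    counters = [o for o in counters if snaps[2][o:o + 4] == snaps[3][o:o + 4]]
    return {"board": locate_board(snaps, moves),
            "side_to_move": value_candidates(snaps, side_expected, 2),
            "node_counter": counters}


def run_demo() -> dict:
    snaps, moves = simulate_snapshots()
    return analyse(snaps, moves)


if __name__ == "__main__":
    for name, offs in run_demo().items():
        print(f"{name:>12}: {[hex(o) for o in offs]}")
```

The idle fourth dump is the part worth copying: a plain diff of two snapshots flags timers, hash-table entries and anything else the program touches on its own, so each candidate needs a snapshot in which the fed input did not change and the candidate must stay still. The same holds for the board search, which accepts only windows where exactly the two squares you moved changed.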
Zach Wegner
Posts: 1922
Joined: Thu Mar 09, 2006 12:51 am
Location: Earth

Re: Automated analysis of debugger memory snapshots

sje wrote:
> A time-honored technique among the hacker/cracker crowd is to use a debugger with a timer script to dump the data segment of a running program for later analysis. The idea is to feed the monitored program specific data and commands and then let another program determine the location of the interesting data structures via content change detection.
> This would also be useful for clone status determination.
> Has anyone tried this on a closed source commercial chess program?

It would be interesting. I don't have any such tools, unfortunately. Anthony Cozzie linked to a product he has been working on, which analyzed the assembly to determine common structures.
I have been able to find a lot of the data structures in Rybka 1.0 just by examining disassembly. It might take longer, but it's not extremely difficult.
bob
Posts: 20943
Joined: Mon Feb 27, 2006 7:30 pm
Location: Birmingham, AL

Re: Automated analysis of debugger memory snapshots

Zach Wegner wrote:
> sje wrote:
> > A time-honored technique among the hacker/cracker crowd is to use a debugger with a timer script to dump the data segment of a running program for later analysis. The idea is to feed the monitored program specific data and commands and then let another program determine the location of the interesting data structures via content change detection.
> > This would also be useful for clone status determination.
> > Has anyone tried this on a closed source commercial chess program?
>
> It would be interesting. I don't have any such tools, unfortunately. Anthony Cozzie linked to a product he has been working on, which analyzed the assembly to determine common structures.
> I have been able to find a lot of the data structures in Rybka 1.0 just by examining disassembly. It might take longer, but it's not extremely difficult.

X86 helps quite a bit compared to other assembly languages as well, since structures are usually accessed as [reg + offset], where reg is a register pointing to the structure and offset is the number of bytes into the structure where you find the data you want to access. Even arrays buried in a struct are easy to figure out when you see [reg + 4 * reg2 + offset] type things.
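Bob's observation that x86 addressing gives the struct layout away, turned into a script as an added example (not code from the thread, from Rybka, or from Anthony Cozzie's tool). It harvests `[base + offset]` and `[base + index*scale + offset]` operands from Intel-syntax disassembly in the style objdump prints with `-M intel`, groups them per base register, infers field widths from the `PTR` size prefixes and array strides from the scale, and renders a C-like struct with explicit padding. The listing in `SAMPLE` is constructed for the demonstration and is not the disassembly of any real program; the struct and field names are made up.

```python
"""Struct layout recovery from x86 disassembly (added example, not from the thread).

Fields are reached as [reg + offset]; arrays inside a struct as
[reg + index*scale + offset]. SAMPLE below is constructed Intel-syntax text
(objdump -M intel style), not any real program's disassembly.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE = """
  401000:  48 8b 47 10     mov    rax,QWORD PTR [rdi+0x10]
  401004:  8b 47 08        mov    eax,DWORD PTR [rdi+0x8]
  401007:  0f b6 57 0c     movzx  edx,BYTE PTR [rdi+0xc]
  40100b:  66 89 4f 0e     mov    WORD PTR [rdi+0xe],cx
  40100f:  48 8b 4c c7 40  mov    rcx,QWORD PTR [rdi+rax*8+0x40]
  401014:  8b 54 87 20     mov    edx,DWORD PTR [rdi+rax*4+0x20]
  401018:  48 8d 47 40     lea    rax,[rdi+0x40]
  40101c:  8b 07           mov    eax,DWORD PTR [rdi]
  40101e:  48 8b 45 f8     mov    rax,QWORD PTR [rbp-0x8]
"""

SIZES = {"BYTE": 1, "WORD": 2, "DWORD": 4, "QWORD": 8}
OPERAND = re.compile(
    r"(?:(?P<ptr>BYTE|WORD|DWORD|QWORD) PTR )?"
    r"\[(?P<base>[a-z0-9]+)"
    r"(?:\+(?P<index>[a-z0-9]+)\*(?P<scale>[1248]))?"
    r"(?:(?P<sign>[+-])(?P<disp>0x[0-9a-f]+))?\]")


@dataclass
class Access:
    base: str
    offset: int
    size: Optional[int]      # None for lea: address taken, width unknown
    stride: Optional[int]    # scale of the index register, if any


@dataclass
class Field:
    offset: int
    size: int
    stride: Optional[int] = None   # set when the offset is indexed (an array)
    count: Optional[int] = None    # elements, if the next field bounds the array


def parse_disassembly(text: str) -> List[Access]:
    """One Access per memory operand in the listing; hex bytes have no brackets."""
    out = []
    for line in text.splitlines():
        for m in OPERAND.finditer(line):
            disp = int(m["disp"], 16) if m["disp"] else 0
            if m["sign"] == "-":
                disp = -disp
            size = SIZES[m["ptr"]] if m["ptr"] else None
            stride = int(m["scale"]) if m["scale"] else None
            out.append(Access(m["base"], disp, size, stride))
    return out


def recover_layout(accesses: List[Access], base: str) -> List[Field]:
    """Merge every access through `base` into a sorted field list. The widest
    access at an offset wins; an indexed access marks the field as an array."""
    fields: Dict[int, Field] = {}
    for a in accesses:
        if a.base != base:
            continue
        f = fields.setdefault(a.offset, Field(a.offset, 0))
        if a.size:
            f.size = max(f.size, a.size)
        if a.stride:
            f.stride = a.stride
    ordered = sorted(fields.values(), key=lambda f: f.offset)
    for f, nxt in zip(ordered, ordered[1:]):
        if f.stride:
            f.count = (nxt.offset - f.offset) // f.stride
    for f in ordered:
        if not f.size:                 # only ever seen via lea
            f.size = f.stride or 1
    return ordered


def render_struct(fields: List[Field], name: str) -> str:
    """C-like rendering with explicit padding between recovered fields."""
    ctype = {1: "uint8_t", 2: "uint16_t", 4: "uint32_t", 8: "uint64_t"}
    fname = lambda off: f"f_{off:#x}" if off >= 0 else f"f_m{-off:#x}"
    lines, cursor = [f"struct {name} {{"], fields[0].offset if fields else 0
    for f in fields:
        if f.offset > cursor:
            lines.append(f"    uint8_t pad_{cursor:#x}[{f.offset - cursor}];")
        if f.stride:
            dims = f"[{f.count}]" if f.count else "[]  /* count unknown */"
            note = "" if f.stride == f.size else f"  /* stride {f.stride} */"
            lines.append(f"    {ctype[f.size]} {fname(f.offset)}{dims};{note}")
            cursor = f.offset + (f.count or 0) * f.stride
        else:
            lines.append(f"    {ctype[f.size]} {fname(f.offset)};")
            cursor = f.offset + f.size
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_struct(recover_layout(parse_disassembly(SAMPLE), "rdi"), "position"))
```

Grouping by base register matters: `rbp`-relative operands in the same listing are stack locals, not struct fields, so they come out as a separate (and uninteresting) layout. The element count of the array at 0x20 is inferred only because another field starts at 0x40; the last array stays open, since nothing in the listing bounds it.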