HW breakpoints won't help you if the program performs self-checksums in memory. What you really want to do is diff runtime traces:
1) Record a trace of running the unmodified binary
2) Record a trace of running the modified binary
3) See where they differ. This yields one (possibly many) program location(s) which do "the check(s)".
As for collecting traces, use your favourite debugger (x64dbg, OllyDbg, IDA) or dynamic binary instrumentation tool (DynamoRIO, Pin).
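Step 3 of the procedure above, as an added example that is not part of the original post: it aligns two recorded traces and reports, for each point where they part ways, the last instruction both runs executed (the candidate check) and what each run executed next. The one-hex-address-per-line trace format, the function names and the sample addresses are assumptions made for this sketch, and both traces are assumed to use the same load address (or module-relative offsets).

```python
from difflib import SequenceMatcher

def parse_trace(text):
    """Parse a trace with one executed instruction address (hex) per line.
    Blank lines and '#' comments are ignored; this format is an assumption."""
    addrs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            addrs.append(int(line.split()[0], 16))
    return addrs

def divergences(ref, mod):
    """Return (last_common_addr, ref_only, mod_only) for every region where
    the two traces differ. last_common_addr is None if they differ from the
    very first instruction."""
    # autojunk=False: hot loop addresses repeat often and must not be dropped.
    # SequenceMatcher is quadratic in the worst case; trim huge traces first.
    matcher = SequenceMatcher(None, ref, mod, autojunk=False)
    found = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            last_common = ref[i1 - 1] if i1 > 0 else None
            found.append((last_common, ref[i1:i2], mod[j1:j2]))
    return found

# Constructed sample traces: a three-iteration checksum loop, a compare and a
# conditional jump, after which the unmodified and modified runs go separate ways.
COMMON = "401000\n" + "401010\n401014\n" * 3 + "401018  # cmp\n40101a  # jcc\n"
REF_TRACE = COMMON + "401020\n401025\n"   # unmodified binary continues normally
MOD_TRACE = COMMON + "401050\n401055\n"   # modified binary takes another path

if __name__ == "__main__":
    for last, ref_only, mod_only in divergences(parse_trace(REF_TRACE),
                                                parse_trace(MOD_TRACE)):
        where = hex(last) if last is not None else "start of trace"
        print(f"diverges after {where}")
        print("  unmodified:", [hex(a) for a in ref_only])
        print("  modified:  ", [hex(a) for a in mod_only])
```
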