skynet888 (!BEWARE! Deletes post on answer)
Reputation: 1
Joined: 12 Apr 2021 Posts: 66

Posted: Sat Jun 22, 2024 10:50 pm Post subject: register "IP" should be recorded every 3 milliseco

Suppose we're debugging a program to find out who jumped to 0x417691 and assigned a value to esi, the program has countless jumps above 0x417691, and the stack trace doesn't help. That's right, assuming we can only trust the tracer at this point.
Let's start "Break and Trace Instruction" at 0x417694 and set the "Stop condition" to "EIP==0x417691" (yes, let's trace the program until it comes back to 0x417691 again; then we'll be 100% sure who jumped to 0x417691, and what the original source of the esi value is). (As the picture shows: 00000000.png)
Next, we're going to use "Break and Trace Instruction"! But unfortunately, for many programs, we can't use "single step" to trace, otherwise it will take us two weeks and we still won't see results! That's right! In this case we must check "Step over instead of single step". In this way, we get the trace shown in the picture: 11111111111.png
Please see the red text I wrote on the picture. As the red text shows, "Instruction 0x417691 is actually an instruction inside the call 0x422605. You see that my tracer (step over instead of single step) stops at address 0x417691 because I put a breakpoint at 0x417691". (As the picture shows: 11111111111.png)
As you can see, we still haven't found who jumped to 0x417691! We also haven't found who assigned the value to esi!
All in all, based on the above facts, I extremely strongly make a feature suggestion to darkbyte. I came up with two ways to improve the CE tracer:
① As the picture shows: 2222222.png.
② The value of the register "IP" should be recorded every 3 milliseconds during the trace (Step over instead of single step). In this way, when the tracer reaches 0x417691, we can find out which instruction was executed 3 milliseconds before 0x417691 (assuming it is 0x444444), and then we can use "Break and Trace Instruction" at 0x444444 (Stop condition is "EIP==0x417691". This time we can use a "single step" trace, because the program runs from 0x444444 to 0x417691 in a very short time, instead of taking us two weeks!)
Last edited by skynet888 on Sun Jun 23, 2024 5:53 am; edited 2 times in total