fred26 Posted March 19, 2017 Posted March 19, 2017 Could someone provide me a step by step on how to trace? Can you log the output to a file like OllyDbg does ? thanks
mrexodia Posted March 19, 2017 Posted March 19, 2017 Relevant sections of the manual: http://help.x64dbg.com/en/latest/introduction/ConditionalTracing.html http://help.x64dbg.com/en/latest/introduction/ConditionalTracing.html#logging http://help.x64dbg.com/en/latest/introduction/Formatting.html http://help.x64dbg.com/en/latest/commands/tracing/TraceSetLogFile.html Without writing a plugin you cannot output the same format as ollydbg does, but you can output data of your choice (EIP + instruction text + some registers) 2
fred26 Posted March 19, 2017 Author Posted March 19, 2017 (edited) Thanks. It seems you need a plugin and not a default command in the current builds? How can you do a trace via the GUI? Edited March 19, 2017 by fred26
mrexodia Posted March 19, 2017 Posted March 19, 2017 Debug -> Trace into? What version are you using?
fred26 Posted March 19, 2017 Author Posted March 19, 2017 (edited) I downloaded the latest version and now it works. But, after setting the txt file and when the trace finishes after 50000 steps the file is empty - it was created though. What can I do to see the content of the trace or make the debugger dump to the txt file? Also, can I do an indefinite trace ? Thanks! Edited March 19, 2017 by fred26
mrexodia Posted March 19, 2017 Posted March 19, 2017 The file will only have the contents you tell it to have. My guess is that you didn't read any of the resources I pointed you to because one of them clearly answers your question.
fred26 Posted March 19, 2017 Author Posted March 19, 2017 (edited) 23 minutes ago, mrexodia said: The file will only have the contents you tell it to have. My guess is that you didn't read any of the resources I pointed you to because one of them clearly answers your question. Thanks. Ok, I understand that you need to tell the debugger what to write. I added {p:cip} {i:cip} to the Log Text and I see the counter and instruction. How can I output all register values ? Can I add a break line between each instruction? Thanks again Edited March 19, 2017 by fred26
fred26 Posted March 19, 2017 Author Posted March 19, 2017 I could create a trace such as {p:cip} {i:cip} rax: {rax} rcx: {rcx}, which logs the RAX and RCX registers together with the current rip address and instruction. However, I can't make line breaks in the text file, any hints how to? Also, how can I write the content of let's say [rsp+0x24] ? E.g. [rsp+0x24] = 0x0000000000000001 ? Thanks
Kurapica Posted March 20, 2017 Posted March 20, 2017 Check this plugin, you can modify the code to suit your needs. https://github.com/KurapicaBS/x64_tracer/tree/KurapicaBS-patch-1 1
mrexodia Posted March 20, 2017 Posted March 20, 2017 (edited) @fred26 The text file uses line breaks in the form of \n, which notepad.exe won't properly display. See http://utf8everywhere.org/#faq.crlf for the reason. If you want UTF16+\r\n you can use the option Misc -> UTF-16 Log Redirect (I added this a minute ago so you might have to wait a little for the snapshot to be updated). You can display the contents of [rsp+0x24] with something like "[rsp+0x24] = {[rsp+0x24]}" See http://help.x64dbg.com/en/latest/introduction/Input.html and http://help.x64dbg.com/en/latest/introduction/Expressions.html for what things you can use as an expression (the format string takes "{expression}"). If you want to display something similar to what is shown in the registers view (string/symbol if found) you can use "[rsp+0x24] = {a:[rsp+0x24]}" If you know how to program, you can use CB_TRACEEXECUTE to do things fully manually. You can also use a trace command (_plugin_registercommand) or add your own custom format function (_plugin_registerformatfunction) to do more custom-things. Edited March 20, 2017 by mrexodia 3
mrexodia Posted March 20, 2017 Posted March 20, 2017 (edited) @Kurapica you should take a look at CB_TRACEEXECUTE. This function allows you to work in full tracing performance without all these nasty timer hacks. It also allows you to use x64dbg's trace condition and log functionality. Also to log all jumps/calls with the native tracing functionality, you can use "dis.isbranch()" as log condition. Edited March 20, 2017 by mrexodia
Kurapica Posted March 20, 2017 Posted March 20, 2017 Interesting ! I was too lazy to study the APIs updates Thanks.
fred26 Posted March 20, 2017 Author Posted March 20, 2017 (edited) Thanks both. @mrexodia thanks for the insights. I will try the plugin as well. Just a last question; can you text out the value addressed by the operands? Let's say you have: mov rax, [rsp+20], can you do something to read the memory addressed in the instruction ? Thanks Edited March 20, 2017 by fred26
mrexodia Posted March 20, 2017 Posted March 20, 2017 @fred26 No, but you could write your own expression function that does this.
fred26 Posted March 20, 2017 Author Posted March 20, 2017 (edited) @mrexodiathanks so much Edited March 20, 2017 by fred26
fred26 Posted March 20, 2017 Author Posted March 20, 2017 (edited) Last question. How about a really large trace. Do you need to input the number of max instructions? Edited March 20, 2017 by fred26
mrexodia Posted March 21, 2017 Posted March 21, 2017 Generally I would recommend against doing a really large trace, but you can just change the settings to something like 4 billion.
fred26 Posted March 21, 2017 Author Posted March 21, 2017 @mrexodia thanks! I see a plugin you created for Tracing: https://github.com/mrexodia/TracePlugin/tree/master/TracePlugin This PLUG_EXPORT void CBTRACEEXECUTE(CBTYPE cbType, PLUG_CB_TRACEEXECUTE* info) routine overrides the default trace routine ?
mrexodia Posted March 21, 2017 Posted March 21, 2017 It registers an event callback. You can use PLUG_CB_TRACEEXECUTE.stop to control the 'break condition' but the default routine will run first. So for example if the user trace condition is "rax == 0" and this is true, you callback will get info->stop == true. If you change info->stop to false it will continue execution anyway. You can find exactly how this is implemented at: https://github.com/x64dbg/x64dbg/blob/development/src/dbg/debugger.cpp#L1331
fred26 Posted March 21, 2017 Author Posted March 21, 2017 7 hours ago, mrexodia said: It registers an event callback. You can use PLUG_CB_TRACEEXECUTE.stop to control the 'break condition' but the default routine will run first. So for example if the user trace condition is "rax == 0" and this is true, you callback will get info->stop == true. If you change info->stop to false it will continue execution anyway. You can find exactly how this is implemented at: https://github.com/x64dbg/x64dbg/blob/development/src/dbg/debugger.cpp#L1331 Thanks
paul44 Posted June 19, 2017 Posted June 19, 2017 (edited) I can understand the frustration behind some of the posts here. I'm sure - once going - things clear up nicely, but in the mean time... I've read all the doc pages mentioned above; thought I had it figured out, but... (did look for the 'p: & i:' but does not seem to be explained anywhere ~ I suppose 'i = instruction') Anyways: I'm trying following trace logging: "{rip} >= 0000000140203260 & {rip} <= 000000014020336C" (= my log condition). I do get login info, but nothing between those 2 mem addresses (which is the area where my breakpoint kicks in). Btw: typing "rip <= 000000014020336C" gives me correct 'true/false' in the command prompt; depending current address location. ps: it would be nice if a) the trace window would remember previous entry (entries ~ via dropdown selection), and latest logfile name & location. also: append option would be nice as well. (no pressure :)) ps2: I always get a "Failed to start trace" error, but I do get proper loging though. And: although I regularly forgot to fill in the logfile name, it does take/overwrite the latest logfile selected. Edited June 19, 2017 by paul44
paul44 Posted June 20, 2017 Posted June 20, 2017 I was no longer able to edit my prev post, so... edited my prev log condition to: [ {rip} >= mem.base(rip)+D02260 & {rip} <= mem.base(rip)+D0236C ]. Still not what I was expecting (btw: && and & both work). and the expression does work appropriately in the command window. A nice variant to this would be: start loging when passing 1st address, and stop loging after 2nd address (so it would also register "subfunctions", residing outside those memory boundaries, but called from within the defined boundary).
mrexodia Posted June 24, 2017 Posted June 24, 2017 The manual says: Quote If log condition is set, evaluate the expression (defaults to 1); This means that log condition must be a valid expression. Probably what you want is: rip >= 0000000140203260 && rip <= 000000014020336C Which will enable logging of the log text (for which the format can be found here) if rip is between 0000000140203260 and 000000014020336C (inclusive).
madskillz Posted June 24, 2017 Posted June 24, 2017 Hi How to trace and break when a Unicode string loads into the register without knowing the address? Want to find the address where it loads the string. For example, I want to find - EAX 03FB8EA4 UNICODE "demostring" Thanks
mrexodia Posted June 24, 2017 Posted June 24, 2017 @madskillz You can try https://github.com/pastaCLS/cndsteroids 2
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now