The trace replayer

Hex Blog
February 17th, 2012, 22:19
One of the new features that will be available in the next version of IDA is a trace replayer. This pseudo-debugger allows replaying execution traces of programs debugged in IDA. The replayer can replay traces recorded with any of the currently supported debuggers, ranging from the local Linux or win32 debuggers to remote GDB targets. Currently supported targets include x86, x86_64, ARM, MIPS and PPC.
When replaying a recorded trace, we can step forward and backward, set breakpoints, inspect register values, change the instruction pointer to any recorded IP, etc.
Trace management capabilities have also been added to IDA so that recorded execution traces can be saved and loaded. Let's see an example.

A vulnerable sample program
For this blog post, I will show how this plugin can be used to analyze a bug in a toy executable. This sample application receives two arguments: a message to display and its size. The program checks (by calling strlen) whether the given buffer is longer than the specified size, printing an error message and exiting if it is. If not, memory of the given size is reserved for a local variable, the contents of the buffer are copied into it, and a message based on this string is printed to stdout. After this, the reserved memory is freed and the application simply exits.
This application contains a small integer overflow bug that can be triggered by giving the size argument a negative value. Let's record a trace of the program crashing and replay it in IDA to understand why it crashes:
Set a breakpoint at the entry point.
Set the program arguments to whatever -1 in Debugger
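The following is an added example, not code from the original post or from the Hex-Rays sample program: it reconstructs the length check of the toy program described above under the assumption that the size argument is parsed into a signed int and compared with the size_t result of strlen, which is one way a negative size such as the -1 used above can slip past the check and reach the allocation. The function names and the hardened variant are mine; the original source is not shown on the page.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Assumed reconstruction of the toy program's check (the real source is not
 * shown).  `size` comes from atoi(argv[2]) and is a signed int, while strlen()
 * returns size_t.  In the comparison the int is converted to size_t, so -1
 * becomes SIZE_MAX and a negative size is never "too small": the check
 * passes and the program goes on to reserve (size_t)-1 bytes.
 * Returns 1 if the input is accepted, 0 if it is rejected.
 */
static int length_check_vulnerable(const char *msg, int size)
{
    /* The cast makes explicit the int -> size_t conversion the compiler
     * performs implicitly in `strlen(msg) > size`. */
    if (strlen(msg) > (size_t)size) {
        return 0;                   /* "message longer than size", exit */
    }
    return 1;                       /* accepted: allocation of `size` follows */
}

/* Number of bytes the vulnerable path hands to the allocator for `size`. */
static size_t bytes_requested(int size)
{
    return (size_t)size;            /* -1 -> SIZE_MAX */
}

/*
 * Hardened variant: parse into a wide type, reject anything that is not a
 * positive int before calling strlen(), and only then compare in size_t.
 */
static int length_check_hardened(const char *msg, long size)
{
    if (size <= 0 || size > INT_MAX) {
        return 0;
    }
    return strlen(msg) > (size_t)size ? 0 : 1;
}

/* Mirrors the toy program's argument handling without performing the
 * dangerous allocation: it only reports what each check decides.
 * Defaults to the constructed input "whatever -1" from the steps above. */
int main(int argc, char **argv)
{
    const char *msg = argc > 2 ? argv[1] : "whatever";
    long size = argc > 2 ? strtol(argv[2], NULL, 10) : -1;

    printf("message=\"%s\" size=%ld\n", msg, size);
    printf("vulnerable check: %s (would request %zu bytes)\n",
           length_check_vulnerable(msg, (int)size) ? "accepted" : "rejected",
           bytes_requested((int)size));
    printf("hardened check:   %s\n",
           length_check_hardened(msg, size) ? "accepted" : "rejected");
    return 0;
}
```

Compiled with gcc -Wextra, the implicit form of the vulnerable comparison produces a -Wsign-compare warning, which is the cheapest way to catch this class of bug before a trace is ever needed.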