SoftIce Backtrace Buffer Disassembler - A new tool


Kayaker
August 4th, 2001, 02:45
Hi All,

I wrote a new Win9x reversing tool, TraceDis, that I hope might prove useful. It's made to work in conjunction with SoftICE to allow convenient viewing and saving of Backtrace logs. It combines a raw dump from memory of the addresses contained in the Backtrace buffer with a disassembler.

The Backtrace feature of SoftIce, which allows you to log all instructions executed within a specified address range, is a very powerful option that I think isn't used to its full potential because of the difficulty of working with the disassembled trace. Only the *addresses* of the lines logged are stored in the Backtrace buffer, the disassembled output you see with the SHOW or TRACE commands is generated internally by SoftIce.

You can do multiple screendumps of the trace with IceDump, but this isn't a good option for large traces. What TraceDis does is parse the addresses contained in a dump of the Backtrace buffer and disassemble those addresses in the target program while the program is loaded in memory. The results are a readable disassembled output much as you would see in SoftIce.

It works with Self Modifying Code (SMC) as well as packed programs using high memory addresses during unpacking. You can also use it to help manually trace redirected API calls. All dependent on the quality of your Backtrace in the first place of course.

It has a feature which allows you to break into SoftIce, either specifically at the Program Entry Point of the target program, or at any time you wish after it is loaded, to access the address space of the program. This is simply an obsolete, never-used API invoked at a couple of places in TraceDis that you can set a breakpoint on.

I think it will be a handy utility to take full advantage of SoftIce's tracing abilities, simply because you can now view and save the traces outside of SoftIce. There's a complete help file giving examples of its usage.

I owe a large vote of thanks to +Tsehp for the major contribution he made by kindly providing a C source dll which converted the opcode instructions to readable assembly instructions. Not only did this save an immense amount of time (I'd still be decoding opcode mnemonics), it ensured the accuracy of the results.

I hope you find it useful once you've figured out wtf it's all about and I'd appreciate any comments or bug reports to help improve it.

Cheers,
Kayaker

latigo
August 5th, 2001, 15:22
Hey Kayaker..
Cheers for the new tool
I seem to have a problem trying to download it..
I get a 404.
Is it me?


Latigo

Kayaker
August 5th, 2001, 20:22
Quote:
latigo (08-05-2001 13:22):
Is it me?
Latigo


Hi Latigo,

No, it's me

I've always had a problem posting attachments on this forum for some reason, still don't know why. So I had to cross post on the Newbies forum. You can d/l the file OK from there. Sorry about the mixup.

Cheers,
Kayaker

tsehp
August 7th, 2001, 02:33
hiya,
thanks for your new tool kayaker, I'll try it today on win2k, hope for me it's working.

In this message you'll find an upload test for kayaker's new tool, I'll try to fix this upload problem from my vacation place. :-(

good news : the new tracer for revirgin is now working on win9x and nt, so I'll add now some dump functionalities into revirgin + some fixing for recent asprotect's evolutions (emulation of small api's like getCurrentThreadId and others that our beloved splaj discovered), available here in the month of august.

regards,

tsehp (in the rain)

postnote : the upload worked, you can download kayaker's tool on my attachment.

Kayaker
August 7th, 2001, 16:00
Thanks for fixing up a link +Tsehp. Let me know if it works on Win2K.

I want to try to get it working on NT as well. I have access to an NT machine, but not with SoftIce installed, so I'm error checking the old-fashioned way with MessageBox calls all over the place. LOL, feels like stone-age debugging ;p

Kayaker