
Thread: Good binary code profilers?

  1. #31
    Sorry for my absence lately; I was shipped to San Francisco to attend GDC, which is where I am now as well.


    Hey, L. Spiro, is that feature fully implemented and included in current versions of MHS? You mention that you had a problem before because your tool did not have any kernel components, but if I'm not mistaken, it does now, right?
    The feature is not implemented in any way in the current version. The current version is a complete rewrite of the old version which did have it nearly 100% done.
    I do have kernel now but not kernel debugging. But there is a solution I can employ without the need of actually following SYSENTER/INT 2E.


    Bad news aside, this is a feature I will 100% definitely implement, and not too far from now.

    My implementation will:
    1: Provide a graphical interface that allows viewing the whole control path as it was executed. It will be a grid with zoom capabilities and each call goes down one stack layer, allowing you to easily see how deep the call-tree goes and of course where it goes. It will be represented as a bunch of contiguous chunks of code stacked on top of each other with the executed code highlighted, allowing you to also see the code that was skipped and all of the code’s locational relationship with all the other code.
    2: Show how many times the code was hit (for loops that do not go down call depths).
    3: Allow you to refollow the code from any point to any other point, even backwards. The context structures are logged for every single instruction so you can go anywhere and then restep forward/backwards to see what the registers were. This will update the current Disassembler window as if it was stepping in real-time.
    4: Create multiple “logs” this way and compare them, showing code that was executed here, here, here, and here, but not here. As with searching, there will be many evaluation types to allow finding code various ways by various criteria.
    5: Allow filtering. Showing code with greater than X hitcounts, for example.
    6: Allow exporting to text or SQL or whatever else I can imagine.



    Actual release time for this feature could be 6 or 7 months from now. I have a few things to finish first but I was just planning to get into this soon. This is a feature I really want to have and it was one of the key features I planned for the new rewrite. It will not be a simple side-feature, but one of the main attractions.


    L. Spiro
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #32
    Welcome to the neighborhood!

    Regards,
    JMI

  3. #33
    dELTA (Administrator)
    Quote Originally Posted by L. Spiro (the planned feature list in post #31 above)
    Damn, that sounds so cool! This (group of) feature(s) would really cement the status of MHS as the total king of application stalker tools, and I'm really looking forward to getting my hands on it!

    One question/suggestion:
    When you say "filtering", are you referring to the same kind of filtering as pStalker has (see the following URL for a demo of this exact feature: http://pedram.redhive.com/PaiMei/docs/PAIMEIpstalker_flash_demo/index.html )?

    That would be extremely useful I think, and especially in a tool like the one you describe above, since the foremost problem I immediately foresee with it is execution speed during tracing, which could indeed be vital for some situations. The data you describe above that your program will save is of incredible value, BUT, it will most likely also make the program execute incredibly slowly during this "tracing", won't it? So, if you could just turn the tracing/logging on for just some exact parts of the code, it would be a total killer feature, and even a life saver for some hacks. The way that these kinds of filters can be dynamically defined in pStalker is incredibly efficient (again, please see the flash demo at the link above), so I really suggest you implement it in a way similar to this too (if you don't have an even better idea of how to do it of course, then never mind).

    Until this tool is released, I'm just gonna stand here jumping up and down, please just ignore that, I really can't help it.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  4. #34
    The demo is good for GUI applications but not necessarily games, which are my primary focus with my software. For example, if you wanted to get just mouse-related code it would be virtually impossible to separate just that from all the start-up code, minimization code, maximization code, etc.

    My plan is to simply allow the user to specify a starting address and ending address between which code will be logged. The user may set up a counter (pure hit-count based or tied into scripts) to start the log after some time or some number of hits or whatever, and end after some other criteria as well. This is how the previous version already worked as well.

    Filters will simply eliminate code from being shown to reduce the clutter and scripts will be able to add criteria for eliminating code. Filters may show code that was only executed in one log and not others or whatever else you can imagine.

    As for slowdown, it did get slow in the first version but since you usually only want to log from here to there it isn’t a problem.


    L. Spiro

  5. #35
    dELTA (Administrator)
    Yes, I understand that the feature I'm mentioning won't be good in all situations, and that your ideas will be very good in many situations and should of course be implemented first, please don't get me wrong about that! (btw, isn't Minesweeper a game too?)

    There are situations though (also in "real" full screen games etc) where the "auto filter builder" I'm describing above will be of unbeatable value compared to specifying the addresses yourself, so all I'm asking is for you to consider implementing this as an additional feature, after all your other and original great features are in place.

    And just to clarify things about this filter: It doesn't have anything directly to do with GUI applications, that was just a (good) example, most likely chosen in that Flash demo because GUI/graphics code is often very messy, is often responsible for a large part of a program's execution time, and can often hide the small pieces of really interesting code (game logic code for example) that you are really looking for, in huge amounts of uninteresting information while tracing (and it can of course be very tedious to have to manually find out which is which beforehand in a disassembler, to be able to specify these exact, possibly intertwined, memory ranges before you can start tracing).

    What the filter does is simply letting you first perform any uninteresting operations in the target application that are not the ones you are currently looking for at the moment, so that you are then able to exclusively focus on only the remaining parts when doing your common looking-for-the-needle-in-the-haystack work.

    An example: Let's say you have a complex game like Half Life 2, where you want to find the code responsible for decreasing your energy counter when you get hurt in the game. Using a feature like this filter, you would find it like this:

    1. Set the program in "code coverage mode" (contrary to "code profiling mode", where all executions/hits of any code are recorded, while in "code coverage mode" only the first execution/hit is recorded, after which tracing/logging is disabled for the just executed code block/instructions).
    2. Start the game, run around a bit in it, shoot at things with all your weapons, blow up things with your grenades, perform all the common actions, attract the attention of some enemies, and let them shoot at you (but do NOT let them hit you so you decrease the energy counter!). This will of course also execute most of the common graphics/sound/mouse/keyboard code etc, which is exactly what we want.
    3. Now, after doing this to a satisfying degree, tell the stalker program (MHS) to save all executed/covered code so far as a filter (i.e. memory ranges which should not be traced/logged again as long as the filter is applied). This will first of all make sure that the game runs at full speed as long as you don't perform anything that triggers code that has not already been executed (execution speed won't really be an issue as long as you are already operating in "code coverage mode" rather than "code profiling mode" though, since all code that has been executed once will already be automatically excluded from tracing). Secondly, this will start a new recording session that will be sure to not include any of your previous instructions/code hits that you got while performing all the uninteresting operations in step 1 above.
    4. If you want a more detailed analysis of the energy counter decrease code, you can also now activate the "code profiling mode" instead of the current "code coverage mode".
    5. Now, finally, let an enemy hit you, or harm yourself with your own grenade etc, so that your energy counter decreases.
    6. Stop the tracing/logging.
    7. You will now have a detailed trace (viewable in the wonderful GUI that you describe above) for ONLY the unique not-executed-before code that was executed in connection with you losing energy in the game!

    I guess you can see the extremely efficient code pinpointing and data pinpointing possibilities that this opens up, which would also be incredibly useful for game hacking?

    So again, please don't misunderstand me, what you are describing as the planned feature set is the ultimate binary code profiling tool from a stalker perspective, and that will be invaluable in many situations. What I'm suggesting is just some alternative modes of operation for the same great stalker code, which will also be extremely useful in some other situations too, including games hacking indeed (like described above), and it would feel like such a waste to not implement this when you have already done all the hard work of implementing the excellent tracing/logging engine!

    Either way, I'm really looking forward to your first code tracing features!

  6. #36
    I can see the usefulness of this.

    I can add it to the TODO list, especially since it is quite simple to implement. All it needs to do is start at the entry of the program and breakpoint all functions, then remove each breakpoint as hit.


    L. Spiro
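The "breakpoint every function, drop each breakpoint as it is hit" tracer described in #36 and the seven-step "save covered code as a filter" workflow from #35, as an added Python simulation (this is not MHS code and comes from neither poster). Block addresses and the two execution traces are constructed for the example; the tracer only models the bookkeeping a stalker does, not a real debugger.

```python
from collections import Counter

# Constructed block-start addresses with labels for readability (not from any real binary).
BLOCKS = {
    0x401000: "entry", 0x401040: "main_loop", 0x401080: "render",
    0x4010C0: "input_mouse", 0x401100: "play_sound",
    0x401140: "apply_damage", 0x401180: "update_hud",
}

class CoverageStalker:
    """Breakpoint-based tracer. Every block start is armed with a breakpoint.
    'coverage' mode removes a breakpoint on its first hit (code runs at full speed
    afterwards); 'profiling' mode keeps it and counts every hit."""

    def __init__(self, blocks, mode="coverage"):
        self.blocks = set(blocks)
        self.mode = mode
        self.filtered = set()        # never traced again in any later session
        self.armed = set(blocks)     # breakpoints currently in place
        self.logs = {}               # session name -> Counter of hits per block
        self.current = None

    def new_session(self, name):
        self.current = name
        self.logs[name] = Counter()
        self.armed = self.blocks - self.filtered   # re-arm everything not filtered

    def set_mode(self, mode):
        assert mode in ("coverage", "profiling")
        self.mode = mode

    def execute(self, address):
        """Target reaches a block start. Returns True if a breakpoint trapped."""
        if address not in self.armed:
            return False                          # no breakpoint: native speed
        self.logs[self.current][address] += 1
        if self.mode == "coverage":
            self.armed.discard(address)           # first hit logged; stop trapping
        return True

    def save_filter(self):
        """Step 3: everything hit so far becomes a filter for all later sessions."""
        for log in self.logs.values():
            self.filtered |= set(log)
        self.armed -= self.filtered

    def only_in(self, name, *others):
        """Feature 4 from #31: code executed in this log but in none of the others."""
        seen = set().union(*(set(self.logs[o]) for o in others))
        return sorted(set(self.logs[name]) - seen)

    def hit_more_than(self, name, threshold):
        """Feature 5 from #31: keep only blocks with more than `threshold` hits."""
        return sorted(a for a, n in self.logs[name].items() if n > threshold)

def demo():
    s = CoverageStalker(BLOCKS)                   # step 1: coverage mode
    s.new_session("baseline")                     # step 2: play without taking damage
    for a in [0x401000, 0x401040, 0x401080, 0x4010C0, 0x401100, 0x401040, 0x401080, 0x401180]:
        s.execute(a)
    s.save_filter()                               # step 3: baseline becomes the filter
    s.set_mode("profiling")                       # step 4: count every hit from now on
    s.new_session("took_damage")                  # step 5: now get hit
    for a in [0x401040, 0x401080, 0x401140, 0x401180, 0x401140, 0x401040]:
        s.execute(a)
    return s.only_in("took_damage", "baseline")   # step 7: only never-seen code
```

`demo()` returns only the `apply_damage` block; the main loop, renderer and HUD code were filtered out by the baseline session even though they ran again.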

  7. #37
    dELTA (Administrator)
    Great!

    And that's exactly what I was hoping for, that it would be (in relative terms speaking) easy to implement this feature given all the other things you will be implementing already! Thanks!

  8. #38
    naides
    Just in case anyone is interested:

    I have been playing with AMD CodeAnalyst and can tell you that it works (At least at first glance it works) inside a VMware virtual machine, but the profile of code coverage is substantially different from real machines. I found the most interesting results by running it in two VM clones simultaneously, in order to minimize meaningless differences, then tracking the behavior of an app with or without a license file, or before and after expiration date.

  9. #39
    dELTA (Administrator)
    Cool! Could you elaborate a little more on the "but the profile of code coverage is substantially different from real machines" part? Sounds interesting.

    It would be really cool with a little blog post or possibly even a tutorial that sums up your most interesting experiences during this experiment, if possible!

    I'm also really, now even more, looking forward to these features in MHS, since a specialized software could make these already-in-the-generic-form useful techniques extremely useful and efficient for reversing purposes I think, as discussed above!

  10. #40
    naides
    A few more interesting factoids:

    Trying to figure out how the AMD CodeAnalyst would behave on a VM running under a (host) Intel CPU, I found that, at least superficially, the program does not mind, even when the CPU, as detected from inside the VM, is still read as Intel (Celeron 1700 in this case). VMware does NOT seem to emulate the CPU, as it does with most of the virtual hardware. What is even more curious, I installed the CodeAnalyst directly onto the Intel CPU/host system, and at least with the basic profiling, it works as expected, producing the results you should see as described in the demo tutorial. (??????).
    Some more advanced features may be functional only in AMD machines; they even mention some AMD models. But the basic, raw functionality appears to work for Intel CPUs as well. (At least my crappy Celeron CPU, which is all I have available to test right now).

    Correction:

    Only certain profiling options (Time based profiling, Pipeline based profiling) are available for non-AMD based CPUs. Instruction based profiling and Event based profiling, which are potentially the most valuable for RCE, only work for AMD based real or virtual machines.

  11. #41
    dELTA (Administrator)
    Very good things to know, I was actually wondering those exact things, and was hoping that someone would try/confirm them, thanks naides.

    And yes, it is a known and official fact that the CPU is not emulated in VMware, the real processor just "falls through" to the guest.

  12. #42
    naides
    Quote Originally Posted by naides
    Just in case anyone is interested:

    . . ., but the profile of code coverage is substantially different from real machines.

    Let me explain: Code Analyst takes a system wide profile, including all the active modules open in the system, ring 0 and ring 3. That includes invasive processes and services that show up in all user processes, such as firewall services, antivirus guards, video services, virtual disks, all the bells and whistles you'll have in your main system but are not installed into a bare-bones VM. So the profiles of an app running in the host system look much more complex (more modules, more calls, more time slices, more events) than the profile generated by the same app inside a VM. There seem to exist ways to filter out the events related to your Module/Process alone, but I am only learning the ins and outs of the tool.

    I found the most interesting results by running it in two VM clones simultaneously, in order to minimize meaningless differences, then tracking the behavior of an app with or without a license file, or before and after expiration date.
    Sure, I'll be glad to write a little tutorial when I iron out all the wrinkles of the tool. Just one question, for me to use a simple example: Has anyone seen a time limit crackme? (I don't want to use a commercial app in a tut).

  13. #43
    dELTA (Administrator)
    You mean like a "30 day trial period" crackme? I'll whip one up for you if no one has a ready-made one (which I'm sure exists though), just let me know.

    Looking forward to this tutorial indeed!

  14. #44
    @naides. You can try geeko's Donald Duck at http://crackmes.de/users/geeko/donald_duck/
    The only reason for time is so that everything doesn't happen at once. [A. Einstein]

  15. #45
    I thought I would give an update since some people are waiting for features and I have been dormant for a while.
    I stopped working on MHS in favor of drawing a picture for a while, but I have already gotten back to MHS and am already about 50% through the code profiler discussed above.
    I had to make a design decision which slowed me down for a while but I have finally reached a decision and can proceed.

    However I am seeing a Japanese girl now and do not work on MHS as much as I normally would, but I still make progress and expect it to get done within a few weeks.


    L. Spiro
