Running PIN in IDA 6.4?

Aimless
Senior Member
Posts: 869
Joined: Thu Sep 13, 2001 3:11 am

Post by Aimless »

Hello,

I am trying to use PIN (from Intel) as the debugger, so that I can get instruction traces.

The first step, of course, is to download the source code for IDADBG.DLL from hex-rays site and compile it. The compilation was done in VS2010 and successful (not even a single warning).

Now then, I disassembled notepad.exe (remember, everything here is 32bit --- I am using WinXP SP3, with IDA 6.4) and changed the debugger to PIN.

[ATTACH]2769[/ATTACH]

Pressing OK, I move forward and select the debugging options to further configure my PIN debugger setup. And here it is.

[ATTACH]2770[/ATTACH]

Perfect, no issues so far. Now I run the program in the debugger and here is the error I get:

[ATTACH]2771[/ATTACH]

AND, a configuration box opens up for the PIN parameters. This is how they are filled.

[ATTACH]2768[/ATTACH]

Unfortunately, after saying OK, I get the same error message as in Step 3. And it loops infinitely.

My questions are:

1. Do you think I am configuring PIN correctly?

2. Are there any additional PARAMETERS that need to be given in the last dialog box?

If anyone has successfully managed to get pin running in IDA, please give me a yell.

On a side note, running pin separately outside IDA, AND also running Dereko's pinlogger, everything is running perfect. But IDA does not seem to want to play.

Any suggestions?

Thank you in advance.

Have Phun
Blame Microsoft, get l337 !!
naides
Posts: 1655
Joined: Sat Jan 12, 2002 12:00 pm
Location: Planet Earth

Post by naides »

Stupid suggestion: try loading a different .exe that loads at the conventional 0x00400000 memory address, instead of high memory 0x10000000, the way notepad does. Somewhere, someone may have assumed the usual 0x00400000 memory arrangement, and is fucking things up.
Aimless
Senior Member
Posts: 869
Joined: Thu Sep 13, 2001 3:11 am

Post by Aimless »

naides wrote:
> Stupid suggestion: try loading a different .exe that loads at the conventional 0x00400000 memory address, instead of high memory 0x10000000, the way notepad does. Somewhere, someone may have assumed the usual 0x00400000 memory arrangement, and is fucking things up.

Thank you. I did. But it didn't work.

Strangely, running PIN (on its own, without IDA) works. Running Dereko's PINTOOL works. ONLY when combined with IDA, it does not seem to work.

And yes, I did try with a simple EXE (built using cl.exe) and running in 4x range. Nope.

Still waiting for something...

Have Phun
Blame Microsoft, get l337 !!
[yAtEs]
Posts: 97
Joined: Wed Feb 06, 2002 9:52 am

Post by [yAtEs] »

For me it works fine, i followed the instructions here https://www.hex-rays.com/products/ida/s ... torial.pdf

i unpacked the pin zip to c:\pin

my pin binary path then becomes: C:\pin\ia32\bin\pin.exe
and my tool path becomes: C:\pin\source\tools\pin\Release

I built the plugin using vc2010 - release/win32
Aimless
Senior Member
Posts: 869
Joined: Thu Sep 13, 2001 3:11 am

Post by Aimless »

[yAtEs] wrote:
> For me it works fine, i followed the instructions here https://www.hex-rays.com/products/ida/s ... torial.pdf
>
> i unpacked the pin zip to c:\pin
>
> my pin binary path then becomes: C:\pin\ia32\bin\pin.exe
> and my tool path becomes: C:\pin\source\tools\pin\Release
>
> I built the plugin using vc2010 - release/win32

Bang on, yates. Bang on.

But still...nada! :(

And it's not just my OS (winXP 7)

I did it on a variety of VMs (xp, vista, 7) but no avail.

the only problem I think is, I just opened the solution in VC2010 and rebuilt the same. Mayhaps I should be specifying win32 somewhere?

Let me try.

Thanks for the heads up, though.

Have Phun

PS: Did you download the Apr 11 or Jan 20 version of pin? I am assuming here you went with vc10.
Blame Microsoft, get l337 !!
[yAtEs]
Posts: 97
Joined: Wed Feb 06, 2002 9:52 am

Post by [yAtEs] »

I downloaded the april 11th vc10

also after copying the pin folder directly from the idaSDK into the \pin\source\tools folder i loaded vc2010 express manually
then did file/open project/solution on IDADBG.sln then at the top changed Debug to Release, i also had to add
C:\pin\source\include\pin and C:\pin\source\include\pin\gen to my include folder in the studio properties for it to build.

I'm going to eventually play around with editing the IDA plugin to enable and disable block tracing on a chosen function
with a block execution counter for function internal profiling.

Perhaps your IDAsdk does not match your IDA version in some minor way
Aimless
Senior Member
Posts: 869
Joined: Thu Sep 13, 2001 3:11 am

Post by Aimless »

[yAtEs] wrote:
> I downloaded the april 11th vc10
>
> also after copying the pin folder directly from the idaSDK into the \pin\source\tools folder i loaded vc2010 express manually
> then did file/open project/solution on IDADBG.sln then at the top changed Debug to Release, i also had to add
> C:\pin\source\include\pin and C:\pin\source\include\pin\gen to my include folder in the studio properties for it to build.
>
> I'm going to eventually play around with editing the IDA plugin to enable and disable block tracing on a chosen function
> with a block execution counter for function internal profiling.
>
> Perhaps your IDAsdk does not match your IDA version in some minor way

Thanks yates. But I did not compile mine from the SDK. Instead, I compiled mine from a separate download from hex-rays (the source, that is).
So, I guess let me try doing it from the SDK then. Thanks for the drive-by. ;)

Have Phun
Blame Microsoft, get l337 !!
Aimless
Senior Member
Posts: 869
Joined: Thu Sep 13, 2001 3:11 am

Post by Aimless »

Right then.

Did the SDK way (yes, the IDA 6.4 release and SDK match -- they're from the same distribution).

Everything compiles ok. Until it comes to the bloody linker. And here is the rush:
1>idadbg.obj : error LNK2019: unresolved external symbol [email protected] referenced in function "bool __cdecl sockets_startup(void)" ([email protected]@YA_NXZ)
1>idadbg.obj : error LNK2019: unresolved external symbol [email protected] referenced in function "bool __cdecl init_socket(void)" ([email protected]@YA_NXZ)
1>idadbg.obj : error LNK2019: unresolved external symbol [email protected] referenced in function "bool __cdecl init_socket(void)" ([email protected]@YA_NXZ)
1>idadbg.obj : error LNK2019: unresolved external symbol [email protected] referenced in function "bool __cdecl init_socket(void)" ([email protected]@YA_NXZ)
1>idadbg.obj : error LNK2019: unresolved external symbol [email protected] referenced in function "bool __cdecl init_socket(void)" ([email protected]@YA_NXZ)
1>idadbg.obj : error LNK2019: unresolved external symbol [email protected] referenced in function "bool __cdecl init_socket(void)" ([email protected]@YA_NXZ)
1>idadbg.obj : error LNK2019: unresolved external symbol [email protected] referenced in function "bool __cdecl init_socket(void)" ([email protected]@YA_NXZ)
1>idadbg.obj : error LNK2019: unresolved external symbol [email protected] referenced in function "int __cdecl pin_recv(unsigned int,void *,unsigned int,char const *)" ([email protected]@[email protected])
1>idadbg.obj : error LNK2019: unresolved external symbol [email protected] referenced in function "int __cdecl pin_send(unsigned int,void const *,unsigned int,char const *)" ([email protected]@[email protected])
1>C:\pin\source\tools\pin\Release\idadbg.dll : fatal error LNK1120: 9 unresolved externals
========== Rebuild All: 0 succeeded, 1 failed, 0 skipped ==========
Now, all the definitions for the external symbols are given in idadbg.h and idadbg_local.h in the /source/tools/pin directory itself, which is also, by the way, added as an include path in the project.

And then, bang, the above errors.

Any kind soul willing to tell me just what it is that Ilfak wants here? :P

Have Phun
Blame Microsoft, get l337 !!
[yAtEs]
Posts: 97
Joined: Wed Feb 06, 2002 9:52 am

Post by [yAtEs] »

did you open the IDADBG.sln file in vc2010 ?
Aimless
Senior Member
Posts: 869
Joined: Thu Sep 13, 2001 3:11 am

Post by Aimless »

[yAtEs] wrote:
> did you open the IDADBG.sln file in vc2010 ?

Yes. In VC2010 Express.

Compiling asks for a lot of .H and .HPP files, but these errors are easily solved using the additional directories.

Then, the Linker starts giving errors saying it cannot find so-and-so lib files. This is also easily corrected with the Additional Dependencies and Additional lib paths in the LINKER and Directories options.

So, it can now find ALL .H and .LIBs. But this is coming around. And yes, I've also included idadbg.h and idadbg_local.h where these external symbols are defined.

On second thoughts, is it possible for you to attach your PIN solution directory? Or even better, attach the released version of IDADBG.DLL that you have managed to compile?

I am using the IDA 6.4 version (before the one with 6.4 service pack).

Thanks

Have Phun
Blame Microsoft, get l337 !!
[yAtEs]
Posts: 97
Joined: Wed Feb 06, 2002 9:52 am

Post by [yAtEs] »

sent you a msg, also it might be worth mentioning that the plugin works by setting up sockets communicating
to pin.exe via network so check AV/Firewalls etc. (for your last compiled version of course, or if mine also doesn't work)
Aimless
Senior Member
Posts: 869
Joined: Thu Sep 13, 2001 3:11 am

Post by Aimless »

[yAtEs] wrote:
> sent you a msg, also it might be worth mentioning that the plugin works by setting up sockets communicating
> to pin.exe via network so check AV/Firewalls etc. (for your last compiled version of course, or if mine also doesn't work)

Solved the errors, not the problem.

You needed to add the ws2_32.lib (winsock32) lib from the Platform SDK. THEN my sample from 6.4 sdk compiled. No errors this time as above.

But still, same problem of my ORIGINAL THREAD STARTER Message. The file can't be loaded, yadda-yadda.

Yes, the firewall is OFF in XP.

I'll try out your release and update the result here.

In the meanwhile, a question --- In my snaps above, if you look at the last one, the one with the window titled "DEBUG APPLICATION SETUP:PIN", is that same for you? I mean, are you using any different ports, or anything additional in the PARAMETERS entry box?

Thanks -- Much appreciated.

Have Phun

UPDATE: Nope, Yates. Your release also gives the exact same error. I'm thinking it's probably something, somewhere in my OS that's breaking this up.

To verify this, I just need a small favor. Forget PIN. Just select the normal win32 debugger and open notepad. Travel to the code where it calls ShellAboutW and select any one code (call ds:ShellAboutW). Breakpoint at START. When the debugger hits, run an INSTRUCTION trace. When notepad opens, go to Help->About. When you hit the breakpoint, just continue. Then Exit notepad. Now, IDA should have yellowed the traced instructions. Go to the location where it says call ds:ShellAboutW. Are the instructions there yellow? Mine are NOT! That means, even though IDA is covering these instructions, they are not appearing in the trace. But if I use Dereko's IDALOG tool, then these instructions are shown as executed (hence using PIN in the first place rather than the default win32 debugger). If, on your system, you can see the yellow tracemarks when it calls ds:ShellAboutW, then I know something is definitely wrong with my system.

Thanks for the assist. REALLY appreciate it. And thanks again for the release.

Have Phun
Blame Microsoft, get l337 !!
[yAtEs]
Posts: 97
Joined: Wed Feb 06, 2002 9:52 am

Post by [yAtEs] »

i have the same port number but for hostname mine is blank and doesn't say localhost, not sure that should make a difference.

I set a bpx on the shellaboutw call and start entry point of notepad, when the first breakpoint hit i enabled instruction tracing with the win32 debugger
and continued, upon the break of shellabout (when clicking help about in notepad) i continued and exited notepad.

The code around shellabout was not yellow! however the code at the entrypoint was, so not sure what's going on there, maybe
some buffer issue or bug, but i don't think that's anything related to Pin not working. Weird that you had to do lots of stuff to make it
compile, i just downloaded vc2010, opened the sln and added 2 paths :) ,, the mystery continues ...

Try load IDA with admin rights, the error msg suggests the plugin cannot access the target file.
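
Two details from the replies above can be checked without IDA in the loop: the plugin reaches pin.exe over a TCP socket, and one working setup has a blank hostname while the failing one says "localhost". The following is an added example, not part of the original posts and not IDA or PIN code; the port value is a placeholder for whatever the PIN setup dialog shows, and the function names are made up for illustration.

```python
import errno
import socket


def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt to host:port.

    'listening'  - something accepted the connection
    'refused'    - host reachable, nothing bound to the port
    'filtered'   - no answer before the timeout (typical firewall/AV drop)
    'unresolved' - the host name could not be resolved
    'error:<E>'  - any other socket error, by errno name
    """
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET,
                                   socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
            return "listening"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "refused"
        except OSError as exc:
            return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


def check_debugger_link(port, hosts=("localhost", "127.0.0.1")):
    """Probe the same port under each host spelling.

    Different results for 'localhost' and '127.0.0.1' point at name
    resolution (hosts file, IPv6 preference) rather than at the listener.
    """
    return {host: probe(host, port) for host in hosts}


if __name__ == "__main__":
    PORT = 12345  # placeholder: use the port from the IDA PIN setup dialog
    for host, state in check_debugger_link(PORT).items():
        print(f"{host}:{PORT} -> {state}")
```

Run it while the debugger session is being started: "refused" means nothing is bound to the port at that moment, while "filtered" points at a firewall or AV product dropping the connection.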
Aimless
Senior Member
Posts: 869
Joined: Thu Sep 13, 2001 3:11 am

Post by Aimless »

[yAtEs] wrote:
> The code around shellabout was not yellow! however the code at the entrypoint was, so not sure what's going on there, maybe
> some buffer issue or bug, but i don't think that's anything related to Pin not working. Weird that you had to do lots of stuff to make it
> compile, i just downloaded vc2010, opened the sln and added 2 paths :) ,, the mystery continues ...
>
> Try load IDA with admin rights, the error msg suggests the plugin cannot access the target file.

Goddamn PIN...such a drama queen! :P

But I digress.

Point 1 --- The reason I wanted to switch to using PIN is because the default win32 debugger does not do a proper path coverage, as evidenced with the lack of yellowing of the areas near the call ds:ShellAboutW in 6.4 (without the service pack, though I am sure that is not one of the problems solved there). If that coverage was working properly, there was no need for me to use PIN in the first place. For me, what it implies is that the next time I do a binary instruction trace, I cannot be sure that IDA 6.4 has done a proper coverage --- if I use the win32 debugger, that is. Not only that, I did it with the 6.1 PRO version also and same thing! The call at call ds:ShellAboutW is not shown anywhere in the trace window (essentially meaning, somewhere the TRACE INSTRUCTION facility in WIN32 debugger, from Version 6.1 onwards, is broken --- Hey Ilfak, if you are lurking on this board, maybe you can do something about it! :P).

Now, if you wait till you hit the call ds:ShellAboutW breakpoint, then SINGLE STEP, the remaining instructions are YELLOWED! This means, that the normal TRACE INSTRUCTION facility "IS" indeed broken. And since version 6.1, I reckon.

So, to counter this, I ran Dereko's PINLOG tool. Now THIS tool actually marks the coverage, including the call to call ds:ShellAboutW and the nearby lines. (Though, it's purple, instead of yellow, but I'm not finicky :) you can change it if you want in the loader.py --- Way to go, Dereko!)

Point 2 --- I took up your suggestion. And I ran pin under IDA running as Administrator. And in the IDA output window, here is the message I get:
Connected to IDA PIN controller!
Network error: Not enough space
Connected to IDA PIN controller!
Network error: Not enough space
Well, poring over PIN documents, trying to see what this error is going to do. And wondering if it's PIN release specific, or IDADBG specific.

Thanks for sticking with me for this long. Mucho appreciated Yates.

Will keep this updated.

Have Phun

EDIT: (First Cut) And...the result is...blank! No ideas what the "Network error: Not enough space" means. Tried searching for this on the internet. Too much noise. Continuing search...

EDIT: Now, this is strange. I am now getting another error (after rebooting my machine and doing everything anew). This happens only once. Then, the error in my original message with screenshot number 4 comes up.

[ATTACH]2773[/ATTACH]

AND, in the IDA output window, this error:
Connected to IDA PIN controller!
Network error: Not enough space
Unfortunately, this error does not seem to go even after running and re-compiling and running again on ALL 12 versions of PIN available on the PIN download site (Yes, I did that!). Goddamn! What a mess!!! :P

Still trying something here and there...

Yates, you with me still? (heh!). I walked in with my head full of hair. I guess I'm going to walk out bald!! :P And the missus says she's not seen me this glued to the computer since I registered for the membership at brazzers.com (NSFW boys!) :P

Thanks again.

Have Phun
Blame Microsoft, get l337 !!
[yAtEs]
Posts: 97
Joined: Wed Feb 06, 2002 9:52 am

Post by [yAtEs] »

lol :) i don't have any further suggestions at this point :P