Does a tool like this exist?
NE1
August 20th, 2002, 16:06
Hi, I was wondering if there was any tools available (or softice patches, plugins, etc.), where you could specify a starting and ending address, and it would dump a trace of the code in between the 2 address. Kind of like TMG Ripper Studio, except that it would actually run the program and dump only the path that was followed? And in order that it was followed, rather than in order of the address of the code.
NE1
August 20th, 2002, 16:20
Actually to make it simpler. Just a jump table of all the jumps that were taken in the order that they were executed.
DakienDX
August 20th, 2002, 16:55
Hello NE1 !
No, such a tool does not exist.
This topic has been already discussed many times.
You would have found information about it by using the search function.
Try SoftICE or ICEDump if you don't know further. (Read the manual or search on this board to find out how to do it)
If you want to have a tool like this, code your own kernel mode tracer which logs all jumps.
But people who are able to code such a thing won't need it.

Just finding a "good boy"/"bad boy" message isn't so hard.
username
August 20th, 2002, 17:13
Quote:
Originally posted by DakienDX
No, such a tool does not exist.
Yes, such a tool does exist, although apparently not many are aware of it: icedump's tracer engine can be told to log various amount of trace info (or extended to log anything of course). Take a look at its '/option t' command.
NE1
August 20th, 2002, 17:31
I wondered if icedump could do that, but I could not find much info really on how to use it. Most info on it is related to unpacking programs etc, and not tracing. Do you know any good sites with extended info on icedump. Also, I am using DS 2.6 with Win XP, and ANTI-Softice patches. Will this be a problem with using icedump?
DakienDX
August 20th, 2002, 17:40
Hello NE1 !
Yes, ICEDump on WinNT is a problem, because you've no /TRACEX command; to be exact, you can just load and dump memory.
The only other method is switching off the code window and programming a self repeating macro just doing "P;P;P;P;P;P;P;P;...". But you'll soon notice that this isn't the yellow part of the egg.

NE1
August 20th, 2002, 17:54
Ahh, thanks for the info, and I see what you mean about the self repeating macro. I was also checking out Iczelion's tutorials on the Win32 Debug API, to see if I could do it that way. One of the tutorials (#30) basically single steps through a program and counts the number of instructions. I think I might be able to use that as a starting point to make something myself to do it.
Of course I could be getting in over my head here

hehe, but that is part of the fun...
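As an added example (not from the thread, and not code from any tool named in it), here is the post-processing step behind the single-step approach described above: once a Debug-API tracer has logged every executed address, this script combines that run trace with a disassembly listing that carries instruction lengths and produces the ordered list of jumps, calls and returns that were actually taken, plus a verdict for every conditional jump it executed. The listing and trace are constructed sample data; the listing format ("address size instruction") is an assumption of this example.

```python
# Constructed sample data (not from the thread): a disassembly listing as
# "address size instruction" and a run trace of addresses in execution order.
LISTING = """
00401000 5 call 00401020
00401005 2 test al,al
00401007 2 jne 00401010
00401009 5 push 00403000
0040100E 2 jmp 00401015
00401010 5 push 00403010
00401015 1 ret
00401020 5 cmp dword [esp+4],0
00401025 2 je 0040102A
00401027 2 mov al,1
00401029 1 ret
0040102A 2 xor al,al
0040102C 1 ret
"""
RUN_TRACE = """00401000 00401020 00401025 0040102A 0040102C
00401005 00401007 00401009 0040100E 00401015"""

def parse_listing(text):
    """Map address -> (instruction length, lower-case mnemonic)."""
    table = {}
    for line in text.strip().splitlines():
        addr, size, insn = line.split(None, 2)
        table[int(addr, 16)] = (int(size), insn.split()[0].lower())
    return table

def parse_trace(text):
    """Addresses in execution order from a whitespace-separated trace."""
    return [int(tok, 16) for tok in text.split()]

def taken_transfers(trace, listing):
    """Control transfers actually taken, in execution order, as (src, mnemonic, dst).
    A step whose successor is not src+length left the straight line: jmp/jcc/call/ret."""
    out = []
    for src, dst in zip(trace, trace[1:]):
        size, mnem = listing[src]
        if dst != src + size:
            out.append((src, mnem, dst))
    return out

def branch_decisions(trace, listing):
    """For every executed conditional jump, whether it was taken or fell through."""
    out = []
    for src, dst in zip(trace, trace[1:]):
        size, mnem = listing[src]
        if mnem.startswith("j") and mnem != "jmp":
            out.append((src, mnem, "taken" if dst != src + size else "not taken"))
    return out
```

Sorting the trace into a set gives the address-ordered "hit" view; the lists above keep the execution order the original question asked for.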
JMI
August 20th, 2002, 20:01
NE1:
Check out an article by Lord Soth titled "SoftIce's Back Trace buffer and some advanced commands" which appears to discuss methods of tracing program flow similar to what you are looking for. You can find it on the "What's new" page of the companion +Fravia site listed on the bottom of the page.
It has some very useful SoftICE command discussion on commands most people don't bother or know how to use. On the Back Trace Buffer it states:
[QUOTE]
Well folks, we've finally reached the part of the essay which you've all been waiting for. This little section describes the SI back trace buffer and how to use it. Now, I'm sure some of you got some ideas on how this buffer works, but actually, it takes some thinking and planning and some luck to use it appropriately.
We all know the common problem. Sometimes we would like to know what was the program's flow of execution before SI popped (due to a BP or whatever..).
The trace buffer, while able to give us this information, will only help us if we set everything up right. If we don't, the trace buffer will not give us anything at all.
The reason this happens is very simple. SI has a limited sized buffer to use for storing logged instructions, and because of that, it would be pointless to have a backtrace utility without specifying a certain range of locations to monitor. What I'm trying to say basically is that SI can only monitor and log instructions that are in a predefined range of addresses.
If any of the instructions in that range are executed, SI will log them into the backtrace buffer, and allow us to enter trace simulation mode, which in turn allows us to see what was executed.
Once there are instructions in the buffer, we can either display them, trace them and basically do anything we wish with them, while using the trace commands (the special trace simulation commands).
So in order to even start this, we need to learn how to set a range for monitoring. This can be done with the following command:
bpr xxxxxxxx yyyyyyyy T [W]
[END QUOTE]
The article continues and contains a great deal of useful information on using Softice to a greater potential.
Regards.
username
August 20th, 2002, 23:56
Quote:
Originally posted by NE1
I wondered if icedump could do that, but I could not find much info really on how to use it.
w9x/doc/icedump6.txt should have all the info you need.
Quote:
Also, I am using DS 2.6 with Win XP, and ANTI-Softice patches. Will this be a problem with using icedump?
The public version of nticedump does not support tracing, so you'll need some other tool, and since NTICE does not have the backtrace buffer feature either, you're pretty much left with non-kernel based tools. You should try OllyDbg's tracer which is based on the win32 API (and is therefore considerably slower than a kernel mode based tracer), but may still cut it for your purposes.
NE1
August 21st, 2002, 16:53
Again, thanks for the info. As for Icedump, I read the doc in the NT directory, which did not have much info in it. I figured the 9x version was basically the same, but I have since read it, and as was stated it does have the info I was looking for about Icedump. As for the back tracing tutorial, I have read others, but the one mentioned looks like it has the level of detail I am looking for. Even if I can't use these things right now, I still like having the information for future reference, etc.
So, thanks again, to everyone....

dion
August 22nd, 2002, 03:15
Have you tried my LOG3 plugin for TRW, NE1? Maybe it can fulfill what you need.

Aimless
August 22nd, 2002, 12:58
Think above the crowd.
Softice is not the ONLY debugger.
Icedump is not the ONLY cool extension to a software.
All of the following will do what you want, in UNLIMITED quantities (they do so even if the file exceeds GIGs of data, which it will if you TRACE all rather than TRACE OVER all).
Tools:
1. Ollydbg 1.06 and above.
2. Microsoft debugger
3. Turbo Debugger (very small level logging)
Personal choice for such traces on ONLY THE PATH followed?
Ollydbg.
Hands down the best tracer I've ever seen.
Better than Icedump in trace logging.
Have Phun
NE1
August 22nd, 2002, 13:28
Hi dion, no I have not tried that. As a matter of fact, I have never tried TRW. I guess I will have to try that as well.
In any case, I am getting to the point where I am thinking that having this functionality is not going to help anyway. As DakienDX pointed out:
Quote:
Just finding a "good boy"/"bad boy" message isn't so hard.
Which under normal circumstances I agree with. It is just that the protection I am currently trying to reverse seems to have some tricks thrown in. I have tried the old paper and pencil method of tracing the jump tables used in this protection, and seem to be getting different results each time using the same input. I would have to confirm that, as I could just be making a mistake since I have to trace through a lot of calls, but if it is the case, then a trace is not going to help the way I originally thought it might.
As for Aimless's reply.
I have tried Ollydbg, and am aware of its hit trace and run trace capabilities. I just have not figured out how to use that functionality as of yet. I don't know what conditions I have to set to have it do a conditional trace, or even a trace all for that matter, and if I do not enter any conditions, the trace log is empty. It is just a matter of figuring out how to use the program I guess. I do use a lot of tools in addition to Softice. It is just that with Softice, there is most likely a tutorial somewhere that can explain pretty much anything you need to do using Softice. The same cannot be said for other debuggers, thus making the more advanced functionality of those programs a little harder to figure out.
NE1
August 22nd, 2002, 14:10
I figured out how to do the run trace in Ollydbg.
Thanks for all the help....
NE1
August 23rd, 2002, 17:26
Aimless,
Ollydbg worked excellently. Thanks again for the suggestion.