Kayaker
August 4th, 2001, 03:13
Hi All,
I wrote a new Win9x reversing tool, TraceDis, that I hope might prove useful. It's made to work in conjunction with SoftICE to allow convenient viewing and saving of Backtrace logs. It combines a raw dump from memory of the addresses contained in the Backtrace buffer with a disassembler.
The Backtrace feature of SoftIce, which allows you to log all instructions executed within a specified address range, is a very powerful option that I think isn't used to its full potential because of the difficulty of working with the disassembled trace. Only the *addresses* of the lines logged are stored in the Backtrace buffer, the disassembled output you see with the SHOW or TRACE commands is generated internally by SoftIce.
You can do multiple screendumps of the trace with IceDump, but this isn't a good option for large traces. What TraceDis does is parse the addresses contained in a dump of the Backtrace buffer and disassemble those addresses in the target program while the program is loaded in memory. The results are a readable disassembled output much as you would see in SoftIce.
It works with Self Modifying Code (SMC) as well as packed programs using high memory addresses during unpacking. You can also use it to help manually trace redirected API calls. All dependant on the quality of your Backtrace in the first place of course.
It has a feature which allows you break into SoftIce, either specifically at the Program Entry Point of the target program, or at any time you wish after it is loaded, to access the address space of the program. This is simply an obsolete, never-used API invoked at a couple of places in TraceDis that you can set a breakpoint on.
I think it will be a handy utility to take full advantage of SoftIce's tracing abilities, simply because you can now view and save the traces outside of SoftIce. There's a complete help file giving examples of its usage.
I owe a large vote of thanks to +Tsehp for the major contribution he made by kindly providing a C source dll which converted the opcode instructions to readable assembly instructions. Not only did this save an immense amount of time (I'd still be decoding opcode mnemonics), it ensured the accuracy of the results.
I hope you find it useful once you've figured out wtf it's all about
and I'd appreciate any comments or bug reports to help improve it.
Cheers,
Kayaker
I wrote a new Win9x reversing tool, TraceDis, that I hope might prove useful. It's made to work in conjunction with SoftICE to allow convenient viewing and saving of Backtrace logs. It combines a raw dump from memory of the addresses contained in the Backtrace buffer with a disassembler.
The Backtrace feature of SoftIce, which allows you to log all instructions executed within a specified address range, is a very powerful option that I think isn't used to its full potential because of the difficulty of working with the disassembled trace. Only the *addresses* of the lines logged are stored in the Backtrace buffer, the disassembled output you see with the SHOW or TRACE commands is generated internally by SoftIce.
You can do multiple screendumps of the trace with IceDump, but this isn't a good option for large traces. What TraceDis does is parse the addresses contained in a dump of the Backtrace buffer and disassemble those addresses in the target program while the program is loaded in memory. The results are a readable disassembled output much as you would see in SoftIce.
It works with Self Modifying Code (SMC) as well as packed programs using high memory addresses during unpacking. You can also use it to help manually trace redirected API calls. All dependant on the quality of your Backtrace in the first place of course.
It has a feature which allows you break into SoftIce, either specifically at the Program Entry Point of the target program, or at any time you wish after it is loaded, to access the address space of the program. This is simply an obsolete, never-used API invoked at a couple of places in TraceDis that you can set a breakpoint on.
I think it will be a handy utility to take full advantage of SoftIce's tracing abilities, simply because you can now view and save the traces outside of SoftIce. There's a complete help file giving examples of its usage.
I owe a large vote of thanks to +Tsehp for the major contribution he made by kindly providing a C source dll which converted the opcode instructions to readable assembly instructions. Not only did this save an immense amount of time (I'd still be decoding opcode mnemonics), it ensured the accuracy of the results.
I hope you find it useful once you've figured out wtf it's all about
and I'd appreciate any comments or bug reports to help improve it.Cheers,
Kayaker
