radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

Magic Breakpoint #18693

Open CorruptedByCPU opened 3 years ago

CorruptedByCPU commented 3 years ago

Magic Breakpoint

Hey! I would really appreciate it if someone could implement a "magic breakpoint" similar to the Bochs internal debugger.

Bochs (config file):

  magic_break: enabled=1

How it should work:

  xchg bx,bx

Radare should stop executing further code and show the actual state of the CPU (registers, memory, assembly).

It might really help us get inside some specific functions at some behavior.


radare commented 3 years ago

Uhm, from what I read a magic breakpoint is just something tied to the emulator internals that handles a nop instruction as a breakpoint, so the app won't contain real breakpoints, but the debugger can take them as is.

I can think of two ways to solve this:

  wa int3 @@/ad xchg ebx, ebx

Debug-step-until-disasm matches the given expression.

  dsui xchg ebx, ebx

gogo2464 commented 3 years ago

e magic_break enabled=1 could be nice. I will check what I can do. I just need time.

trufae commented 3 years ago

You need something more than time to fix this. Let me explain:

* magic breakpoints ONLY work when you have control of the CPU itself. The r2 debugger is a userland debugger, so it's FAR from being able to do this

CorruptedByCPU commented 3 years ago

I'm using Qemu + gdb + r2, so it might work :)

trufae commented 3 years ago

You will need to modify qemu to support magic breakpoints. The qemu JIT works by basic blocks, so you don't have instruction accuracy. It's a BOCHS-specific feature.

CorruptedByCPU commented 3 years ago

Hmm...

but ... let's say I stop the virtual machine and execute a command (shortcut?) in r2 to scavenge all memory from address X up to a size of Y bytes for the corresponding Z instruction and put a software breakpoint there automatically :) is it possible to implement?

example:

  -- Have you ever ordered a pizza using radare2?
  [0x0000fff0]> dba 0x100000 0x2000 "xchg ebx,ebx"
  found magic breakpoint "xchg ebx,ebx" at: 0x101623 (registered)
  [0x0000fff0]> db
  0x00101623 - 0x00101624 1 --x sw break enabled valid cmd="" cond="" name="0x101623" module=""


radare commented 3 years ago

Of course, as I said in my previous response this is the way to go. But then those breakpoints are not magic :D

You can use

  db $$@@/ad xchg ebx,ebx

And you'll get all the breakpoints set.

On 21 May 2021, at 14:54, Andrzej Adamczyk @.***> wrote:
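As an added example (not radare2 code), a Python sketch of the `dba <addr> <size> "<insn>"` scan proposed in the thread: it searches a memory window for the two x86 encodings of the Bochs magic breakpoint (`87 DB` for `xchg ebx,ebx`, `66 87 DB` for `xchg bx,bx`) and prints the `db` commands r2 would need. The dump and its offsets are constructed for the demo.

```python
"""Scan a raw memory window for the Bochs 'magic breakpoint' instruction
and emit radare2 breakpoint commands for each hit.

Added example, not radare2 code. The sample dump below is constructed."""

# x86 encodings of the magic breakpoint: opcode 87 /r with modrm 0xDB
# (mod=11, reg=ebx, rm=ebx). The 0x66 prefix selects the 16-bit form.
MAGIC_ENCODINGS = {
    "xchg ebx,ebx": bytes.fromhex("87db"),
    "xchg bx,bx": bytes.fromhex("6687db"),
}


def find_magic_breakpoints(dump: bytes, base: int, size: int) -> list[tuple[int, str]]:
    """Return (address, mnemonic) for every magic breakpoint in dump[:size].

    Mirrors `dba <base> <size>`: a raw byte search over the window. Longer
    encodings are tried first so `66 87 DB` is reported once as the 16-bit
    form rather than as a stray `87 DB` one byte in. Being byte-exact, the
    scan can still match inside another instruction's operand bytes;
    r2's `/ad` avoids that by matching on the disassembly instead."""
    window = dump[:size]
    by_length = sorted(MAGIC_ENCODINGS.items(), key=lambda kv: -len(kv[1]))
    hits: list[tuple[int, str]] = []
    i = 0
    while i < len(window):
        for name, enc in by_length:
            if window.startswith(enc, i):
                hits.append((base + i, name))
                i += len(enc)
                break
        else:
            i += 1
    return hits


def r2_breakpoint_commands(hits: list[tuple[int, str]]) -> list[str]:
    """Turn hit addresses into the `db <addr>` commands to register them."""
    return [f"db 0x{addr:x}" for addr, _ in hits]


# Constructed sample image: NOP filler with the 32-bit magic breakpoint at
# offset 0x1623 (as in the thread) and the 16-bit variant at 0x1a00.
SAMPLE_BASE = 0x100000
_img = bytearray(b"\x90" * 0x2000)
_img[0x1623:0x1625] = MAGIC_ENCODINGS["xchg ebx,ebx"]
_img[0x1A00:0x1A03] = MAGIC_ENCODINGS["xchg bx,bx"]
SAMPLE_DUMP = bytes(_img)

if __name__ == "__main__":
    found = find_magic_breakpoints(SAMPLE_DUMP, SAMPLE_BASE, 0x2000)
    for addr, name in found:
        print(f'found magic breakpoint "{name}" at: 0x{addr:x} (registered)')
    print("\n".join(r2_breakpoint_commands(found)))
```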