search

radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0
20.73k stars 3.01k forks source link

help~ : the usage of the dts... #22524

Open b1gcat opened 10 months ago

b1gcat commented 10 months ago

I wanna trace some special address by dta/dts:

I create a script to load while debuging:

└─# cat a.py
import r2pipe
import sys
import json
import re

r2=r2pipe.open()
r2.cmd('aaa')
r2.cmd('e asm.trace=true; e dbg.trace=true')
r2.cmd('dts+')
blocks=[]
bl = r2.cmdj('afbj @ entry0')
for k,b in enumerate(bl):
    blocks.append([k, b['addr'], b['size']])
    r2.cmd('dta '+ hex(b['addr']))

and then load script:

┌──(root㉿c8bd5ecd7a9d)-[/tmp]
└─# r2 -d ob.bin
 -- I nodejs so hard my exams. What a nodejs!
[0x004013d2]> . ./a.py

and then run dcs , I hope to trace something, but nothing:

[0x004013d2]> dcs
INFO: Running child until next syscall
INFO: --> SN 0x00401d44 syscall 0 read (0x0 0x7fffffffe518 0x8)

[0x00401d44]> dt
[0x00401d44]>

Maybe I have some misunderstanding about trace, can someone help?

thanks.

ps: ob.bin.zip

└─# r2 -v
radare2 5.8.8 31324 @ linux-x86-64
birth: git.5.8.8 2023-11-01__10:26:37
commit: ea7f0356519884715cf1d5fba16042bac72b2df5
options: gpl -O? cs:5 cl:2 make
trufae commented 10 months ago

iirc dts command was introduced by a gsoc student many years ago and it was a bit broken at the time, i found some more bugs and fixed them right now, but the main problem is that dts is probably not the thing you are looking for. because this command is used to trace reg and mem access in order to perform backstepping. and my guess is that you want to just traces when the program hits a specific address, right?

you shuold be able to do that using a tracepoint, aka a breakpoint with the tracebit set.

| dbite <idx>               enable breakpoint Trace by index
| dbitd <idx>               disable breakpoint Trace by index

its also been a while since this was used and the debugger tests has been enabled few weeks ago, so i expect to focus on the debugger this year and get all those issues addressed, but i cant promise you all these commands would work as expected because they have been touched by many people and hasnt been tested at all.

My suggestion is to use r2frida, which i use more frequently and it's heavily tested on many more platforms, r2frida provides breakpoints and tracepoints. The support for syscall tracing is not yet there, but i also hope to find some time this year to implement it.

Let me know how your testing goes and feel free to report anything you find in these commands.

Thank you

b1gcat commented 10 months ago

thank you, I got it