====== Differences ======
This shows you the differences between two versions of the page.
ida_pro_tracing [2013/05/21 08:52] xvilka [Preparations]
ida_pro_tracing [2013/05/21 20:39] (current) xvilka
Line 2: | Line 2: | ||
1. IDA Pro 6.0 and above | 1. IDA Pro 6.0 and above | ||
- | 2. installed qemu-0.14 and above | + | |
+ | 2. installed qemu-1.4.0 and above | ||
==== Preparations ==== | ==== Preparations ==== | ||
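Review bot: the minimum version bump from qemu-0.14 to qemu-1.4.0 in item 2 is consistent with the Preparations hunk further down, which changes the launch command from a bare `qemu` to `qemu-system-i386`, the per-target binary name that current releases install; a short clause here saying that the newer version is needed for that binary name (and for the `bios.bin` file name used below) would tell readers on older distributions why the requirement moved.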
Line 10: | Line 11: | ||
2 Run relocate script | 2 Run relocate script | ||
- | 3. Place bios.rom, vgacirrus-bios.bin (from qemu site), bios_name.idb, linux.img in the current folder | + | 3. Place bios.bin, vgacirrus-bios.bin (from qemu site), bios_name.idb, linux.img in the current folder |
- | 4. Start qemu in debugging mode "qemu -s -S -L . -m 256 -hda linux.img | + | 4. Start qemu in debugging mode "qemu-system-i386 -s -S -L . -m 256 -hda linux.img |
-localtime -M pc -nographic" | -localtime -M pc -nographic" | ||
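Review bot: the double quote opened in item 4 only closes after a line break, so the command reads as two lines and will be copied that way; put the whole invocation on one line (or in a code block). Since `-s` is shorthand for `-gdb tcp::1234`, the GDB stub listens on every interface of the host; on a shared machine use an explicit `-gdb tcp:127.0.0.1:1234` and point the debugger at that address. Minor: item 2 ("2 Run relocate script") is missing the period the other items use.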
Line 33: | Line 34: | ||
Then open debugger options dialog | Then open debugger options dialog | ||
{{1.png}} | {{1.png}} | ||
- | |||
Check “Stop on debugging start” , enable logging of all events. check “Reconstruct the stack”, “Show debugger breakpoint instructions” | Check “Stop on debugging start” , enable logging of all events. check “Reconstruct the stack”, “Show debugger breakpoint instructions” | ||
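Review bot: dropping the blank line is fine, but the sentence that follows still has a space before the comma in “Stop on debugging start” , and the second sentence starts with a lowercase "check"; tidy both while this block is being edited.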
Line 57: | Line 57: | ||
{{6.png}} | {{6.png}} | ||
- | Usually i’m using database notepad for saving some PCI, PNP, IOports information about your BIOS platform (for example outputs of lscpi, dmesg, lsusb, dmidecode, etc...) | + | Usually i’m using database notepad for saving some PCI, PNP, IOports information about your BIOS platform (for example outputs of lscpi, dmesg, lsusb, dmidecode, etc...): |
{{7.png}} | {{7.png}} | ||
- | some examples: | ||
- | recognize pci_writes: | + | ==== Examples ==== |
+ | |||
+ | 1 Recognize pci_writes: | ||
We already find WritePCI functions | We already find WritePCI functions | ||
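Review bot: `lscpi` in the database-notepad sentence should be `lspci`, and it survives into the new version unchanged; also "i’m" should be "I’m". The new `==== Examples ====` heading is an improvement, but its first item is numbered `1 Recognize pci_writes:` without a period while the Preparations list uses `1.`; use the same numbering style. "We already find WritePCI functions" should read "We have already found the WritePCI functions".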
Line 70: | Line 70: | ||
so, let this piece of code run: | so, let this piece of code run: | ||
{{9.png}} | {{9.png}} | ||
+ | then go to the trace window and find value of eax in the out 0xCF8, eax line: | ||
+ | {{10.png}} | ||
+ | as we can see eax=0x80003B60. It is 00:07.3 device register BAR2 | ||
+ | Also. for example we want to know, all calls of WritePCI_SL function, and values which it write somewhere. This is very simple - just add breakpoint to this function: | ||
+ | {{11.png}} | ||
+ | all calls we can see in the function calls window: | ||
+ | {{12.png}} | ||
+ | As we can see, we need add meaningfull comments in the line, where we can see “jmp WritePCI_SL” , so we can see these comments in each line in the function calls window |
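Review bot: the decoded value in the new text, eax=0x80003B60 written to port 0xCF8, is labelled "00:07.3 device register BAR2", but the CONFIG_ADDRESS layout is bit 31 = enable, bits 23:16 = bus, bits 15:11 = device, bits 10:8 = function, bits 7:2 = register offset, which gives bus 0, device 7, function 3 and register offset 0x60; BAR2 of a type 0 header sits at offset 0x18, so either the offset or the register name needs correcting. In the last line, "meaningfull" should be "meaningful" and "we need add" should be "we need to add".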