Topic created on: December 31, 2008 10:22 CST by mycuti.
Hi,
I'm using IDA Pro 5.2. When using IDC function GetRegValue("EAX"), I got a runtime error: "Variable 'EAX' is undefined".
"EAX" is the parameter, not a variable. Why did IDA Pro complain about that?
Thanks,
is the debugger running? if so, "Message("%x\n",GetRegValue("eax"));" should work.
|
Yes, the debugger was running. I found out one thing, if I do like this:
"StepOver" followed by GetDebuggerEvent(WFNE_SUSP,-1) then GetRegValue works.
If I do like this:
    EnableTracing(TRACE_INSN, 1);
    for ( code = GetDebuggerEvent(WFNE_ANY|WFNE_CONT, -1);
          code > 0;
          code = GetDebuggerEvent(WFNE_ANY, -1) )
    {
        Message("EAX = 0x%x\n", GetRegValue("EAX"));
    }
    EnableTracing(TRACE_INSN, 0);
it won't work. Why is that? Does the tracing stop it from working?
|
sorry, I was a bit sleepy tonight and my previous answer is not correct. I meant that EnableTracing() does not trace the program step-by-step like StepInto().
EnableTracing() stores trace events in a circular buffer and does not suspend the process. thus, GetRegValue() does not work. to obtain registers you should suspend the process, but it's impossible. I mean it's possible, but it takes time and IDA is tracing the process, so you're going to miss some info.
|
Thanks nezumi. That explained why.
|
mycuti:
you're welcome! btw, EnableTracing() does not lose data. I wrote a simple tracer, it works, but... too slooow (it follows below), so use StepInto() and have no problem!
btw, I see you use Ilfak's script. it's incorrect and freezes IDA-Pro under certain conditions, so you can't stop the script with CTRL-Break and have to terminate the IDA process (see "IDA-Pro EnableTracing() - how not to do").
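    EnableTracing(TRACE_STEP, 1);
    // resume the process and wait for the first debugger event
    if (GetDebuggerEvent(WFNE_ANY | WFNE_CONT, -1) < 1) return -1;
    while (1)
    {
        r_eip = GetEventEa();                   // address reported by the trace event
        PauseProcess();                         // suspend so the registers can be read
        if (GetDebuggerEvent(WFNE_SUSP, -1) < 1) return -1;
        Message("GetEventEa: %08Xh, EIP: %08Xh, EAX:%08Xh\n", r_eip, eip, eax);
        GetDebuggerEvent(WFNE_NOWAIT | WFNE_CONT, -1);   // resume without waiting
    }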
plz, notice, I don't use GetRegValue, just register names. it answers your question, why IDA tells you that EAX is a variable. yes! it's a variable! IDA recognizes register names, which makes your life easier :)
the output looks like this:
GetEventEa: 00409B51h, EIP: 00409B56h, EAX:00000000h
GetEventEa: 00409B56h, EIP: 00409B5Ch, EAX:00000000h
GetEventEa: 00409B5Ch, EIP: 00409B5Dh, EAX:00000000h
plz, notice that GetEventEa() and GetRegValue("EIP") are different due to the nature of tracing.
|
my previous script was not correct, sorry about it. the problem is - IDA-Pro sets internal breakpoints after calls. GetBptAttr() hides them, GetDebuggerEvent() does not and returns a lot of 10h (BREAKPOINT) events.
if tracing is enabled and IDA-Pro meets a real breakpoint, GetDebuggerEvent(WFNE_ANY, -1) will never return. IDA-Pro freezes. the only solution I found is to specify the max waiting time and check for the real breakpoint.
how are we going to do it? well, it's easy. if GetDebuggerEvent() returned DBG_TIMEOUT just call GetBptAttr(GetEventEa(), BPTATTR_EA). if it's equal to GetEventEa() - it means the real breakpoint is present.
well, consider this:
    code = GetDebuggerEvent(WFNE_ANY, MAX_WAIT);
    r_eip = GetEventEa();
    if (code == BREAKPOINT)
        if (GetBptAttr(r_eip, BPTATTR_EA) == -1) ... // internal bp, ignore it
    if (code == DBG_TIMEOUT) // exit due to timeout
        if (GetBptAttr(r_eip, BPTATTR_EA) == r_eip) ... // real bp
more info - http://nezumi-lab.org/blog/?p=37
|
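The timeout check from the last post, filled out into a complete IDC tracing loop as an added example (not code posted in this thread). The value of MAX_WAIT, the MAX_TIMEOUTS limit and the is_real_bpt() helper are assumptions; the debugger must already be running when the script starts.

```idc
#include <idc.idc>

// Assumed values: the thread does not say what MAX_WAIT is or how long to keep retrying.
#define MAX_WAIT      1     // seconds passed to GetDebuggerEvent()
#define MAX_TIMEOUTS  10    // consecutive timeouts tolerated before giving up

// Hypothetical helper: 1 if a user-defined breakpoint exists at ea.
// Per the thread, GetBptAttr() hides IDA's internal breakpoints and returns -1 for them.
static is_real_bpt(ea)
{
    return GetBptAttr(ea, BPTATTR_EA) == ea;
}

static main()
{
    auto code, ea, timeouts;

    timeouts = 0;
    EnableTracing(TRACE_STEP, 1);
    code = GetDebuggerEvent(WFNE_ANY | WFNE_CONT, MAX_WAIT);
    while (code >= 0)                       // DBG_ERROR and NOTASK are negative
    {
        ea = GetEventEa();
        if (code == PROCESS_EXIT)
            break;
        if (code == DBG_TIMEOUT || code == BREAKPOINT)
        {
            if (is_real_bpt(ea))            // real breakpoint: stop instead of waiting forever
            {
                Message("real breakpoint at %08Xh, stopping the trace\n", ea);
                break;
            }
            if (code == DBG_TIMEOUT)
                timeouts = timeouts + 1;    // nothing happened within MAX_WAIT seconds
            else
                timeouts = 0;               // internal breakpoint after a call, ignore it
            if (timeouts >= MAX_TIMEOUTS)
                break;
        }
        else
        {
            timeouts = 0;
            Message("event %Xh at %08Xh\n", code, ea);
        }
        code = GetDebuggerEvent(WFNE_ANY, MAX_WAIT);
    }
    EnableTracing(TRACE_STEP, 0);
}
```

Because every wait is bounded by MAX_WAIT, the script returns control to IDA instead of blocking inside GetDebuggerEvent() when a real breakpoint is hit while tracing is enabled.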