0

我想在 IDA Pro 中使用插件 Bochs 调试程序。我有 IDA Pro 6.4 和 Bochs 2.5.1。

对于我所有的可执行文件,当我启动 Bochs(使用 PE 模式)时,我会执行以下操作:

bochsys:E0001810 bochsys_R3Entry:
bochsys:E0001810 mov     eax, [esp+8]
bochsys:E0001814 mov     dword_E0002004, eax
bochsys:E0001819 cmp     eax, 1
bochsys:E000181C mov     eax, [esp+4]
bochsys:E0001820 jnz     short **loc_E000182C**
bochsys:E0001822 push    0
bochsys:E0001824 push    eax
bochsys:E0001825 call    near ptr unk_E0001A50
bochsys:E000182A jmp     short loc_E0001890
bochsys:E000182C ; ---------------
bochsys:E000182C
bochsys:E000182C **loc_E000182C:**           ; CODE XREF: bochsys:bochsys_R3Entry+10j
bochsys:E000182C mov     dword_E00022D8, eax
bochsys:E0001831 mov     ecx, [eax+3Ch]
bochsys:E0001834 add     ecx, eax
bochsys:E0001836 lea     edx, [ecx+0C0h]
bochsys:E000183C mov     dword_E0003638, ecx
bochsys:E0001842 mov     dword_E00022D4, edx
bochsys:E0001848 mov     ecx, [ecx+28h]
bochsys:E000184B add     ecx, eax
bochsys:E000184D push    1
bochsys:E000184F mov     dword_E0002630, ecx
bochsys:E0001855 mov     dword_E00022E0, 0
bochsys:E000185F mov     dword_E0002634, eax
bochsys:E0001864 call    near ptr unk_E0001770
bochsys:E0001869 push    offset aExitprocess             ; "ExitProcess"
bochsys:E000186E push    offset aKernel32_dll_0          ; "kernel32.dll"
bochsys:E0001873 call    near ptr bochsys_BxGetModuleHandleA
bochsys:E0001878 push    eax
bochsys:E0001879 call    near ptr bochsys_BxGetProcAddress
bochsys:E000187E mov     edx, dword_E0002630
bochsys:E0001884 push    eax
bochsys:E0001885 push    edx
bochsys:E0001886 call    **near ptr unk_E0001A50**
bochsys:E000188B jmp     short loc_E0001890

在 E0001820 中,程序跳转到函数 loc_E000182C。当程序在 ptr unk_E0001A50 附近执行时,它会停止并显示以下消息:

Debugger: process has exited (exit code 0)
Bochs debugger has been terminated.

它永远不会出现在我的代码中。我尝试了使用 Visual C++ 2010 制作的各种程序。

4

1 回答 1

1

如果您正在调试 MSVCRT 链接的二进制文件,您甚至无法访问应用程序,main()因为 msvcrt 初始化代码中的崩溃。MSVCRT 的问题在于___tmainCRTStartup()函数内部的一些代码尝试在调用 main() 之前初始化环境变量:

您需要在 IDA 中激活 Python 作为默认解释器

将此脚本放在 ~/.idapro 或 %APPDATA%\Hex-Rays\IDA Pro 下

# idapythonrc.py
import idaapi
idaapi.enable_extlang_python(1)

然后在 ida_root\plugins\bochs\startup.py

代替:

def bochs_startup():
  print "[Python] Bochs debugger has been initialized!\n"
  return 0


def bochs_startup():
  import idautils
  msg("[Python] Bochs debugger has been initialized!\n")
  ienv = idc.get_name_ea_simple("__initenv")
  ienv_loc = idc.get_wide_dword(ienv)
  auto_bps = []

  ep = idc.get_name_ea_simple("start")
  idc.add_bpt(ep)
  idc.set_bpt_cond(ep,"bochs_late_startup()")
  auto_bps.append(ep)

  for xref in idautils.XrefsTo(ienv,idaapi.XREF_ALL):
    write_p = {xref.frm:("BochsVirtProtect(SegStart(0x%x),SegEnd(0x%x)-SegStart(0x%x),1)" %(ienv_loc,ienv_loc,ienv_loc))}
    for ea in write_p.keys():
      if idc.get_bpt_attr(ea,BPTATTR_COND) not in [-1,""]:
        msg("[Python] Skipping BP at %08x\n" %ea)
        continue
      idc.add_bpt(ea)
      auto_bps.append(ea)
      cond = write_p[ea]
      msg("[Python] Adding bp at %08x with cond %s\n" %(ea,cond))
      idc.set_bpt_cond(ea,cond)
  return 1

@ https://tuts4you.com/download.php?view.3136

于 2014-03-20T09:41:35.927 回答