Record all EIP values during program execution?

Time: 2014-08-09 04:34:12

Tags: windbg ollydbg

Is there a way to log all of a program's EIP values during execution? Can I use an OllyDbg plugin for this?

1 answer:

Answer 0: (score: 1)

OllyDbg logs all EIPs executed using the Run Trace feature.

OllyDbg 1.10: Debug -> Trace into (Ctrl+F11), and then View -> Run trace
OllyDbg 2.01: Trace -> Trace into (Ctrl+F11), and then View -> Run trace

WinDbg also has many trace variants, such as step in / step over till address / until return / until branch / until next call, etc. (ta / pa, tr / pr, th / ph, tct / pct, tc / pc, and so on); take your pick.

You can also use the simple trace command t until a specified address, as shown below:

0:000> .printf "executable entry point is %x as denoted by symbol %y\n" , $exentry , @eip
executable entry point is 1012475 as denoted by symbol calc!WinMainCRTStartup (01012475)
0:000> p calc!WinMain 
01012477 68e0150001      push    offset calc!`string'+0x4 (010015e0)
0101247c e847030000      call    calc!_SEH_prolog (010127c8)
01012481 33db            xor     ebx,ebx
01012483 53              push    ebx
01012484 8b3d20100001    mov     edi,dword ptr [calc!_imp__GetModuleHandleA (01001020)]
0101248a ffd7            call    edi
0101248c 6681384d5a      cmp     word ptr [eax],5A4Dh
01012491 751f            jne     calc!WinMainCRTStartup+0x3d (010124b2)
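As an added example (not part of the answer above or of WinDbg itself): a small Python parser for the WinDbg step output format quoted in the answer. It recovers the ordered list of EIP values the question asks for, and uses the opcode byte length to flag the points where execution did not fall through to the next instruction (a taken jump, a call stepped into, a return). Both samples are constructed; the callee's first instruction in the step-into sample is an assumption, not taken from calc.exe.

```python
import re

# Constructed sample: the WinDbg "p" output quoted in the answer above, prompt line
# included so the parser has to skip it ("<eip> <opcode bytes> <mnemonic> <operands>").
SAMPLE_TRACE = """\
0:000> p calc!WinMain
01012477 68e0150001      push    offset calc!`string'+0x4 (010015e0)
0101247c e847030000      call    calc!_SEH_prolog (010127c8)
01012481 33db            xor     ebx,ebx
01012483 53              push    ebx
01012484 8b3d20100001    mov     edi,dword ptr [calc!_imp__GetModuleHandleA (01001020)]
0101248a ffd7            call    edi
0101248c 6681384d5a      cmp     word ptr [eax],5A4Dh
01012491 751f            jne     calc!WinMainCRTStartup+0x3d (010124b2)
"""

# Constructed "t" (step into) sample: the call is followed by its target, not the
# fall-through address; the callee's first instruction is made up for the example.
SAMPLE_STEP_INTO = """\
0101247c e847030000      call    calc!_SEH_prolog (010127c8)
010127c8 55              push    ebp
"""

# One disassembly line: 8 hex digits of EIP, opcode bytes, mnemonic, optional operands.
LINE_RE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]+)\s+(\S+)(?:\s+(.*))?$")

def parse_trace(text):
    """Ordered (eip, length_in_bytes, mnemonic, operands) tuples from WinDbg step/trace
    output; prompt lines and anything else that is not an instruction are skipped."""
    steps = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        eip, opcodes, mnemonic, operands = m.groups()
        steps.append((int(eip, 16), len(opcodes) // 2, mnemonic, operands or ""))
    return steps

def eip_sequence(text):
    """The recorded EIP values in execution order, which is what the question asks for."""
    return [s[0] for s in parse_trace(text)]

def taken_transfers(text):
    """(eip, next_eip) pairs where execution did not fall through to eip + length:
    a taken jump, a call that was stepped into, or a return leaving the function."""
    steps = parse_trace(text)
    return [(eip, nxt[0]) for (eip, n, _, _), nxt in zip(steps, steps[1:])
            if nxt[0] != eip + n]
```

Feed it the text saved with .logopen from a longer t session to get the full EIP log; collections.Counter(eip_sequence(text)) then gives per-address hit counts, which makes loops visible.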