Rolling your own debug symbols

Just released oSpy 1.9.6 (changelog here). This release has a few new features, some of which are not very mature, but due to the recent critical bugfixes that went in I decided to make another release sooner rather than later. (As my time is limited I don’t feel like spending time on branching and doing things by the book. :P)

Anyway, the new release comes with a slightly obscure feature that can be very useful if you know how to use it. A lot of proprietary software is written in C++ and has internal debugging infrastructures that typically log stuff using OutputDebugString, directly to a logfile, or similar. This is obviously in order to ease debugging issues that customers are seeing, and of course also during development. Sometimes these debug messages contain stuff like “SomeClassName::SomeMethodName: shit happened, LastError=%d”. Now what’s interesting about that? It has the class name and method name in it!

This is something you’ll notice fairly often if you use oSpy together with IDA to quickly jump around in the code using the return-addresses of the API calls made by the application. Obviously you don’t want to walk through function by function, find one of these strings, visually parse out the class and method name, write down the function boundaries (and take into account chunked functions where you need to map multiple boundaries), and finally produce a list of boundaries to name mappings. No, you want to use a wonderful piece of software like Gergely Erdélyi’s idapython and write a simple little python script that does it all for you. The output is a simple .osym file that you place in the same directory as your oSpy executable, and then with a trace open you go to ‘Tools’ -> ‘Apply debug symbols’, and voila, you’re done. At that point your trace should look a lot more interesting, like for example:

oSpy’s debug symbols feature, screenshot 1oSpy’s debug symbols feature, screenshot 2

Thanks a lot to Håvard for suggesting this particular feature! 🙂

Happy reverse-engineering!

Advertisements

~ by oleandre on March 7, 2007.

One Response to “Rolling your own debug symbols”

  1. So anybody here?
    Whenever I try to inject oSpy, I get “CreateRemoteThread failed with error code 0”, and then I obviously can’t do anything.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: