Hi all,

So I got a program that I don't have source code for and want to find a function in it. I know this function is executed when I perform a specific action. What I plan to do is the following: perform this action for example 20 times, and see witch functions are executed exactly 20 times. I also know this function is located in a specific range of addresses. Simple as that. I use IDA for such things, but it don't have this option for tracking function calls and logging how many times it was called.
So can you guys tell me such program/debugger I can use, or functions in c++ I can use so I can log all function calls.

Thanks in advance.

That's not an easy thing to do.

Do you have any other information what this function supposedly does? Does it show a message box? Does it print something? Does it write a file? etc.

Hi,

If it was doing this things it would be easy to find that function. The function is in a dll (witch I know at what address is located). It handles a packet and responses to it. This packet has a random crypted and hard to trace opcodes. The opcodes are not 0x00,0x01,0x02... they are random. So I know 2 of this opcodes and don't know where it checks the opcode either. If I found where, I would know the other opcodes and the opcode I need ;) . So I wanna send first opcode 20 times and see in witch 20 functions its handled, after that I will send other opcode 20 times and see again witch functions are accessed exactly 20 times. By comparing these functions I will see witch functions are different, and the first function that differs between the 2 opcodes, should be the one that checks the opcodes. So when I find in witch function it is checked, I will find the check and find the other opcodes and there functions.
Ofc there are other ways to find what I am looking, but after I write a code that finds this for me, such things will be a lot easy to find and save time.

Your method makes little sense to me...

By comparing these functions I will see witch functions are different, and the first function that differs between the 2 opcodes,

Why would different functions be called if you send different 'opcodes'? They will both fail the same verification function(from your story, I guess that is what you're looking for).

It handles a packet and responses to it.

This is doing 'something', the data has to come from somewhere.

So why don't you break ok recv/recvfrom, then you are probably already close to your function. Next you put an 'access' breakpoint on the buffer that was passed to recv/recvfrom, so the next time the program reads/writes to this buffer (your opcodes) it breaks again.

Apologies if I completely misunderstand your problem

Edited 5 Years Ago by thelamb: n/a

No, the 2 opcodes that I know, are valid, so they will be executed in different functions and will pass the verification function. And after the recv it is a long way until checking the opcodes so that will work but would take too much time. Its easier to write such program and it every time I look for a function and I know what it is doing, I will find it easy.

Well, as you can imagine... if it were that easy it would've been built into IDA.

I do know of a 'run trace' in OllyDbg, if you use the latest version it is even quite fast (in 1.0 it's dead slow, especially if you 'trace into').
It can be a pain to analyze the trace log though.
Maybe it's also in IDA, but the debugger isn't very mature so I doubt the run trace would be better than in Olly.

Other than that... the only way I can think of is running the program in some virtualized environment which emulates all instructions and thus can log all calls, but I don't know if this is easily available anywhere.

I tried that run trace in OllyDbg and it logs absolutely everything and it is logging around 800 events per second. I need something that logs only the function calls, because I'm sure the game executes more than 800 events per second but its only able to log 800 and so only a little part of the called functions, were logged.

Did you do a trace over or a trace into?
trace into should log everything.

To only log function calls you probably have to write a plugin for OllyDbg, I don't know of any existing way.

This article has been dead for over six months. Start a new discussion instead.