
I want to debug a program with the Bochs plugin in IDA Pro. I have IDA Pro 6.4 and Bochs 2.5.1.

With all my executables, when I launch Bochs (in PE mode) I get this execution:

```
bochsys:E0001810 bochsys_R3Entry:
bochsys:E0001810 mov     eax, [esp+8]
bochsys:E0001814 mov     dword_E0002004, eax
bochsys:E0001819 cmp     eax, 1
bochsys:E000181C mov     eax, [esp+4]
bochsys:E0001820 jnz     short loc_E000182C
bochsys:E0001822 push    0
bochsys:E0001824 push    eax
bochsys:E0001825 call    near ptr unk_E0001A50
bochsys:E000182A jmp     short loc_E0001890
bochsys:E000182C ; ---------------
bochsys:E000182C
bochsys:E000182C loc_E000182C:           ; CODE XREF: bochsys:bochsys_R3Entry+10j
bochsys:E000182C mov     dword_E00022D8, eax
bochsys:E0001831 mov     ecx, [eax+3Ch]
bochsys:E0001834 add     ecx, eax
bochsys:E0001836 lea     edx, [ecx+0C0h]
bochsys:E000183C mov     dword_E0003638, ecx
bochsys:E0001842 mov     dword_E00022D4, edx
bochsys:E0001848 mov     ecx, [ecx+28h]
bochsys:E000184B add     ecx, eax
bochsys:E000184D push    1
bochsys:E000184F mov     dword_E0002630, ecx
bochsys:E0001855 mov     dword_E00022E0, 0
bochsys:E000185F mov     dword_E0002634, eax
bochsys:E0001864 call    near ptr unk_E0001770
bochsys:E0001869 push    offset aExitprocess             ; "ExitProcess"
bochsys:E000186E push    offset aKernel32_dll_0          ; "kernel32.dll"
bochsys:E0001873 call    near ptr bochsys_BxGetModuleHandleA
bochsys:E0001878 push    eax
bochsys:E0001879 call    near ptr bochsys_BxGetProcAddress
bochsys:E000187E mov     edx, dword_E0002630
bochsys:E0001884 push    eax
bochsys:E0001885 push    edx
bochsys:E0001886 call    near ptr unk_E0001A50
bochsys:E000188B jmp     short loc_E0001890
```

At E0001820 the program jumps to loc_E000182C. When it executes the call to near ptr unk_E0001A50 it stops with the message:

```
Debugger: process has exited (exit code 0)
Bochs debugger has been terminated.
```

It never gets into my code. I tried with various programs built with Visual C++ 2010.

Peter Cordes
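The offsets bochsys_R3Entry reads from the module base in eax (0x3C, then 0x28 and 0xC0 from the NT headers) are standard PE32 header fields: e_lfanew, AddressOfEntryPoint and the TLS data-directory entry. The following is an added example, not part of the question or of IDA's bochsys loader, that derives the same three values from a constructed minimal PE32 header and also bounds-checks the directory index against NumberOfRvaAndSizes, a check the listing above does not perform; the field names follow the Microsoft PE definitions.

```python
import struct

# Header offsets that bochsys_R3Entry reads in the listing above (PE32 layout)
E_LFANEW = 0x3C                    # IMAGE_DOS_HEADER.e_lfanew       ([eax+3Ch])
NT_OPT_MAGIC = 0x18                # optional header follows the 0x18-byte NT header
NT_ENTRY_POINT = 0x18 + 0x10       # OptionalHeader.AddressOfEntryPoint ([ecx+28h])
NT_NUM_RVA_AND_SIZES = 0x18 + 0x5C # OptionalHeader.NumberOfRvaAndSizes
NT_DATA_DIRECTORY = 0x18 + 0x60    # OptionalHeader.DataDirectory[0]
DIR_TLS = 9                        # DataDirectory[9] sits at 0x78 + 9*8 = 0xC0

def loader_fields(image, image_base):
    """Derive the three values the loader computes from the module base (eax)."""
    if image[:2] != b"MZ":
        raise ValueError("missing DOS header")
    nt = struct.unpack_from("<I", image, E_LFANEW)[0]
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing NT signature")
    if struct.unpack_from("<H", image, nt + NT_OPT_MAGIC)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    entry_rva = struct.unpack_from("<I", image, nt + NT_ENTRY_POINT)[0]
    return {
        "nt_headers": image_base + nt,                  # ecx = [eax+3Ch] + eax
        "tls_dir_entry": image_base + nt + 0xC0,        # edx = ecx + 0C0h
        "entry_point": image_base + entry_rva,          # ecx = [ecx+28h] + eax
    }

def data_directory(image, nt, index):
    """Return (rva, size) of DataDirectory[index], or None if the header has
    fewer entries; the loader in the listing skips this check for index 9."""
    count = struct.unpack_from("<I", image, nt + NT_NUM_RVA_AND_SIZES)[0]
    if index >= count:
        return None
    return struct.unpack_from("<II", image, nt + NT_DATA_DIRECTORY + 8 * index)

def build_sample_image():
    """Constructed minimal PE32 header (not a real binary): just enough of the
    DOS and NT headers for the fields above."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW, 0x80)               # e_lfanew
    nt = 0x80
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<H", img, nt + 4, 0x14C)                # Machine = i386
    struct.pack_into("<H", img, nt + 0x14, 0xE0)              # SizeOfOptionalHeader
    struct.pack_into("<H", img, nt + NT_OPT_MAGIC, 0x10B)     # PE32 magic
    struct.pack_into("<I", img, nt + NT_ENTRY_POINT, 0x1000)  # AddressOfEntryPoint
    struct.pack_into("<I", img, nt + NT_NUM_RVA_AND_SIZES, 16)
    struct.pack_into("<II", img, nt + 0xC0, 0x3000, 0x18)     # TLS directory RVA, size
    return bytes(img)
```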

1 Answer

If you are debugging an MSVCRT-linked binary, you won't even be able to reach the application's main() because of a crash in the msvcrt initialization code. The problem with MSVCRT comes from some code inside the ___tmainCRTStartup() function that tries to initialize the environment variables before calling main().

You need to activate Python as the default interpreter in IDA.

Place this script under ~/.idapro or %APPDATA%\Hex-Rays\IDA Pro:

```python
# idapythonrc.py
import idaapi
idaapi.enable_extlang_python(1)
```

Then, in ida_root\plugins\bochs\startup.py, replace:

```python
def bochs_startup():
  print "[Python] Bochs debugger has been initialized!\n"
  return 0
```

with:

```python
def bochs_startup():
  import idaapi, idautils, idc
  idaapi.msg("[Python] Bochs debugger has been initialized!\n")
  # __initenv is the CRT global that ___tmainCRTStartup() fills in before main()
  ienv = idc.get_name_ea_simple("__initenv")
  ienv_loc = idc.get_wide_dword(ienv)
  auto_bps = []

  # Breakpoint on the entry point; the condition calls bochs_late_startup(),
  # which must be defined elsewhere in this script (its body is not shown here).
  # Breakpoint conditions are evaluated as Python, hence the idapythonrc step above.
  ep = idc.get_name_ea_simple("start")
  idc.add_bpt(ep)
  idc.set_bpt_cond(ep, "bochs_late_startup()")
  auto_bps.append(ep)

  # At every reference to __initenv, make the segment holding the environment
  # block writable (BochsVirtProtect is provided by the Bochs plugin) before
  # the CRT touches it
  for xref in idautils.XrefsTo(ienv, idaapi.XREF_ALL):
    ea = xref.frm
    cond = ("BochsVirtProtect(idc.get_segm_start(0x%x),"
            "idc.get_segm_end(0x%x)-idc.get_segm_start(0x%x),1)"
            % (ienv_loc, ienv_loc, ienv_loc))
    # Do not overwrite a conditional breakpoint the user already placed there
    if idc.get_bpt_attr(ea, idc.BPTATTR_COND) not in [-1, ""]:
      idaapi.msg("[Python] Skipping BP at %08x\n" % ea)
      continue
    idc.add_bpt(ea)
    auto_bps.append(ea)
    idaapi.msg("[Python] Adding bp at %08x with cond %s\n" % (ea, cond))
    idc.set_bpt_cond(ea, cond)
  return 1
```

Source: https://tuts4you.com/download.php?view.3136

evandrix