1.16. LOOPS
EIP=0x00331026
FLAGS=CF AF SF IF
(0) loops_2.exe!0x401026
EAX=0x00000005 EBX=0x00000000 ECX=0x6f0a5617 EDX=0x000ee188
ESI=0x00000009 EDI=0x00333378 EBP=0x0024fbfc ESP=0x0024fbb8
EIP=0x00331026
FLAGS=CF PF AF SF IF
PID=12884|Process loops_2.exe exited. ExitCode=0 (0x0)
We see how the value ofESIregister changes from 2 to 9.
Even more than that, thetracercan collect register values for all addresses within the function. This is
calledtracethere. Every instruction gets traced, all interesting register values are recorded.
Then, anIDA.idc-script is generated, that adds comments. So, in theIDAwe’ve learned that themain()
function address is0x00401020and we run:
tracer.exe -l:loops_2.exe bpf=loops_2.exe!0x00401020,trace:cc
BPFstands for set breakpoint on function.
As a result, we get theloops_2.exe.idcandloops_2.exe_clear.idcscripts.