Results 1 to 1 of 1

Thread: [DynamoRIO] Counting every opcode of CoD2MP.exe

  1. #1
    Assadministrator kung foo man's Avatar
    Join Date
    Jun 2012
    Location
    trailerpark
    Posts
    2,010
    Thanks
    2,102
    Thanked 1,083 Times in 753 Posts

    [DynamoRIO] Counting every opcode of CoD2MP.exe

    DynamoRIO was a long time on my radar, but I never really managed to be productive with it. It is a "binary translator", which can be used for all kind of Reverse Engineering purposes.

    Now I downloaded it for Windows and it worked straight away.

    A simple test:

    1) Download DynamoRIO:

    https://github.com/DynamoRIO/dynamorio/wiki/Downloads
    Direct link: https://github.com/DynamoRIO/dynamor...ws-6.1.1-3.zip

    Unzip it to C:\dr

    2) Make a file named dynamorio.bat next to your CoD2MP.exe:

    Code:
    C:\dr\bin32\drrun.exe -c C:\dr\samples\bin32\opcodes.dll -- CoD2MP_s.exe
    3) Filthy part, because it needs admin rights: start cmd.exe as admin, e.g. go into Task Manager -> File -> New Task, enter cmd and mark [X] Run as admin

    Then "cd" into your CoD2 directory and simply enter "dynamorio.bat", it should show something like this:

    Code:
    C:\Windows\system32>cd G:\DATA\GAMES\CoD2 1.3
    
    C:\Windows\system32>g:
    
    G:\DATA\GAMES\CoD2 1.3>dynamorio.bat
    
    G:\DATA\GAMES\CoD2 1.3>C:\dr\bin32\drrun.exe -c C:\dr\samples\bin32\opcodes.dll -- CoD2MP_s.exe
    Client opcodes is running
    
    G:\DATA\GAMES\CoD2 1.3>
    For some reason "rightclick->run as admin" on the .bat doesn't work

    4) Now CoD2MP.exe should start, but it is extremly slow, because every opcode is basically counted. After entering quit in console, this window should appear:

    Click image for larger version. 

Name:	dynamorio.png 
Views:	74 
Size:	94.9 KB 
ID:	1093

    There are quite some examples, which can be used to play around with the opcodes of the instrumentalized process:

    Click image for larger version. 

Name:	dr2.png 
Views:	74 
Size:	45.1 KB 
ID:	1094

    I took a look into opcodes.c, but tbh I have no clue how the opcodes are actually counted. Take a look yourself:

    PHP Code:
    /* ******************************************************************************
     * Copyright (c) 2015 Google, Inc.  All rights reserved.
     * ******************************************************************************/

    /*
     * Redistribution and use in source and binary forms, with or without
     * modification, are permitted provided that the following conditions are met:
     *
     * * Redistributions of source code must retain the above copyright notice,
     *   this list of conditions and the following disclaimer.
     *
     * * Redistributions in binary form must reproduce the above copyright notice,
     *   this list of conditions and the following disclaimer in the documentation
     *   and/or other materials provided with the distribution.
     *
     * * Neither the name of VMware, Inc. nor the names of its contributors may be
     *   used to endorse or promote products derived from this software without
     *   specific prior written permission.
     *
     * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
     * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     * ARE DISCLAIMED. IN NO EVENT SHALL VMWARE, INC. OR CONTRIBUTORS BE LIABLE
     * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
     * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
     * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
     * DAMAGE.
     */

    /* Code Manipulation API Sample:
     * opcodes.c
     *
     * Reports the dynamic count of the total number of instructions executed
     * broken down by opcode.
     */

    #include "dr_api.h"
    #include "drx.h"
    #include <stdlib.h> /* qsort */

    #ifdef WINDOWS
    # define DISPLAY_STRING(msg) dr_messagebox(msg)
    #else
    # define DISPLAY_STRING(msg) dr_printf("%s\n", msg);
    #endif

    #define NULL_TERMINATE(buf) buf[(sizeof(buf)/sizeof(buf[0])) - 1] = '\0'

    /* We keep a separate execution count per opcode.
     *
     * XXX: our counters are racy on ARM.  We use DRX_COUNTER_LOCK to make them atomic
     * (at a perf cost) on x86.
     *
     * XXX: we're using 32-bit counters.  64-bit counters are more challenging: they're
     * harder to make atomic on 32-bit x86, and drx does not yet support them on ARM.
     */
    enum {
    #ifdef X86
        
    ISA_X86_32,
        
    ISA_X86_64,
    #elif defined(ARM)
        
    ISA_ARM_A32,
        
    ISA_ARM_THUMB,
    #endif
        
    NUM_ISA_MODE,
    };
    static 
    uint count[NUM_ISA_MODE][OP_LAST+1];
    #define NUM_COUNT sizeof(count[0])/sizeof(count[0][0])
    /* We only display the top 15 counts.  This sample could be extended to
     * write all the counts to a file.
     *
     * XXX: DynamoRIO uses a separate stack for better transparency. DynamoRIO stack
     * has limited size, so we should keep NUM_COUNT_SHOW small to avoid the message
     * buffer (char msg[NUM_COUNT_SHOW*80]) in event_exit() overflowing the stack.
     * It won't work on Windows either if the output is too large.
     */
    #define NUM_COUNT_SHOW 15

    static void event_exit(void);
    static 
    dr_emit_flags_t event_basic_block(void *drcontextvoid *taginstrlist_t *bb,
                                             
    bool for_tracebool translating);

    DR_EXPORT void
    dr_client_main
    (client_id_t idint argc, const char *argv[])
    {
        
    dr_set_client_name("DynamoRIO Sample Client 'opcodes'",
                           
    "http://dynamorio.org/issues");
        
    /* register events */
        
    dr_register_exit_event(event_exit);
        
    dr_register_bb_event(event_basic_block);

        
    /* make it easy to tell, by looking at log file, which client executed */
        
    dr_log(NULLLOG_ALL1"Client 'opcodes' initializing\n");
    #ifdef SHOW_RESULTS
        /* also give notification to stderr */
        
    if (dr_is_notify_on()) {
    # ifdef WINDOWS
            /* ask for best-effort printing to cmd window.  must be called at init. */
            
    dr_enable_console_printing();
    # endif
            
    dr_fprintf(STDERR"Client opcodes is running\n");
        }
    #endif
    }

    #ifdef SHOW_RESULTS
    /* We use cur_isa to iterate each ISA counters in event_exit, so there will be
     * no race on accessing it in compare_counts.
     */
    static uint cur_isa;
    static 
    int
    compare_counts
    (const void *a_in, const void *b_in)
    {
        const 
    uint a = *(const uint *)a_in;
        const 
    uint b = *(const uint *)b_in;
        if (
    count[cur_isa][a] > count[cur_isa][b])
            return 
    1;
        if (
    count[cur_isa][a] < count[cur_isa][b])
            return -
    1;
        return 
    0;
    }

    static const 
    char *
    get_isa_mode_name(uint isa_mode)
    {
    #ifdef X86
        
    return (isa_mode == ISA_X86_32) ? "32-bit X86" "64-bit AMD64";
    #elif defined(ARM)
        
    return (isa_mode == ISA_ARM_A32) ? "32-bit ARM" "32-bit Thumb";
    #else
        
    return "unknown";
    #endif
    }
    #endif

    static void
    event_exit
    (void)
    {
    #ifdef SHOW_RESULTS
        
    char msg[NUM_COUNT_SHOW*80];
        
    int leni;
        
    size_t sofar 0;
        
    /* First, sort the counts */
        
    uint indices[NUM_COUNT];
        for (
    cur_isa 0cur_isa NUM_ISA_MODEcur_isa++) {
            
    sofar 0;
            for (
    0<= OP_LASTi++)
                
    indices[i] = i;
            
    qsort(indicesNUM_COUNTsizeof(indices[0]), compare_counts);

            if (
    count[cur_isa][indices[OP_LAST]] == 0)
                continue;
            
    len dr_snprintf(msgsizeof(msg)/sizeof(msg[0]),
                              
    "Top %d opcode execution counts in %s mode:\n",
                              
    NUM_COUNT_SHOWget_isa_mode_name(cur_isa));
            
    DR_ASSERT(len 0);
            
    sofar += len;
            for (
    OP_LAST NUM_COUNT_SHOW<= OP_LASTi++) {
                if (
    count[cur_isa][indices[i]] != 0) {
                    
    len dr_snprintf(msg sofarsizeof(msg)/sizeof(msg[0]) - sofar,
                                      
    "  %9lu : %-15s\n"count[cur_isa][indices[i]],
                                      
    decode_opcode_name(indices[i]));
                    
    DR_ASSERT(len 0);
                    
    sofar += len;
                }
            }
            
    NULL_TERMINATE(msg);
            
    DISPLAY_STRING(msg);
        }
    #endif /* SHOW_RESULTS */
    }

    static 
    uint
    get_count_isa_idx
    (void *drcontext)
    {
        switch (
    dr_get_isa_mode(drcontext)) {
    #ifdef X86
        
    case DR_ISA_X86:
            return 
    ISA_X86_32;
        case 
    DR_ISA_AMD64:
            return 
    ISA_X86_64;
    #elif defined(ARM)
        
    case DR_ISA_ARM_A32:
            return 
    ISA_ARM_A32;
            break;
        case 
    DR_ISA_ARM_THUMB:
            return 
    ISA_ARM_THUMB;
    #endif
        
    default:
            
    DR_ASSERT(false); /* NYI */
        
    }
        return 
    0;
    }

    static 
    dr_emit_flags_t
    event_basic_block
    (void *drcontextvoid *taginstrlist_t *bb,
                      
    bool for_tracebool translating)
    {
        
    instr_t *instr;
        
    instr_t *first instrlist_first_app(bb);
        
    uint isa_idx get_count_isa_idx(drcontext);

    #ifdef VERBOSE
        
    dr_printf("in dynamorio_basic_block(tag="PFX")\n"tag);
    # ifdef VERBOSE_VERBOSE
        
    instrlist_disassemble(drcontexttagbbSTDOUT);
    # endif
    #endif

        
    for (instr instrlist_first_app(bb);
             
    instr != NULL;
             
    instr instr_get_next_app(instr)) {
            
    /* We insert all increments sequentially up front so that drx can
             * optimize the spills and restores.
             */
            
    drx_insert_counter_update(drcontextbbfirst,
                                      
    SPILL_SLOT_1IF_ARM_(SPILL_SLOT_2)
                                      &
    count[isa_idx][instr_get_opcode(instr)], 1,
                                      
    /* DRX_COUNTER_LOCK is not yet supported on ARM */
                                      
    IF_X86_ELSE(DRX_COUNTER_LOCK0));
        }

    #if defined(VERBOSE) && defined(VERBOSE_VERBOSE)
        
    dr_printf("Finished instrumenting dynamorio_basic_block(tag="PFX")\n"tag);
        
    instrlist_disassemble(drcontexttagbbSTDOUT);
    #endif
        
    return DR_EMIT_DEFAULT;


    Any ideas how this could be of use?
    timescale 0.01

  2. The Following 4 Users Say Thank You to kung foo man For This Useful Post:

    kubislav23 (18th April 2016),maxdamage99 (17th May 2016),suck000 (18th April 2016),voron00 (18th April 2016)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •