SpiderPig and The Childs.

It has been a while since I published the first post about SpiderPig. Currently I think I may have found a really suitable solution for speeding up the process (as far as it can be sped up). I also think I will power off the emulator and exchange it for SpiderPig mini regions; I just need to find a way to describe a specified region's result based on the defined object appearance and intersection, which is a bit messy for the time being.

I've also made some simple screenshots regarding child object creation. Generally it is based on some intersection rules, and it currently supports 8/16/32-bit mode, but without the FPU and MMX stuff; I may think about adding FPU support since many cool media apps use it :) Clickable graphs are out of scope right now.
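To make the "intersection rules" concrete, here is a small added example (my own code, not SpiderPig's) of how a child region can be derived from an 8/16/32-bit access that only partly overlaps a traced region. The shapes used for regions and accesses, and the names intersect, child_from_access and children_of, are assumptions made for this example; the sample accesses are constructed.

```python
"""Region-intersection rules for 8/16/32-bit accesses (added example, not
SpiderPig's code). A child is created only for the bytes of an access that
overlap a traced region; which bytes those are decides where the child starts
and how big it is. Region/access shapes are assumptions for this example."""
from typing import List, Optional, Tuple

WIDTH = {8: 1, 16: 2, 32: 4}   # operand size in bytes; FPU/MMX widths deliberately absent


def intersect(traced_start: int, traced_size: int,
              access_addr: int, access_bits: int) -> Optional[Tuple[int, int]]:
    """Part of the access lying inside the traced region, as
    (byte offset within the access, number of bytes); None if disjoint."""
    width = WIDTH[access_bits]
    lo = max(traced_start, access_addr)
    hi = min(traced_start + traced_size, access_addr + width)
    return None if lo >= hi else (lo - access_addr, hi - lo)


def child_from_access(traced_start: int, traced_size: int, dest_addr: int,
                      access_addr: int, access_bits: int) -> Optional[Tuple[int, int]]:
    """A load of access_bits at access_addr whose value is then stored at
    dest_addr yields a child covering only the overlapping bytes: (start, size)."""
    hit = intersect(traced_start, traced_size, access_addr, access_bits)
    if hit is None:
        return None
    off, n = hit
    return (dest_addr + off, n)


def children_of(traced: Tuple[int, int],
                accesses: List[Tuple[int, int, int]]) -> List[Tuple[int, int]]:
    """traced = (start, size); accesses = [(dest_addr, access_addr, bits), ...].
    Returns the child regions created, skipping accesses that miss the region."""
    out = []
    for dest, addr, bits in accesses:
        child = child_from_access(traced[0], traced[1], dest, addr, bits)
        if child is not None:
            out.append(child)
    return out


# Constructed sample: a 4-byte traced object at 0x402000 and three copies of it.
SAMPLE_ACCESSES = [
    (0x403000, 0x402002, 32),   # dword straddling the end: 2 traced bytes, offset 0
    (0x403010, 0x401fff, 16),   # word straddling the start: 1 traced byte, offset 1
    (0x403020, 0x402004, 8),    # byte just past the region: no child at all
]

if __name__ == "__main__":
    for start, size in children_of((0x402000, 4), SAMPLE_ACCESSES):
        print(f"child at {start:#x}, {size} byte(s)")
```

The straddling cases are the interesting ones: the second access copies only one traced byte, so the child starts one byte into the destination, which is exactly the bookkeeping that gets messy once the accesses stop being nicely aligned.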

I'm starting to develop the new SpiderPig model next week, so maybe I will post something here.

Some child graphs; we start with 0x402000 as protected memory:

# EXAMPLE 1 (screenshot)

# EXAMPLE 2 (screenshot)

# EXAMPLE 3 (MOVSD, screenshot)

# EXAMPLE 4 (aka child array chain, screenshot)
Seems that's all.

Huh that was cool.

Yesterday I had a moment to try a bit old but still uber-cool game called Metal Gear Solid: Snake Eater. If you have ever played the MGS series, I don't have to tell you how fantastic they are. To be honest, the whole series always makes me say "how the hell did they do it?".

But regarding the game itself, I was fighting The End, a boss and member of the Cobra unit, born in the early 1860s. He was instantly sniping me with his Mosin-Nagant rifle, and since I'm a pretty big noob in such games I couldn't find him inside that freakin' forest (he's really well camouflaged).

After getting seriously injured (a few times), I googled for some hints. And at first I couldn't believe it. This boss is really old, even his parrot calls him Grandpa, and the hint uses this fact very directly. In order to get past him (one of the ways) you need to save your game, reset your console, change the system date (one week forward) and reload the save. And guess what, when you reload it The End simply dies of old age. For me that was a really, really incredible game plot, holy cow. I haven't seen such a thing before.

If you are a music fan, you should also check out the "Snake Eater" song, performed by Cynthia Harrell.

And if you haven't played the Metal Gear Solid series so far, go and do so, they are really worth it. Thank you Mr. Hideo Kojima, this rocks.

SpiderPig Memory Tracer

Firstly, let's start with a little SpiderPig introduction:

In the last few days I decided to finish the prototype of my old memory tracer idea, which had stayed in my drawer for some time already. Generally, I was trying to build it for the Immunity Debugger Plugin Challenge, but I had some problems with the debugger itself, since it crashed most of the time while working with SpiderPig. So I've hacked some functions of the debugger itself, and now it's pretty stable, but I guess it's not suitable for the challenge, so I will not submit it.

The main idea of SpiderPig is to trace a specified memory region (or a specified register value), and also to trace all the child regions that were created by referencing previously traced regions. So whenever a previously traced memory region is referenced, or any other memory region based on a previously traced memory region is created, SpiderPig will snort it.

Since I don't want to talk about the tracing technique itself, I will just show you some basic sample output of the trace.

The following code will be traced (it's really dumb, so don't try to think about what it does, but look at the stack and global variables). Of course I'm not tracing every instruction of the code, that would be too easy and too slow...


/* some gibberish */
#include <windows.h>   /* GetTickCount */
#include <string.h>    /* memset */


/* some globals */
int g1 = 0;
int g2 = 0;
int g3 = 0;
int g4 = 0;


/* you can use following procedure in your own software if you want :) */
int sub1(int param1)
{
    g1 = (param1 * 55) + GetTickCount();
    g1 ^= 0x66;
    g1 ^= 33;
    return g1;
}


void yo(int param)
{
    char buff[10];
    g2 = g3 = param;
    sub1(param);
    memset((void*)&buff, 0x0, param);   /* clears param bytes of the 10-byte buffer */
}


int main(void)
{
    int our_param = 5;          // <--- we will be tracing this
    _asm {                      // MSVC inline asm: load the address of our_param,
        lea eax, our_param      // then break so the tracer can pick it up
        int 3                   // just a breakpoint
    };
    if (our_param > 10)
        return 0;

    yo(our_param);

    our_param = 0;
    return 0;
}


#0 Tracing State (our_param = 555 (sample))

The condition (our_param > 10) is met and we end the program execution; this is how SpiderPig reports it (screenshot):

#1 Tracing State (our_param = 5 (sample))

The condition (our_param > 10) is not met and we continue the program execution, so here we have (screenshot):

A clearer graph is also available here.


Graph Legend:
  • blue node - shows the child node (child object)
  • red node - shows the instruction which referenced the object
  • Defined regs - shows the traced registers at the current moment
  • Created at - shows where the object was created
  • Destroyed at - shows where the object was destroyed
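The idea of tracing a region and then every child object derived from it, with the "created at" / "destroyed at" bookkeeping and the referencing instructions from the legend above, can be shown on a tiny simulated instruction trace. The following is an added example written for this post, not SpiderPig's code: it walks a constructed list of x86-style instructions (syntax, the lea-only pointer model and the names Tracer, ChildObj, trace_sample and graph are all assumptions made for the example), starting with 0x402000 as the protected region, and builds the same kind of child graph.

```python
"""Toy child-object tracer in the spirit of SpiderPig (added example, not the
plugin's code). The protected region is the root object; every register or
memory slot that receives data derived from a traced object becomes a child
recording the instruction that created it and the one that destroyed it
(overwrote it with untraced data). Instruction syntax and the lea-only pointer
model are assumptions made to keep the example self-contained."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi")


@dataclass
class ChildObj:
    name: str                       # "reg:ecx" or "mem:0x403000" (blue node)
    parent: str                     # object the data was derived from
    created_at: int                 # index of the creating instruction
    destroyed_at: Optional[int] = None


class Tracer:
    def __init__(self, protected_start: int, protected_size: int):
        self.root = f"mem:{protected_start:#x}"        # the traced region itself
        self.protected = range(protected_start, protected_start + protected_size)
        self.live: Dict[str, ChildObj] = {}   # slot -> child currently holding traced data
        self.history: List[ChildObj] = []     # every child ever created, in order
        self.refs: List[Tuple[int, str]] = [] # (instruction index, object) = red nodes
        self.ptr: Dict[str, int] = {}         # register -> address, set by lea
        self.instrs: List[str] = []

    def _slot(self, operand: str) -> Optional[str]:
        """Name the slot an operand denotes; None for immediates."""
        if operand.startswith("["):
            inner = operand[1:-1]
            addr = self.ptr[inner] if inner in REGS else int(inner, 16)
            return self.root if addr in self.protected else f"mem:{addr:#x}"
        return f"reg:{operand}" if operand in REGS else None

    def _traced(self, operand: str, idx: int) -> Optional[str]:
        """Traced object an operand reads from (None if untraced), recording the reference."""
        if operand.startswith("[") and f"reg:{operand[1:-1]}" in self.live:
            self.refs.append((idx, f"reg:{operand[1:-1]}"))   # pointer child used as base
        slot = self._slot(operand)
        if slot is not None and (slot == self.root or slot in self.live):
            self.refs.append((idx, slot))
            return slot
        return None

    def _create(self, slot: str, parent: str, idx: int) -> None:
        obj = ChildObj(slot, parent, idx)
        self.live[slot] = obj
        self.history.append(obj)

    def _destroy(self, slot: Optional[str], idx: int) -> None:
        obj = self.live.pop(slot, None)
        if obj is not None:
            obj.destroyed_at = idx

    def step(self, idx: int, instr: str) -> None:
        op, dst, src = (s.strip() for s in re.match(r"(\w+)\s+([^,]+),(.+)", instr).groups())
        dst_slot = self._slot(dst)
        if op == "lea":
            self.ptr[dst] = int(src[1:-1], 16)          # concrete pointer model
        if op in ("mov", "lea"):
            parent = self._traced(src, idx)
            if dst_slot == self.root:
                return                                  # the region itself is never a child
            self._destroy(dst_slot, idx)                # old contents are gone either way
            if parent is not None:
                self._create(dst_slot, parent, idx)
        elif op in ("xor", "add", "sub", "and", "or"):
            if op == "xor" and dst == src:              # xor r,r zeroes r: traced data lost
                self._traced(dst, idx)
                self._destroy(dst_slot, idx)
                return
            parent = self._traced(src, idx)
            if self._traced(dst, idx) is None and parent is not None and dst_slot != self.root:
                self._create(dst_slot, parent, idx)

    def run(self, trace: List[str]) -> "Tracer":
        self.instrs = [line.split(";")[0].strip() for line in trace]
        for idx, instr in enumerate(self.instrs):
            self.step(idx, instr)
        return self

    def report(self) -> Dict[str, Tuple[str, int, Optional[int]]]:
        return {o.name: (o.parent, o.created_at, o.destroyed_at) for o in self.history}


# Constructed trace (not real program output); 0x402000 is the protected region.
SAMPLE_TRACE = [
    "lea eax, [0x402000]    ; eax becomes a pointer child of the region",
    "mov ecx, [eax]         ; ecx receives data read from the region",
    "xor ecx, 0x66          ; a reference to the ecx child (red node)",
    "mov [0x403000], ecx    ; a memory child of ecx is created",
    "mov edx, 0x5           ; untraced, never appears in the graph",
    "xor ecx, ecx           ; ecx zeroed: child destroyed here",
    "mov [0x403000], edx    ; overwritten with untraced data: destroyed here",
]


def trace_sample() -> Tracer:
    return Tracer(0x402000, 4).run(SAMPLE_TRACE)


def graph(t: Tracer) -> List[str]:
    """Edges in the legend's terms: blue = child object, red = referencing instruction."""
    lines = [f"[blue] {o.name} <- {o.parent}  created at #{o.created_at}"
             f"  destroyed at {'#%d' % o.destroyed_at if o.destroyed_at is not None else '-'}"
             for o in t.history]
    lines += [f"[red] #{idx} {t.instrs[idx]} -> {name}" for idx, name in t.refs]
    return lines


if __name__ == "__main__":
    print("\n".join(graph(trace_sample())))
```

Running it shows why stack tracing hurts in practice: every register or slot touched by traced data becomes a node, and a single xor ecx,ecx or an untraced store is what closes an object's lifetime, so the graph only stays readable if destroyed objects are pruned and duplicates are merged.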


#Conclusions

If you have ever tried reversing something or some bug-finding routines, sooner or later you get tired of tracing memory variables that flow in all directions. SpiderPig is an idea to make that a faster and less painful task. Of course it's a prototype; there are many things to be done and many things to be changed (because I think I have missed some important points already :)). What I can say is that stack tracing is really painful, so in future versions I will try to avoid it as far as I can; it also currently has some problems with larger applications.

So here's a little TODO list:

TODO:
  • stable tracing driver
  • take care of node duplication
  • miniregions (and yes, they are not standard mini regions)
  • stack tracing avoidance methods (heuristics)
  • multithreading

That's all! *hrum* *hrum*