/usr/share/doc/radare-doc/html/Section20.3.5.html is in radare-doc 1:1.5.2-4.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=US-ASCII">
<title>Tracing facilities</title>
<link rel="previous" href="Section20.3.4.html">
<link rel="ToC" href="contents.html">
<link rel="next" href="Section20.3.6.html">
</head>
<body>
<h1><a name="tracing"></a>20.3.5 Tracing facilities</h1>
<p>
The '!trace' command provides a simple way to get execution traces of opcodes.
</p>
<p>
This command accepts a numeric argument specifying the verbosity level. You can also tune its output using eval variables.
</p>
<pre><code>[0x4A13B8C0]> !trace?
!trace [level]
0 no output
1 show addresses
2 address and disassembly
3 address, disassembly and registers
4 address, disassembly and registers and stack
> eval trace.calls = true ; only trace calls
> eval trace.smart = true ; smart output
> eval trace.bps = true ; do not stop on breakpoints
> eval trace.libs = true ; trace into libraries
> eval trace.bt = true ; to show backtrace
> eval trace.sleep = 1 ; animated stepping (1fps)
> eval cmd.trace = x@eip ; execute a cmd on every traced opcode
</code></pre>
<p>
The nice thing is that cmd.trace lets you extend the tracer with your own commands. For example, you can run !dump whenever the traced opcode is a call; you can then read the program log and perform a 'stepback' with the !restore &lt;id&gt; command, which restores the process memory and registers.
</p>
<p>
Let's make a test:
</p>
<pre><code>[0x4A13C000]> !bp 0x4a13c009
new hw breakpoint 0 at 0x4a13c009
[0x4A13C000]> !trace 3
Trace level: 3
eax 0xbfae23b0 esi 0x00000000 eip 0x4a13c000
ebx 0x00000000 edi 0x00000000 oeax 0xffffffff
ecx 0x00000000 esp 0xbfae23ac eflags 0x200382
edx 0x00000000 ebp 0x00000000 cpazSTIdor0 (STI)
_shstrtab:0x4a13c001 0 eip: 89e5 mov ebp, esp
eax 0xbfae23b0 esi 0x00000000 eip 0x4a13c001
ebx 0x00000000 edi 0x00000000 oeax 0xffffffff
ecx 0x00000000 esp 0xbfae23a8 eflags 0x200382
edx 0x00000000 ebp 0x00000000 cpazSTIdor0 (STI)
_shstrtab:0x4a13c003 8_ eip: 57 push edi
eax 0xbfae23b0 esi 0x00000000 eip 0x4a13c003
ebx 0x00000000 edi 0x00000000 oeax 0xffffffff
ecx 0x00000000 esp 0xbfae23a8 eflags 0x200382
edx 0x00000000 ebp 0xbfae23a8 cpazSTIdor0 (STI)
_shstrtab:0x4a13c004, 8_ eip: 56 push esi
eax 0xbfae23b0 esi 0x00000000 eip 0x4a13c004
ebx 0x00000000 edi 0x00000000 oeax 0xffffffff
ecx 0x00000000 esp 0xbfae23a4 eflags 0x200382
edx 0x00000000 ebp 0xbfae23a8 cpazSTIdor0 (STI)
_shstrtab:0x4a13c005 8_ eip: 53 push ebx
eax 0xbfae23b0 esi 0x00000000 eip 0x4a13c005
ebx 0x00000000 edi 0x00000000 oeax 0xffffffff
ecx 0x00000000 esp 0xbfae23a0 eflags 0x200382
edx 0x00000000 ebp 0xbfae23a8 cpazSTIdor0 (STI)
_shstrtab:0x4a13c006 64_ eip: 83ec40 sub esp, 0x40
eax 0xbfae23b0 esi 0x00000000 eip 0x4a13c006
ebx 0x00000000 edi 0x00000000 oeax 0xffffffff
ecx 0x00000000 esp 0xbfae239c eflags 0x200382
edx 0x00000000 ebp 0xbfae23a8 cpazSTIdor0 (STI)
HW breakpoint hit!
_shstrtab:0x4a13c009 0 eip: e8bd480100 call 0x4a1508cb
eax 0xbfae23b0 esi 0x00000000 eip 0x4a13c009
ebx 0x00000000 edi 0x00000000 oeax 0xffffffff
ecx 0x00000000 esp 0xbfae235c eflags 0x200386
edx 0x00000000 ebp 0xbfae23a8 cPazSTIdor0 (PSTI)
Breakpoint!
7 traced opcodes
[0x4A13C000]> :pd 7
0x4a13c000, 8_ push ebp
0x4a13c001 8 mov ebp, esp
0x4a13c003 16_ push edi
0x4a13c004, 24_ push esi
0x4a13c005 32_ push ebx
0x4a13c006 96_ sub esp, 0x40
0x4a13c009 96 call 0x4a1508cb
</code></pre>
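<p>
An added example, not part of the radare documentation: a Python sketch that parses level 3 trace output in the layout shown above and lists which registers changed between consecutive snapshots. The names parse_trace, register_deltas and SAMPLE are assumptions of this example, and the sample is constructed from the first lines of the trace above.
</p>

```python
import re

# Constructed sample: the first lines of the level 3 trace shown above.
SAMPLE = """\
eax 0xbfae23b0 esi 0x00000000 eip 0x4a13c000
ebx 0x00000000 edi 0x00000000 oeax 0xffffffff
ecx 0x00000000 esp 0xbfae23ac eflags 0x200382
edx 0x00000000 ebp 0x00000000 cpazSTIdor0 (STI)
_shstrtab:0x4a13c001 0 eip: 89e5 mov ebp, esp
eax 0xbfae23b0 esi 0x00000000 eip 0x4a13c001
ebx 0x00000000 edi 0x00000000 oeax 0xffffffff
ecx 0x00000000 esp 0xbfae23a8 eflags 0x200382
edx 0x00000000 ebp 0x00000000 cpazSTIdor0 (STI)
_shstrtab:0x4a13c003 8_ eip: 57 push edi
eax 0xbfae23b0 esi 0x00000000 eip 0x4a13c003
ebx 0x00000000 edi 0x00000000 oeax 0xffffffff
ecx 0x00000000 esp 0xbfae23a8 eflags 0x200382
edx 0x00000000 ebp 0xbfae23a8 cpazSTIdor0 (STI)
"""

# Instruction line: section:0xADDR[,] framesize[_] eip: HEXBYTES disassembly
INSN = re.compile(r"^\S+:(0x[0-9a-f]+),?\s+\d+_?\s+eip:\s+([0-9a-f]+)\s+(.+)$")
# Register cell: a name followed by a hex value (the flag-letter cell is skipped)
REG = re.compile(r"\b([a-z]+) (0x[0-9a-f]+)\b")

def parse_trace(text):
    """Return (initial_regs, steps); each step has addr, bytes, asm, regs."""
    initial, steps = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = INSN.match(line)
        if m:
            steps.append({"addr": int(m.group(1), 16), "bytes": m.group(2),
                          "asm": m.group(3), "regs": {}})
        elif re.match(r"e[abcd]x 0x", line):  # rows start with eax/ebx/ecx/edx
            target = steps[-1]["regs"] if steps else initial
            for name, value in REG.findall(line):
                target[name] = int(value, 16)
    return initial, steps

def register_deltas(initial, steps):
    """List (addr, asm, {reg: (old, new)}) for registers other than eip."""
    out, prev = [], initial
    for s in steps:
        changed = {r: (prev.get(r), v) for r, v in s["regs"].items()
                   if r != "eip" and prev.get(r) != v}
        out.append((s["addr"], s["asm"], changed))
        prev = s["regs"]
    return out
```

<p>
In the trace above, the registers printed under an instruction line carry that line's address in eip, so each delta shows the effect of the instruction executed just before it.
</p>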
<!-- version IDs:
$Id: radare.but 2009-04-25 pancake $
-->
</body>
</html>