
[Feature Request] Ultimap-like tool with limited software breakpoints #358

Closed
korcankaraokcu opened this issue Jun 14, 2018 · 5 comments

Comments

@korcankaraokcu

I occasionally run into situations where I get trace data with very long functions, each of which I need to inspect. For instance, I'm currently trying to get the loot function in Torchlight 2. I've got trace data of the function that gets called when an enemy dies. So logically, the loot function should reside in that death-managing function, since enemies drop loot. But that function is way too long and has many checks about the monster that got killed. So, I thought of a tool that does this:

It sets breakpoints on every call in a level of trace data. The tool will make use of the hit counts of the breakpoints set to filter out the results, like Ultimap does. It'll also have options like "delete breakpoints that have been executed X times" to reduce the workload. Only one level of the tracer would store around 200 functions at most anyway. Btw, this way you could also read calls like "call eax" thanks to the register data the tracer provides; I guess dissect code misses this kind of feature.

This tool could also help people who don't have an Intel processor or have an outdated Intel processor. What do you think about this feature?

@cheat-engine
Owner

Sounds interesting. I'll look into it.

@korcankaraokcu
Author

https://www.youtube.com/watch?v=P0UXR861WYM
This tool is quite close to my description; just wanted to share.

@JasonGoemaat
Contributor

JasonGoemaat commented Jul 6, 2018

I thought about making something very like this, just haven't had the time. I was thinking you select a region of code in the disassembler view and it could automatically write an injection that would duplicate each line with an 'inc' instruction to see how many times each line was executed, along with storing some registers possibly.

I think it should be pretty reliable to change something like this:

```
prison architect64.exe+2B8DD2 - lea rcx,[rbx+000000F8]
prison architect64.exe+2B8DD9 - mov rdx,r14
prison architect64.exe+2B8DDC - call "prison architect64.exe"+3EE940
prison architect64.exe+2B8DE1 - lea rcx,[rbx+00000108]
```

Into something like this:

```asm
  jmp injection
  nop
  nop

injection:
line1:
  // save source registers before instruction, like mov eax,[eax]
  mov [register2],rbx
  pushfq                        // inc changes flags; keep the original flags intact
  inc dword ptr [lineCounts]
  popfq
  lea rcx,[rbx+000000F8]        // original line 1
  // save destination register after instruction, or rax if it was a 'call'
  mov [register1],rcx

line2:
  mov [register2+8],r14
  pushfq
  inc dword ptr [lineCounts+4]
  popfq
  mov rdx,r14                   // original line 2
  mov [register1+8],rdx

// etc...
```

Since it's executing in the process it wouldn't slow down the game, it's only multiplying the number of times each instruction runs by 6. You could then do memscans on the lineCounts memory area, but it would be nice to have a window with buttons like Ultimap that would do that automatically (remove has run/remove has not run) and just list the lines like in disassembly. The counts could be displayed like in 'find out what accesses this address' and either have columns for the registers or click on a row to see the most recent values. Double-click (or pop-up menu) to go to that line in the disassembler.
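The filtering logic described in the feature request above and in this comment, as an added example that is not code from this thread or from Cheat Engine: it keeps a per-call-site hit counter (the role of the `lineCounts` array in the injection) and applies the Ultimap-style "remove has run" / "remove has not run" filters plus the requested "delete breakpoints that have been executed X times" option. The `game.exe+…` addresses and the two trace windows are constructed; the workflow is one window recorded while the interesting event did not happen, then one while it did.

```python
"""Hit-count filtering over instrumented call sites (example code, not part
of Cheat Engine). Addresses and traces below are constructed."""

from collections import Counter

# Constructed: the call instructions found in one level of trace data, i.e.
# the places the proposed tool would put its breakpoints or counters.
CALL_SITES = [
    "game.exe+2B8DDC",
    "game.exe+2B8E10",
    "game.exe+2B8E44",
    "game.exe+2B8E9A",
    "game.exe+2B8F02",
]

# Constructed trace windows: a list of call sites hit, in execution order.
# Window 1: the enemy died but dropped nothing.  Window 2: the enemy died and
# loot dropped; one call site ran three times (one call per item).
NO_LOOT_TRACE = ["game.exe+2B8DDC", "game.exe+2B8E10", "game.exe+2B8E44"]
LOOT_TRACE = NO_LOOT_TRACE + ["game.exe+2B8E9A"] * 3


class HitCountFilter:
    """Per-call-site hit counters with Ultimap-style filtering.

    `sites` is the set of call sites still under consideration; `counts`
    holds only the hits seen in the most recent recording window.
    """

    def __init__(self, sites):
        self.sites = set(sites)
        self.counts = Counter()

    def record_window(self, trace):
        """Start a new window: count every hit of a still-active site."""
        self.counts = Counter(addr for addr in trace if addr in self.sites)

    def remove_has_run(self):
        """Drop sites hit in the last window (they ran during an uninteresting action)."""
        self.sites = {s for s in self.sites if self.counts[s] == 0}

    def remove_has_not_run(self):
        """Drop sites not hit in the last window (they took no part in the event)."""
        self.sites = {s for s in self.sites if self.counts[s] > 0}

    def remove_executed_at_least(self, x):
        """The requested "executed X times" option: drop hot sites (loops,
        per-frame calls) so rarely executed ones stand out."""
        self.sites = {s for s in self.sites if self.counts[s] < x}

    def hit_table(self):
        """What the proposed results window would list: site -> hit count."""
        return {s: self.counts[s] for s in sorted(self.sites)}


def find_candidates(sites, no_event_trace, event_trace):
    """Two-window narrowing: discard what runs without the event, then keep
    only what runs with it. Returns the surviving call sites, sorted."""
    flt = HitCountFilter(sites)
    flt.record_window(no_event_trace)
    flt.remove_has_run()
    flt.record_window(event_trace)
    flt.remove_has_not_run()
    return sorted(flt.sites)


if __name__ == "__main__":
    print("loot candidates:", find_candidates(CALL_SITES, NO_LOOT_TRACE, LOOT_TRACE))
    hot = HitCountFilter(CALL_SITES)
    hot.record_window(LOOT_TRACE)
    hot.remove_executed_at_least(3)
    print("after dropping sites hit >= 3 times:", hot.hit_table())
```

With the constructed traces, the two-window pass leaves exactly one candidate, the call site that only ran when loot dropped, while `remove_executed_at_least(3)` drops that same hot site and keeps the ones hit once or not at all, which is the opposite filter a user would pick when hunting for a per-frame routine rather than a rare one.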

@cheat-engine
Owner

The codefilter does this, but to save speed it does not keep a hit counter. It instantly removes breakpoints that are hit and leaves only those that are not hit (Still good to find code you're interested in)

@korcankaraokcu
Author

Just tried codefilter in a ctf challenge and it works perfectly, many thanks!
