Not sure if Support is the correct forum for this or the more “General” forum; I am looking for some tips on the Tracing feature of IDA Pro.
I am currently tackling iOS malware that uses a giant loop to execute its VM code; the entire function is obfuscated with indirect branches (BR X8, BR X10, etc.). The best way to deal with this is simply tracing and patching the branches in afterwards, and the instruction tracing works great for the small part I tested. My issue is that the script is so large that it’s wasting so much time in the dyld functions, I am assuming because it’s single-stepping even in that area, so my questions are these.
My question really is: is there a way to force the tracer to completely skip the dyld functions? Or can we set a call depth so that after 1 call we don’t trace further?
I am guessing that the only way to really handle this would be with a script to handle the debugging and turn the tracer off before such calls and back on after.
It’s a little difficult to answer without seeing your script, but perhaps you can use “Trace over debugger segments” or “Trace over library functions” in the Tracing Options.
Hi, thanks for the reply and sorry for my late reply.
I actually don’t even have a script at the moment; I was just attaching and enabling instruction tracing with the “Trace over debugger segments”, “Trace over library functions” and “Only log new instructions” options enabled, then hitting continue and waiting.
After around 4 hours I noticed it was still running with no more log entries; hitting suspend, I was always in the dyld sections. I let it run a few more hours and again there were no log entries and it was still in the dyld section, so based on this my assumption was that it was maybe single-stepping through all that code.
So, I was thinking maybe the best way to solve this is with a script that steps over calls, or asking if there is a depth limit we can set.
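As an added illustration of the depth-limit idea asked about above (this is example code written for this thread, not a script from the original poster or from Hex-Rays): the core is a small call-depth counter that decides, per traced instruction, whether the event should be logged. It treats AArch64 BL/BLR as calls and RET as returns, and stops logging once the depth exceeds a chosen limit, so instructions executed inside callees such as dyld are skipped without turning tracing off and on manually. The IDA glue at the bottom assumes the `ida_dbg.DBG_Hooks.dbg_trace(tid, ea)` callback (which returns 1 to suppress logging and 0 to log) and `idc.print_insn_mnem`; it only activates when run inside IDAPython. The `max_depth=1` default mirrors the “after 1 call we don’t trace further” question.

```python
"""Call-depth-limited instruction tracing: pure-Python core plus optional IDA hook.

Example code added for this thread; the IDA glue is an assumption about the
IDAPython debugger API and is only loaded when the ida_* modules are present.
"""

# AArch64 mnemonics that change call depth (constructed for this example).
ARM64_CALLS = {"BL", "BLR"}
ARM64_RETS = {"RET"}


class DepthLimitedTracer:
    """Decide which trace events to log based on nesting depth.

    on_trace(ea, mnem) is fed the instruction located at ea (its mnemonic)
    in execution order and returns True when that event should be logged.
    Depth 0 is the traced function itself; depth 1 is code directly called
    from it; anything deeper than max_depth is dropped from the log.
    """

    def __init__(self, max_depth=1):
        self.max_depth = max_depth
        self.depth = 0
        self.logged = []  # addresses we decided to keep

    def on_trace(self, ea, mnem):
        mnem = mnem.upper()
        keep = self.depth <= self.max_depth
        if keep:
            self.logged.append(ea)
        # Adjust depth for the *next* event: a call nests one level deeper,
        # a return unwinds one level (never below the starting function).
        if mnem in ARM64_CALLS:
            self.depth += 1
        elif mnem in ARM64_RETS and self.depth > 0:
            self.depth -= 1
        return keep


def replay(events, max_depth=1):
    """Run a list of (ea, mnemonic) events through the tracer; return kept addresses."""
    tracer = DepthLimitedTracer(max_depth)
    for ea, mnem in events:
        tracer.on_trace(ea, mnem)
    return tracer.logged


# Constructed sample trace: main loop calls a helper at 0x200, which calls a
# library-like routine at 0x300 that we do not want in the log.
SAMPLE_EVENTS = [
    (0x100, "MOV"),
    (0x104, "BL"),    # depth 0 -> 1
    (0x200, "STP"),
    (0x204, "BL"),    # depth 1 -> 2 (beyond the limit)
    (0x300, "MOV"),
    (0x304, "RET"),   # depth 2 -> 1
    (0x208, "RET"),   # depth 1 -> 0
    (0x108, "B"),
]


# Optional IDA glue (assumed API; skipped outside IDAPython).
try:
    import ida_dbg
    import idc

    class DepthHook(ida_dbg.DBG_Hooks):
        """Feed IDA's step-trace events into DepthLimitedTracer."""

        def __init__(self, tracer):
            super().__init__()
            self.tracer = tracer

        def dbg_trace(self, tid, ea):
            # dbg_trace: return 1 to drop this trace event, 0 to log it.
            mnem = idc.print_insn_mnem(ea)
            return 0 if self.tracer.on_trace(ea, mnem) else 1

    def install(max_depth=1):
        hook = DepthHook(DepthLimitedTracer(max_depth))
        hook.hook()
        return hook  # keep a reference so the hook is not garbage-collected
except ImportError:
    pass

if __name__ == "__main__":
    print([hex(ea) for ea in replay(SAMPLE_EVENTS)])
```

With the sample events, only the six instructions at depth 0 and 1 are kept; the two inside the depth-2 routine are dropped. In IDA, `install()` would be run after attaching and enabling instruction tracing, so the built-in “Trace over” options and this depth filter combine.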
Sorry for wasting your time; it’s actually working perfectly. I had frozen the other threads so as not to face anti-debug issues, and it turns out the thread I was working on is waiting for a reply from their mach port.