Reverse Debugging

    You can use commands for recording and managing program states. After recording the states, you can seek pc back and forth to any points after saved address. So after recording, you can try single step back:

    1. [0x004028a0]> 2dso
    2. [0x004028a0]> dr rip
    3. 0x004028ae
    4. [0x004028a0]> dsb
    5. continue until 0x004028a2
    6. hit breakpoint at: 4028a2
    7. [0x004028a0]> dr rip

    When you run dsb, reverse debugger restore previous recorded state and execute program from it until desired point.

    Or you can also try continue back:

    You can see current recorded program states using dts:

    2. session: 0   at:0x004028a0   ""
    3. session: 1   at:0x004028c2   ""

    NOTE: Program records can be saved at any moments. These are diff style format that save only different memory area from previous. It saves memory space rather than entire dump.

    And also can add comment:

    Program records can exported to file and of course import it. Export/Import records to/from file:

    1. [0x004028c2]> dtst records_for_test
    2. Session saved in records_for_test.session and dump in records_for_test.dump
    3. [0x004028c2]> dtsf records_for_test
    4. session: 0, 0x4028a0 diffs: 0

    Moreover, you can do reverse debugging in ESIL mode. In ESIL mode, program state can be managed by aets commands.

    And step back by aesb:

    2. 0x00404870
    3. [0x00404870]> 5aeso
    4. [0x00404870]> aer rip
    5. 0x0040487d
    6. [0x00404870]> aesb
    7. [0x00404870]> aer rip