
ut command

The ut command stands for **"unassembly and trace".**
This command outputs clearer information than the original windbg command **uf**.
It is also linked with DML, making it easy to follow the code.

Usage

0:000> .load dbghlpr.dll
 *****************************************************************************
 *                                                                           *
 *         PEGASUS - reverse engineering extension plugin for windbg         *
 *                                                                           *
 *****************************************************************************

0:000> k
 # Child-SP          RetAddr           Call Site
00 0000001f`dc4ff9d8 00007ff8`59cc96c1 ntdll!NtDelayExecution+0x14
01 0000001f`dc4ff9e0 00007ff7`bfe610f3 KERNELBASE!SleepEx+0xa1
02 0000001f`dc4ffa80 00007ff7`bfe61349 test!main+0x33 
03 (Inline Function) --------`-------- test!invoke_main+0x22 
04 0000001f`dc4ffac0 00007ff8`5cb87974 test!__scrt_common_main_seh+0x11d 
05 0000001f`dc4ffb00 00007ff8`5ce7a271 KERNEL32!BaseThreadInitThunk+0x14
06 0000001f`dc4ffb30 00000000`00000000 ntdll!RtlUserThreadStart+0x21

0:000> !arch 64
 [+] current arch=>x64 arch

0:000> !ut 0007ff7`bfe610f3 -entry

  ; goto 7ff7bfe610f3
  00007ff7'bfe610c0	48 83 ec 38                     sub         rsp, 0x38
  00007ff7'bfe610c4	c7 44 24 20 00 00 00 00         mov         dword ptr [rsp + 0x20], 0             ; test!main+0x2c
  00007ff7'bfe610cc	eb 0a                           jmp         0x7ff7bfe610d8                        ; test!main+0x18, jump branch

  00007ff7'bfe610ce	8b 44 24 20                     mov         eax, dword ptr [rsp + 0x20]           ; test!main+0x32
  00007ff7'bfe610d2	ff c0                           inc         eax
  00007ff7'bfe610d4	89 44 24 20                     mov         dword ptr [rsp + 0x20], eax           ; test!main+0x38

  > 7ff7bfe610cc 
  00007ff7'bfe610d8	8b 54 24 20                     mov         edx, dword ptr [rsp + 0x20]           ; test!main+0x3c
  00007ff7'bfe610dc	48 8d 0d dd 7a 01 00            lea         rcx, qword ptr [rip + 0x17add]        ; "test:: %d"
  00007ff7'bfe610e3	e8 78 ff ff ff                  call        0x7ff7bfe61060                        ; test!printf, call branch

  00007ff7'bfe610e8	b9 e8 03 00 00                  mov         ecx, 0x3e8
  00007ff7'bfe610ed	ff 15 0d ff 00 00               call        qword ptr [rip + 0xff0d]              ; KERNEL32!SleepStub, call branch

  00007ff7'bfe610f3	eb d9                           jmp         0x7ff7bfe610ce                        ; test!main+0xe, jump branch

  [top]