Today looking at the snow on the to see someone ask how to control the file format documentation, and debugging the analysis program being parsed is what structure? Here summarizes a few methods, welcome to Supplement, but sometimes still need to rely on experience.
a taint tracking analysis: the markup file content as a stain, then use ida blot analysis of the associated plug-in to analyze the register corresponding to the contents of the file, combined with 010editor File format analysis script to locate the file structure.
（b）the execution of the instruction compared: recording a normal file with the exception of files of the executed instructions od, immdbg has a trace feature, then as a code diff, than the code difference, and then based on file content differences in the overall analysis.
（c）conditions message breakpoints: in some may lead to vulnerability variables are the conditions set message breakpoints, in the log recording his value, the less variable will be the loop operation, according to the variable recording the results, find the patterns to locate the file structure.
（d）assuming the law: sometimes the analysis of the vulnerability really is a guess, hypothesis corresponds to a file structure, and then commissioning analysis to confirm.
（e）open source software symbol table is loaded: for example, the analysis of the libpng vulnerability, the priority is to find a use libpng and open source and is provided with symbols software, such as Firefox, analysis libpng directly using the firefox symbol table to debug firefox it is easy to locate the structure, libpng function is also directly identify, or you can also directly compile libpng make the symbol table.