x64dbg
An open-source x64/x32 debugger for windows...
173 topics in this forum
-
Problem with mapping x32dbg
by Euclidyr- 2 replies
- 6.2k views
Hello guys, i am very new to this reverse engineering. I will try to explain my problem. After i tried unpacking a dll, i have a problem of mapping some relative addresses. My imagebase is 0x10000000. Everytime i loaded the dll into memory, the base address changes. As shown in the pictures below, the addresses behind CALL and JUMP instructions are changed accordingly. But the addresses after PUSH or after dword ptr data segment, seem to remain unchanged. My question is how can I fix this problem? and what do u refer this problem as? Im grateful for all of you who can enlighten me... thank you guys!
-
static binary analysis
by fletcher- 3 replies
- 8.4k views
how can i do it?(no debug, only static analysis)
-
UPX 3.93
by KDN- 6 replies
- 10.8k views
Hi all, I am struggling to unpack a 64 bit DLL file that is packed with UPX 3.93. I have been able to upx -d with no issue. But n order to debug it, I need it to work, so I need to fix the import table and OEP. Does anyone have any steps on how I can do this? Being 64 bit the tutorials do not help me and I can't find anything for a 64-bit dll. If I can find the OEP I can use OllydumperEX but I cannot even find that!
-
X64DBG - Show All Addresses in CPU Pane
by KannerFest- 0 replies
- 5.7k views
Hey Guys. I'm sure this will be kind of a noobish question, I'm just scurrying out the door but thought I'd ask after doing a cursory search of the forum for similar topics but not really knowing what terms to use specifically. I'm trying to get the CPU pane to show all of the addresses at Default. I can find the addresses I need if I do a GOTO (CTLG+G) but as soon as I scroll they disappear. Ugh An image detailing the skips is attached. Thanks for the help. Kanner
-
Unable to Run a program from within X64BDG
by Johncoool- 0 replies
- 5.5k views
To my luck the 1st program I want to use with X64BDG has issues. It seems that the program cannot open without also opening an INI setting file which might be the reason it does not run from within the program. I am new to it so I am not sure what I am doing. I tried attaching a process and DLL and a process to get it to open but with no luck. Please find below the link to the small program. https://www.sordum.org/7941/askadmin-v1-6/ Please assist.
-
x64dbg crashes when searching for a pattern
by Kurapica- 0 replies
- 5.3k views
I was debugging an application that loads many DLLs Trying to search for a pattern pops up this dialog after 2 or 3 seconds I'm using this snapshot : snapshot_2019-11-13_01-33
-
- 2 replies
- 6.8k views
Hi, I made a simple x64dbg script that copies DWORD values from source to a destination buffer. The problem is that it crashes the debugger with EXCEPTION_ACCESS_VIOLATION. It doesn't happen all the times though, but it's pretty often. If I debug the script (using TABs) the crash does not occur. Increasing the size of the buffer seems to increase the probability of occuring the problem. Anybody else having the same problem? More infos below. Script: ; HOWTO: Open any target in the debugger, open this script, and run it. ; Repeat this process many times to ensure it's (not) working. ; I used cip as the src, but the problem happens with any other inputs too. src…
-
Rebuild x64dbg
by My13- 1 follower
- 3 replies
- 10.4k views
Hi. I try to rebuild all modules of x64dbg, but don't understand makepath of openssl (libeay32.dll, ssleay32.dll) + jansson (dll) + yara (windows src) -> yara.dll Does anyone know how to do this?
-
Tracing Differences x64dbg
by Leila.Morar48- 1 follower
- 9 replies
- 9k views
How to tracing like this video https://www.youtube.com/watch?v=DJP-dFRoA6Q in x64dg?
-
x32dbg Plugins Problem
by Ahmad_k- 2 replies
- 7.7k views
is there any problem with x32 or x64 plugins ? all plugins are not recognized (only builtin scylla). Tried on 2 different machines i put plugins files inside x32/plugins for 32bit version. there is no settings to define plugins directory like OllyDBG UPDATE it looks like all plugins needs to be updated to work with latest version, like AdvancedScript and APISearch. xAnalyzer works
-
- 1 reply
- 7.1k views
hi, How to set condition breakpoint and never pause program? And Ollydbg has a feature, never pause the running program. But failed in x64_dbg as the similar command. x64_dbg version : 02/07 2019
-
Scripts in x64dbg
by newhak- 13 replies
- 20.8k views
Hi, Can you please tell me if there is any way to run the olleydbg scripts using x64dbg, namely how to run the assembly scripts on x64dbg as it dose not accept that.
-
PE Viewer - plugin for x64dbg
by hors- 0 replies
- 7.2k views
Download: https://github.com/horsicq/pex64dbg/releases Sources: https://github.com/horsicq/pex64dbg More Info: http://n10info.blogspot.com/2019/05/pe-viewer-plugin-for-x64dbg.html
-
- 0 replies
- 5.3k views
Download: https://github.com/horsicq/nfdx64dbg/releases Sources: https://github.com/horsicq/nfdx64dbg More Info: https://n10info.blogspot.com/2017/05/nfd-plugin-for-x64dbg.html
-
Debugger Detected
by Beast_Hunter- 19 replies
- 19.6k views
How To Fix Debugger Detected In x64dbg Picture ProtectionID Scan Spoiler -=[ ProtectionID v0.6.7.0 OCTOBER]=- (c) 2003-2015 CDKiLLER & TippeX Build 31/10/15-14:35:10 Ready... Scanning -> C:\Users\Dell\Desktop\VNHAX_PUBGM.exe File Type : 32-Bit Exe (Subsystem : Win CUI / 3), Size : 531968 (081E00h) Byte(s) | Machine: 0x14C (I386) Compilation TimeStamp : 0x5C42DE39 -> Sat 19th Jan 2019 08:22:17 (GMT) [TimeStamp] 0x5C42DE39 -> Sat 19th Jan 2019 08:22:17 (GMT) | PE Header | - | Offset: 0x00000118 | VA: 0x00400118 | - [TimeStamp] 0x5C42DE39 -> Sat 19th Jan 2019 08:22:17 (GMT) | DebugDirectory | - | Offset…
-
How to log xmm0 register when tracing?
by noonerulez- 7 replies
- 8.6k views
I have breakpointed at a specific instruction and I did Trace --> Trace into. This is what I put for my log text: "0x{p:rip} {i:rip} xmm0: {xmm0}". However, I get "0x000000010003B036 cmp qword ptr ds:[rax+0x68], 0x0 xmm0: ???" as the output in the log tab. According to this, the registers in the architecture are provided. However, the FPU registers do not seem to available. Have I made a mistake?
-
- 4 replies
- 10.9k views
Real Solution from Mr.Exodia himself: You don't have to look any further, that's how awesome Mr. Exodia is. Hello Guys, I was wondering if you guys could point me to a pattern search similar to Yara pattern search (Eg. Pattern: 00 00 [5-6] ?? ?? FF) within X64DBG scripting, or may be someway to use that Yara pattern inside X64DBG scripting. Also is there by any chance could I set the $res1 to $res3 with subsequent search results (I mean $res = first result; $res1 = second result so on and so forth over a single pattern search). A way to get the results in an array, hope you got the idea. Why I need it perhaps you might ask; Well I was working o…
-
- 3 replies
- 6.4k views
Solution Like Mr. Exodia said: 1. Never clone the repo from browser, it will always miss the important files. 2. Don't use svn ether, sometimes the project may be a little outdated. copying the old Zydis wrapper folder actually worked out for me. 3. Always go with the ever trusted Git. Hello Guys, I would like to request a detailed instruction, perhaps a video tut on how to build the latest repository of x64DBG using visual studio 2013 (2017preferable). I have tried it so many times that I don't care anymore bothering you guys for this. Also I would like to share this down-loader script to get the necessary files real quick. Cloning t…
-
Could someone provide me a step by step on how to trace? Can you log the output to a file like OllyDbg does ? thanks
-
- 4 replies
- 6.1k views
@mrexodia Mr. Yuschuk delayed the OllyDbg 64-bit project for a long long time (the last updated: February 05, 2014). I think because of you, because of your debugger, your debugger is the main reason. Your debugger is my current lover but I wanna get back with ex-lover, Ms. OllyDbg. How can I? :)) P.S Thank for your daughter. She is so beautiful.
-
Winlicense-Themida Unpacking X64 using x64dbg
by Chicks Roy- 0 replies
- 14.4k views
Please friends, post your knowledge regarding themida x64 unpacking for x64dbg. please post your scripts also.
-
- 0 replies
- 6.3k views
What it does It' simply shows in the hex dump the second section in the hex dump at startup (it's not a hell of a feature and this is my first plugin/c++ project) How it works the plugin wait for the fisrt PAUSDEBUG event, gets the base address of main module, read the second section RVA from the header using DbgMemRead Update the plugin will look for the first writable section and show it in dump, if none is found it shows the second section Download https://github.com/cobrce/DataDump/releases/ p.s : if there is a simpler way to do its work please tell me
-
- 0 replies
- 5.6k views
Hello my name is Markus, I´m very new to this debugger. Could someone please help me and tell me, whats the easiest way to get a trace file with shows me all calls to a special dll which is also loaded before in memory. Example: I have a main.exe (aka loader.exe) which loads some dlls and then its starts one of this dlls, (lets say game.dll : function runGame) and this one make a lot of jumps to various functions inside a third dll, ( lets call it anticheat,dll) I want now to know how I can get a tracefile with all functioncalls from the game.dll to the anticheat.dll. but not ALL availiable Calls, but only these of them , which are really exe…
-
Problems logging all jumps/calls
by chickenmc- 9 replies
- 15.1k views
Hello all, I am new to x64dbg and I am trying to log all jumps and calls of my main prog1.exe. I am doing so using this command: TraceSetLog "{p:cip}", "dis.isbranch(cip) && prog1.EntryPoint == mod.entry(dis.branchdest(cip))" dis.isbranch(cip) will be true if there is a call or jump and the right part will check if I am in my main prog1.exe (because I don't want to log any jumps/calls from dll's that are loaded - I am only interested in prog1.exe) After that command I type in: StartRunTrace C:\Users\x64user\Desktop\log.txt and then start the Run Trace (one million hits will be logged): TraceOverConditional 0, 1000000 My prob…
-
- 0 replies
- 7.7k views
Hello, I have a software that takes an input and gives an output. I want to check what instructions are run for a "good" input and what extra instructions are used for a "bad" input so that I can have somewhere to look. What's the best way I can do this? Is there a plugin I can use? (Also might be related but, in this software the first and major module I see is just "ntdll" instead of the program itself which is what I'm used to. For example, as soon as I do anything in the program, one of the first instructions is `call ntdll` and then all the magic happens in there and I get an output. The only other piece of software that I reverse engineered (im a noob…
