x64dbg

Hello, I have a software that takes an input and gives an output. I want to check what instructions are run for a "good" input and what extra instructions are used for a "bad" input so that I can have somewhere to look. What's the best way I can do this? Is there a plugin I can use? (Also might be related but, in this software the first and major module I see is just "ntdll" instead of the program itself which is what I'm used to. For example, as soon as I do anything in the program, one of the first instructions is `call ntdll` and then all the magic happens in there and I get an output. The only other piece of software that I reverse engineered (im a noob…

Hi, Whenever I use ScyllaHide in x64dbg an error that is "NT APIs missing" pop up so any help will be appreciated. I have NtApiCollection.ini but always a section is missing BTW, I downloaded pdb-getprocaddress but no idea whether I need to extract it to the plugins folder or do something else, namely how to use it to get the missing section. Thanks

A plugin to copy a selected disassembly range in the x64dbg cpu view tab and convert to a masm compatible style assembler code and output to clipboard or the reference view tab. Features Copy selected range to assembler style code. Outputs assembler code to clipboard or reference view. Adds labels for jump destinations. Adjusts jump instructions to point to added labels. Indicates if jump destinations are outside selection range. Code comments to indicate start/end and outside range. Options to adjust comments and label outputs. Format hex values as C style (0x) or Masm style. Registered commands: CopyToA…

hello how are you introduce me my name is sebastian and I would like and know if you can help me with a problem like I could compare 2 files with olldbg and know which modified characters

Hello author I use x64dbg recurrent crashes, most of the time it occurs when I reload the program, or when the program exits. Hope to solve this problem as soon as possible. Thank you for creating such a great debugger. thank ver much. x64 dbg minidump.7z video.7z

Hello Friends How to Auto "Hide debugger (PEB)" in xdbg? Always enable this option!!! Without clicking "Hide debugger (PEB)" menu item. Thanks

Hello, I am using x64dbg and would like to search for certain ds references. In the example image above I would like to search my executable for all ds:"NameID" references. It won't show up when I search for referenced strings, so how am I supposed to do that? Thanks!

First of all, I would like to thank the person who developed this. Really, it is a good debugger. By the way, I think that memory area breakpoint API does not exist. I would appreciate it if you could make it. I am always thankful to you. SCRIPT_EXPORT bool SetBreakpoint(duint address); SCRIPT_EXPORT bool DeleteBreakpoint(duint address); SCRIPT_EXPORT bool DisableBreakpoint(duint address); SCRIPT_EXPORT bool SetHardwareBreakpoint(duint address, HardwareType type = HardwareExecute); SCRIPT_EXPORT bool DeleteHardwareBreakpoint(duint address); The existing functions are listed above, There is no function …

How can I find all references to an instruction (from call or jump): I only know about right click on instruction and "Find references to"->"Selected address(es) Ctrl+R", I also know about graph view, Is there any other way of doing that? Maybe what I search don't even exist!

Overview The CeAutoAsm plugin is a wrapper around a mini-project of mine, ceautoasm.dll. ceautoasm.dll is Cheat Engine's internal auto assembler ripped out into a standalone library that can be used pretty much anywhere in a Windows environment. ceautoasm.dll uses the latest Cheat Engine code base for its internal workings with as minimal changes to the original code as needed to make it work. Some features of the auto assembler and internals have been removed to limit file size and ease of use. Removed Features (General) All ARM / JNI / Unix / Mono features removed. All Lua features are removed. All driver/kernel level features removed.…

Alter to graph. Same line different jumps. Should I open an issue ? Regards.

I tried to load an lnk file, but the path with the Chinese language, x64dbg suggested File does not exist!

The idea of this plugin is simple and was born out an agony I went through while using x64dbg with IDA simultaneously. It solves the problem of stealing the window focus from x64dbg to IDA, each time you single-step in the debugger, the sync plugin in x64dbg will send the sync info to IDA to show the current location and this makes IDA get the focus, very annoying when you are doing a quick single stepping ! This plugin simply restores the focus to the debugger, that's all. Flock_32_64.rar

On x86 version i'm unable to commit a push 12345678, only 7 cypher accepted! If you tell me how to see exact build i can reply to you!

Who will share A x64dbg with some useful plugins for us.

Just a quick fix for this plugin to prevent IDA from stealing focus from x64dbg window during stepping. I also added check marks to all the menu items to see which state is active.

I'm trying to open VB program and getting following error: VB file is attached, it's from r4ndom's tutorial, works on olly and immunity CrackmeVB1.exe

A small blog post I wrote. Hope it's interesting! http://x64dbg.com/blog/2017/06/08/kernel-driver-unpacking.html

Hey guys, First of all, sorry if this question has already been answered. I looked up first but didn't find anything. So I'm pretty new to reversing and I went through a few of Lena's tutorials but I decided to go through once again using x64dbg this time. Near the end of part 4, it shows OllyDbg's reference window. There is a Disassembly column that shows where the instruction that pushes this string. There is no such thing in x64dbg so I was wondering if there was another method to do the same. Thanks!

Hello, I'm currently working on a plugin for x32dbg and I was wondering if there is another way to disassemble a function where I can receive information like the opcode as char so I don't have to work with the char array to see what kind of instruction I'm dealing with. And I also want to know if there is a way to see if the argument from the DISASM_INSTR array is a register, pointer, memory value/constant or such also without dealing with the char array. Regards, Castor

Heya, I'm migrating over to x32dbg from olly 2.01. I wrote a plugin to aid me in decryption of certain internal strings of certain files. I use the code below as an example: unsigned char* data = new unsigned char[len]; if(DbgMemRead(sel.start, data, len)) { decrypt_data(data, len); DbgMemWrite(sel.start, data, len); _plugin_logprintf("[" PLUGIN_NAME "] Region decrypted"); } delete[] data; When I click on my menu to decrypt the currently selected region the result is completely fine. However, the issue is that x32dbg does not recognize the edited memory as being modified (like you would get using Ctrl+E). This means I see a blank screen in the patc…

Thank you for such a great tool @mrexodia , I want to add some little specific feature to x32dbg, nothing important but still useful for me. I have the experience to write programs in python and C++, but have no idea how to create plugin for x32dbg, Is there any good instruction/tutorial about writing plugin for x32dbg?

Is there any thought about possibly adding a zoom in and out to get an "aerial" view of the entire code section being graphed? The graph feature is very well executed, the only issues is the constant scrolling left and right because of the amount of jump sequences in a particular region I'm looking at. For small sections, zoom is clearly not needed, but with multiple jump points and multiple landing areas to the same call, it tends to create a lot of left to right scrolling for the draw creation. While I realize the assembly becomes unreadable the further out you zoom, you can still track the jump hierarchy (maybe with a "tooltip code eyeglass" for fast reference and…

Love my Olly, but really diggin x64DBG. One question I can't seem to sort out. When you are in Olly, and your at the entry point, if you open the executable modules, you see your .exe. When you run it, you can see what dlls are being loaded and can ultimately sort by path location to see which dlls are in play. I can see all the dlls under symbols, but what is not seen is the path and caller of which dll from user vs system. Is there a way to track that? I can see it says "user" "system" "party" but It would be helpful when searching for APIs or strings when your looking for any given routine to know the caller path. Is this just not implemented or am…

How can I debug a plugin? I can imagine that same way debugging a regular DLL ? Thanks