HellSpider Posted May 19, 2017 Posted May 19, 2017 (edited) Heya, I'm migrating over to x32dbg from olly 2.01. I wrote a plugin to aid me in decryption of certain internal strings of certain files. I use the code below as an example: unsigned char* data = new unsigned char[len]; if(DbgMemRead(sel.start, data, len)) { decrypt_data(data, len); DbgMemWrite(sel.start, data, len); _plugin_logprintf("[" PLUGIN_NAME "] Region decrypted"); } delete[] data; When I click on my menu to decrypt the currently selected region the result is completely fine. However, the issue is that x32dbg does not recognize the edited memory as being modified (like you would get using Ctrl+E). This means I see a blank screen in the patches dialog. Am I using the wrong function to write the data ( DbgMemWrite() ) or is there a feature/button/something to scan the memory for edits to get them visible in the patch dialog? Edited May 20, 2017 by HellSpider 1
fearless Posted May 19, 2017 Posted May 19, 2017 (edited) There is a _mempatch function in _DbgFunctions: https://github.com/x64dbg/x64dbg/blob/24972c02783404d51343e9f8fcc94ac6cf12a60d/src/dbg/_dbgfunctions.cpp#L81 that calls MemPatch that might work and register the patch to the PatchList (which is enumerated and shown in the Patch Dialog) I think this is available vis the DbgFunctions structure: https://github.com/x64dbg/x64dbg/blob/24972c02783404d51343e9f8fcc94ac6cf12a60d/src/dbg/_dbgfunctions.cpp#L353 As far as I'm aware these are considered internal functions, but have been here for a while, but cant guarantee that they wont be moved or refactored to some other way of doing the same, but might not be available externally to developers in future - might have to check with @mrexodia to see what is likely Edited May 19, 2017 by fearless add @ properly 3
HellSpider Posted May 20, 2017 Author Posted May 20, 2017 17 hours ago, fearless said: There is a _mempatch function in _DbgFunctions: https://github.com/x64dbg/x64dbg/blob/24972c02783404d51343e9f8fcc94ac6cf12a60d/src/dbg/_dbgfunctions.cpp#L81 that calls MemPatch that might work and register the patch to the PatchList (which is enumerated and shown in the Patch Dialog) I think this is available vis the DbgFunctions structure: https://github.com/x64dbg/x64dbg/blob/24972c02783404d51343e9f8fcc94ac6cf12a60d/src/dbg/_dbgfunctions.cpp#L353 As far as I'm aware these are considered internal functions, but have been here for a while, but cant guarantee that they wont be moved or refactored to some other way of doing the same, but might not be available externally to developers in future - might have to check with @mrexodia to see what is likely Alright, had a go at this again this morning. Using MemPatch() from the DBGFUNCTIONS structure seems to do the trick. unsigned char* data = new unsigned char[len]; if(DbgMemRead(sel.start, data, len)) { decrypt_data(data, len); DbgFunctions()->MemPatch(sel.start, data, len); _plugin_logprintf("[" PLUGIN_NAME "] Region decrypted"); } delete[] data; Thanks for the tips. 2
fearless Posted May 20, 2017 Posted May 20, 2017 Your welcome. Feel free to join the x64dbg telegram group as well: http://telegram.x64dbg.com/
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now