what are those that x64dbg equivalence to ollydbg command sequences search?

[Sean the hard worker]

mov r32,[r32]
cmp [r32],r32
pushfd

if i use ollydbg, i can use above syntax to find all matches. however, when using x64dbg, what should i do to find all matches of command sequences?

sean.

Edited June 19, 2023 by windowbase

[Kirbiflint]

Hi,

there is no available option for this in x64dbg yet.

However. you can try searching for a sequence of code by pattern altogether.

[jackyjask]

3 hours ago, windowbase said:

if i use ollydbg, i can use above asyntax to find all matches. however, when using x64dbg, what should i do to find all matches of command sequences?

sean.

I see you very energized recently on forum

how about we work together and add support for Ollyplugins into Ollyx64?

 

[Sean the hard worker]

2 hours ago, jackyjask said:

how about we work together and add support for Ollyplugins into Ollyx64?

is there any ongoing project there? if any, let me know please. 

sean.

Edited June 19, 2023 by windowbase

[jackyjask]

No there is not, ... there is only last message from Ollydebugger author - "The development is frozen. Sorry.
For those who still want to try
the incomplete 64-bit version: odbg64.zip"

see the top message here

[boot]

On 6/20/2023 at 12:30 AM, Kirbiflint said:

is no available option for this in x64dbg yet.

There are two private plugins I have written myself, which can support to search sequences for command for xDbg.

They are not yet complete and have many bugs, currently in version 0.0.0.2. They may continue to update in the future...

PS:
I am trying to solve how to be compatible ?? ?? Fuzzy matching of forms and special mnemonics, such as the problem of CONST or R32/R16 or [R32]/[R16]
Who can provide some ideas?

Search4Sequences_v0.002_x86_x64.rar

[Sean the hard worker]

6 hours ago, boot said:

There are two private plugins I have written myself, which can support to search sequences for command for xDbg.

They are not yet complete and have many bugs, currently in version 0.0.0.2. They may continue to update in the future...

PS:
I am trying to solve how to be compatible ?? ?? Fuzzy matching of forms and special mnemonics, such as the problem of CONST or R32/R16 or [R32]/[R16]
Who can provide some ideas?

Search4Sequences_v0.002_x86_x64.rar 14.56 MB · 7 downloads

@boot good for you to try.

sean.

[fearless]

6 hours ago, boot said:

Who can provide some ideas?

Can use some of the internal commands to pattern match using DbgCmdExec (https://help.x64dbg.com/en/latest/developers/functions/debug/DbgCmdExec.html) or DbgCmdExecDirect: (https://help.x64dbg.com/en/latest/developers/functions/debug/DbgCmdExecDirect.html)

• `findall` command using the DbgCmdExec or DbgCmdExecDirectapi call (`findall` supports wildcard searching): https://help.x64dbg.com/en/latest/commands/searching/findall.html
• `findmemall` command using the DbgCmdExec or DbgCmdExecDirect call (`findmemall` supports wildcard searching): https://help.x64dbg.com/en/latest/commands/searching/findallmem.html

or even with the TitanEngine `MatchPattern` function directly: https://github.com/x64dbg/x64dbg/blob/e7995ffd5319ac0bbc26afd68f0cb07293a2e45f/src/dbg/TitanEngine/TitanEngine.h#L874

Edited August 3, 2023 by fearless
typo

[fearless]

Additionally you can optionally make use of the References View tab to add the search information to - its easy to add the columns and rows of data using the following api calls:

GuiReferenceAddColumn(int width, const char* title);
GuiReferenceSetRowCount(int count);
GuiReferenceGetRowCount();
GuiReferenceDeleteAllColumns;
GuiReferenceInitialize(const char* name);
GuiReferenceSetCellContent(int row, int col, const char* str);
GuiReferenceGetCellContent(int row, int col);
GuiReferenceReloadData; 
GuiReferenceSetSingleSelection(int index, bool scroll);
GuiReferenceSetProgress(int progress);
GuiReferenceSetCurrentTaskProgress(int progress, const char* taskTitle);
GuiReferenceSetSearchStartCol(int col);

 

Also, cant seem to open your attached file, gets deleted by MS Anti Virus, is the source of the plugins on github?

[boot]

1 hour ago, fearless said:

Also, cant seem to open your attached file, gets deleted by MS Anti Virus, is the source of the plugins on github?

I haven't seen any similar projects on GitHub yet. So try writing it by myself and calling relevant open source engines to implement it.

The core issue lies in how to set inputs similar to

CMP R32, R32
...
JMP CONST
...
PUSH CONST

Convert to machine code?

These special operators/SYMBOLS are not clear, and there is no similar reference in xDbg, and there is no ready-made engine to call transformations. These features are included in OllyDbg v1.10/OllyDbg64 v2.

In addition, the addressing of some calls [0xXXXXXXXX] is different, so it is not easy to find a suitable matching method.

The original file size is 30MB+/-  MFC DLL projects

*. dp32 org size 13MB +/- UPX pack ->2.85MB +/-  |  <- MS suggests that the virus likely the cause of UPX packaging
*. dp64 org size 16MB +/- UPX pack ->3.42MB +/-  |  <- MS suggests that the virus likely the cause of UPX packaging

 

such as

 

 

Edited August 3, 2023 by boot
video

[kuazi GA]

Does it support fuzzy lookup of CMP instructions?

 

Edited August 3, 2023 by kuazi GA