Exetools forum, Developer Section: x64dbg (https://forum.exetools.com/showthread.php?t=15328)

ahmadmansoor 04-17-2014 00:11

Hi Mr.exodia,
how can I get the line (address + hex + assembly command) in the GUI?
And how can I refresh the GUI after changing some hex value?

Insid3Code 04-17-2014 03:06

"invalid pe" Bug (Flash movie attached):
http://www.mediafire.com/download/pwagwb0oppzmx5p/demo001.rar 


mr.exodia 04-17-2014 06:42

@ahmadmansoor: Copying this is not yet possible, same for the plugin API. This is on the todo list however. Refreshing the GUI is possible using the following APIs:
Code:

BRIDGE_IMPEXP void GuiUpdateAllViews();
BRIDGE_IMPEXP void GuiUpdateRegisterView();
BRIDGE_IMPEXP void GuiUpdateDisassemblyView();
BRIDGE_IMPEXP void GuiUpdateBreakpointsView();

@Insid3code: please try this 'fix'; the only problem I could think of was something with virtual devices, but I just cannot reproduce the bug here. https://mega.co.nz/#!H5xlDBqb!j8cRrh3r4a89vXr00yPf_jYI5Oq7Cwx5H_7dSiyCm64

Greetings

ahmadmansoor 04-17-2014 07:42

"invalid pe" Bug Fix
Hi mr.exodia
No my friend, the problem came from here ((DevicePathToPath)),
specifically from this command:
Quote:

if(!_strnicmp(devicepath, curDevice, x)) //we match the device
I think you are using it wrong.

This is how I modified the code to make it work:
Quote:

#include <windows.h>
#include <cstdio>
#include <cstring>
#include <string>

bool DevicePathToPath(const char* devicepath, char* path, size_t path_size)
{
    if(!devicepath || !path)
        return false;
    char curDrive[3] = " :";
    char curDevice[MAX_PATH] = "";
    for(char drive = 'C'; drive <= 'Z'; drive++)
    {
        *curDrive = drive;
        if(!QueryDosDeviceA(curDrive, curDevice, MAX_PATH))
            continue;

        // Cut devicepath at its third backslash, so that only the device part
        // ("\Device\HarddiskVolumeN") is compared, as a whole, against curDevice.
        std::string str(curDevice);
        std::string str1(devicepath);
        int backslashes = 0;
        size_t x = std::string::npos; // index of the third backslash
        for(size_t i = 0; i < str1.size(); i++)
        {
            if(str1[i] == '\\')
                backslashes++;
            if(backslashes == 3)
            {
                x = i;
                break;
            }
        }
        if(x == std::string::npos)
            continue; // fewer than three components, cannot be "\Device\Name\..."
        str1 = str1.substr(0, x);
        if(str1.compare(str) == 0)
        {
            // need room for the two drive characters, the remainder and the terminator
            size_t remaining = strlen(devicepath) - x;
            if(remaining + 3 > path_size)
                return false;
            snprintf(path, path_size, "%s%s", curDrive, devicepath + x);
            return true;
        }
    }
    return false;
}
Note: I just prefer to work with string rather than the other blah blah (char, const char ...) :D

Please try the attached files.
PS: thanks for the hint for refreshing the GUI.

nonepe 04-17-2014 09:54

Well, I will try to debug DOS, hope it supports it.

mr.exodia 04-17-2014 15:22

@ahmadmansoor: your code does exactly the same. Your function will not work with memdisks etc. _strnicmp just compares the beginning of the strings up to the number of characters of the device name. Take a look here for the source code of this function from Scylla: http://bitbucket.org/mrexodia/devicenameresolver

@nonepe: it will not work lol

Greetings

n00b 04-17-2014 15:26

@mr.exodia: I have to just say, I am truly amazed by your work so far - thus far, I have been able to work my way around several x64 targets that I probably wouldn't have been able to do properly with, for instance, IDA.

So thanks a million for this epic work bro, and thanks again for the testplugin that you made - really helped a lot :D

mr.exodia 04-17-2014 16:02

@n00b: glad you like it! feel free to post feature suggestions anytime, so your experience can be improved.

Greetings

ahmadmansoor 04-17-2014 17:01

No, it works very fine even with flash memory
Hi mr.exodia:
No my friend, I am sure that my code works 100% with all devices ;). I have tried it on flash memory and the drive was V:\
and it worked very fine without any problem.
I will explain the problem, why this happens with you.
Look, after you make the GetMappedFileNameA call,

devicepath will be like this: "\Device\HarddiskVolume19\T1\WinRAR\WinRAR.exe" (const char *)
the important thing is (( \Device\HarddiskVolume19 )) - on my PC it is the S:\ disk - this is our hard disk or flash disk name from the root.
Now you begin going in a loop to find the root name of each disk and make a compare.
When you reach the disk which has a name like your hard disk name but without (( 9 )) at the end (( \Device\HarddiskVolume1 )) <<< this is the G:\ disk on my PC -
and as well your length compare is wrong too, so when you make the compare with your _strnicmp, which will give you the result = 0, it passes the compare (if condition) and changes the path of our exe to this
"G9\T1\WinRAR\WinRAR.exe", and by this the next check will be wrong too with this string of path.
Then you will not be able to load the target.

Please try this package again, I am sure 100% it works and I can upload a movie to prove that it works.
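The mismatch described in this post (HarddiskVolume1 claiming a HarddiskVolume19 path under a length-limited prefix compare) and the component-boundary match the earlier code aims for, shown side by side as an added example that is not code from the thread or from x64dbg; the drive-to-device table is a constructed stand-in for what QueryDosDeviceA returns, so the example runs on any platform:

```cpp
#include <cctype>
#include <cstddef>
#include <map>
#include <string>

// Constructed stand-in for the drive letter -> NT device name table that
// QueryDosDeviceA would produce on Windows. HarddiskVolume1 is a prefix of
// HarddiskVolume19, the exact case discussed in the thread.
static const std::map<char, std::string> kDeviceTable = {
    {'C', "\\Device\\HarddiskVolume2"},
    {'G', "\\Device\\HarddiskVolume1"},
    {'S', "\\Device\\HarddiskVolume19"},
};

// Case-insensitive "path starts with prefix", which is what
// _strnicmp(path, prefix, strlen(prefix)) == 0 tests.
static bool StartsWithNoCase(const std::string& path, const std::string& prefix) {
    if (path.size() < prefix.size()) return false;
    for (std::size_t i = 0; i < prefix.size(); ++i)
        if (std::tolower((unsigned char)path[i]) != std::tolower((unsigned char)prefix[i]))
            return false;
    return true;
}

// Buggy resolver: any device name that is a prefix of the path is accepted,
// so "\Device\HarddiskVolume19\..." is claimed by HarddiskVolume1 (drive G:)
// and the remainder starts with the stray "9". Returns "" on no match.
std::string ResolvePrefixOnly(const std::string& devicepath) {
    for (const auto& entry : kDeviceTable)
        if (StartsWithNoCase(devicepath, entry.second))
            return std::string(1, entry.first) + ":" + devicepath.substr(entry.second.size());
    return "";
}

// Fixed resolver: the device name must end on a component boundary, i.e. be
// followed by '\' or by the end of the path, so a shorter volume name can never
// capture a longer one, whatever order the table is walked in.
std::string ResolveOnBoundary(const std::string& devicepath) {
    for (const auto& entry : kDeviceTable) {
        const std::string& dev = entry.second;
        if (!StartsWithNoCase(devicepath, dev)) continue;
        if (devicepath.size() != dev.size() && devicepath[dev.size()] != '\\') continue;
        return std::string(1, entry.first) + ":" + devicepath.substr(dev.size());
    }
    return "";
}
```

As Carbon notes later in the thread, a table built only from QueryDosDevice still misses devices it cannot enumerate (encrypted or network volumes), so the boundary check fixes the comparison, not the coverage.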

ahmadmansoor 04-17-2014 20:04

Lol, 163 views in 45 min ...
x64_dbg is becoming a very desired debugger .... very good mr.exodia :cool:

This is the full package for both x32 and x64, so anyone can try it and give us the result pls.
Quote:

https://drive.google.com/file/d/0B402C-bcZm3la1BVMXJaVTJtbTA/edit?usp=sharing

Carbon 04-17-2014 21:17

@ahmadmansoor

There is still a bug with QueryDosDevice. This API cannot resolve all devices, like encrypted devices.

I had the same bug in Scylla: https://github.com/NtQuery/Scylla/commit/67d62b4a2c4d7561b53bd595ca1fda51416ac20f

But there is still a problem with network devices.

ahmadmansoor 04-17-2014 21:59

Nope my friend, I tried it on a network folder and it was working very well.
Did you try the package my friend??
I think I will upload a flash movie.

mr.exodia 04-17-2014 22:18

@ahmadmansoor: I think I see what was wrong with my code, but it's fixed already using Aguila's code :)

Greetings

ahmadmansoor 04-17-2014 22:27

Yes, the problem comes from ((your length compare is wrong)).
That's all, so there is no need for a ton of code to fix the problem, that's what I mean.

mr.exodia 04-17-2014 23:11

This code is needed for virtual drives (like ramdisks) like Carbon also said.
