Exetools  

View Poll Results: Would you use this debugger?
Yes (mainly x32) 73 29.92%
Not at all 22 9.02%
Yes, if it gets better (please post feature suggestions) 79 32.38%
Yes (mainly x64) 70 28.69%
Voters: 244.

#76
04-17-2014, 00:11
ahmadmansoor
Hi mr.exodia,
How can I get the line (address + hex + assemble command) in the GUI?
And how can I refresh the GUI after changing some hex value?
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX

#77
04-17-2014, 03:06
Insid3Code
"invalid pe" Bug (Flash movie attached):
PHP Code:
http://www.mediafire.com/download/pwagwb0oppzmx5p/demo001.rar 
__________________
Computer Forensics

#78
04-17-2014, 06:42
mr.exodia
@ahmadmansoor: Copying this is not yet possible, same for the plugin API. This is on the todo list however. Refreshing the GUI is possible using the following APIs:
Code:
BRIDGE_IMPEXP void GuiUpdateAllViews();
BRIDGE_IMPEXP void GuiUpdateRegisterView();
BRIDGE_IMPEXP void GuiUpdateDisassemblyView();
BRIDGE_IMPEXP void GuiUpdateBreakpointsView();
@Insid3code: please try this 'fix'. The only problem I could think of was something with virtual devices, but I just cannot reproduce the bug here. https://mega.co.nz/#!H5xlDBqb!j8cRrh3r4a89vXr00yPf_jYI5Oq7Cwx5H_7dSiyCm64

Greetings
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf

#79
04-17-2014, 07:42
ahmadmansoor
"invalid pe" Bug Fix

Hi mr.exodia,
No my friend, the problem comes from here ((DevicePathToPath)),
especially from this command:
Quote:
if(!_strnicmp(devicepath, curDevice, x)) //we match the device
I think u are using it wrong.

This is how I modified the code to make it work:
Quote:
#include <windows.h>
#include <cstdio>
#include <cstring>
#include <string>

bool DevicePathToPath(const char* devicepath, char* path, size_t path_size)
{
    if(!devicepath || !path)
        return false;
    char curDrive[3] = " :";
    char curDevice[MAX_PATH] = "";
    for(char drive = 'C'; drive <= 'Z'; drive++)
    {
        *curDrive = drive;
        if(!QueryDosDeviceA(curDrive, curDevice, MAX_PATH))
            continue;

        std::string str(curDevice);
        std::string str1(devicepath);
        std::string temp1;
        // x first counts backslashes, then becomes the index of the third one,
        // i.e. the end of "\Device\HarddiskVolumeN"
        size_t x = 0;
        for(size_t i = 0; i < str1.size(); i++)
        {
            temp1 = str1.substr(i, 1);
            if(temp1.compare("\\") == 0)
                x = x + 1;
            if(x == 3)
            {
                x = i;
                break;
            }
        }
        str1 = str1.substr(0, x);
        // compare the whole device name, not only its beginning
        if(str1.compare(str) == 0)
        {
            //if(strlen(devicepath)-curDevice_len>=path_size)
            // room is needed for the drive ("X:"), the rest of the path and the terminator
            if(strlen(devicepath) - x + sizeof(curDrive) > path_size)
                return false;
            //sprintf(path, "%s%s", curDrive, devicepath+curDevice_len);
            sprintf(path, "%s%s", curDrive, devicepath + x);
            return true;
        }
    }
    return false;
}
Note: I just like to work with string more than the other blah blah (char, const char ...)

Please try the attached files.
PS: thanks for the hint for refreshing the GUI
Attached Files
File Type: rar x64_fix.rar (116.7 KB, 7 views)
File Type: rar bridge.rar (14.0 KB, 5 views)

#80
04-17-2014, 09:54
nonepe
Well, I will try to debug DOS, hope it is supported.

#81
04-17-2014, 15:22
mr.exodia
@ahmadmansoor: your code does exactly the same. Your function will not work with memdisks etc. strnicmp just compares the beginning of the strings with the number of characters of the device name. Take a look here for the source code from Scylla of this function: http://bitbucket.org/mrexodia/devicenameresolver

@nonepe: it will not work lol

Greetings

#82
04-17-2014, 15:26
n00b
@mr.exodia: I have to just say, I am truly amazed by your work so far - thus far, I have been able to work my way around several x64 targets that I probably wouldn't have been able to do properly with, for instance, IDA.

So thanks a million for this epic work bro, and thanks again for the testplugin that you made - really helped a lot

#83
04-17-2014, 16:02
mr.exodia
@n00b: glad you like it! feel free to post feature suggestions anytime, so your experience can be improved.

Greetings

#84
04-17-2014, 17:01
ahmadmansoor
no it work very fine even with flash memory

Hi mr.exodia:
No my friend, I am sure that my code works 100% with all devices. I have tried it on flash memory and the drive was V:\
and it works very fine without any problem.
I will explain the problem, why this happens with u.
Look, after u call GetMappedFileNameA

devicepath will be like this "\Device\HarddiskVolume19\T1\WinRAR\WinRAR.exe" const char *
The important thing is (( \Device\HarddiskVolume19 )) -on my PC it is the S:\ disk- this is our hard disk or flash disk name from the root.
Now u begin to go in a loop to find the root name of each disk and make the compare.
When u reach the disk which has a name like ur hard disk name but without (( 9 )) at the end (( \Device\HarddiskVolume1 )) <<< this is the G:\ disk on my PC -
and as well ur length compare is wrong too, so when u make the compare with ur _strnicmp it will give u the result = 0, so it passes the compare (if condition) and changes the path of our exe to this
"G9\T1\WinRAR\WinRAR.exe", and by this the next check will be wrong too because of this path string.
Then u will not be able to load the target.

Please try this package again, I am sure 100% it works and I can upload a movie to prove that it works.
Attached Files
File Type: rar x32.rar (444.0 KB, 191 views)
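
The prefix collision described in posts #81 and #84, as an added example that is not part of the thread or of x64dbg's code: a compare limited to the length of the device name lets `\Device\HarddiskVolume1` match a path on `\Device\HarddiskVolume19`, and requiring a path separator right after the matched name removes the false match. The drive table is constructed sample data standing in for QueryDosDeviceA results, and `device_to_dos` and `ci_prefix_len` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data standing in for QueryDosDeviceA() results. */
struct mapping { const char *drive; const char *device; };
static const struct mapping sample_map[] = {
    { "G:", "\\Device\\HarddiskVolume1"  },
    { "S:", "\\Device\\HarddiskVolume19" },
};
#define SAMPLE_COUNT (sizeof(sample_map) / sizeof(sample_map[0]))

/* Case-insensitive prefix test; returns the prefix length, or 0 on mismatch. */
static size_t ci_prefix_len(const char *s, const char *prefix)
{
    size_t i = 0;
    for (; prefix[i]; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return i;
}

/* require_boundary = 0: prefix-only compare (the behaviour under discussion).
   require_boundary = 1: the device name must also end at '\' or end of string.
   Returns 1 and fills out on success, 0 if unmapped or out is too small. */
static int device_to_dos(const char *devicepath, int require_boundary,
                         char *out, size_t out_size)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        size_t n = ci_prefix_len(devicepath, sample_map[i].device);
        if (n == 0)
            continue;
        if (require_boundary && devicepath[n] != '\\' && devicepath[n] != '\0')
            continue;   /* "...Volume1" only matched the start of "...Volume19" */
        int w = snprintf(out, out_size, "%s%s", sample_map[i].drive, devicepath + n);
        return w >= 0 && (size_t)w < out_size;   /* refuse truncated output */
    }
    return 0;
}

int main(void)
{
    const char *p = "\\Device\\HarddiskVolume19\\T1\\WinRAR\\WinRAR.exe";
    char buf[260];
    for (int mode = 0; mode <= 1; mode++)
        if (device_to_dos(p, mode, buf, sizeof buf))
            printf("boundary check %d -> %s\n", mode, buf);
    return 0;
}
```

A device path with no entry in the table stays unresolved in both modes, which is the situation the later posts raise for devices QueryDosDevice cannot resolve.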

#85
04-17-2014, 20:04
ahmadmansoor

Lol, 163 views in 45 min ...
x64_dbg has become a very desired debugger .... very good mr.exodia

This is the full package for both x32 and x64, so anyone can try it and give us the result pls.
Quote:
https://drive.google.com/file/d/0B402C-bcZm3la1BVMXJaVTJtbTA/edit?usp=sharing

#86
04-17-2014, 21:17
Carbon
@ahmadmansoor

There is still a bug with QueryDosDevice. This API cannot resolve all devices like encrypted devices.

I had the same bug in scylla https://github.com/NtQuery/Scylla/commit/67d62b4a2c4d7561b53bd595ca1fda51416ac20f

But there is still a problem with network devices.
__________________
My blog: https://ntquery.wordpress.com

#87
04-17-2014, 21:59
ahmadmansoor
Nope my friend, I tried it on a network folder and it was working very well.
Did u try the package my friend??
I think I will upload a flash movie.

#88
04-17-2014, 22:18
mr.exodia
@ahmadmansoor: I think I see what was wrong with my code, but it's fixed already using Aguila's code

Greetings

#89
04-17-2014, 22:27
ahmadmansoor
Yes, the problem comes from ((ur length compare is wrong)).
That's all, so no need for a ton of code to fix the problem, that's what I mean.

#90
04-17-2014, 23:11
mr.exodia
This code is needed for virtual drives (like ramdisks) like Carbon also said.