Fun with self-decryption

The big handle gamble

  • A shot in the dark
  • Pushing our luck
  • Winner winner chicken dinner!

Goodbye Capstone, hello Zydis!

Limitations in x64dbg

  • Export functions
  • Access to features
  • Performance

Messages Breakpoints in x64dbg

  • Introduction
  • Using Windows Messages
  • Event-driven programming
  • Window Messages
  • Window Procedures
  • Getting External Window Procedures
  • Intercepting Messages
  • WinProc Conditional Breakpoints
  • Use Cases
  • Final Words
  • References

Kernel driver unpacking

  • Initial analysis
  • Faking the kernel imports
  • Unpacking
  • Finding a faster way of unpacking
  • Dumping + Rebuilding
  • Conclusion

Make better use of x64dbg

  • Code cave
  • Use watch window
  • Work with snowman
  • Use commands and functions
  • Use tracing where it works best
  • Use trace record

Hooking WinAPI to improve Qt performance

Weekly digest 16

  • Christmas
  • x64dbgpylib
  • Translations
  • Restart as admin
  • Secure symbol servers
  • Fixed weird display issue on the tab bar
  • Various copying enhancements
  • Fixed a bug if IMAGE DOS HEADERS is malformed
  • Fixed some bugs with handling big command lines
  • Launcher improvements
  • Load/free library in the symbols view
  • String search improvements
  • Don't change the active window when closing a tab
  • Workaround for a capstone bug
  • Improve autocomments
  • Save and restore the window position and size
  • Allow permanent highlighting mode
  • Copy as HTML
  • Usual things

Weekly digest 15

  • Log redirection encoding
  • Properly enforce size limits for comments and labels
  • Large address awareness
  • Optimized logging speed
  • Fixed a crash when clicking out of range in the side bar
  • Updated Scylla
  • Plugin API to get useful information about the current debuggee
  • Various improvements to the type system
  • More styles
  • Case-insensitive regex search in symbol view
  • GUI speed improvements
  • Intercept more functions for crashdumps
  • Don't change selection when the search text changes
  • Make x64dbg run on Wine again
  • Added more advanced plugin callbacks
  • Print additional information on access violations
  • Fixed incorrect detection of unary operators
  • Remove breakpoints when clearing the database
  • Fixed bug with searching in the memory map
  • Improvements to the breakpoint view
  • Find window in the attach dialog
  • Usual stuff

Type system

  • Internal representation
  • Primitives
  • Types
  • Members
  • StructUnions
  • Functions
  • Where is the tree?
  • Visitor
  • Conclusion

Weekly digest 14

  • Types
  • Fix log links and show suspected call stack frame
  • Finished layered loop implementation
  • Fixed 'cannot get module filename'
  • Allow for more customization
  • Usual things

xAnalyzer Reviewed

  • Introduction
  • Going back
  • What is xAnalyzer?
  • Basic functionality
  • CALL -> JMP -> API (Indirect Call)
  • CALL -> POINTER -> API (Indirect Call)
  • CALL -> API (Direct Call)

Weekly digest 13

  • This is an open blog!
  • Decode function offset in stack
  • Context menu in the xref dialog
  • Removed buggy branch destination cache
  • Added disassembly expression functions
  • Added more advanced arguments in favourite tools
  • Show better contextual information in the disassembler
  • Various GUI improvements
  • Icon for database files
  • Fixed format in infobox
  • Fixed find commands
  • Don't consider reserved pages as valid memory
  • Option for hardcore thread switch warnings
  • Fixed unary operators
  • Usual stuff

Weekly digest 12

  • Reflection
  • Releases and versioning
  • Fixed more GUI issues
  • Fixed inconsistent shortcuts
  • Added content description in the memory map
  • Fixed an issue with format delimiters
  • Add comments and labels in the graph view
  • Add shortcut for copy RVA
  • Don't list automatic comments per default
  • Plugin callback for dynamic comments
  • Added more plugin templates
  • Final words

Weekly digest 11

  • More advanced conditional tracing
  • Fixed more GUI update issues
  • Remember history in goto file offset and RVA
  • Reverted default behavior for null and nonprint characters
  • Cleaner GUI look
  • Traced background in reference, source and symbol view
  • ScyllaHide
  • Update trace record when changing CIP manually
  • Allow skipping of INT3 instruction on run
  • Command to print stack trace
  • Set foreground on system breakpoint
  • Option to not highlight operands separately
  • Removed the toggle option for certain registers
  • Translations
  • Usual things

Weekly digest 10

  • InterObfu
  • Updated mnemonic database
  • Replace non-printable characters with special characters
  • Better split function for commands
  • Fixed global notes
  • Added some expression functions
  • Allow editing of the watch expression
  • Added simple logging of instructions
  • Process GUI events in the script API
  • Added run to selection in the graph view
  • Save the graph view to a file
  • Usual stuff

Weekly digest 9

  • Autocomment for call $0
  • Improvements to the disassembly popup
  • Source line and autocomments
  • Show CIP in graph overview
  • Less jumpy experience while debugging in the graph
  • Fine-grained dump offset control
  • Allow checkable menu items for plugins
  • Codename iconic
  • Updated capstone, keystone and asmjit
  • Copy as base64
  • Callback for changed selection
  • Analysis plugins
  • Maximum trace count option
  • Copy selection to file
  • Disassembly speed improvements
  • Reports
  • Copy symbolic name
  • Allow customizing of the main menus
  • Fixed a bug with little/big endian when editing FPU registers
  • Show extended exception information on exception events
  • Final words

The x64dbg threading model

  • Command loop thread
  • Debug thread
  • Script thread
  • Worker threads
  • TaskThread
  • GUI Thread

Weekly digest 8

  • GUID Reference Searching
  • Graph comments
  • Graph overview
  • Added some expression functions
  • Cross references dialog
  • Graph debugging
  • Freeze stack has been fixed
  • Fixed complex memory assignments
  • Execute multiple commands
  • x64dbgbinja
  • Refactor
  • Tracing plugins
  • Usual things

Weekly digest 7

  • Plugin page
  • Variable list will now be shown in the reference view
  • Fixed a crash in the pluginload command
  • Added undo in registers view
  • Hide actions in a submenu
  • Better character recognition in the info box
  • Character recognition in comments
  • Goto origin in memory map
  • Highlight jump lines in the sidebar if the destination is selected
  • Various updates to the mnemonic database
  • Open file/directory options for the source view
  • Next/Previous/Hide tab
  • Import/export database
  • Better IsJumpGoingToExecute
  • Usual stuff

Architecture of x64dbg

  • Bootstrapping
  • Debugging
  • Message passing from GUI to DBG
  • Commands dispatch
  • Directly exported functions
  • Export functions dispatch
  • DbgFunctions
  • Message flow from DBG to GUI
  • Important subsystems in GUI
  • Tables in GUI
  • Context menu management
  • Configuration management
  • Important subsystems in DBG
  • threading.h
  • x64dbg.cpp
  • memory.h, module.h and thread.h, label.h and breakpoint.h, etc.
  • scriptapi

Weekly digest 6

  • Remove all breakpoints before detaching
  • Warnings when trying to set CIP to a non-executable page
  • Fixed event filter plugin callbacks with Qt5
  • Refactor command-related code
  • Import multiple patches
  • Adjust width of status label for translations
  • Active view API
  • Highlight ud2 and ud2b as unusual instructions
  • Optimized menu order in the register view
  • Lots of code improvements
  • Allow debugging of AnyCPU .NET files
  • Clarified SetMemoryBPX command
  • Improved follow in memory map
  • Highlight active view in CPU
  • Print symbolic name on expression command
  • Performance improvement of disasm command
  • Corrected width of the Hex short dump
  • Fixed bug with endianness in the float register editor
  • Performance improvement in plugin loader
  • Type system
  • Fail assembling short jumps that don't fit in 2 bytes
  • Added plugin callback to filter symbols
  • Show comments/labels in the bookmark list
  • Use reference view for varlist
  • Allow allocation at a specified address
  • Use CIP per default in imageinfo
  • Final words

Weekly digest 5

  • Register and argument view enhancements
  • Dynamically load/unload plugins
  • Improvements to the info box
  • Fixed search for constant references
  • Copy improvements
  • Improved the favorites dialog
  • Fixed confusing wording
  • Better uppercase disassembly
  • Fixed compile error with yara in the pluginsdk
  • Improved selection API
  • Improved dbload command
  • Expression functions for reading data
  • Improved documentation
  • Progress with a type system
  • Plugin template for Visual Studio
  • GetRelocSize
  • MxCsr
  • Final words

Weekly digest 4

  • Fixed goto dialog for reserved memory pages
  • Different trace record + selection color in the graph
  • No foreground window per default
  • Disassembly preview is now theme aware
  • Search pattern in module
  • Fixed intermodular calls in module
  • Added various memory-related expression functions
  • Script DLL template for Visual Studio
  • UpxUnpacker for x64dbgpy
  • Register view enhancements
  • University
  • Final words

Weekly digest 3

  • Don't freeze the GUI while downloading symbols
  • Follow in Dump N in registers view
  • DLL Breakpoint GUI
  • Shortcuts for animation commands
  • GUI performance improvements
  • Script performance improvements
  • Expression parser performance improvements
  • Fixed compilation on Visual Studio 2015
  • GetTickCount expression function
  • Fixed a crash with history
  • More icons in the GUI
  • Added the asmjit assembler engine
  • Fixed a deadlock on aborting a script
  • Fixed string sorting in table views
  • Fixed FS/GS memory branch destinations
  • Option to ignore inconsistent breakpoints
  • FAQ in the attach dialog
  • No longer show RIP-relative memory addresses when assembling
  • Fixed truncating dialogs on translation
  • Allow ESC and Backspace to be used for shortcuts
  • Data commands
  • Import (partial) settings
  • Disallow dump/disasm on reserved memory pages
  • Fixed command animation
  • Faster startup
  • Different implementation of run to user code
  • Last code page edit box in hex editor
  • Initialization script now runs in a new thread
  • Fixed the copy menu in the handles view
  • Highlight token context menu
  • Shortcuts for Treat selection as head X
  • Data copy in disassembly view
  • Added dummy menu for "save file"
  • Follow in memory map
  • Intelligent following of addresses
  • Branch destination preview setting
  • Hyperlinks in the log view
  • Update checker has been fixed
  • Script DLLs work again
  • Exception breakpoints
  • Setting to not call SetForegroundWindow
  • Detachable breakpoint view
  • Execute a script from the clipboard
  • Fixed a weird bug with DLLs that are loaded multiple times
  • Added IP address to data copy
  • Disable log scrolling
  • Final words

Weekly digest 2

  • Font in the command completion dialog
  • Added memdump option to savedata
  • Fixed various general purpose instructions
  • More usable disassembly popup
  • Fixed empty watchdog menu
  • Trace record tracing works again
  • Animation into has been implemented!
  • Better unicode support
  • Execute a script on attach or initialize
  • Create a thread in the debuggee
  • Performance improvements in TitanEngine
  • Auto scrolling when moving the mouse out of views
  • Expression functions
  • Allow modification of the singleshoot flag
  • Added NTSTATUS codes
  • Updated color schemes
  • Final words

Weekly digest 1

  • Improvements to the attach dialog
  • Disable debuggee notes when debugging
  • Translation of the DBG
  • Search box locking in symbol view
  • Various GUI improvements
  • Don't freeze when the debuggee doesn't close properly
  • Warn when setting a software breakpoint in non-executable memory
  • Signed and unsigned bytes in the dump
  • Fixed WOW64 redirection issues
  • Fixed invalid save to file sizes
  • Added imageinfo command
  • Updated Yara to 3.5.0
  • Work on GleeBug
  • Final words

64bit Debugging and the WoW64 File System Redirection

  • A small note on WoW64 Redirection on Windows
  • How this affected the x96dbg.exe loader
  • The Fix
  • References

User interface design principles

  • Access any feature, anywhere
  • Offer to show the most needed data to user
  • Guide the user to do the right thing
  • Easy to understand and master
  • User interface customization is important
  • Fast and responsive
  • Afterword

x64dbg plugin SDK

  • Contents
  • Overview
  • Common questions
  • Wait, what? There are two plugin SDKs?
  • Which plugin SDK should I use?
  • Why create a plugin SDK in assembler?
  • What assembler should I use, if I'm to use the plugin SDK for assembler?
  • Why write a plugin?
  • Ongoing development
  • Feature request alignment
  • Understanding the x64dbg plugin architecture
  • The plugin load sequence
  • DllMain
  • The pluginit exported function
  • The plugsetup exported function
  • The callback exported functions and structures
  • _plugin_registercallback
  • The registered event callback function for _plugin_registercallback
  • The CDECL export callback function
  • Summary
  • Afterword
  • Additional resources of interest
  • x64dbg
  • x64dbg Plugin SDK For Assembler
  • Assemblers
  • Other

Control flow analysis and graphing

  • Introduction
  • Analysis
  • GUI

Introducing Contemporary Reverse Engineering Techniques to Real World Use

  • How do we reverse engineer a program these days?
  • Automation and analysis are more important
  • Introducing dynamic analysis
  • The future of reverse engineering

Looking for writers!

  • Topics
  • Writing a post