13 Nov 2016, by mrexodia
This is already number twelve of the weekly digests! It will highlight the things that happened to and around x64dbg this week.
Reflection
Over the last three weeks there has been lots of instability going on, mostly related to disassembly speed improvements. I expected around a week of instability, but unfortunately people keep finding issues and I cannot say with certainty that all bugs are gone.
The main reason for this being such an issue is that during initial development of the GUI a convenient function called GuiUpdateAllViews was introduced. This function will call the ‘force refresh’ functions of all individual views (disassembly, dump, stack, registers, sidebar, infobox, arguments, breakpoints, graph, call stack, memory map, etc.). Currently this function is no longer called in performance-critical code (such as the function responsible for updating the GUI to represent the current context) and many implicit update calls now have to be converted to explicit ones, which is a very prone to errors.
Testing all the features every time something changed is extremely time-consuming, which is why x64dbg relies on users willing to be on the bleeding edge to find issues like this. I would like to thank all of you!
Releases and versioning
As for releases and versioning, release versions imply that actual effort was put in making a specific version stable. While this might be a great model for certain projects, to me it’s an absolute joke to proudly say: “We released version 0.9 today!” and two days later dismiss someone reporting a bug with: “Always pull the latest commit and compile yourself.”
To save users from compiling x64dbg every day (which is easy, you should try it), a new snapshot is uploaded to Github immediately when a new commit is pushed to the repository. If you use a certain snapshot and everything is working fine, don’t update! If you find a bug, update to the latest snapshot and see if that solved the issue. If it didn’t, open an issue. Looking for older snapshots? Get them from SourceForge! If you see a nice new feature on this blog that you would like to try, you can copy your databases and settings in that snapshot and easily try it out.
Fixed more GUI issues
This week the following three GUI refresh issues were fixed:
- Register highlighting didn’t refresh the disassembly
- Using the ‘Set breakpoint on all commands’ didn’t update the breakpoint view
- Browsing the disassembly history would inconsistently refresh the disassembly
- Code folding was completely broken
Fixed inconsistent shortcuts
Pull request #1222 by kkthx fixed an inconsistent shortcut in the graph view.
Added content description in the memory map
Another pull request by kkthx implemented very basic content description of memory regions, currently based on the section names. If you can help improving this, please come up with ideas at issue #1212.
When using the string formatting functionality, the logging of {4:[esp+4]} would fail, this now works as expected.
Yet another pull request by kkthx allows you to add labels/comments directly from the graph view!
Add shortcut for copy RVA
The user ecx86 added the option to bind a hotkey to the ‘Copy RVA’ action in pull request #1232.
When using the comment list it usually doesn’t make much sense to list automatic comments (usually generated by plugins). This has now been changed and they will not be listed per default.
The (currently undocumented) CB_ADDRINFO plugin callback allows plugins to insert dynamically generated comments. This would allow a plugin to show context-relevant information directly in the comments.
Added more plugin templates
The PluginTemplate and ScriptDllTemplate are now extended with more variations to allow you to be more productive depending on your need.
Final words
That has been about it for this week again. If you have any questions, contact us on Telegram, Gitter or IRC. If you want to see the changes in more detail, check the commit log.
You can always get the latest release of x64dbg here. If you are interested in contributing, check out this page.
Finally, if someone is interested in hiring me to work on x64dbg more, please contact me!
Comments
06 Nov 2016, by mrexodia
This is already number eleven of the weekly digests! It will highlight the things that happened to and around x64dbg this week.
More advanced conditional tracing
Just like conditional breakpoints there is now more advanced conditional tracing. This allows you to (conditionally) log stuff and (conditionally) execute commands during tracing. In combination with plugin commands and expression functions you can make this arbitrarily complex, yay!
Fixed more GUI update issues
Sadly the recent performance improvements have introduced lots of GUI refresh bugs. Many were fixed and even more have been solved this week…
Remember history in goto file offset and RVA
The goto dialog has an edit box that has a history (use up/down to browse it). This feature is now available in all goto dialogs.
Reverted default behavior for null and nonprint characters
There was a discussion at issue #1196 and on Reddit and it seems like nobody likes the new behavior for null and nonprint characters. It has been reverted to use dots again. If you still want to show unicode replacements you can add the following to the GUI section of your config file.
[GUI]
NonprintReplaceCharacter=25CA
NullReplaceCharacter=2022
Cleaner GUI look
The GUI should look a little bit cleaner now (less borders mostly), see this GIF for a comparison.
Traced background in reference, source and symbol view
The trace record will now also show up in various views to help you understand where you might have already been.
ScyllaHide
The user gureedo has updated ScyllaHide and it should now work correctly on Windows 10 anniversary edition!
Update trace record when changing CIP manually
When you set CIP it will now execute the trace record on that address.
Allow skipping of INT3 instruction on run
The setting to skip INT3 instructions (mostly useful for ASM-level debugging) now also allows you to use the run command so INT3 instructions can be used as breakpoints directly.
Command to print stack trace
The (currently undocumented) printstack command will print the callstack in the log.
5 call stack frames (RIP = 00007FF7995A202F , RSP = 000000957F1FFD58 , RBP = 0000000000000000 ):
000000957F1FFDB0 return to 000000957F3E4829 from x64dbg.00007FF7995A202F
000000957F1FFDB8 return to x64dbg.00007FF7995A2555 from 000000957F3E4829
000000957F1FFDF8 return to kernel32.00007FFB74F013D2 from x64dbg.00007FF7995A2555
000000957F1FFE28 return to ntdll.00007FFB75B254E4 from kernel32.00007FFB74F013D2
000000957F1FFE78 return to 0000000000000000 from ntdll.00007FFB75B254E4
Set foreground on system breakpoint
Some time ago an option was introduced that would disable calls to set x64dbg as the foreground window. One of these calls is now removed and x64dbg will always be on the foreground after you started a new debug session.
Option to not highlight operands separately
A user on Telegram requested an option to expand the highlighting of the mnemonic to the whole instruction. This has now been added and this allows you to create absolutely stunning syntax highlighting!
Removed the toggle option for certain registers
General purpose registers had an option to ‘Toggle’ their state, but this did nothing particularly useful. This option has now been removed.
Translations
Some time ago a translation was opened at Crowdin. There has been great progress and here are some of the top languages. Thanks to all the translators!
- Spanish (95%)
- German (86%)
- Chinese Simplified (80%)
- Korean (64%)
- Russian (59%)
- Polish (47%)
- French (32%)
If you have some time it would be appreciated if you could translate a few sentences in your language!
Usual things
That has been about it for this week again. If you have any questions, contact us on Telegram, Gitter or IRC. If you want to see the changes in more detail, check the commit log.
You can always get the latest release of x64dbg here. If you are interested in contributing, check out this page.
Finally, if someone is interested in hiring me to work on x64dbg more, please contact me!
Comments
30 Oct 2016, by mrexodia
This is already number ten of the weekly digests! It will highlight the things that happened to and around x64dbg this week.
InterObfu
An ongoing effort basically sucking all my time has been on a project called InterObfu. It is basically a representation of x86 instructions that allows you to transform instructions. It also allows for extensive wildcard matching of instructions.
The obvious usage is finding a sequence of wildcard instructions in x64dbg, but another application is peephole optimization (for deobfuscation-related applications). The screenshot below shows the progress of various patterns being replaced or removed.
The implementation was particularly interesting because it involves Aho-Corasick and various tricks to make it efficient. You can check out the code on the repository if you’re interested. Shout out to Matteo for support and discussion on the topic!
Updated mnemonic database
There have been some small additions to the mnemonic database where missing alias instructions iretq and retf have been added. This allows you to more easily query information about instructions.
Replace non-printable characters with special characters
Previously null and non-printable characters were represented in the dump view by dots. This has now been changed and one unicode character (circle) represents null characters and another one (diamond) represents non-printable characters. There is a discussion going on at issue #1196 and you are welcome to come discuss what’s better (default) behavior.
Better split function for commands
Previously it was not possible to include the ; character in command strings without splitting the command in two incorrect commands. This has now been corrected and log "eax={eax};ebx={ebx}";eax++ now works as you would expect.
Fixed global notes
Quite embarrassingly the global notes were saves, but not correctly loaded because of an inverted condition. Thanks to cxj98 for the report!
Added some expression functions
The expression functions dis.iscall, func.start and func.end have been added. This can be used with conditional breakpoints or tracing.
Allow editing of the watch expression
Previously it was not possible to edit the expression of a watch. You can now do this without having to remove and re-add the watch.
Added simple logging of instructions
You can now log instructions with {i:addr} currently this is not particularly useful (except if you have multiple log breakpoints and want the instructions for some reason), but there will be use for this in the near future…
Process GUI events in the script API
An issue reported at the x64dbgpy (Python) repository has been partially worked around. Basically the GUI would freeze if the script was executed on the GUI thread and when using debug functions. This has now been resolved and you can keep using the GUI while your script is running.
Added run to selection in the graph view
It is now possible to use the run to selection (F4) option directly in the graph when debugging. This has been implemented by kkthx in pull request #1199.
Save the graph view to a file
Thanks again to kkthx you can now save the currently-visible part of the graph directly from the context menu. In the future this will be expanded to allow you to save the entire graph to a file.
Usual stuff
That has been about it for this week again. If you have any questions, contact us on Telegram, Gitter or IRC. If you want to see the changes in more detail, check the commit log.
You can always get the latest release of x64dbg here. If you are interested in contributing, check out this page.
Finally, if someone is interested in hiring me to work on x64dbg more, please contact me!
Comments