Weekly digest 13

This is already number thirteen of the weekly digests! It will highlight the things that happened to and around x64dbg this week.

This is an open blog!

In case you didn’t know yet, this blog is looking for writers. You (or your company) are welcome to write a post related to x64dbg on this blog. Check out the link for more information!

Also on a side note, I’m currently very busy with my studies so various promised posts (expression parser, type system) are placed on the backlog. I would very much like to keep this blog alive but writing is a very time consuming practice and I could very much use some help from you guys in the form of a post. Contact me if you’re interested and I will help you get started!

Decode function offset in stack

The offset to the function will now be shown on stack return addresses!

[screenshot: function offset]

Context menu in the xref dialog

You can now set various kinds of breakpoints in the xref dialog directly.

[screenshot: xref breakpoint menu]

Removed buggy branch destination cache

During tracing the dis.branchexec function would sometimes report incorrect results. This has now been fixed.

Added disassembly expression functions

You can now use the dis.isnop and dis.isunusual expression functions during tracing to get where you want to be even quicker!

Added more advanced arguments in favourite tools

The favourites menu now allows for more advanced interaction with the tools. You can use the %PID%, %DEBUGGEE% and %MODULE% placeholders in the path to launch your tool with contextually relevant information. In addition you can use string formatting to fill in any expression you like. For instance, %-{cip}-% will be replaced with the contents of the EIP/RIP register.

Show better contextual information in the disassembler

Various (small) bugs in the capstone wrapper module have been fixed. NOP jumps should now be correctly detected. In addition x64dbg will show comments helping you see that certain branches are useless.

[screenshot: jmp nop]

Various GUI improvements

Pull request #1272 by torusrxxx contains numerous GUI improvements. Various fixed hotkeys, better follow in memory map, search in the current function, show the list of variables and various other small fixes.

Another fix is more realistic scroll bars. Previously the scroll bars would always look like there was an enormous amount of data, but this has been adjusted to give a more natural feeling. You can also put a comment on the first address of a memory page and it will show up in the memory map.

Icon for database files

Thanks to ThunderCls the launcher will now add icons for the x64dbg database files! See pull request #1246 for more information!

[screenshot: icon files]

Fixed format in infobox

In case you didn’t know, the info box shows information about the currently selected instruction and its location. This example shows the mov dword ptr ss:[ebp-4],FFFFFFFE instruction at the address 77683C87 in ntdll.dll. You can see the section .text:77683C87, the RVA ntdll.dll:$B3C87 (which is also a legal expression in the goto dialog) and the file offset ntdll.dll:#B3087. In addition to that you can see how many times the instruction has been recorded in the trace record.

[screenshot: infobox]
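The three forms shown in the infobox (section:VA, module:$RVA and module:#fileoffset) are related through the PE section table. The following is an added example, not x64dbg’s own code: a small VA to RVA to file offset mapper. The module base and section values are constructed so that they reproduce the numbers in the text (they are not read from a real ntdll.dll), and the example also handles the RVAs that have no backing bytes in the file, which the infobox cannot map either.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Section:
    name: str
    virtual_address: int   # RVA at which the section is mapped
    virtual_size: int      # bytes occupied in memory
    raw_pointer: int       # PointerToRawData: where the section starts in the file
    raw_size: int          # SizeOfRawData: bytes actually stored in the file

# Constructed values: base chosen so that 77683C87 has RVA B3C87; .text is mapped
# at RVA 1000 from file offset 400, which is why the file offset is B3087 (0xC00 lower).
NTDLL_BASE = 0x775D0000
SIZE_OF_HEADERS = 0x400
NTDLL_SECTIONS: List[Section] = [
    Section(".text", 0x1000,  0xD5000, 0x400,   0xD5000),
    Section(".data", 0xD7000, 0x4000,  0xD5400, 0x1000),  # mostly zero-filled in memory
    Section(".rsrc", 0xDB000, 0x70000, 0xD6400, 0x70000),
]

def va_to_rva(base: int, va: int) -> int:
    if va < base:
        raise ValueError("address below module base")
    return va - base

def rva_to_section(sections: List[Section], rva: int) -> Optional[Section]:
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            return s
    return None

def rva_to_file_offset(sections: List[Section], rva: int) -> Optional[int]:
    # Returns the file offset backing an RVA, or None when the bytes exist only in memory.
    if rva < SIZE_OF_HEADERS:
        return rva                   # headers are mapped 1:1 from the start of the file
    s = rva_to_section(sections, rva)
    if s is None:
        return None                  # unmapped gap or outside the image
    delta = rva - s.virtual_address
    if delta >= s.raw_size:
        return None                  # e.g. the zero-filled tail of .data
    return s.raw_pointer + delta

def describe(base: int, sections: List[Section], va: int, module: str = "ntdll.dll") -> str:
    """Render the infobox forms: section:VA, module:$RVA and module:#fileoffset."""
    rva = va_to_rva(base, va)
    s, off = rva_to_section(sections, rva), rva_to_file_offset(sections, rva)
    off_text = f"#{off:X}" if off is not None else "#<not in file>"
    return f"{s.name if s else '?'}:{va:08X} {module}:${rva:X} {module}:{off_text}"
```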

Fixed find commands

The commands findall and findmemall would function improperly when the optional size argument was used. This has gone unnoticed for a long time, most probably because this option was never used. It has now been corrected.

Don’t consider reserved pages as valid memory

Reserved memory pages would in some cases be considered readable, which could lead to inconsistent menus. This has now been fixed and reserved memory is no longer considered readable.

Option for hardcore thread switch warnings

There are various undocumented settings in x64dbg (mostly to provide backwards compatibility in case people don’t like a change). One of these, showing thread switch warnings in the log, has now been added to the settings dialog.

[screenshot: thread switch setting]

Fixed unary operators

The expressions (-1), func(-1) and various others would be reported as invalid because the unary operators were detected incorrectly. This has now been corrected and the expression -(-variable) now works as expected! See the expressions documentation for more information on expressions!
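To make the bug concrete, here is an added example (not x64dbg’s expression parser): a minimal evaluator whose only purpose is to show where the unary-minus decision is made, so that (-1), 2*-3 and -(-variable) all parse. It assumes hexadecimal literals, the operators + - * and parentheses; function calls such as func(-1) are left out to keep it short.

```python
# Added example, not x64dbg's own code. Numbers are hex (x64dbg's default radix);
# only + - * and parentheses are supported.
import re

WORD = re.compile(r"\s*(?:(\w+)|(\S))")
BINARY = {"+": (1, lambda a, b: a + b), "-": (1, lambda a, b: a - b),
          "*": (2, lambda a, b: a * b)}

def tokenize(expr, variables):
    # a word is a known variable name, otherwise a hex literal
    return [("val", variables[w] if w in variables else int(w, 16)) if w else ("op", s)
            for w, s in WORD.findall(expr)]

def is_unary_position(prev):
    # '-' is a sign (not subtraction) at the start, right after '(' or right after
    # another operator. Deciding this wrongly is what rejected (-1) and -(-x).
    return prev is None or (prev[0] == "op" and prev[1] != ")")

def evaluate(expr, variables=None):
    variables, out, ops, prev = variables or {}, [], [], None
    def apply(op):
        if op == "neg":
            out.append(-out.pop())
        else:
            b, a = out.pop(), out.pop()
            out.append(BINARY[op][1](a, b))
    for tok in tokenize(expr, variables):
        kind, v = tok
        if kind == "val": out.append(v)
        elif v == "(": ops.append(v)
        elif v == ")":
            while ops and ops[-1] != "(": apply(ops.pop())
            if not ops: raise ValueError("unbalanced parentheses")
            ops.pop()
        elif v == "-" and is_unary_position(prev):
            ops.append("neg")        # the sign binds tighter than any binary operator
        elif v in BINARY:
            while ops and ops[-1] != "(" and (ops[-1] == "neg" or BINARY[ops[-1]][0] >= BINARY[v][0]):
                apply(ops.pop())
            ops.append(v)
        else: raise ValueError(f"unexpected token {v!r}")
        prev = tok
    while ops:
        if ops[-1] == "(": raise ValueError("unbalanced parentheses")
        apply(ops.pop())
    if len(out) != 1: raise ValueError("malformed expression")
    return out[0]
```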

Usual stuff

That has been about it for this week again. If you have any questions, contact us on Telegram, Gitter or IRC. If you want to see the changes in more detail, check the commit log.

You can always get the latest release of x64dbg here. If you are interested in contributing, check out this page.

Finally, if someone is interested in hiring me to work on x64dbg more, please contact me!

Weekly digest 12

This is already number twelve of the weekly digests! It will highlight the things that happened to and around x64dbg this week.

Reflection

Over the last three weeks there has been lots of instability going on, mostly related to disassembly speed improvements. I expected around a week of instability, but unfortunately people keep finding issues and I cannot say with certainty that all bugs are gone.

The main reason this is such an issue is that during initial development of the GUI a convenient function called GuiUpdateAllViews was introduced. This function calls the ‘force refresh’ functions of all individual views (disassembly, dump, stack, registers, sidebar, infobox, arguments, breakpoints, graph, call stack, memory map, etc.). This function is no longer called in performance-critical code (such as the function responsible for updating the GUI to represent the current context), so many implicit update calls now have to be converted to explicit ones, which is very error-prone.

Testing all the features every time something changed is extremely time-consuming, which is why x64dbg relies on users willing to be on the bleeding edge to find issues like this. I would like to thank all of you!

Releases and versioning

As for releases and versioning, release versions imply that actual effort was put in making a specific version stable. While this might be a great model for certain projects, to me it’s an absolute joke to proudly say: “We released version 0.9 today!” and two days later dismiss someone reporting a bug with: “Always pull the latest commit and compile yourself.”

To save users from compiling x64dbg every day (which is easy, you should try it), a new snapshot is uploaded to Github immediately when a new commit is pushed to the repository. If you use a certain snapshot and everything is working fine, don’t update! If you find a bug, update to the latest snapshot and see if that solved the issue. If it didn’t, open an issue. Looking for older snapshots? Get them from SourceForge! If you see a nice new feature on this blog that you would like to try, you can copy your databases and settings in that snapshot and easily try it out.

Fixed more GUI issues

This week the following GUI refresh issues were fixed:

  • Register highlighting didn’t refresh the disassembly
  • Using the ‘Set breakpoint on all commands’ didn’t update the breakpoint view
  • Browsing the disassembly history would inconsistently refresh the disassembly
  • Code folding was completely broken

Fixed inconsistent shortcuts

Pull request #1222 by kkthx fixed an inconsistent shortcut in the graph view.

Added content description in the memory map

Another pull request by kkthx implemented very basic content description of memory regions, currently based on the section names. If you can help improve this, please come up with ideas at issue #1212.

[screenshot: memory content]

Fixed an issue with format delimiters

When using the string formatting functionality, the logging of {4:[esp+4]} would fail, this now works as expected.

Add comments and labels in the graph view

Yet another pull request by kkthx allows you to add labels/comments directly from the graph view!

[screenshot: graph labels]

Add shortcut for copy RVA

The user ecx86 added the option to bind a hotkey to the ‘Copy RVA’ action in pull request #1232.

Don’t list automatic comments by default

When using the comment list it usually doesn’t make much sense to list automatic comments (usually generated by plugins). This has now been changed and they are no longer listed by default.

Plugin callback for dynamic comments

The (currently undocumented) CB_ADDRINFO plugin callback allows plugins to insert dynamically generated comments. This would allow a plugin to show context-relevant information directly in the comments.

Added more plugin templates

The PluginTemplate and ScriptDllTemplate are now extended with more variations to allow you to be more productive depending on your need.

Final words

That has been about it for this week again. If you have any questions, contact us on Telegram, Gitter or IRC. If you want to see the changes in more detail, check the commit log.

You can always get the latest release of x64dbg here. If you are interested in contributing, check out this page.

Finally, if someone is interested in hiring me to work on x64dbg more, please contact me!

Weekly digest 11

This is already number eleven of the weekly digests! It will highlight the things that happened to and around x64dbg this week.

More advanced conditional tracing

Just like conditional breakpoints there is now more advanced conditional tracing. This allows you to (conditionally) log stuff and (conditionally) execute commands during tracing. In combination with plugin commands and expression functions you can make this arbitrarily complex, yay!

[screenshot: advanced trace dialog]

Fixed more GUI update issues

Sadly the recent performance improvements have introduced lots of GUI refresh bugs. Many were fixed and even more have been solved this week…

Remember history in goto file offset and RVA

The goto dialog has an edit box that has a history (use up/down to browse it). This feature is now available in all goto dialogs.

Reverted default behavior for null and nonprint characters

There was a discussion at issue #1196 and on Reddit and it seems like nobody likes the new behavior for null and nonprint characters. It has been reverted to use dots again. If you still want to show Unicode replacements, you can add the following to the GUI section of your config file.

[GUI]
NonprintReplaceCharacter=25CA
NullReplaceCharacter=2022

Cleaner GUI look

The GUI should look a little bit cleaner now (less borders mostly), see this GIF for a comparison.

[screenshot: cleaner gui]

Traced background in reference, source and symbol view

The trace record will now also show up in various views to help you understand where you might have already been.

[screenshot: traced source]

ScyllaHide

The user gureedo has updated ScyllaHide and it should now work correctly on Windows 10 anniversary edition!

Update trace record when changing CIP manually

When you set CIP it will now execute the trace record on that address.

Allow skipping of INT3 instruction on run

The setting to skip INT3 instructions (mostly useful for ASM-level debugging) now also allows you to use the run command so INT3 instructions can be used as breakpoints directly.

Command to print stack trace

The (currently undocumented) printstack command will print the callstack in the log.

5 call stack frames (RIP = 00007FF7995A202F , RSP = 000000957F1FFD58 , RBP = 0000000000000000 ):
000000957F1FFDB0 return to 000000957F3E4829 from x64dbg.00007FF7995A202F
000000957F1FFDB8 return to x64dbg.00007FF7995A2555 from 000000957F3E4829
000000957F1FFDF8 return to kernel32.00007FFB74F013D2 from x64dbg.00007FF7995A2555
000000957F1FFE28 return to ntdll.00007FFB75B254E4 from kernel32.00007FFB74F013D2
000000957F1FFE78 return to 0000000000000000 from ntdll.00007FFB75B254E4

Set foreground on system breakpoint

Some time ago an option was introduced that would disable calls to set x64dbg as the foreground window. One of these calls is now removed, and x64dbg will always be in the foreground after you start a new debug session.

Option to not highlight operands separately

A user on Telegram requested an option to expand the highlighting of the mnemonic to the whole instruction. This has now been added and this allows you to create absolutely stunning syntax highlighting!

[screenshot: ugly af]

Removed the toggle option for certain registers

General purpose registers had an option to ‘Toggle’ their state, but this did nothing particularly useful. This option has now been removed.

Translations

Some time ago a translation was opened at Crowdin. There has been great progress and here are some of the top languages. Thanks to all the translators!

  • Spanish (95%)
  • German (86%)
  • Chinese Simplified (80%)
  • Korean (64%)
  • Russian (59%)
  • Polish (47%)
  • French (32%)

If you have some time it would be appreciated if you could translate a few sentences in your language!

Usual things

That has been about it for this week again. If you have any questions, contact us on Telegram, Gitter or IRC. If you want to see the changes in more detail, check the commit log.

You can always get the latest release of x64dbg here. If you are interested in contributing, check out this page.

Finally, if someone is interested in hiring me to work on x64dbg more, please contact me!