x64dbgbot
@x64dbgbot
<mrexodia> Hm? (re @x64dbg_bot: <SunBeam> not cool, man, not cool 😄)
x64dbgbot
@x64dbgbot
<SunBeam> x64 programs need to be disassembled, apparently 😦
<SunBeam> no other way due to variable length instructions and other crap
<SunBeam> was hoping to find some formula or some simplified code; but that dis.sel() kinda says it all
x64dbgbot
@x64dbgbot
<mrexodia> Simplified code to do what? It's just passing the disassembly selection to the command
x64dbgbot
@x64dbgbot
<c0rt3x0> @mrexodia we will have any major update on x64dbg or st3p by step
<c0rt3x0> ???
<mrexodia> What kind of update are you looking for? (re @c0rt3x0: @mrexodia we will have any major update on x64dbg or st3p by step)
x64dbgbot
@x64dbgbot
<c0rt3x0> For the strings
<c0rt3x0> Specially
x64dbgbot
@x64dbgbot
<mrexodia> Pull requests with fixes are welcome
<mrexodia> Likely this is what caused the issue x64dbg/x64dbg#2482
x64dbgbot
@x64dbgbot
<SunBeam> hey, I already asked in the beginning of my quest what I was looking for
<SunBeam> you seem to fixate on some elements and get stranded there
<SunBeam> I asked for a simple METHOD to scan an entire executable for static executable code references of a (static) pointer
<SunBeam> then looked at the documentation for leads on how "Find references > Address: X" works
<SunBeam> then said "oh, so that's how it works; nothing simple" > imbricated high-level programming, function calling function calling function
<SunBeam> bottom line being you need to disassemble/dissect the executable to be able to start formulating a way in which to scan for mnemonics like "mov r64,[ptr]", "lea r64,[ptr]", etc. -- all possibilities
<SunBeam> if it's not something you can do with some pattern scanner or w.e., then just say "it's more complicated than that" instead of asking simple questions denoting you couldn't be arsed reading the entire story
<SunBeam> I even left 2 pictures showing what I'm looking for; I don't want to do it in x64dbg, I want to understand HOW IT WORKS 🙂
x64dbgbot
@x64dbgbot
<SunBeam> so I can think of reliable ways to scan, for example, a 500MB executable for a static -- [14556C8800] -- and I'd get in return lines with "mov rax,[14556C8800]", "lea rax,[14556C8800]", "mov [14556C8800],rax", etc.
<ThisIsLibra> This group is a gold mine for entitled requests
x64dbgbot
@x64dbgbot
<EvilSapphire> Dude just dump the pe with scylla and open it on ida or something to get the references. Ida has great cross reference detection
x64dbgbot
@x64dbgbot
<SunBeam> the intention here is not analysis of a file; it's coding a PROXY DLL that SCANS an entire PE of 500MB for a "mov rax,[addr]" reference
<SunBeam> and this - the scanning - happens when the process starts
<SunBeam> I cannot use some pattern to find it because it's a dynamic initializer function in initterm (it's run in TLS)
<SunBeam> then I can't use a hardcoded offset because when the game updates, bye bye offsetting.. the function will change offset/position in initterm tree most likely, this (the position) being determined by the compiler
<SunBeam> so then I thought "what if I find all references for the static address I need and filter/pick the one reference I want?"
<SunBeam> but as it turns out, doing this to find ANY possibility of a mnemonic involving that static address across the entire executable code space of the game will take an enormous amount of time to scan for; file's protected with Denuvo, which means Denuvo has moved all that exec code with length larger than 5 bytes to its gynormously allocated section
<SunBeam> exe is 500+MB 😄
x64dbgbot
@x64dbgbot
<Matti> yes holy shit
<Matti> 'request' is putting it mildly
<SunBeam> k, hope it makes more sense now
x64dbgbot
@x64dbgbot
<mrexodia> ah this
<xuan2261> hello
<mrexodia> it just disassembles linearly and checks the operands
<xuan2261> Someone suggested this to me and I don't know what to do and where to start

<xuan2261> "VMP puts a fake native Layer and due to this you won't see any proper Runtime File in the memory because that is executed using the data available in vmp0 section.

Remove VMP by putting bp just before the execution call in x64dbg and you can Dump Runtime and Main EXE without VMP but as the vmp Section is removed so file won't start."

<xuan2261> Can someone guide me to follow the suggestions above?
x64dbgbot
@x64dbgbot
<raven224> you cannot strip off VMP LOL (re @x64dbg_bot: <xuan2261> i want remove VMP
https://cdn.discordapp.com/attachments/360907625837101067/888432334846701628/unknown.png)
<SWaNk> Well, you can but it is far from trivial... (re @raven224: you cannot strip off VMP LOL)
x64dbgbot
@x64dbgbot
<SWaNk> Unpack vmprotect is not an easy task
<raven224> yeah that what i meant.
i was talking regardless of the above steps he mentioned (re @SWaNk: Well, you can but it is far from trivial...)
<SWaNk> Yeah... way more steps than that lol... (re @raven224: yeah that what i meant.
i was talking regardless of the above steps he mentioned)
<raven224> Need to understand the Virtual machine first over those obfuscation/mutations.
<SWaNk> Right Click protector line in DIE and hit del... Easy like that 😂
<SWaNk> Yeah... not trivial (re @raven224: Need to understand the Virtual machine first over those obfuscation/mutations.)
<raven224> Haha that'd much easier (re @SWaNk: Right Click protector line in DIE and hit del... Easy like that 😂)