x64dbgbot
@x64dbgbot
<mrexodia> Also, Multimate Assembler is a great plugin worth mentioning
<billy-jon> There seems to be a bug relating to int3 bps and remapping. Bps get to a point where the disassembly view does not show them as present, but the bp window says they are there and enabled. When that happens, I cannot delete them or enable/disable them.
<billy-jon> It seems like it has something to do with how bps are stored. If I create them after the remapping, I'm guessing that the debugger doesn't know to store them as relative to a particular module's base address and instead stores absolute addresses.
<billy-jon> But if I restart the process and there now IS a module there, even though the literal address is unchanged, things bug out.
<mrexodia> Remapping?
<mrexodia> Breakpoints are stored as module+rva or if there is no module as an absolute address
<billy-jon> Sorry, I had been under the impression that you have looked at the Blizzard anti-debug stuff. They will remap the binary with CreateFile(), memcpy, MapViewOfFile() or some such thing to give SEC_NO_CHANGE to the whole binary, just like what is described here: https://github.com/changeofpace/Self-Remapping-Code
<billy-jon> Incidentally, it would be awesome if the db files for each program could be plaintext like JSON or something, so I could go and remove those bps manually.
<Nukem> They are plaintext/JSON if compression is disabled.
<billy-jon> Once the debugger encounters an int3 bp it doesn't expect to be there, I can't figure out how to get execution to continue.
<billy-jon> Oh, look at that, thanks.
<billy-jon> Okay, so yeah, the problematic bps seem to be ones that I created after the remap.
<billy-jon> They are in the dd64 file for the binary as absolute addresses.
<billy-jon> If I start the process, paused at the entry point, I cannot delete those bps.
<billy-jon> It says: No such breakpoint "0x<address>"
<billy-jon> Erm, no 0x.
<billy-jon> If I allow the app to execute until the remap happens, and use the ForcePageProtection plugin, I can disable, but not enable, the bp. When I try to re-enable the bp in this case it says: Could not enable breakpoint <address> (SetBPX)
<billy-jon> It seems like there is some kind of sanity check on whether an int3 is due to a bp created by the debugger, and that sanity check does not support remapped code. Something like this: "is_my_int3(ea) { if is_in_module(ea) and rva_bp_exists(ea_to_rva(ea)) { return true; } else if abs_bp_exists(ea) { return true; } else { return false; } }"
<billy-jon> But probably when the bp is first applied it should remember the ea and check against that later on.
<mrexodia> Did you try using a virtual module? (re @x64dbg_bot: <billy-jon> okay so yeah the problematic bps seem to be ones that i created after the remap)
<billy-jon> mrexodia, no, I don't think I knew that x64dbg could do that.
<mrexodia> “Can do that” haha
<mrexodia> More like kinda can do it maybe
<Nukem> quality 👏 software 👏
<levitanious> (free and open-source, tho)
<levitanious> (also pretty badass)
<levitanious> A wise old man once said: "You make a punchline of what I cannot do and berate me for what I can... send patches, young one!" 😂
<kaens> People would even berate the wise men :<
<levitanious> I mean, I'm no wise man and I guess the old man was clearly trying to make it onto reddit's fp at the time.
<levitanious> But the idea! That matters.
<levitanious> <attempt at humour, badum-tsss>
<kaens> A wisecracker is one who can make em patches, amirite?
<Nukem> lol
<kaens> Wish I could chat to the Chinese community. Keep seeing so many weird protections for minor engines
<billy-jon> I'm not making jokes about it. I just didn't know it could.
<shepz> Hi, who knows where StrongOD can be bought? :)
<shepz> Who has a plugin or bypass for VMProtect on x64 (ScyllaHide doesn't work on my file)? PM
<mrexodia> Just read the ScyllaHide issues or use TitanHide
<hans_> wonders how to check if one is banned from a github issue tracker or not
<hans__> any idea if TitanHide constantly has an open handle to C:\TitanHide.log or if it's just opened when it needs to be?
<hans__> nvm, it's the latter
<firelegend> Does x64dbg implement mem bp on execution via PAGE_GUARD or by removing the PAGE_EXECUTE_READWRITE flag?
<firelegend> I was grepping through the code to figure that out.
<levitanious> Have you tried opening the x64dbg itself and going to breakpoints tab?
<levitanious> There's conditional breakpoints context menu.
<levitanious> Maybe it has what you're looking for.
<ARCHANGEL_ahteam> Why do you need this info? (re @x64dbg_bot: <firelegend> Does x64dbg implement mem bp on execution via PAGE_GUARD or by removing the PAGE_EXECUTE_READWRITE flag?)
<firelegend> Just writing my own memory tracer tool for a project.
<ARCHANGEL_ahteam> Use PAGE_GUARD, it will work