x64dbg

[s0me0n3]

I have mutliple HDDs, too, all splitted into seperated partitions.

I have my x64_dbg on th C drive, so please explain what you do:
Where lays the debugger? Where do you try to debug? Did you tried running the debugger as admin to ensure you have the right to read and write on every path? Does it happens with ANY file you try to debug? Do you tried it over a network path or do you simply tried debugging a file from your normal windows from another partition?

Some more info will help finding and fixing the problem.

[mr.exodia]

Hi,

I have also noticed this problem, I think there is some bug with both TitanEngine (DLLLoader) and x64_dbg. Unfortunately I cannot reproduce the bug very well.

Greetings

[ahmadmansoor]

Hi Mr.exodia
how I can get the line ( address + hex + assemble command ) at GUI ?.
and how I can refresh the GUI after change some hex value ?

[Insid3Code]

"invalid pe" Bug (Flash movie attached):

PHP Code:

http://www.mediafire.com/download/pwagwb0oppzmx5p/demo001.rar 


[mr.exodia]

@ahmadmansoor: Copying this is not yet possible, same for the plugin API. This is on the todo list however. Refreshing the GUI is possible using the following APIs:

Code:

BRIDGE_IMPEXP void GuiUpdateAllViews();
BRIDGE_IMPEXP void GuiUpdateRegisterView();
BRIDGE_IMPEXP void GuiUpdateDisassemblyView();
BRIDGE_IMPEXP void GuiUpdateBreakpointsView();

@Insid3code: please try this 'fix' the only problem I could think of was something with virtual devices, but I just cannot reproduce the bug here. https://mega.co.nz/#!H5xlDBqb!j8cRrh3r4a89vXr00yPf_jYI5Oq7Cwx5H_7dSiyCm64

Greetings

[ahmadmansoor]

Hi mr.exodia
no my friend the problem came form here ((DevicePathToPath))
specially from this command

Quote:

if(!_strnicmp(devicepath, curDevice, x)) //we match the device

I think u useing it wrong

this is how I modify the code to make it work

Quote:

bool DevicePathToPath(const char* devicepath, char* path, size_t path_size)
{
if(!devicepath or !path)
return false;
char curDrive[3]=" :";
char curDevice[MAX_PATH]="";
for(char drive='C'; drive<='Z'; drive++)
{
*curDrive=drive;
if(!QueryDosDeviceA(curDrive, curDevice, MAX_PATH))
continue;

std::string str(curDevice);
std::string str1(devicepath);
std::string temp,temp1;
int x=0;
for (int i=0;i<=str1.size();i++)
{
temp1=str1.substr(i,1);
if (temp1.compare("\\")==0){x=x+1;};
if (x==3){x=i;break;};
}
str1=str1.substr(0,x);
if(str1.compare(str)==0 )
{
//if(strlen(devicepath)-curDevice_len>=path_size)
if(strlen(devicepath)-x>=path_size)
return false;
//sprintf(path, "%s%s", curDrive, devicepath+curDevice_len);
sprintf(path, "%s%s", curDrive, devicepath+x);
return true;
}
}
return false;
}

note : I just like to work with string than other lab lab ( char -const char ...)

please try the attached files .
bs : thanks for the hint for Refreshing GUI

well, i will try to debug dos, hope it support.

[mr.exodia]

@ahmadmansoor: you code does exactly the same. You function will not work with memdisks etc. strincmp just compares the beginning of the strings with the number of character of the device name. Take a look here for the source code from Scylla of this function: http://bitbucket.org/mrexodia/devicenameresolver

@nonepe: it will not work lol

Greetings

[n00b]

@mr.exodia: I have to just say, I am truly amazed by your work so far - thus far, I have been able to work my way around several x64 targets that I probably wouldn't have been able todo properly with for instance IDA..

So thanks a million for this epic work bro, and thanks again for the testplugin that you made - really helped alot

[mr.exodia]

@n00b: glad you like it! feel free to post feature suggestions anytime, so your experience can be improved.

Greetings

[ahmadmansoor]

Hi mr.exodia :
no my friend I am sure that my code work 100% with all devices , I have try it on flash memory and the driver was V:\
and it work very fine without any problem .
I explain the problem ,why this happen with u .
Look after u make the GetMappedFileNameA

devicepath will be like this "\Device\HarddiskVolume19\T1\WinRAR\WinRAR.exe" const char *
the important thing is (( \Device\HarddiskVolume19 )) -on my PC it is S:\ Disk- this is our harddisk or flash disk name form root .
now u begin go in a loop to find the root name of each disk and make compare .
when u reach the to disk which have a name like ur hard disk name but without (( 9 )) at the end (( \Device\HarddiskVolume1 )) <<< this is G:\ disk on my PC -
and as will as ur length compare is wrong too so when u make compare with ur _strnicmp which will gave u the result = 0 so it pass the compare(if condition) and change the path of our exe to this
"G9\T1\WinRAR\WinRAR.exe" ,by this the next check will wrong too by this string of path.
then u will be not able to load the target .

please try this package again I am sure 100% it work and I can upload a movie prove that it work .

[ahmadmansoor]

Lol 163 views through 45 min ...
x64_dbg is become a very desired debugger .... very Good mr.exodia

this is full package for both x32 and x64 , so anyone can try and give us the result pls .

Quote:

https://drive.google.com/file/d/0B402C-bcZm3la1BVMXJaVTJtbTA/edit?usp=sharing

[Carbon]

@ahmadmansoor

There is still a bug with QueryDosDevice. This API cannot resolve all devices like encrypted devices.

I had the same bug in scylla https://github.com/NtQuery/Scylla/commit/67d62b4a2c4d7561b53bd595ca1fda51416ac20f

But there is still a problem with network devices.

[ahmadmansoor]

nop my friend I try it on network folder and was working very will .
did u try the package my friend ??
I think I will upload a flash movie .

[mr.exodia]

@ahmadmansoorn I think I see what was wrong with my code, but its fixed already using Aguila's code

Greetings