x64dbg usage log: start debugging and modify a program

Posted by Krematorij (Administrator)

Environment

Windows 11, x64dbg, test program

x64dbg setup

Website: https://x64dbg.com/
GitHub: https://github.com/x64dbg/x64dbg
sourceforge: https://sourceforge.net/projects/x64dbg/files/snapshots/
Note: The latest builds can be obtained from the releases page of the x64dbg GitHub project or from the sourceforge snapshots directory.
Version used here: snapshot_2022-12-12_15-45.zip
Directory listing of the unpacked archive
1673335215398.png


Note: the unpacked folder snapshot_2022-12-12_15-45 was renamed to x64dbg

Installation

Go to the release directory
1673335266614.png


Run the x96dbg.exe launcher to install x64dbg so it is registered for later debugging
Note: Because the installation performs some system setup (registry changes), a User Account Control prompt will appear
Click Install in the Launcher window to install
1673335276735.png


Note: The x32dbg and x64dbg buttons launch the debugger for the corresponding bitness. The debugger and the program being debugged must have the same bitness, and the Attach dialog (File --- Attach) only lists processes of the debugger's own bitness.
The installation options are:
shell extension --- selecting yes adds a right-click context-menu entry for debugging with x64dbg; when a program is opened this way, the launcher detects the program's bitness and starts x32dbg or x64dbg accordingly.
1673335295755.png


Note: On Windows 11 you need to right-click and then choose "Show more options" (Shift+F10) to see the entry

Desktop --- selecting yes creates two desktop shortcuts (x32dbg and x64dbg)
1673335303544.png


database icon --- selecting yes associates an icon with x64dbg database files (.dd32, .dd64) so they are easy to identify
1673335310896.png


Click OK to complete the installation
1673335349247.png


Event settings (which debug events pause the debugger)
Options --- Preferences --- Events
1673335381244.png


For this session the following events were ticked; adjust them to your needs. The Entry Breakpoint event is what makes the debugger pause at the program's entry point later on.
1673335391778.png


Language settings
Options --- Languages --- choose the target language; the change only takes effect after a restart.
On first run the default language is chosen from the system locale.
1673335401912.png


Example: with a Chinese system language, the language parameter in the configuration file generated on first run has the value zh_CN
1673335410196.png


Font settings
Options---Appearance
1673335418055.png



1673335426055.png


Test program

Source.c
Code:
#include <stdio.h>

int main(void)
{
    int a = 0;   /* initialised so a failed read does not leave garbage in a */
    printf("Please input a number:\n");
    /* scanf_s (MSVC) returns the number of fields converted: 1 on success, 0 otherwise */
    int x = scanf_s("%d", &a);
    printf("%d\n", x);
    /* the check targeted by the debugging session: multiples of 5 and 7 in (1, 200) */
    if (a % 5 == 0 && a % 7 == 0 && a > 1 && a < 200)
        printf("yes\n");
    else
        printf("no\n");
    return 0;
}

1673335489991.png

Start debugging

Entry breakpoint
Note: The debugger pauses at the executable's entry point, i.e. the CRT startup code set by the linker, not at main. The assembly shown here therefore does not correspond to the source code; execution has not yet reached the virtual addresses that implement main.
1673335532482.png


Diagnostic output from the debugger (module loads, breakpoint hits, etc.) can be viewed in the Log tab
1673335539928.png


If a program database file (.pdb) is available, the main function can be located quickly in the Symbols tab
1673335552257.png


The assembly code area corresponding to the main function
1673335562945.png


Locating the relevant assembly region
Debugging is often done without the program database file (.pdb). In that case, strings that the program displays or functions it imports can be used to guess where the relevant code is, or a decompiler can be used alongside the debugger.
Example: when the program runs it displays the string "Please input a number:"
1673335573026.png


Right-click in the CPU disassembly view --- Search for --- All User Modules --- String references
1673335580727.png


The string references are listed together with their virtual addresses
1673335591881.png


Double-click an entry to jump to the assembly code that references it
1673335599771.png


From here you can use the scrollbar or the mouse wheel to move up and inspect the surrounding assembly code
1673335607891.png


From the information shown in the disassembly view, the string "Please input a number:" lives at virtual address 140002260
Go to this address to change the data
1673335618057.png



Data modification

Select the bytes of the string and right-click --- Binary --- Edit (Ctrl+E)
1673335684089.png


The edit dialog shows the selected bytes decoded as text (here the UTF-8 view) and as hex
1673335690314.png


Modify the string
1673335698218.png


State after the modification
1673335704381.png


Note: By default the disassembly view decodes whatever is in memory as instructions, but these bytes are data, not code, so the "instructions" shown for this region are meaningless. Edit the bytes as a string in the edit dialog to get the expected result,
or switch the view of this region to a data representation so it matches what the bytes actually are
1673335712320.png


Restoring modifications

At this point the Restore button puts the original bytes back in place of the modified data
1673335737859.png


The modification only exists in the debugged process's memory. To test it, click the Restart button to reload the program
1673335743659.png


After pausing at the entry breakpoint, because I compiled with address randomisation turned off, I can simply enter the previous address; the figure below shows the effect of the modification
Note: If ASLR (/DYNAMICBASE) is enabled, the image base changes between runs, so search for the string again instead of reusing the old absolute address
1673335749903.png


Exporting changes

Export the modified binary
File menu --- Patch file
1673335774997.png


If the listed patches are correct, click the Patch File button
1673335781210.png


Then give the file a name and save it
Note: Do not save it under the original file name, because the original executable is still in use by the process being debugged
1673335788481.png



1673335795861.png


1673335802155.png


Modifying the execution flow: looking at the assembly code after the input is read, there is a jne conditional jump that, by analysis, decides which output is printed. Set a breakpoint on that instruction (F2)
1673335811916.png


After the input value is entered, execution pauses at the jne instruction
1673335819204.png


The result after execution
1673335832988.png


Double-click a call instruction to jump to the entry address of the called function and inspect its assembly code
1673335827739.png



Simple analysis

If the jne jumps, the address of the "no\n" string is loaded into rcx (the first argument under the Windows x64 calling convention) and 140001020 is called; symbol resolution shows this is printf, which prints the string. In other words, the jump selects which message is output.
Modifying the assembly instructions
From the analysis above we know that "yes" is printed only when the two jne instructions in this region do not jump and the jbe does jump.
Right-click on the line with the instruction to modify and choose Assemble
1673401242486.png



Modifying assembly instructions

Change jne to its opposite, je
Change jbe to its opposite, ja (also written jnbe)
1673336000879.png


1673401252548.png



Test verification
First conditional jump: not taken
1673335973436.png


Second conditional jump: not taken
1673335981558.png


Third conditional jump: taken
1673335941331.png


Resulting output
1673335914738.png
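As an added example (not code from the post and not x64dbg's own), here is what the three Assemble-dialog edits above amount to at the byte level. An x86/x64 conditional jump carries its condition code in the low nibble of the opcode (short form 70+cc rel8, near form 0F 80+cc rel32), and flipping bit 0 of cc negates the condition, so jne to je is 75 to 74 and jbe to ja is 76 to 77, with the instruction length unchanged. The script also shows the other common patch, forcing a branch to always or never be taken. The SAMPLE bytes are constructed to resemble the test program's checks; they are not the real compiled bytes, and the displacements are arbitrary.

```python
# Added example: inverting and forcing x86/x64 conditional jumps in raw code
# bytes. SAMPLE and EDITS are constructed assumptions, not the real program.
JCC_NAMES = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
             "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def decode_jcc(code: bytes, off: int):
    """Return (mnemonic, length, rel) for the Jcc at off, or None if not a Jcc."""
    op = code[off]
    if 0x70 <= op <= 0x7F:                                   # short form: 7x rel8
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        return JCC_NAMES[op & 0xF], 2, rel
    if op == 0x0F and off + 1 < len(code) and 0x80 <= code[off + 1] <= 0x8F:
        rel = int.from_bytes(code[off + 2:off + 6], "little", signed=True)
        return JCC_NAMES[code[off + 1] & 0xF], 6, rel        # near form: 0F 8x rel32
    return None


def invert_jcc(code: bytes, off: int) -> bytes:
    """Negate the condition (je<->jne, jbe<->ja, ...) by flipping bit 0 of cc."""
    if decode_jcc(code, off) is None:
        raise ValueError("no conditional jump at offset %#x" % off)
    out = bytearray(code)
    cc_idx = off + 1 if code[off] == 0x0F else off
    out[cc_idx] ^= 1
    return bytes(out)


def force_jcc(code: bytes, off: int, taken: bool) -> bytes:
    """Make the branch unconditional: jmp (always taken) or NOPs (never taken).
    The replacement keeps the instruction length, so later addresses do not
    shift and the relative displacement stays valid (same instruction end)."""
    decoded = decode_jcc(code, off)
    if decoded is None:
        raise ValueError("no conditional jump at offset %#x" % off)
    length = decoded[1]
    out = bytearray(code)
    if not taken:
        out[off:off + length] = b"\x90" * length             # nop padding
    elif length == 2:
        out[off] = 0xEB                                      # jmp rel8
    else:
        out[off:off + 2] = b"\x90\xE9"                       # nop ; jmp rel32
    return bytes(out)


# Constructed bytes shaped like the compiled checks: test/jne for a % 5,
# test/jne for a % 7, and a near jbe for the range test.
SAMPLE = bytes.fromhex("85D2 752A 85D2 751E 0F86 1A000000")
EDITS = [(2, "je"), (6, "je"), (8, "ja")]   # the three edits made in the post


def apply_post_edits(code: bytes = SAMPLE) -> bytes:
    """Invert the three jumps and check each now decodes to the expected mnemonic."""
    for off, expected in EDITS:
        code = invert_jcc(code, off)
        assert decode_jcc(code, off)[0] == expected, (off, decode_jcc(code, off))
    return code


if __name__ == "__main__":
    patched = apply_post_edits()
    for off, _ in EDITS:
        print("%#x: %s -> %s" % (off, decode_jcc(SAMPLE, off)[0], decode_jcc(patched, off)[0]))
```

The same flips can be applied to a file on disk by combining this with a VA-to-file-offset lookup; the important invariant is that every replacement is exactly as long as the instruction it overwrites, which is also why the Assemble dialog refuses or pads an encoding of a different size.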


Changing the flag register

Alternatively, you can change the value of the relevant flag in the registers pane to influence the outcome of the conditional jump for testing purposes (jne jumps when the zero flag is clear):
zf=0 jne jumps
1673335906586.png


zf=1 jne does not jump
1673335900790.png



Comments

To aid debugging, comments can be added to the relevant instruction lines to record functionality that has been tested or guessed, for later analysis
Right-click on the line with the instruction and choose Comment (shortcut ;)
1673335884225.png


The comment appears next to the instruction; it can be edited later by selecting the same menu entry on that line:
1673335878289.png
 