Environment

Windows 11, x64dbg, and a small C test program (source below)

x64dbg setup

Website: https://x64dbg.com/

GitHub: https://github.com/x64dbg/x64dbg

SourceForge: https://sourceforge.net/projects/x64dbg/files/snapshots/

Note: The latest builds can be downloaded from the releases page of the x64dbg GitHub project or from SourceForge

Version used here: snapshot_2022-12-12_15-45.zip

Directory layout after unpacking

[image]

Note: The unpacked folder snapshot_2022-12-12_15-45 was renamed to x64dbg

Installation

Go to the release directory

[image]

Run x96dbg.exe (the launcher) to perform the one-time setup used for later debugging

Note: Because the setup performs some system configuration, a User Account Control prompt will appear

Click Install in the launcher window

[image]

Note: The x32dbg and x64dbg buttons start the debugger for 32-bit and 64-bit targets respectively. The debugger and the program being debugged must have the same bitness, and the Attach dialog only lists processes of the same bitness as the running debugger.

The installation options are:

Shell extension: selecting Yes adds an entry to the Explorer right-click menu. When an executable is opened this way, the launcher detects whether it is 32-bit or 64-bit and starts the matching debugger.

[image]

Note: On Windows 11 you must right-click and choose "Show more options" (or press Shift+F10) to see this entry

Desktop: selecting Yes creates two desktop shortcuts (one for each debugger bitness)

[image]

Database icon: selecting Yes associates an icon with x64dbg database files (.dd32, .dd64) so they are easy to recognise

[image]

Click OK to complete the installation

[image]

Event settings

Options → Preferences

[image]

For this session the following events are checked; adjust them to your needs. The Entry Breakpoint event is what pauses the debugger at the executable's entry point, which the debugging section below relies on.

[image]

Language settings

Options → Languages → choose the target language; the change takes effect after x64dbg is restarted.

On first run the language is chosen from the system locale.

[image]

Example: with the system language set to Chinese, the configuration file generated after the first run has the Language value zh_CN

[image]

Font settings

Options → Appearance

[image]

[image]

Test program

Source.c

Code:

#include <stdio.h>

int main()
{
    int a;
    printf("Please input a number:\n");
    /* scanf_s (MSVC) returns the number of fields assigned: 1 on success, 0 or EOF otherwise.
       On failure `a` stays uninitialised; acceptable for this test program. */
    int x = scanf_s("%d", &a);
    printf("%d\n", x);
    /* Prints "yes" only for multiples of 35 strictly between 1 and 200: 35, 70, 105, 140, 175. */
    if (a % 5 == 0 && a % 7 == 0 && a > 1 && a < 200)
        printf("yes\n");
    else
        printf("no\n");
    return 0;
}

[image]

Start debugging

Entry breakpoint.

Note: The debugger pauses at the entry point chosen by the linker (the C runtime start-up code), so the assembly shown here does not correspond to the source of main; execution has not yet reached the addresses that correspond to the source code

[image]

Some of the debugger's diagnostic output can be viewed in the Log tab

[image]

If a program database file (.pdb) is available, the main function can be located quickly in the Symbols tab

[image]

The disassembly of the main function

[image]

Locating the relevant assembly region

Debugging is often done without a .pdb, in which case strings or imported functions can be used to guess which code is responsible for a given behaviour and to locate the relevant region; a decompiler can also help.

Example: after running the program, the following string is displayed: Please input a number:

[image]

Right-click in the CPU disassembly view → Search for → All User Modules → String references

[image]

The string references are listed together with the virtual address of each string

[image]

Double-click an entry to jump to the code that references it

[image]

From there, use the scroll bar or mouse wheel to move up and down through the surrounding assembly

[image]

From the information in the disassembly view, the string Please input a number: is located at virtual address 140002260 (with the default x64 image base of 140000000, that is RVA 2260)

You can go to this address and change the data

[image]

Data modification

Right-click in the highlighted region

[image]

In the edit dialog, the content shows the selected bytes decoded as a string (the UTF-8 field)

[image]

Modify

[image]

Modified state

[image]

Note: The disassembly view decodes whatever is in memory as instructions by default, but these bytes are string data, not code. In the edit dialog, therefore, edit the field that decodes the bytes as a string so the result matches what the program will print, and keep in mind that an in-place edit must not be longer than the original string, or it overwrites whatever follows it in memory.

Alternatively, change how the region is displayed so that it is shown as data rather than instructions

[image]

Restore modifications

Clicking Restore returns the modified bytes to their original values

[image]

The edit above lives only in memory; click the Restart button to reload the program

[image]

After the entry breakpoint is hit, the previous address can be entered again because the program was compiled with address space layout randomisation (ASLR) disabled; the figure below shows the effect of the modification

Note: If ASLR is enabled, the module is loaded at a different base on each run, so search for the string again (or use module base + RVA) before editing

[image]

Exporting changes

Export the modified binary file

File button

[image]

If none of the listed patches need to be deselected, just click the Patch File button.

[image]

Then choose a name and save

Note: Do not use the original file name: the original is still loaded by the debugger and in use.

[image]

[image]

[image]
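As an added example (not part of the original tutorial, and not x64dbg's own code), the following Python script performs the same kind of patch at file level: it locates a NUL-terminated string in a copy of the binary by byte search, overwrites it in place, and writes the result under a new name. x64dbg's Patch File does the virtual-address to file-offset mapping for you; the script sidesteps that by searching the file directly. The sample bytes, the replacement text and the file names are constructed for illustration and are not taken from the tutorial's binary.

```python
# Added example, not from the tutorial or from x64dbg: file-level string patching.
# It mirrors the tutorial's edit (change "Please input a number:" in memory, then
# export with Patch File) but works on a copy of the file with a byte search.
from pathlib import Path


def find_c_strings(data: bytes, text: bytes) -> list[int]:
    """Offsets where `text` occurs as a complete NUL-terminated C string.

    Requiring the terminator rules out matches that are merely the prefix of a
    longer string, which would leave a truncated tail behind after patching.
    """
    hits, start = [], 0
    while True:
        i = data.find(text, start)
        if i < 0:
            return hits
        if data[i + len(text):i + len(text) + 1] == b"\x00":
            hits.append(i)
        start = i + 1


def patch_c_string(data: bytes, old: bytes, new: bytes) -> tuple[bytes, list[int]]:
    """Replace every complete occurrence of `old` with `new`, in place.

    The string sits in the read-only data section between other literals, so
    the replacement must not be longer than the original (it would overwrite
    the next literal); a shorter one is NUL-padded to the original length.
    """
    if len(new) > len(old):
        raise ValueError(
            f"replacement is {len(new) - len(old)} byte(s) too long for an in-place patch")
    offsets = find_c_strings(data, old)
    if not offsets:
        raise ValueError("string not found as a NUL-terminated literal")
    buf = bytearray(data)
    padded = new + b"\x00" * (len(old) - len(new))
    for off in offsets:
        buf[off:off + len(old)] = padded
    return bytes(buf), offsets


def patch_file(src: Path, dst: Path, old: bytes, new: bytes) -> list[int]:
    """Write the patched copy under a new name; never overwrite the original,
    which is still mapped by the debugger (the tutorial's naming caveat)."""
    if src.resolve() == dst.resolve():
        raise ValueError("write the patch to a different file name")
    patched, offsets = patch_c_string(src.read_bytes(), old, new)
    dst.write_bytes(patched)
    return offsets


# Constructed stand-in for the test program's read-only data: a fake header
# followed by the literals from Source.c, each NUL-terminated (assumed layout).
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + b"Please input a number:\n\x00"
          + b"%d\n\x00" + b"yes\n\x00" + b"no\n\x00")


def demo() -> tuple[bytes, list[int]]:
    """Patch the prompt in the constructed sample; returns (patched bytes, offsets)."""
    return patch_c_string(SAMPLE, b"Please input a number:\n", b"Enter a number:\n")


if __name__ == "__main__":
    patched_bytes, hit_offsets = demo()
    print("patched at offsets", [hex(o) for o in hit_offsets])
    print(patched_bytes[hit_offsets[0]:hit_offsets[0] + 24])
```

Usage on a real file would be `patch_file(Path("test.exe"), Path("test_patched.exe"), b"Please input a number:\n", b"Enter a number:\n")`; the too-long check is the same constraint the in-memory edit in x64dbg is subject to.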

To modify the execution flow, inspect the assembly: there is a jne whose outcome, from the analysis, determines the output. Set a breakpoint on that instruction.

[image]

After the input value is entered and confirmed, execution pauses at the jne

[image]

The result after execution

[image]

Double-click a call to go to the entry address of the called function and inspect its assembly

[image]

Simple analysis

When the jne jumps, the address of the "no\n" string is loaded into rcx (the first argument register in the Windows x64 calling convention) and 140001020 is called; the symbol shown for that address identifies it as the call to printf, which prints the string. This is the code path that outputs "no".

Modifying the assembly instructions.

From the analysis above, the program prints yes when neither of the two jne instructions in this region jumps and the jbe does jump. (An unsigned jbe is a common way for a compiler to fold the signed range test a > 1 && a < 200 into a single comparison of a - 2 against 197.)

Right-click the line with the instruction to be changed and select Assemble

[image]

Modifying assembly instructions

Change jne to its complement, je

Change jbe to its complement, ja (also written jnbe)

[image]

[image]

Test verification

Jump not taken

[image]

Jump not taken

[image]

Jump taken

[image]

Resulting output

[image]

Changing the flag register

Instead of patching the instruction, you can also change the relevant flag in the registers view to influence the outcome of the conditional jump

ZF=0: jne jumps

[image]

ZF=1: jne does not jump

(For the other jump in this region: jbe is taken when CF=1 or ZF=1, and ja when both are 0.)

[image]
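As an added example (not from the tutorial or from x64dbg) covering both the instruction patch and the flag change above: x86 encodes the condition of every Jcc in the low nibble of its opcode, and complementary conditions differ only in the lowest bit, so inverting a conditional jump is a one-bit patch (jne 75 becomes je 74, jbe 76 becomes ja 77, and likewise for the two-byte 0F 8x near form). The script below applies that patch to a constructed code sequence shaped like the tutorial's checks, predicts from the flag values whether a given Jcc is taken, and shows why an unsigned jbe can implement the signed test a > 1 && a < 200. The byte sequence and the offsets are constructed for illustration, not taken from the tutorial's binary.

```python
# Added example, not from the tutorial or from x64dbg: inverting conditional jumps
# by patching one bit of the opcode, and predicting a Jcc from the flags.

# Condition code (low nibble of a Jcc opcode) -> mnemonic. Even/odd pairs are complements.
JCC = {0x0: "jo", 0x1: "jno", 0x2: "jb", 0x3: "jae", 0x4: "je", 0x5: "jne",
       0x6: "jbe", 0x7: "ja", 0x8: "js", 0x9: "jns", 0xA: "jp", 0xB: "jnp",
       0xC: "jl", 0xD: "jge", 0xE: "jle", 0xF: "jg"}


def decode_jcc(code: bytes, off: int) -> tuple[int, int]:
    """Return (condition code, index of the byte holding it) for the Jcc at `off`.

    Short form: 7x rel8. Near form: 0F 8x rel32. Anything else is not a Jcc.
    """
    op = code[off]
    if 0x70 <= op <= 0x7F:
        return op & 0xF, off
    if op == 0x0F and off + 1 < len(code) and 0x80 <= code[off + 1] <= 0x8F:
        return code[off + 1] & 0xF, off + 1
    raise ValueError(f"no conditional jump at offset {off:#x}")


def invert_jcc(code: bytes, off: int) -> tuple[bytes, str, str]:
    """Flip the Jcc at `off` to its complement (jne<->je, jbe<->ja, ...).

    Only the opcode byte changes; the jump's length and target are untouched,
    so the patch is exactly the size of the original instruction.
    """
    cc, idx = decode_jcc(code, off)
    buf = bytearray(code)
    buf[idx] ^= 1
    return bytes(buf), JCC[cc], JCC[cc ^ 1]


def jcc_taken(cc: int, cf=0, zf=0, sf=0, of=0, pf=0) -> bool:
    """Whether condition `cc` holds for the given flag bits (the Jcc table).

    This is what the tutorial exercises by editing ZF: jne (cc=5) is taken
    when ZF=0; jbe (cc=6) when CF=1 or ZF=1; ja (cc=7) when CF=0 and ZF=0.
    """
    base = {0x0: of, 0x2: cf, 0x4: zf, 0x6: cf | zf,
            0x8: sf, 0xA: pf, 0xC: sf ^ of, 0xE: zf | (sf ^ of)}[cc & 0xE]
    return bool(base ^ (cc & 1))          # odd codes are the negated condition


def folded_range_check(a: int) -> bool:
    """The unsigned test a compiler may emit for `a > 1 && a < 200`:
    (a - 2) as a 32-bit unsigned value is <= 197 exactly when 2 <= a <= 199,
    so one cmp/jbe replaces two signed comparisons."""
    return ((a - 2) & 0xFFFFFFFF) <= 197


# Constructed code shaped like the tutorial's checks (assumed, not the real binary):
CODE = bytes([
    0x85, 0xD2,                     # test edx, edx   (remainder of a division)
    0x75, 0x0A,                     # jne  +0x0A      -> "no" path if remainder != 0
    0x83, 0xE8, 0x02,               # sub  eax, 2
    0x3D, 0xC5, 0x00, 0x00, 0x00,   # cmp  eax, 197
    0x76, 0x05,                     # jbe  +5         -> "yes" path if 2 <= a <= 199
])
JNE_OFF, JBE_OFF = 2, 12


def patch_both() -> bytes:
    """Apply the tutorial's two edits: jne -> je and jbe -> ja."""
    patched, _, _ = invert_jcc(CODE, JNE_OFF)
    patched, _, _ = invert_jcc(patched, JBE_OFF)
    return patched


if __name__ == "__main__":
    for off in (JNE_OFF, JBE_OFF):
        _, before, after = invert_jcc(CODE, off)
        print(f"offset {off:#x}: {before} -> {after}")
    print("jne taken with ZF=0:", jcc_taken(0x5, zf=0), " ZF=1:", jcc_taken(0x5, zf=1))
```

The one-bit rule is what makes the Assemble dialog edits in the tutorial byte-for-byte safe: je and jne (or ja and jbe) encode to the same length, so no surrounding instruction shifts.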

Comments

To make later analysis easier, add comments to the relevant instruction lines recording the functions that were tested or guessed

Right-click the line with the instruction and choose Comment

[image]

The added comment appears next to the instruction; it can be edited later by selecting the same menu item:

[image]