When using x64dbg you can often use various things as input.
Commands have the following format:
command arg1, arg2, argN
Variables optionally start with a $ and can only store one DWORD (QWORD on x64).
All registers (of all sizes) can be used as variables.
_x87CW_UMCAX , CBX , CCX , CDX , CSP , CBP , CSI , CDI , CIP. These registers are mapped to 32-bit registers on 32-bit platform, and to 64-bit registers on 64-bit platform. For example, CIP is EIP on 32-bit platform, and is RIP on 64-bit platform. This feature is intended to support architecture-independent code.You can read/write from/to a memory location by using one of the following expressions:
[addr] read a DWORD/QWORD from addr.n:[addr] read n bytes from addr.seg:[addr] read a DWORD/QWORD from a segment at addr.byte:[addr] read a BYTE from addr.word:[addr] read a WORD from addr.dword:[addr] read a DWORD from addr.qword:[addr] read a QWORD from addr (x64 only).n is the amount of bytes to read, this can be anything smaller than 4 on x32 and smaller than 8 on x64 when specified, otherwise there will be an error.seg can be gs, es, cs, fs, ds, ss. Only fs and gs have an effect.Debug flags (interpreted as integer) can be used as input. Flags are prefixed with an _ followed by the flag name. Valid flags are: _cf, _pf, _af, _zf, _sf, _tf, _if, _df, _of, _rf, _vm, _ac, _vif, _vip and _id.
All numbers are interpreted as hex by default! If you want to be sure, you can x or 0x as a prefix. Decimal numbers can be used by prefixing the number with a dot: .123=7B.
See the expressions section for more information.
User-defined labels and symbols are a valid expressions (they resolve to the address of said label/symbol).
Type GetProcAddress and it will automatically be resolved to the actual address of the function. To explicitly define from which module to load the API, use: [module].dll:[api] or [module]:[api]. In a similar way you can resolve ordinals, try [module]:[ordinal]. Another macro allows you to get the loaded base of a module. When [module] is an empty string :GetProcAddress for example, the module that is currently selected in the CPU will be used.
If you want to access the loaded module base, you can write: [module]:0, [module]:base, [module]:imagebase or [module]:header.
If you want to access a module RVA you can either write [module]:0+[rva] or you can write [module]:$[rva]. If you want to convert a file offset to a VA you can use [module]:#[offset]. When [module] is an empty string :0 for example, the module that is currently selected in the CPU will be used.
To access a module entry point you can write [module]:entry, [module]:oep or [module]:ep. Notice that when there are exports with the names entry, oep or ep the address of these will be returned instead.
Instead of the : delimiter you can also use a . If you need to query module information such as [module]:imagebase or [module]:entry you are advised to use a ? as delimiter instead: [module]?entry. The ? delimiter does checking for named exports later, so it will still work when there is an export called entry in the module.
Input for arguments can always be done in any of the above forms, except if stated otherwise.
字符格式
This section explains the simple string formatter built into x64dbg.
The basic syntax is {?:expression} where ? is the optional type of the expression. The default type is x. To output { or } in the result, escape them as {{ or }}.
d signed decimal: -3u unsigned decimal: 57329171p zero prefixed pointer: 0000000410007683s string pointer: this is a stringx hex: 3C28Aa address info: 00401010 <module.EntryPoint>i instruction text: jmp 0x77ac3c87// "[]" 中括号表示可选的意思
{mem;size@address} will print the size bytes starting at address in hex.
{winerror@code} will print the name of windows error code(returned with GetLastError()) and the description of it(with FormatMessage). It is similar to ErrLookup utility.
{ntstatus@code} will print the name of NTSTATUS error code and the description of it(with FormatMessage).
{ascii[;length]@address} will print the ASCII string at address with an optional length (in bytes).
{ansi[;length]@address} will print the ANSI string at address with an optional length (in bytes).
{utf8[;length]@address} will print the UTF-8 string at address with an optional length (in bytes).
{utf16[;length]@address} will print the UTF-16 string at address with an optional length (in words).
{disasm@address} will print the disassembly at address (equivalent to {i:address}).
{modname@address} will print the name of the module at address.
{bswap[;size]@value} will byte-swap value for a specified size (size of pointer per default).
rax: {rax} formats to rax: 4C76password: {s:4*ecx+0x402000} formats to password: L"s3cret"{x:bswap(rax)} where rax=0000000078D333E0 formats to E033D37800000000 because of bswap fun which reverse the hex value{bswap;4@rax} where rax=1122334455667788 formats to 88776655When using the log command you should put quotes around the format string (log "{mem;8@rax}") to avoid ambiguity with the ; (which separates two commands). See https://github.com/x64dbg/x64dbg/issues/1931 for more details.
Plugins can use _plugin_registerformatfunction to register custom string formatting functions. The syntax is {type;arg1;arg2;argN@expression} where type is the name of the registered function, argNis any string (these are passed to the formatting function as arguments) and expression is any valid expression.
条件断点
This section describes the conditional breakpoint capability in x64dbg.
When a breakpoint is hit, x64dbg will do the following things:
$breakpointexceptionaddressto the exception address;$breakpointcounter to the value of hit counter;1);0:
1);1 (or any value other than ‘0’):
1 (or any value other than ‘0’):
1:
$breakpointcondition to the break condition;$breakpointlogcondition to the log condition;$breakpointcondition. So if you modify this system variable in the script, you will be able to control whether the debuggee would break.1 (or any value other than ‘0’):
If any expression is invalid, the condition will be triggered (That is, an invalid expression as condition will cause the breakpoint to always break, log and execute command).
A hit counter records how many times a breakpoint has been reached. It will be incremented unconditionally, even if fast resume is enabled on this breakpoint. It may be viewed at breakpoint view and reset with ResetBreakpointHitCount.
The log can be formatted by x64dbg to log the current state of the program. See formatting on how to format the log string.
You can set a conditional breakpoint with GUI by setting a software breakpoint(key F2) first, then right-click on the instruction and select “Edit breakpoint” command from the context menu. Fill in the conditional expression and/or other information as necessary, then confirm and close the dialog.
You should not use commands that can change the running state of the debuggee (such as run) inside the breakpoint command, because these commands are unstable when used here. You can use break condition, command condition or $breakpointcondition instead.
If you don’t know where the condition will become true, try conditional tracing instead!
A conditional breakpoint which never breaks
break condition: 0
A conditional breakpoint which breaks only if EAX and ECX both equal to 1
break condition: EAX==1 && ECX==1
A conditional breakpoint which breaks only if EAX is a valid address
break condition: mem.valid(EAX)
A conditional breakpoint which breaks on the third hit
break condition: $breakpointcounter==3 or ($breakpointcounter%3)==0
A conditional breakpoint which breaks only if executed by the thread 1C0
break condition: tid()==1C0
原文:https://www.cnblogs.com/DirWang/p/13490106.html