This repository has been archived by the owner on Feb 28, 2022. It is now read-only.

It's too messy. #5

Open
nihuai opened this issue Jul 1, 2019 · 1 comment

nihuai commented Jul 1, 2019

1. The grammar is complicated

The original grammar:
mov FixAddr,ref.addr(i)
Plug-in Syntax:
mov eax,ref.addr($i)
setx $FixAddr,{eax}

The original grammar:
mov FunOffset,[FixAddr+2]
Plug-in Syntax:
mov eax,[$FixAddr+2]
setx $FunOffset,{eax}

....

2. The grammar is getting messier
//setx (not belonging to C grammar)
setx and movx
//if (there is a big difference from C grammar)
if and cmp

3. By the way, a bug was discovered.

//Always the same value
(screenshot attached)

Ahmadmansoor (Owner) commented Jul 1, 2019

Hi,
and many thanks for trying.
For this:
/////////////////////////////// 1
The original grammar:

mov FixAddr,ref.addr(i)
Plug-in Syntax:
mov eax,ref.addr($i)
setx $FixAddr,{eax}
//
you can write it like this :

setx $FixAddr,{ref.addr($i)} or $FixAddr={ref.addr($i)}

/////////////////////////////// 1

/////////////////////////////// 2

mov FunOffset,[FixAddr+2]
Plug-in Syntax:
mov eax,[$FixAddr+2]
setx $FunOffset,{eax}

//
you can write it like this :

$FunOffset=$FixAddr+2 or setx $FunOffset,$FixAddr+2

/////////////////////////////// 2

Explanation:
You have to know that there are 2 commands:
mov: which is the normal command from the x64dbg system; it will not handle any variable from this plugin.
and
movx: which is the parallel command of mov, but in this one the first parameter will not be analyzed, just the second one. Like this: movx rax,$x. It means it's the same as mov, just the second parameter can be analyzed, that's all.
In this command (movx rax,$x) we didn't put it like this: {rax}, because as I told you, movx is a modified command of mov, so movx at the end will execute the mov command after analyzing the second parameter.
So with an example it will be like this:
movx eax,{eax}
This will proceed like this: the plugin will analyze the second parameter, which is {eax} = 1,
then the command will be like this: mov eax,1, then it will be executed.
I hope you got the process, and this applies to all (parallel commands of x64dbg).

On the other hand, you will note that movx is the opposite of the setx command, because setx gets the value
after analyzing, then it is assigned to the variable of the AdvancedScript system.

Note: in the new version there is no need to use the setx command; you can write directly like this:

$FixAddr={eax} >>> which is >>> setx $FixAddr,{eax}

For the bug you mention, can you share the script you have?
The command you have a problem with is the
mov command, so just replace it with movx to be able to fix it, as I explained before.
And why do you use ref.addr($i)? If you get the result from findallmemx then it will be assigned directly to the array that
you defined,
so you can reach all elements of this array.
I think I missed some update of the ReadMe; I will re-update it soon with more samples.
Thanks for support and trying.
Any question, feel free to ask.
BR
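To make the mov / movx / setx distinction in the reply above concrete, here is an added Python model of that operand handling. It is not the plugin's code: the register value, the `{}` and `$var` evaluation rules, and the `$v=B` shorthand are assumptions taken from the explanation above.

```python
import re

# Added example, not the plugin's code: a small model of the operand handling
# described in the reply above. Assumed semantics:
#   mov  A,B   x64dbg's own command; the plugin does not touch either operand
#   movx A,B   only B is analyzed ($var, {expr}), then plain "mov A,<value>" runs
#   setx $v,B  B is analyzed and stored in the plugin's own variable table
#   $v=B       shorthand for setx $v,B
class ScriptModel:
    def __init__(self, registers):
        self.regs = dict(registers)   # constructed register state
        self.vars = {}                # plugin-side $variables
        self.issued = []              # commands handed on to the debugger

    def analyze(self, operand):
        """Resolve $vars and register names, strip {}, evaluate + and -."""
        expr = operand.replace(" ", "")
        if expr.startswith("{") and expr.endswith("}"):
            expr = expr[1:-1]
        expr = re.sub(r"\$(\w+)", lambda m: str(self.vars[m.group(1)]), expr)
        expr = re.sub(r"\b([a-z][a-z0-9]*)\b",
                      lambda m: str(self.regs.get(m.group(1), m.group(0))), expr)
        if not re.fullmatch(r"[+-]?(0x[0-9a-fA-F]+|\d+)([+-](0x[0-9a-fA-F]+|\d+))*", expr):
            raise ValueError(f"cannot analyze operand {operand!r}")
        return sum(int(t, 0) for t in re.findall(r"[+-]?(?:0x[0-9a-fA-F]+|\d+)", expr))

    def run(self, line):
        line = line.strip()
        if not line.startswith(("mov", "setx")) and "=" in line:
            lhs, rhs = line.split("=", 1)
            line = f"setx {lhs.strip()},{rhs.strip()}"
        cmd, _, args = line.partition(" ")
        dst, _, src = args.partition(",")
        if cmd == "mov":
            # nothing resolved: a $variable reaches the debugger as literal text
            self.issued.append(f"mov {dst.strip()},{src.strip()}")
        elif cmd == "movx":
            self.issued.append(f"mov {dst.strip()},{self.analyze(src):#x}")
        elif cmd == "setx":
            self.vars[dst.strip().lstrip("$")] = self.analyze(src)
        else:
            raise ValueError(f"unknown command {cmd!r}")

def demo():
    m = ScriptModel({"eax": 0x401000})   # constructed: eax holds the found address
    for line in ["setx $FixAddr,{eax}", "$FunOffset=$FixAddr+2",
                 "movx rcx,$FunOffset", "mov rcx,$FunOffset"]:
        m.run(line)
    return m.vars, m.issued
```

The last two lines of `demo` show the difference the owner points at: `movx` hands the debugger a resolved number, while plain `mov` passes `$FunOffset` through unchanged.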
