x64dbg/help/Input.htm


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Input</title>
<meta name="GENERATOR" content="WinCHM">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style>
html,body {
/* Default Font */
font-family: Courier New;
font-size: 11pt;
}
</style>
</head>
<body>
<P class=rvps3><STRONG>Input</STRONG><BR>This program accepts
various forms of input:</P>
<P class=rvps3><U>commands</U>:
Commands have the following format: "command[space]arg1,[optional
space]arg2,argN".</P>
<P class=rvps3><U>variables</U>:
Variables optionally start with a $ and can only store one DWORD (QWORD on
x64).</P>
<P class=rvps3><U>registers</U>: All
registers (of all sizes) can be used as variables.</P>
<P class=rvps3><U>memory locations</U>:
You can read from or write to a memory location by using one of the
following expressions:<BR>[addr]&nbsp;&nbsp;&nbsp;&nbsp; - read a
DWORD/QWORD, depending on the
architecture.<BR><EM>n</EM>:[addr]&nbsp;&nbsp; - read <EM>n</EM> bytes from addr.<BR><EM>seg</EM>:[addr] -
read a DWORD/QWORD from&nbsp;a
segment.<BR><STRONG>REMARKS</STRONG>:<BR>- <EM>n</EM> is the number of bytes to read. When specified, it can be anything
smaller than 4 on x32 and smaller than 8 on x64; otherwise there
will be an error.<BR>- <EM>seg</EM>
can be gs, es, cs, fs, ds, ss. Only fs and gs have an effect.</P>
<P class=rvps3><U>flags</U>: Debug flags
(interpreted as integer) can be used as input. Flags are prefixed with an '_'
followed by the flag name. Valid flags are: _cf, _pf, _af, _zf, _sf, _tf, _if,
_df, _of, _rf, _vm, _ac, _vif, _vip and _id.</P>
<P class=rvps3><U>numbers</U>: All
numbers are interpreted as hex by default. If you want to be sure, you can use
the "x" prefix or the "0x" prefix. Decimal numbers can be used by prefixing the
number with a "." (.123=7B).</P>
<P class=rvps3><U>expressions</U>: See "Expressions" for more information.</P>
<P class=rvps3><U>Module Data</U>:</P>
<OL>
<LI>
<DIV class=rvps3><U>DLL exports</U>:
Type 'GetProcAddress' and it will automatically be
resolved to the actual address of the function.
To explicitly specify the module from which to load the API, use
"[module].dll:[api]" or "[module]:[api]". Ordinals can be resolved in a similar way with "[module]:[ordinal]". Another
macro allows you to get the loaded
base of a module. When "[module]" is an empty string (":GetProcAddress" for example), the
module that is currently selected in the CPU will be
used.</DIV>
<LI><U>Loaded Module&nbsp;Bases</U>:
If you want to access the loaded module base, you can write: "[module]:0",
"[module]:base", "[module]:imagebase" or "[module]:header".
<LI><U>RVA/File Offset</U>: If you
want to access a module RVA you can either write "[module]:0+[rva]" or you can
write "[module]:$[rva]". If you want to convert a file offset to a VA you can
use "[module]:#[offset]". When "[module]" is an empty string (":0" for
example), the module that is currently selected in the CPU will be used.
<LI><U>Module Entry Points</U>: To
access a module entry point you can write "[module]:entry", "[module]:oep" or
"[module]:ep". Notice that when there are exports with the names "entry",
"oep" or "ep" the address of these will be returned
instead.<BR><BR><STRONG>Notice</STRONG>: Instead of the ':' delimiter you can
also use a '.'. If you need to query module information such as
"[module]:imagebase" or "[module]:entry", you are advised to
use a '?' as the delimiter instead ("[module]?entry"). With '?', the check
for named exports is done later, so it will still work when there is an
export called "entry" in the module.</LI></OL>
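<P class=rvps3>The number and module data rules above, as an added Python example that is not part of the x64dbg help or source code. The function names, the exports argument and the returned tuples are assumptions made for illustration, and the RVA and offset parts are parsed as plain numbers rather than full expressions.</P>

```python
import re

# Added example: models the input rules described on this page; it is not x64dbg code.
CURRENT = "(module selected in CPU)"  # placeholder for the empty-module case
BASE_WORDS = {"0", "base", "imagebase", "header"}
ENTRY_WORDS = {"entry", "oep", "ep"}

def parse_number(text):
    """Hex by default; 'x' or '0x' forces hex; a leading '.' means decimal."""
    t = text.strip().lower()
    if t.startswith("."):
        digits, radix = t[1:], 10
    else:
        digits, radix = re.sub(r"^0?x", "", t), 16
    pattern = r"[0-9]+" if radix == 10 else r"[0-9a-f]+"
    if not re.fullmatch(pattern, digits):
        raise ValueError("not a number: " + repr(text))
    return int(digits, radix)

def parse_module_data(text, exports=()):
    """Classify '[module]:[item]' or '[module]?[item]'.

    exports is a constructed stand-in for the module's export names.
    The '.' delimiter is not handled: this sketch cannot tell it from '.dll'.
    """
    m = re.fullmatch(r"([^:?]*)([:?])(.+)", text.strip())
    if m is None:
        raise ValueError("not a module data expression: " + repr(text))
    module, delim, item = m.groups()
    if module.lower().endswith(".dll"):
        module = module[:-4]          # "[module].dll:[api]" equals "[module]:[api]"
    module = module or CURRENT
    if item[0] == "$":
        return (module, "rva", parse_number(item[1:]))
    if item[0] == "#":
        return (module, "file_offset", parse_number(item[1:]))
    if item.startswith("0+"):
        return (module, "rva", parse_number(item[2:]))
    if item in BASE_WORDS or item in ENTRY_WORDS:
        # With ':' a named export shadows the keyword; '?' checks exports later.
        if delim == ":" and item in exports:
            return (module, "export", item)
        return (module, "base" if item in BASE_WORDS else "entry", None)
    return (module, "export", item)   # export name or ordinal
```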
<P class=rvps3><U>labels/symbols</U>:
User-defined labels and symbols&nbsp;are valid expressions.</P>
<P class=rvps3><STRONG>Input for arguments can always be done in any of
the above forms, except if stated otherwise.</STRONG></P></body></HTML>