
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Input</title>
<meta name="GENERATOR" content="WinCHM">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style>
html,body {
/* Default Font */
font-family: Courier New;
font-size: 11pt;
}
</style>
</head>
<body>
<P class=rvps3><STRONG>Input</STRONG><BR>This program accepts
several kinds of input:</P>
<P class=rvps3><U>commands</U>:
Commands have the following format: "command[space]arg1,[optional
space]arg2,argN".</P>
<P class=rvps3><U>variables</U>:
Variables optionally start with a $ and can only store one DWORD (QWORD on
x64).</P>
<P class=rvps3><U>registers</U>: All
registers (of all sizes) can be used as variables.</P>
<P class=rvps3><U>memory locations</U>: You can read from a memory location by using one of the
following expressions:<BR>[addr]&nbsp;&nbsp;&nbsp; - read a
DWORD/QWORD, depending on the architecture.<BR>@addr&nbsp;&nbsp;&nbsp;&nbsp; - same as
above.<BR><EM>n</EM>:[addr]&nbsp;&nbsp;- read <EM>n</EM> bytes.<BR>
@<EM>n</EM>:addr&nbsp;&nbsp; - same as
above.<BR><STRONG>REMARKS</STRONG>:<BR>- <EM>n</EM> is the number of bytes to
read. When specified, it must be smaller than 4 on x32 and smaller than 8 on x64,
otherwise there will be an error.<BR>- addr is interpreted directly
as a value. To read [addr+1], use parentheses:
@(addr+1).<BR>
@addr+1 will read [addr]+1.</P>
<P class=rvps3><U>flags</U>: Debug
flags (interpreted as integers) can be used as input. Flags are written as a
'!' followed by the flag name. Valid flags are: !cf, !pf, !af, !zf, !sf, !tf, !if,
!df, !of, !rf, !vm, !ac, !vif, !vip and !id.</P>
<P class=rvps3><U>numbers</U>: All
numbers are interpreted as hex by default. If you want to be sure, you can use
the "x" prefix or the "0x" prefix. Decimal numbers can be used by prefixing the
number with a "." (.123=7B).</P>
<P class=rvps3><U>basic calculations</U>: See "Calculations" for more information.</P>
<P class=rvps3><U>Module Data</U>:</P>
<OL>
<LI>
<DIV class=rvps3><U>DLL exports</U>:
Type 'GetProcAddress' and it will automatically be
resolved to the actual address of the function.
To explicitly define from which module to load the API, use:
"[module].dll:[api]" or "[module]:[api]". In a similar way you can resolve ordinals, try "[module]:[ordinal]". Another
macro allows you to get the loaded
base of a module. When "[module]" is an empty string (":GetProcAddress" for example), the
module that is currently selected in the CPU will be
used.</DIV><U> </U>
<LI><U>Loaded Module&nbsp;Bases</U>:
If you want to access the loaded module base, you can write: "[module]:0",
"[module]:base", "[module]:imagebase" or "[module]:header".
<LI><U>RVA/File Offset</U>: If you
want to access a module RVA you can either write "[module]:0+[rva]" or you can
write "[module]:$[rva]". If you want to convert a file offset to a VA you can
use "[module]:#[offset]". When "[module]" is an empty string (":0" for
example), the module that is currently selected in the CPU will be used.
<LI><U>Module Entry Points</U>: To
access a module entry point you can write "[module]:entry", "[module]:oep" or
"[module]:ep". Notice that when there are exports with the names "entry",
"oep" or "ep" the address of these will be returned
instead.<BR><BR><STRONG>Notice</STRONG>: Instead of the ':' delimiter you can
also use a '.'. If you need to query module information such as
"[module]:imagebase" or "[module]:entry", you are advised to
use a '?' as the delimiter instead ("[module]?entry"). The '?'&nbsp;delimiter
checks for named exports later, so it will still work when there is an
export called "entry" in the module.</LI></OL>
<P class=rvps3><U>labels/symbols</U>:
User-defined labels and symbols&nbsp;are valid expressions.</P>
<P class=rvps3><STRONG>Input for arguments can always be done in any of
the above forms, except if stated otherwise.</STRONG></P></body></HTML>