I want to evaluate an expression on IDA Pro. Look at this code:
mov rex, [rbp + var_XYZ]
If I put my cursor on [rbp + var_XYZ], it will show me the value of the address and content, but I would like to see individually rbp value and var_XYZ.
I also want to change values of var_XYZ. I have tried a lot of things.
Thanks
Related
It says that Jump out of range by 60 bytes
To solve my problem.
Conditional jumps in 8086 Assembly (and most assembly languages) have a limited distance they can jump. In other words, there's too much code between your jump instruction and the destination (in this case, 60 bytes too many). You didn't post your code so I can't tell you exactly what line to fix, but in general the solution is straightforward.
cmp ax,bx
jnz goHere
; more code is here than the conditional jump will allow
goHere:
; finish up what we were doing
ret
In order to fix the above code, we have to reverse the condition and JMP, since JMP isn't as limited as Jxx is.
cmp ax,bx
jz continue:
jmp goHere
continue:
; finish up what we were doing
ret
goHere:
; now we can get here even though we have too much code for a conditional jump
jmp continue ;this will also have enough range to go there.
There's several ways to re-arrange your code to allow conditional jumps to work as intended, and still get the desired outcome. This is just one technique for it.
I coded a C program in vistual studio and complied in 64 bit
#include<stdio.h>
int main()
{
printf("Hello World!!!\n");
return 0;
}
And I use IDA freeware to disassembly it, I didn't see main but follow
public start
start proc near
jmp start_0
start endp
after I clicked start_0, The following code showed
start_0 proc near
arg_0= qword ptr 8
mov [rsp+arg_0], rcx
sub rsp, 28h
call sub_7FF691D52000
add rsp, 28h
retn
start_0 endp
obviously not main too, and I also didn't find main in function table and also I found a answer in the internet
Windows --> Exports
But I only saw start function in the result
how to find main? where to find it? or do I need to set somethings?
To find functions by name used in sources, you can load your programs symbols in IDA (pdb file).
Without symbols you can open strings view, find there "Hello World!!!\n" string and double-click it.
IDA View opens with the cursor on the strings address. Open XREFS window (Ctrl+X) of this string. It should contain only one entry - your printf function.
Double-click this entry and you will land on printf in your main.
I want to use the 4 buttons above the numpad for data entry, with the "calc" button as a sort of modifier, so I can do multiple things with them. I'm having trouble making key combos work.
Here are a few different versions of the code I've tried, to get a way to type the "(" character, but none of these work.
Launch_App2 & Volume_Down:: ( ;- fails
Launch_App2 & Volume_Down::SendInput, ( ;- fails
vkB7 & vkAE::SendInput, ( ;- fails
SC121 & SC12E::SendInput, ( ;- fails
Here's some more information about the individual keys.
; row above numpad, from left to right
; VK SC Type Key
; ----------------------------------
; AD 120 a Volume_Mute
; AE 12E a Volume_Down
; AF 130 a Volume_Up
; B7 121 a Launch_App2
What I can do however is to remap any one of those keys individually, for example with Volume_Mute:: Esc but I don't seem able to combine them using &. How can I use the keys in combination? I'm using the latest versions of AutoHotKey and Windows 10.
There is certainly a problem with media keys on USB keyboards that doesn't happen on ps2 ports, and it involves the keyboard hook (which undoubtedly you are using with other hotkeys). https://autohotkey.com/board/topic/85889-issues-with-keywait-media-play-pause/
Maybe try something like this to get the quasi-combination you want:
SC121:: ; 121 is Logitech Calc key (use your key's value).
KeyWait, sc110, D L ; 110 is the Logitech media-back key
MsgBox, %A_ThisHotkey% was pressed. ; SC121
return
So now, if you press the Calc button, nothing happens until you release it and then press the media-back key. That's when you will see the message box. You can also press and hold the Calc key, then press and hold the media-back key and release the Calc key to get the MsgBox.
Hth,
Today I was wondering why the GFlags option Stop on hung GUI appears in the Kernel Flags tab of the GFlags user interface. Does the kernel have a GUI which could hang?
So I tried to get some information from Microsoft, but MSDN just says:
The Stop on hung GUI flag appears in GFlags, but it has no effect on Windows.
So I wonder even more: a kernel flag for a kernel which has a GUI, but it's not the Windows kernel?
Although it seems not of practical use, can anyone explain this?
I also tried to get more information from WinDbg .hh !gflag, but it doesn't even give the statement that this won't work on Windows.
Kernel flag indicates flag takes effect immediately without requiring a reboot
Registry flag requires a reboot for the flags to take effect
the kernel does not have any gui that could hang.
the term windows doesnt mean kernel but the gui windows of the running application
check NtSetSystemInformation in your os to understand why 0x8 does not take effect
basically there are a few hardcoded magic numbers inside this api which tests each request for GlobalFlag changes and allows them or disallows them
in xp-sp3 this magic value is 0B2319BF0 so any flag that is < 0x10 will be disallowed
and stop on hung gui is 0x8 so it isnt effective and you cant set this from registry tab
so effectively no way of setting this flag
nt!NtSetSystemInformation+0x193:
80606009 8b03 mov eax,dword ptr [ebx] ds:0023:001285f8=00000008 <---- +shg
8060600b 25f09b31b2 and eax,0B2319BF0h < magic value in nt
80606010 8945a0 mov dword ptr [ebp-60h],eax ss:0010:fb569cf0=00000000
80606013 8b0d6c125580 mov ecx,dword ptr [nt!NtGlobalFlag (8055126c)] ds:0023:8055126c=00000000
80606019 81e10f64ce4d and ecx,4DCE640Fh <--another magic value both these magic values orred together
will be 0xffffffff covers the whole range of flags
8060601f 0bc1 or eax,ecx
80606021 8945a0 mov dword ptr [ebp-60h],eax ss:0010:fb569cf0=00000000
80606024 a36c125580 mov dword ptr [nt!NtGlobalFlag (8055126c)],eax ds:0023:8055126c=00000000
I have set a breakpoint which should print a pointer and then continue, because I don't want to stop there.
bu 410cc8 ".printf \"Class: %08lX Filebuffer: %08X\\n\", eax, edx; g"
The problem with this is now, when I singlestep and such a breakpoint is fired, like here:
1 mov eax, [ebp+var_10]
2 lea edx, [eax+2Ch]
3 mov eax, ebx
4 call ReadFileFkt_2
5 mov eax, [ebp+var_10]
So when I'm on line 4, and step over it, the above breakpoint is fired and the message is printed. But then the debugger never comes back, because in the breakpoint I use "g" to continue, so the single step is erased.
If I don't use "g" then the breakpoint will be hit and the debugger stops there, so I have to track my way back to where I came from. Of course I could set a breakpoint after the call, but then I would have to remember doing this in other parts of the code as well, because I don't know when the breakpoint is fired from deep within some calling hierarchy.
Use 'gc' (go from conditional breakpoint) instead of 'g' (go).
This command was designed specifically for the problem you have.