xAnalyzer plugin for x64dbg by ThunderCls - 2016 (From CrackLatinos Team)

xAnalyzer is a plugin for the x86/x64 x64dbg debugger by @mrexodia. This plugin is based on the code by @mrfearless APIInfo-Plugin-x86 (https://github.com/mrfearless/APIInfo-Plugin-x86), although some improvements and additions have been made. xAnalyzer is capable of calling internal commands of x64dbg to make all kinds of analysis and also integrates one of its own. This plugin is going to make an extensive function call analysis to add complementary information, something close to what you get with OllyDbg.

Some of the functions and improvements are:
- Extended WINAPI calls analysis with arguments added
- Analysis of indirect calls
- Analysis of nested calls

Once the debugged application is loaded and reaches the Entrypoint, xAnalyzer is going to launch a mix of different analyses over the static code to make it even more comprehensible to the user just before starting the debugging task.

Installation:
- Copy the xAnalyzer.dp32 and/or xAnalyzer.dp64 files and the apis_def folder to the x32/x64 plugins directory of x64dbg
- Look under the "Plugins" menu in the main x64dbg window or in the secondary menu in the Disasm window as well

Features & Usage:
The plugin launches automatically, no config, no nothing. If by any means you need to re-analyze the code, you can right click on the disassembler window and choose the option at the end "xAnalyzer"/"Extended analysis"

Screenshots:
Before xAnalyzer x86:
After xAnalyzer x86:

For more and to download the latest release: https://github.com/ThunderCls/xAnalyzer

Regards,
New release. Some additions and improvements have been made to this version:
[+] Generic arguments for undefined functions and internal subs
[+] Smart function comments and arguments (only functions with arguments on the stack are being processed). This allows xAnalyzer to give a cleaner sight of the code by just processing and commenting those functions with actual arguments.
[+] Detection of indirect function calls with scheme CALL -> DYNAMIC_MEMORY -> API
[+] Detection of indirect function calls with scheme CALL -> REGISTER/REGISTER + DISPLACEMENT -> API
[+] Detection of indirect function calls with scheme CALL -> JMP -> JMP -> API
[+] Automatic loops detection
[+] Fixed minor bugs.
[+] Code rearrangements.

Download here: https://github.com/ThunderCls/xAnalyzer/releases/tag/v2.1

Regards,
New update: https://github.com/ThunderCls/xAnalyzer/releases/tag/v2.2
- Added analysis progress indicator
- Added new analysis depth mode
- Now automatic analysis is only executed if no backup database is present
- Bugs fixed
Thank you for posting that update. The previous version crashed my x32dbg; I will try this one and report back if there is any issue.
@m4n0w4r: just to show you what I meant by crashing the dbg, here is a GIF image showing the issue (Note: the new version works flawlessly)
@samoray: So strange, I think. You can try unchecking "System BreakPoint" and only choosing "Entry BreakPoint" (Options > Preferences).

Regards,
Thanks for the tip. It would be much better if the 'About' dialog showed the version number so we can track changes. Just an opinion.
xAnalyzer x86x64 v2.3

New features update:
- Added option "Analyze undefined functions" (OFF by default; anything that's not in the definition files is not analyzed)
- Added option "Automatic analysis" (OFF by default; makes the analysis on launch at the EP of the debugged executable)
- Added feature "Analyze Selection" (makes a selected-instructions analysis; it supports multiple selected calls)
- Added feature "Analyze Function" (makes an automatic discovery and analysis of the current function from the selected address)
- Added feature "Remove Analysis" from Selection/Function/Executable
- Added command shortcuts
- Added new icons
- Added saving configuration to .ini file
- Added capitalization of hexadecimal argument values
- Restructured feature "Analyze Executable" (makes a full analysis of the current executable)
- Restructured menus
- New about dialog now shows the version number to keep track of updates
- Some small bug fixes
- Fixed and merged some API definition files
- Speed and stability improvements

Download here: https://github.com/ThunderCls/xAnalyzer/releases

Regards,
Thank you for your update (and for the added version number), but I got an issue: it cannot be loaded in x64dbg nor even in x32dbg. Here are some screenshots.
The developer forgot to put the apis_def folder from the repo in the release. DL it and put the apis_def folder in the plugin folder. https://github.com/ThunderCls/xAnalyzer
New release: v2.3.1
- Fixed bug when launching the "Analyze Selection" menu with a single line selected, which caused an abrupt dbg exception (thanks to @blaquee)
- Check if the definition files folder "apis_def" and the definition files exist inside it before loading the plugin
- Changed hot keys to Ctrl+Shift+X for selection and Ctrl+X for functions

Download here: https://github.com/ThunderCls/xAnalyzer/releases/tag/2.3.1

Regards,
m4n0w4r
New release: v2.4

Changes in xAnalyzer v2.4:
- New and improved API definition files with a slightly modified scheme (13,000+ APIs from almost 200 DLLs)
- Symbols recognition system for each API definition argument used (1000+ enum data types and 800+ flags)
- Recognition of params data types (BOOL, NUMERIC, NON-NUMERIC)
- VB "DllFunctionCall" stubs detection
- Strings passed as arguments are cleaner now (debugger comments now have the address part stripped)
- Execution Summary added to log window
- Hotkeys feature removed (will be incorporated in future revisions) due to some conflicts with x64dbg
- Various bugs fixed

Download link: https://github.com/ThunderCls/xAnalyzer/releases/tag/v2.4

Tks to @ThunderCls for improving this plugin!

Regards,
Changes in update 2.4.1:
- Added a new hotkeys scheme
- Added new options to control which previous analysis data should be erased. (This gives the user more control on what to keep and what to delete and also the possibility to work seamlessly with map loader plugins like SwissArmyKnife, etc.)
- Added new commands (old ones have been deprecated):
  - xanal selection : Performs a selection analysis
  - xanal function : Performs a function analysis
  - xanal exe : Performs an entire executable analysis
  - xanalremove selection : Removes a previous selection analysis
  - xanalremove function : Removes a previous function analysis
  - xanalremove exe : Removes a previous entire executable analysis
  - xanal help : Brings up some help text in the log window
- Fixed automatic analysis not launching on startup
- Fixed various API definition files. It's recommended to download the apis_def.zip file down below and overwrite the files with the ones already downloaded, or just copy the whole new fresh folder and delete the older one.

Changes in update 2.4.2:
- Fixed BoF when argument flags comment overpassed MAX_COMMENT_SIZE
- Fixed function name search bug when the definition lies in a second .api file

Download here: https://github.com/ThunderCls/xAnalyzer/releases/tag/2.4.2

Regards,
xAnalyzer 2.4.3:
- Added recognition of MOV instructions on x86
- Added recognition of functions with "Stub" suffix
- Fixed bug on "auto analysis" (added more EP check conditions)
- Clear Auto Comments/Auto Labels options checked now by default

Download here: https://github.com/ThunderCls/xAnalyzer/releases/tag/2.4.3

Regards,
New release: xAnalyzer 2.5.0
- Removed [EBP+/-] instructions as possible function caller arguments
- Removed prefix "0x" of all function argument values since hexadecimal is inferred
- Fixed arguments where pointer variables wouldn't show correctly as pointers but as base data type instead
- Added recognition of stack pointer usage (ESP) as possible argument for function calls (x86)
- Added use of accurate data type name in arguments instead of generic/base data type name
- Added function smart tracking feature (smart prediction and recognition of indirect function calls like: CALL {REGISTER}, CALL {POINTER})
- Added name of function pointers as parameters (the entire function name, if detected, will be used instead of just the address)
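The indirect-call schemes listed in the v2.1 post (CALL -> DYNAMIC_MEMORY -> API, CALL -> JMP -> JMP -> API) and the CALL {REGISTER} tracking announced above are, at their core, the same resolution problem: follow the call through thunks or an import slot until an imported API name is reached. The following Python is an added illustration of that resolution, not xAnalyzer's own code; the listing format, the import slot addresses and the API names are all constructed for the example, and the loop guard shows why a depth limit is needed when thunks jump to each other.

```python
# Added example (not xAnalyzer's code): resolve indirect CALLs to the imported API.
# Constructed simplified listing: {address: (mnemonic, operand)}. An operand of the
# form "[0x...]" is a memory indirect through an import slot, a bare "0x..." is a
# direct target, anything else is a register name.

IMPORT_SLOTS = {  # constructed import address table: slot -> API name
    0x402000: "kernel32.CreateFileW",
    0x402004: "kernel32.WriteFile",
}

CODE = {  # constructed listing covering the three schemes
    0x401000: ("call", "0x401100"),      # CALL -> JMP -> JMP -> API
    0x401005: ("call", "[0x402004]"),    # CALL -> DYNAMIC_MEMORY -> API
    0x40100a: ("mov", "esi,[0x402000]"),
    0x40100d: ("call", "esi"),           # CALL -> REGISTER -> API (needs MOV tracking)
    0x401100: ("jmp", "0x401200"),
    0x401200: ("jmp", "[0x402000]"),
}

MAX_DEPTH = 8  # guard against thunks that jump in a cycle


def _parse_target(operand):
    """Classify an operand as ('mem', slot), ('imm', addr) or ('reg', name)."""
    op = operand.strip()
    if op.startswith("[") and op.endswith("]"):
        return "mem", int(op[1:-1], 16)
    if op.startswith("0x"):
        return "imm", int(op, 16)
    return "reg", op


def resolve_call(addr, code=CODE, slots=IMPORT_SLOTS, regs=None, depth=0):
    """Return the API name reached by the CALL/JMP at addr, or None if unknown."""
    if depth > MAX_DEPTH or addr not in code:
        return None
    mnemonic, operand = code[addr]
    if mnemonic not in ("call", "jmp"):
        return None
    kind, value = _parse_target(operand)
    if kind == "mem":
        return slots.get(value)                                  # [slot] -> API
    if kind == "imm":
        return resolve_call(value, code, slots, regs, depth + 1)  # follow the thunk
    if regs and value in regs:
        return slots.get(regs[value])      # register known to hold an import slot
    return None


def annotate(code=CODE, slots=IMPORT_SLOTS):
    """Walk the listing in address order, track MOV reg,[slot], comment each CALL."""
    regs, comments = {}, {}
    for addr in sorted(code):
        mnemonic, operand = code[addr]
        if mnemonic == "mov":
            dst, src = (p.strip() for p in operand.split(",", 1))
            kind, value = _parse_target(src)
            if kind == "mem":
                regs[dst] = value      # register now holds the slot's content
            else:
                regs.pop(dst, None)    # overwritten with something untracked
        elif mnemonic == "call":
            api = resolve_call(addr, code, slots, regs)
            if api:
                comments[addr] = api
    return comments
```

Running `annotate()` on the constructed listing comments all three calls with the API they ultimately reach, while a CALL through a register that no preceding MOV filled stays uncommented, which matches the plugin's description of only commenting what it can actually resolve.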
New release: xAnalyzer 2.5.2

Changes to module analysis:
- Used current selected disasm line for module analysis instead of cip
- Modified some typing in plugin entries
- Some code refactoring
- Modified command "xanal/xanalremove exe" to "xanal/xanalremove module"
- Closes #31
New update: xAnalyzer 2.5.3

Fix for newer x64dbg versions:
[+] Detection of function names in newer versions of x64dbg fixed
[+] Version number updated