Converting to x64

[counted]

I am working on converting my bot to x64. I started with converting my offset "tracking/finding" app to read and find offsets in the x64 binary. So right off the bat I found that things are very different in x64. For instance the LEA instruction does not use the absolute address as it does in x86. The address appears to be an offset (32 bit) to the address it is referring to so you need to add it to the address of the instruction (64 bit) to get the address of interest. I guess this makes sense, if MS used the absolute 64 bit address the binary files would bloat with a bunch of 0x0000 0000 0000 0001 xxxx xxxx xxxx xxxx addresses.

Is there a good reference to other differences like this? I am expecting Call address calculations to have a similar flavor.

I got to the point where I can load the x64 binary in and search for byte patterns and find all of the Lua Names and addresses.

I started to work on converting my descriptor label and size dumper to x64 and needed to fire up the ida debugger to trouble shoot that.

BLAM....

I could not get the debugger to work and obviously the win32 debugger is not an option in x64. Ollydbg is 32 bit only. there is a reference on the Olly site to a 64 bit version, but i could not find a binary. I found x64dbg and that worked, but I found it very hard and limited in functionality.

I then tried the windbg debugger but kept getting errors.

What I found is that I needed to download the latest version (10) of the windows debugging tools.

WDK and WinDbg downloads - Windows Hardware Dev Center

After I installed that still no worky worky.

I found a pdf that said I needed to add the install path the the ida.cfg file.

I tried pointing to the root Windows Kits, that did not work.
Then the "10" folder, still not working.
Then the x64 folder, still not working.

In the end, this worked.

DBGTOOLS = "C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x86\\";


It turns out that ida32 and ida64 both use the x86 debugger.

Once i had that set, IDA then asked me to locate the dbgsrv.exe file, which i found in the x64 folder.

Once all of that was set, I could successfully attach to the wow64 process and debug it.

Is there a better way to debug x64 binaries? Please let me know.

If anyone has any handy info that helps with converting to x64 please post in this thread.

Thanks,


-counted

[lolp1]

I found x64dbg and that worked, but I found it very hard and limited in functionality.

What did you find hard about it and what functionality did it lack?

[counted]

I only messed around with it for about 30 mins. when i wanted to follow address chains I had to copy the instruction that contained the address I wanted to follow, and remove all the non address information, select goto address and manually paste the address. I guess I like just double clicking on the address.

[lolp1]

Well, my first piece of advice would be to invest more time in learning something like x64dbg, rather than spending 30 minutes of casual double clicking around before getting annoyed and giving up. It is a great piece of software.

Aside from that, could you give any more specifics on exactly what it is you need help with? Your post is a little scattered and I am not really sure what it is you want help with that I or some one else could provide.