xAnalyzer

m4n0w4r

New member
xAnalyzer plugin for x64dbg
by ThunderCls - 2016 (From CrackLatinos Team)

xAnalyzer is a plugin for the x86/x64 x64dbg debugger by @mrexodia. This plugin is based on the code of @mrfearless's APIInfo-Plugin-x86 (https://github.com/mrfearless/APIInfo-Plugin-x86), although some improvements and additions have been made. xAnalyzer is capable of calling internal commands of x64dbg to make all kinds of analysis and also integrates one of its own. This plugin is going to make an extensive function call analysis to add complementary information, something close to what you get with OllyDbg.
Some of the functions and improvements are:
  • Extended WINAPI calls analysis with arguments added
  • Analysis of indirect calls
  • Analysis of nested calls
Once the debugged application is loaded and reaches the Entrypoint, xAnalyzer is going to launch a mix of different analyses over the static code to make it even more comprehensible to the user just before starting the debugging task.

Installation:
  • Copy xAnalyzer.dp32 and/or xAnalyzer.dp64 files and apis_def folder to x32/x64 plugins directory of x64dbg
  • Look under the "Plugins" menu in the main x64dbg window or in the secondary menu in the Disasm window as well
Features & Usage:
  • The plugin launches automatically, no config, no nothing.
  • If by any means you need to re-analyze the code, you can right-click on the disassembler window and choose the option at the end "xAnalyzer"/"Extended analysis"
Screenshots:
Before xAnalyzer x86:
analysis_off.PNG


After xAnalyzer x86:
analysis_on.PNG


For more and download latest release:
https://github.com/ThunderCls/xAnalyzer

Regards,
 

m4n0w4r

New member
New release. Some additions and improvements have been made to this version:
  • [+] Generic arguments for undefined functions and internal subs
  • [+] Smart function comments and arguments (only functions with arguments on stack are being processed). This allows xAnalyzer to give a cleaner sight of the code by just processing and commenting those functions with actual arguments.
  • [+] Detection of indirect function calls with scheme CALL -> DYNAMIC_MEMORY -> API
  • [+] Detection of indirect function calls with scheme CALL -> REGISTER/REGISTER + DISPLACEMENT -> API
  • [+] Detection of indirect function calls with scheme CALL -> JMP -> JMP -> API
  • [+] Automatic loops detection
  • [+] Fixed minor bugs.
  • [+] Code rearrangements.
Download here: https://github.com/ThunderCls/xAnalyzer/releases/tag/v2.1

Regards,
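To make the indirect-call schemes listed in the release above (CALL -> JMP -> JMP -> API, CALL -> DYNAMIC_MEMORY -> API) concrete, here is a small added illustration of how a thunk chain is followed back to its final API. It is not xAnalyzer's code; the instruction model, addresses and API names are constructed for the example.

```python
"""Follow a call through jmp/memory thunks to the API it finally reaches.
Added illustration only; the program image below is a constructed toy."""

# Constructed toy program image. Instruction forms used:
#   ("call", target)    direct CALL to an address
#   ("call_mem", ptr)   CALL [ptr]   (import slot or dynamic memory)
#   ("jmp", target)     direct JMP to an address
#   ("jmp_mem", ptr)    JMP [ptr]
CODE = {
    0x401000: ("call", 0x401100),      # CALL -> JMP -> JMP [mem] -> API
    0x401100: ("jmp", 0x401200),
    0x401200: ("jmp_mem", 0x403000),
    0x401010: ("call_mem", 0x403004),  # CALL [mem] -> API
    0x401020: ("call", 0x401300),      # CALL -> self-looping JMP (no API)
    0x401300: ("jmp", 0x401300),
}
# Constructed pointer slots (e.g. IAT entries) and the exports they hold.
MEMORY = {0x403000: 0x76000000, 0x403004: 0x76000010}
APIS = {0x76000000: "kernel32.CreateFileW", 0x76000010: "kernel32.WriteFile"}


def resolve_call(addr, code=CODE, memory=MEMORY, apis=APIS, max_hops=8):
    """Return (api_name, hops) for the CALL at addr, or (None, hops).

    Loops and over-long chains are cut off so a malformed thunk chain
    can never make the resolver spin; a non-thunk target stops it too.
    """
    op, arg = code[addr]
    if op not in ("call", "call_mem"):
        return None, 0
    cur = memory.get(arg) if op == "call_mem" else arg
    visited, hops = set(), 0
    while cur is not None and hops < max_hops and cur not in visited:
        visited.add(cur)
        hops += 1
        if cur in apis:                 # reached a known export
            return apis[cur], hops
        ins = code.get(cur)
        if ins is None:                 # points outside the known image
            return None, hops
        op, arg = ins
        if op == "jmp":
            cur = arg
        elif op == "jmp_mem":
            cur = memory.get(arg)
        else:                           # a real subroutine, not a thunk
            return None, hops
    return None, hops
```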
 

samoray

New member
Thanks for the tip.
It would be much better if the 'About' showed the version number so we can track changes. Just an opinion ;)
 

m4n0w4r

New member
xAnalyzer x86x64 v2.3
New features update:
  • Added option "Analyze undefined functions". (OFF by default, anything that's not in definition files is not analyzed)
  • Added option "Automatic analysis" (OFF by default, make analysis on launch at EP of debugged executable)
  • Added feature "Analyze Selection" (Makes a selected instructions analysis, it supports multiple selected calls)
e87e3de2-cb7e-11e6-8119-152567f66b4d.gif
  • Added feature "Analyze Function" (Makes an automatic discovery and analysis of the current function from the selected address)
f776bc48-cb7e-11e6-8a6b-b4b1d9a716e3.gif

  • Added feature "Remove Analysis" from Selection/Function/Executable
  • Added command shortcuts
  • Added new icons
  • Added saving configuration to .ini file
  • Added capitalization of hexadecimal argument values
  • Restructured feature "Analyze Executable" (Makes a full analysis of the current executable)
  • Restructured menus
  • New about dialog now shows the version number to keep track of updates
  • Some small bug fixes
  • Fixed and merged some API definition files
  • Speed and stability improvements
Download here:
https://github.com/ThunderCls/xAnalyzer/releases

Regards,
 

samoray

New member
Thank you for your update (and for the added version number ;)), but I got an issue: it cannot be loaded in x64dbg nor even on x32dbg.
Here are some screenshots:
2016-12-28_18-08-06.png 2016-12-28_18-06-35.png
 

m4n0w4r

New member
New release: v2.3.1

  • Fixed bug when launching "Analyze Selection" menu with a single line selected, which caused an abrupt dbg exception (thanks to @blaquee)
  • Check if the definition files folder "apis_def" and definition files exist inside it before loading the plugin
  • Changed hot keys to Ctrl+Shift+X for selection and Ctrl+X for functions
Download here: https://github.com/ThunderCls/xAnalyzer/releases/tag/2.3.1

Regards
m4n0w4r
 

m4n0w4r

New member
New release: v2.4

Some important features were added in this version, so be sure to check it out. Also a new API Definition File Scheme has been implemented hence you should delete the old folder and download the new one attached down below.

Changes xAnalyzer v2.4
- New and improved API definition files with a slightly modified scheme (13,000+ APIs from almost 200 DLLs)
- Symbols recognition system for each API definition argument used (1000+ enums data types and 800+ flags)
- Recognition of params data types (BOOL, NUMERIC, NON-NUMERIC)
- VB "DllFunctionCall" stubs detection

b82ff1f6-fd3a-11e6-9b8a-83a4a0157858.gif


- Strings passed as arguments are cleaner now (debugger comments now have the address part stripped)
- Execution Summary added to log window

c500ccca-fd3a-11e6-8f14-da5d15e64ade.PNG


- Hotkeys feature removed (will be incorporated in future revisions) due to some conflicts with x64dbg
- Various bugs fixed

Download link: https://github.com/ThunderCls/xAnalyzer/releases/tag/v2.4

Thanks to @ThunderCls for improving this plugin!

Regards,
 

m4n0w4r

New member
Changes in Update 2.4.1:
  • Added a new hotkeys scheme
aed06ec4-1252-11e7-9025-8563d50b2953.gif

  • Added new options to control which previous analysis data should be erased. (This gives the user more control on what to keep and what to delete and also the possibility to work seamlessly with map loader plugins like SwissArmyKnife, etc).
  • Added new commands (old ones have been deprecated)
    xanal selection : Performs a selection analysis
    xanal function : Performs a function analysis
    xanal exe : Performs an entire executable analysis
    xanalremove selection : Removes a previous selection analysis
    xanalremove function : Removes a previous function analysis
    xanalremove exe : Removes a previous entire executable analysis
    xanal help : Brings up to the log window some help text
  • Fixed automatic analysis not launching on startup
  • Fixed various API definition files. It's recommended to download the apis_def.zip file below and overwrite the files with the ones already downloaded, or just copy the whole new fresh folder and delete the older one.
Changes in update 2.4.2:
  • Fixed BoF when argument flags comment overpassed MAX_COMMENT_SIZE
  • Fixed function name search bug when definition lies in a second .api file
Download here:
https://github.com/ThunderCls/xAnalyzer/releases/tag/2.4.2

Regards,
 

m4n0w4r

New member
New release:
xAnalyzer 2.5.0
- Removed [EBP+/-] instructions as possible function caller arguments
- Removed prefix "0x" of all function arguments values since hexadecimal is inferred
- Fixed arguments where pointer variables wouldn't show correctly as pointers but as base data type instead
- Added recognition of stack pointer usage (ESP) as possible argument for function calls (x86)
- Added use of accurate data type name in arguments instead of generic/base data type name
- Added function smart tracking feature (Smart prediction and recognition of indirect function calls like: CALL {REGISTER}, CALL {POINTER})
- Added name of function pointers as parameters (the entire function name, if detected, will be used instead of just the address)
 