refstr
Park Seong Bin edited this page Jul 13, 2019
·
1 revision
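The `!refstr` command lists the instructions that reference strings, equivalent to the string-reference search in OllyDbg or x64dbg. Each output line shows the instruction address, its raw bytes, the disassembly and, after the `;`, the string found for the operand; an `L` prefix appears to mark a wide-character string. Very short matches on register-relative operands (such as "AT" or "<" in the output below) are presumably arbitrary bytes that happen to be printable, so check them before treating them as real string references.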
0:000> !refstr 0007ff7`bfe610f3
00007ff7'bfe64d0b 48 89 05 16 75 01 00 mov qword ptr [rip + 0x17516], rax ; L""C:\Users\LAB\Desktop\workspace\pegasus\bin\x64\test.exe" "
00007ff7'bfe6445b 48 8b 35 be 7d 01 00 mov rsi, qword ptr [rip + 0x17dbe] ; ""C:\Users\LAB\Desktop\workspace\pegasus\bin\x64\test.exe" "
00007ff7'bfe64cfe 48 89 05 1b 75 01 00 mov qword ptr [rip + 0x1751b], rax ; ""C:\Users\LAB\Desktop\workspace\pegasus\bin\x64\test.exe" "
00007ff7'bfe631c6 48 8b 41 08 mov rax, qword ptr [rcx + 8] ; "AT"
00007ff7'bfe6337b 48 8d 42 02 lea rax, qword ptr [rdx + 2] ; "<"
00007ff7'bfe63359 c7 41 3c 0d 00 00 00 mov dword ptr [rcx + 0x3c], 0xd ; "<"
00007ff7'bfe63396 48 8d 42 02 lea rax, qword ptr [rdx + 2] ; "<"
00007ff7'bfe6337f c7 41 3c 0a 00 00 00 mov dword ptr [rcx + 0x3c], 0xa ; "A<"
00007ff7'bfe63fc9 48 89 6c 24 10 mov qword ptr [rsp + 0x10], rbp ; ":7"
00007ff7'bfe6456b 48 89 7d 38 mov qword ptr [rbp + 0x38], rdi ; "=Q"
00007ff7'bfe67f58 41 8b 4e 04 mov ecx, dword ptr [r14 + 4] ; "$p"
00007ff7'bfe68726 4c 8d 45 e0 lea r8, qword ptr [rbp - 0x20] ; "6Y"
00007ff7'bfe68ea9 48 8d 8e 19 01 00 00 lea rcx, qword ptr [rsi + 0x119] ; "d$@"
00007ff7'bfe6c0ae 48 8d 51 01 lea rdx, qword ptr [rcx + 1] ; "9B"
00007ff7'bfe6f058 48 8d 54 24 28 lea rdx, qword ptr [rsp + 0x28] ; "|$8"
00007ff7'bfe6f2c7 48 89 7c 24 20 mov qword ptr [rsp + 0x20], rdi ; "d$ "
00007ff7'bfe6f3a1 44 89 7c 24 28 mov dword ptr [rsp + 0x28], r15d ; "d$8"
00007ff7'bfe6fe56 48 8b 45 10 mov rax, qword ptr [rbp + 0x10] ; "H="
00007ff7'bfe625bd 4c 8d 0d e4 ed 00 00 lea r9, qword ptr [rip + 0xede4] ; "FlsAlloc"
00007ff7'bfe625d0 48 8d 15 d1 ed 00 00 lea rdx, qword ptr [rip + 0xedd1] ; "FlsAlloc"
00007ff7'bfe66054 48 8d 15 4d b3 00 00 lea rdx, qword ptr [rip + 0xb34d] ; "FlsAlloc"
00007ff7'bfe62610 4c 8d 0d a9 ed 00 00 lea r9, qword ptr [rip + 0xeda9] ; "FlsFree"
00007ff7'bfe62623 48 8d 15 96 ed 00 00 lea rdx, qword ptr [rip + 0xed96] ; "FlsFree"
00007ff7'bfe6609b 48 8d 15 1e b3 00 00 lea rdx, qword ptr [rip + 0xb31e] ; "FlsFree"
00007ff7'bfe660e3 48 8d 15 de b2 00 00 lea rdx, qword ptr [rip + 0xb2de] ; "FlsGetValue"
00007ff7'bfe6266a 4c 8d 0d 6f ed 00 00 lea r9, qword ptr [rip + 0xed6f] ; "FlsSetValue"
00007ff7'bfe62673 48 8d 15 66 ed 00 00 lea rdx, qword ptr [rip + 0xed66] ; "FlsSetValue"
00007ff7'bfe66126 48 8d 15 b3 b2 00 00 lea rdx, qword ptr [rip + 0xb2b3] ; "FlsSetValue"
00007ff7'bfe626d7 4c 8d 0d 1a ed 00 00 lea r9, qword ptr [rip + 0xed1a] ; "InitializeCriticalSectionEx"
00007ff7'bfe626ea 48 8d 15 07 ed 00 00 lea rdx, qword ptr [rip + 0xed07] ; "InitializeCriticalSectionEx"
00007ff7'bfe66189 48 8d 15 68 b2 00 00 lea rdx, qword ptr [rip + 0xb268] ; "InitializeCriticalSectionEx"
00007ff7'bfe63c6a 48 8d 0d 8f e1 00 00 lea rcx, qword ptr [rip + 0xe18f] ; L"(null)"
00007ff7'bfe636a3 48 8d 0d 66 e7 00 00 lea rcx, qword ptr [rip + 0xe766] ; "(null)"
00007ff7'bfe63c83 48 8d 0d 86 e1 00 00 lea rcx, qword ptr [rip + 0xe186] ; "(null)"
00007ff7'bfe64be7 48 8d 15 0a d3 00 00 lea rdx, qword ptr [rip + 0xd30a] ; L"mscoree.dll"
00007ff7'bfe64bff 48 8d 15 0a d3 00 00 lea rdx, qword ptr [rip + 0xd30a] ; "CorExitProcess"
00007ff7'bfe65df9 48 8d 15 08 c8 00 00 lea rdx, qword ptr [rip + 0xc808] ; L"api-ms-"
00007ff7'bfe65e0c 48 8d 15 05 c8 00 00 lea rdx, qword ptr [rip + 0xc805] ; L"ext-ms-"
00007ff7'bfe65f78 4c 8d 0d b1 c6 00 00 lea r9, qword ptr [rip + 0xc6b1] ; "CompareStringEx"
00007ff7'bfe65f89 48 8d 15 a0 c6 00 00 lea rdx, qword ptr [rip + 0xc6a0] ; "CompareStringEx"
00007ff7'bfe661e4 4c 8d 0d 85 c4 00 00 lea r9, qword ptr [rip + 0xc485] ; "LCMapStringEx"
00007ff7'bfe661f5 48 8d 15 74 c4 00 00 lea rdx, qword ptr [rip + 0xc474] ; "LCMapStringEx"
00007ff7'bfe662b0 4c 8d 0d d1 c3 00 00 lea r9, qword ptr [rip + 0xc3d1] ; "LocaleNameToLCID"
00007ff7'bfe662ba 48 8d 15 c7 c3 00 00 lea rdx, qword ptr [rip + 0xc3c7] ; "LocaleNameToLCID"
00007ff7'bfe65f15 4c 8d 0d 84 c7 00 00 lea r9, qword ptr [rip + 0xc784] ; "AppPolicyGetProcessTerminationMethod"
00007ff7'bfe65f28 48 8d 15 71 c7 00 00 lea rdx, qword ptr [rip + 0xc771] ; "AppPolicyGetProcessTerminationMethod"
00007ff7'bfe6821b 48 8d 05 a6 a4 00 00 lea rax, qword ptr [rip + 0xa4a6] ; "INF"
00007ff7'bfe6822e 48 8d 05 97 a4 00 00 lea rax, qword ptr [rip + 0xa497] ; "inf"
00007ff7'bfe68209 48 8d 15 c0 a4 00 00 lea rdx, qword ptr [rip + 0xa4c0] ; "NAN"
00007ff7'bfe68210 4c 8d 05 bd a4 00 00 lea r8, qword ptr [rip + 0xa4bd] ; "nan"
00007ff7'bfe6823d 48 8d 05 94 a4 00 00 lea rax, qword ptr [rip + 0xa494] ; "NAN(SNAN)"
00007ff7'bfe68248 48 8d 05 99 a4 00 00 lea rax, qword ptr [rip + 0xa499] ; "nan(snan)"
00007ff7'bfe68253 48 8d 05 9e a4 00 00 lea rax, qword ptr [rip + 0xa49e] ; "NAN(IND)"
00007ff7'bfe6825e 48 8d 05 a3 a4 00 00 lea rax, qword ptr [rip + 0xa4a3] ; "nan(ind)"
00007ff7'bfe67e37 4c 8d 05 d6 a8 00 00 lea r8, qword ptr [rip + 0xa8d6] ; "e+000"
00007ff7'bfe6a6f1 48 8d 05 28 80 00 00 lea rax, qword ptr [rip + 0x8028] ; "Sun"
00007ff7'bfe6a71e 48 8d 05 fb 7f 00 00 lea rax, qword ptr [rip + 0x7ffb] ; "Sun"
00007ff7'bfe6a751 48 8d 05 c8 7f 00 00 lea rax, qword ptr [rip + 0x7fc8] ; "Sun"
00007ff7'bfe69501 48 8b 05 98 98 00 00 mov rax, qword ptr [rip + 0x9898] ; L"ja-JP"
00007ff7'bfe695fc 48 8b 35 9d 97 00 00 mov rsi, qword ptr [rip + 0x979d] ; L"ja-JP"
00007ff7'bfe694f8 48 8b 05 a9 98 00 00 mov rax, qword ptr [rip + 0x98a9] ; L"zh-CN"
00007ff7'bfe695f3 48 8b 35 ae 97 00 00 mov rsi, qword ptr [rip + 0x97ae] ; L"zh-CN"
00007ff7'bfe694ef 48 8b 05 ba 98 00 00 mov rax, qword ptr [rip + 0x98ba] ; L"ko-KR"
00007ff7'bfe695ea 48 8b 35 bf 97 00 00 mov rsi, qword ptr [rip + 0x97bf] ; L"ko-KR"
00007ff7'bfe694e6 48 8b 05 cb 98 00 00 mov rax, qword ptr [rip + 0x98cb] ; L"zh-TW"
00007ff7'bfe695e1 48 8b 35 d0 97 00 00 mov rsi, qword ptr [rip + 0x97d0] ; L"zh-TW"
00007ff7'bfe6d7f4 4c 8d 05 e5 98 00 00 lea r8, qword ptr [rip + 0x98e5] ; "1#INF"
00007ff7'bfe6d7d5 4c 8d 05 0c 99 00 00 lea r8, qword ptr [rip + 0x990c] ; "1#QNAN"
00007ff7'bfe6d7b6 4c 8d 05 33 99 00 00 lea r8, qword ptr [rip + 0x9933] ; "1#SNAN"
00007ff7'bfe6d797 4c 8d 05 5a 99 00 00 lea r8, qword ptr [rip + 0x995a] ; "1#IND"
00007ff7'bfe6f4de 48 8d 0d 7b 7e 00 00 lea rcx, qword ptr [rip + 0x7e7b] ; L"CONOUT$"
00007ff7'bfe6fbc4 48 8d 05 d5 8f 00 00 lea rax, qword ptr [rip + 0x8fd5] ; "log10"
00007ff7'bfe610dc 48 8d 0d dd 7a 01 00 lea rcx, qword ptr [rip + 0x17add] ; "test:: %d"
00007ff7'bfe64443 48 8d 1d 86 7c 01 00 lea rbx, qword ptr [rip + 0x17c86] ; "C:\Users\LAB\Desktop\workspace\pegasus\bin\x64\test.exe"
00007ff7'bfe64462 48 89 1d c7 7d 01 00 mov qword ptr [rip + 0x17dc7], rbx ; "C:\Users\LAB\Desktop\workspace\pegasus\bin\x64\test.exe"