String Formatting¶
This section explains the simple string formatter built into x64dbg.
The basic syntax is {?:expression}
where ?
is the optional type of the expression. To output {
or }
in the result, escape them as {{
or }}
.
Types¶
d
signed decimal:-3
u
unsigned decimal:57329171
p
zero prefixed pointer:0000000410007683
s
string pointer:"this is a string"
(not recommended, use{utf8@address}
instead)x
hex:3C28A
(default for integer values)a
address info:00401010 <module.EntryPoint>
i
instruction text:jmp 0x77ac3c87
f
single precision floating-point pointer or register: If10001234
is an address of a single precision floating-point number 3.14,{f:10001234}
will print3.14
. It can also accept XMM and YMM registers:{f:XMM0}
prints the single precision floating-point number at XMM0 bit 31:0,{f:YMM7[7]}
prints the single precision floating-point number at YMM7 bit 255:224. x87 and AVX-512 registers are currently not supported.F
double precision floating-point pointer or register: Similar tof
, except that the data is interpreted as double precision floating-point number. It can also accept XMM and YMM registers:{F:YMM7[3]}
prints the double precision floating-point number at YMM7 bit 255:192.
Note: XMM and YMM registers may only be used with the f
/F
floating-point type. (Issue 2826 links to details about why)
Complex Type¶
{mem;size@address}
will print thesize
bytes starting ataddress
in hex.{winerror@code}
will print the name of windows error code(returned withGetLastError()
) and the description of it(withFormatMessage
). It is similar to ErrLookup utility.{ntstatus@code}
will print the name of NTSTATUS error code and the description of it(withFormatMessage
).{ascii[;length]@address}
will print the ASCII string ataddress
with an optionallength
(in bytes).{ansi[;length]@address}
will print the ANSI (local codepage) string ataddress
with an optionallength
(in bytes).{utf8[;length]@address}
will print the UTF-8 string ataddress
with an optionallength
(in bytes).{utf16[;length]@address}
will print the UTF-16 string ataddress
with an optionallength
(in words).{disasm@address}
will print the disassembly ataddress
(equivalent to{i:address}
).{modname@address}
will print the name of the module ataddress
.{bswap[;size]@value}
will byte-swapvalue
for a specifiedsize
(size of pointer per default).{label@address}
will print the (auto)label ataddress
.{comment@address}
will print the (auto)comment ataddress
.
Examples¶
rax: {rax}
formats torax: 4C76
password: {utf16@4*ecx+0x402000}
formats topassword: s3cret
function type: {mem;1@[ebp]+0xa}
formats tofunction type: 01
{x:bswap(rax)}
whererax=0000000078D333E0
formats toE033D37800000000
because of bswap fun which reverse the hex value{bswap;4@rax}
whererax=1122334455667788
formats to88776655
mnemonic: {dis.mnemonic(dis.sel())}
formats tomnemonic: push
Logging¶
When using the log
command you should put quotes around the format string (log "{mem;8@rax}"
) to avoid ambiguity with the ;
(which separates two commands). See issue #1931 for more details.
Plugins¶
Plugins can use _plugin_registerformatfunction
to register custom string formatting functions. The syntax is {type;arg1;arg2;argN@expression}
where type
is the name of the registered function, argN
is any string (these are passed to the formatting function as arguments) and expression
is any valid expression.