Added some FAQ
torusrxxx committed Jul 13, 2020
1 parent e698e3c commit 80e59ec
Showing 5 changed files with 36 additions and 14 deletions.
7 changes: 7 additions & 0 deletions commands/index.rst
Expand Up @@ -3,6 +3,13 @@ Commands

This is the documentation of x64dbg commands.

FAQ:

# Please note that all integer constants are represented in hex. For example, after executing the following command, `$i` will be 256 (0x100): `mov $i, 100` . This also means a variable cannot begin with letters from A to F.
# For commands with two or more arguments, a comma (,) is used to separate these arguments. Do not use a space to separate the arguments.
# x64dbg only supports integer in expressions. Strings, Floating point numbers and SSE/AVX data is not supported. Therefore you cannot use `[eax]=="abcd"` operator to compare strings. Instead, you can compare the first DWORD/QWORD of the string, or use an appropriate plugin which provides such feature.
# The "==" operator is used to test if both operands are equal. The "=" operator is used to transfer the value of the expression to the destination.

**Contents:**

.. toctree::
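
Review bot: The four FAQ entries start with `# `, which is not a list marker in reStructuredText (the auto-numbered form is `#.`), so in index.rst they will render as one run-on paragraph with literal `#` characters. Use `#.` for each item and keep a blank line between the list and the surrounding text. The single-backtick spans such as `$i`, `mov $i, 100` and `[eax]=="abcd"` are interpreted text in RST rather than inline literals, so they need double backticks if code formatting is intended. In the third entry, `[eax]=="abcd"` is called an "operator"; "expression" would be the accurate word.
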
2 changes: 1 addition & 1 deletion commands/misc/HideDebugger.md
@@ -1,6 +1,6 @@
# HideDebugger/dbh/hide

Hide the debugger from (very) simple detection methods.
Hide the debugger from (very) simple detection methods. The PEB will be modified so that `IsDebuggerPresent()` will return false.

## arguments

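Review bot: The added sentence says "The PEB will be modified" without naming what is changed. For `IsDebuggerPresent()` that is the `BeingDebugged` byte, and saying so would let readers judge which checks are covered. The description still reads "(very) simple detection methods" in the plural while only one API is named, so please state whether anything besides that field is touched, or reword to make clear that only this check is affected.
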
6 changes: 5 additions & 1 deletion commands/tracing/RunToParty.md
Expand Up @@ -4,8 +4,12 @@ Run the program until the program reaches somewhere belonging to the party numbe

## arguments

`arg1` The party number. This value cannot be an expression.
`arg1` The party number. This value cannot be an expression. Note: `0` is user module, `1` is system module.

## results

This command does not set any result variables.

## see also

[RunToUserCode](RunToUserCode.md)
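
Review bot: The `arg1` line now documents `0` and `1` but does not say what happens for any other value, or whether other party numbers exist. Since the same line says the value "cannot be an expression", a reader has no way to find out by experiment with `mod.party(addr)`, so please add the accepted range and the behaviour for an unknown party. The new "see also" entry would also be more useful with a short phrase saying how RunToUserCode relates to a party number.
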
13 changes: 12 additions & 1 deletion gui/tips.rst
Expand Up @@ -32,6 +32,8 @@ Select the entire function or block
You can select the entire function by double-clicking on the checkbox next to the disassembly. This checkbox can also be used to
fold the block into a single line.

Note: when you select only 1 instruction, or if the function is not analyzed, the checkbox might not appear. In this case, please select the instruction you want to fold first.

Code page
---------

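Review bot: In the added note, the remedy repeats the condition: it says the checkbox might not appear "when you select only 1 instruction" and then advises "please select the instruction you want to fold first". If the intent is that the user must select the whole range to be folded before the checkbox is shown, say "select the range of instructions you want to fold"; the two cases (single instruction selected, function not analyzed) may also deserve separate sentences if the remedy differs.
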
Expand All @@ -40,4 +42,13 @@ You can use the codepage dialog(in the context menu of the dump view) to select
Change Window Title
-------------------

You can rename the windows of x64dbg by renaming "x64dbg.exe" or "x32dbg.exe" to another name. You should also rename the "x64dbg.ini" or "x32dbg.ini" to keep it the same name as the debugger.
You can rename the windows of x64dbg by renaming "x64dbg.exe" or "x32dbg.exe" to another name, if the debuggee doesn't support running in a system with a window or process named as such.
You should also rename the "x64dbg.ini" or "x32dbg.ini" to keep it the same name as the debugger.

Search for strings
------------------

You can use the following methods to search for string:
* Search for / Pattern: you will be asked to provide a string to search, and x64dbg will search for it and display the results in the references view.
* Search for / Strings references: x64dbg will search all pointers that look like an ANSI or Unicode string and display the results in the references view. However, it only supports string in Latin language. **If you need to search for strings in other languages, please install appropriate plugins.**
* Search for / Constant: search for a constant that is the first DWORD/QWORD of the string.
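
Review bot: In the "Search for strings" section the bullet list starts on the line directly after "You can use the following methods to search for string:", and reStructuredText requires a blank line before a list, so the three `*` items will be folded into that paragraph. Add the blank line. In the "Change Window Title" text, "if the debuggee doesn't support running in a system with a window or process named as such" is hard to parse; something like "if the debuggee refuses to run when it finds a window or process with that name" says the same thing directly. The bold sentence about other languages asks readers to install "appropriate plugins" without naming or linking any.
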
22 changes: 11 additions & 11 deletions introduction/Expression-functions.md
Expand Up @@ -15,13 +15,13 @@ You may use functions in an expression. The following functions are defined by t

## Modules

* `mod.party(addr)` : Get the party of the module `addr`. `0` is user module, `1` is system module.
* `mod.party(addr)` : Get the party number of the module `addr`. `0` is user module, `1` is system module.
* `mod.base(addr)` : Get the base address of the module `addr`.
* `mod.size(addr)` : Get the size of the module `addr`.
* `mod.hash(addr)` : Get the hash of the module `addr`.
* `mod.entry(addr)` : Get the entry address of the module `addr`.
* `mod.system(addr)` : True if the module at `addr` is a system module. No module is a user module.
* `mod.user(addr)` : True if the module at `addr` is a user module. No module is a user module.
* `mod.system(addr)` : True if the module at `addr` is a system module. False: module is a user module.
* `mod.user(addr)` : True if the module at `addr` is a user module. False: module is NOT a user module.
* `mod.main()` : Returns the base of the main module (debuggee). If this is a DLL it will return `0` until loaded.
* `mod.rva(addr)` : Get the RVA of `addr`. If `addr` is not inside a module it will return `0`.
* `mod.offset(addr)` : Get the file offset of `addr`. If `addr` is not inside a module it will return `0`.
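
Review bot: The rewritten `mod.system(addr)` and `mod.user(addr)` entries drop the case the earlier wording covered, "No module is a user module", so the page no longer says what either function returns when `addr` is not inside any module. The two new endings are also asymmetric: "False: module is a user module" for `mod.system` versus "False: module is NOT a user module" for `mod.user`. Please state the no-module result explicitly for both functions and use the same phrasing pattern in each.
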
Expand All @@ -35,7 +35,7 @@ You may use functions in an expression. The following functions are defined by t

## General Purpose

* `bswap(value)` : Byte-swap `value`.
* `bswap(value)` : Byte-swap `value`. For example, `bswap(44332211)` = 0x11223344.
* `ternary(condition, val1, val2)` : If condition is nonzero, return `val1`, otherwise return `val2`.
* `GetTickCount()` : Tick count of x64dbg.

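Review bot: The new `bswap` example mixes notations and leaves the operand width open: the input is written `44332211` and the result `0x11223344`. A reader who has not seen the hex-constants FAQ may take the input as decimal, so write both sides the same way. The example also only holds for a 4-byte swap; if the function swaps a pointer-sized value, the x64 result would differ, so please state the width or give the x32 and x64 results separately.
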
Expand Down Expand Up @@ -74,16 +74,16 @@ You may use functions in an expression. The following functions are defined by t

## Byte/Word/Dword/Qword/Ptr

* `ReadByte,Byte,byte(addr)` : Read a byte from `addr` and return the value.
* `ReadWord,Word,word(addr)` : Read a word (2 bytes) from `addr` and return the value.
* `ReadDword,Dword,dword(addr)` : Read a dword (4 bytes) from `addr` and return the value.
* `ReadQword,Qword,qword(addr)` : Read a qword (8 bytes) from `addr` and return the value (only available on x64).
* `ReadPtr,ReadPointer,ptr,Pointer,pointer(addr)` : Read a pointer (4/8 bytes) from `addr` and return the value.
* `ReadByte(addr)`,`Byte(addr)`,`byte(addr)` : Read a byte from `addr` and return the value. Example: `byte(eax)` reads a byte from memory location `[eax]`.
* `ReadWord(addr)`,`Word(addr)`,`word(addr)` : Read a word (2 bytes) from `addr` and return the value.
* `ReadDword(addr)`,`Dword(addr)`,`dword(addr)` : Read a dword (4 bytes) from `addr` and return the value.
* `ReadQword(addr)`,`Qword(addr)`,`qword(addr)` : Read a qword (8 bytes) from `addr` and return the value (only available on x64).
* `ReadPtr(addr)`,`ReadPointer(addr)`,`ptr(addr)`,`Pointer(addr)`,`pointer(addr)` : Read a pointer (4/8 bytes) from `addr` and return the value.

## Functions

* `func.start()` : Start of the function `addr` is part of, zero otherwise.
* `func.end()` : End of the function `addr` is part of, zero otherwise.
* `func.start()` : Return start of the function `addr` is part of, zero otherwise.
* `func.end()` : Return end of the function `addr` is part of, zero otherwise.

## References

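Review bot: `func.start()` and `func.end()` are still shown with an empty parameter list while their descriptions refer to `addr` ("the function `addr` is part of"); since this hunk touches both lines, the signatures should become `func.start(addr)` and `func.end(addr)` if that is the actual form. In the rewritten Byte/Word/Dword/Qword/Ptr entries the aliases are joined by commas with no space, which reads as one token in rendered Markdown; a space after each comma would help. Only the `byte` entry gets an example, and it uses `eax` while the qword entry is x64-only, so a note on which register names apply per architecture would avoid confusion.
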