Independent file host


About

File type
TXT file of 30 KB (text/plain)
Public file, uploaded on 12 June 2017 at 13:51, from IP address 83.76.x.x (CH)
Contains no known viruses or malware - Last check: 2 days
This download page has been viewed 468 times since the file was uploaded
File preview

CrySearch Memory Scanner

evolution536, www.unknowncheats.me

	- Added scanning for values that are between two user-entered values;
	- Fixed an inconsistency in comparing floats and doubles, not being rounded to the nearest integer;
	- Fixed bug in the new scan window where the hexadecimal view option was not correctly toggled when selecting float or double types;
	- Fixed bug in the imports window in CrySearch x64 where non-WOW64 modules were not removed in the module droplist;
	- Some improvements to the View Handles window:
		- Fixed bug where some handle access masks would cause CrySearch to hang;
		- Fixed bug where handles would not be displayed when the name could not be queried;
		- Now queries mount points using QueryDosDevice to present drive letters rather than native device paths.
	- Fixed byte masking for the signature generation window:
		- Added an option in the signature generation window to choose automatic masking, and a corresponding default option in the settings window.
		- Control transfer instructions and instructions with an immediate value are masked.
	- Improved some cosmetics for windows and controls.

	- Added right-click option to dump heaps in heap walk dialog (whatever is readable from the memory of the heap will be dumped);
	- Revised memory scanner, performance changes should be noticeable:
		- In very big scans, performance improvement is negligible, because I/O still is the bottleneck. However, less time is wasted in not writing anything;
		- Out-of-memory exceptions that used to occur are very unlikely to occur again;
		- Improved value comparison, reducing processing overhead in scanning.
	- Fixed bug where opening an x64 process with CrySearch x86 would give two error messages instead of one;
	- Slight performance improvement in the import address table parser;
	- Fixed bug in the import table parser that could cause a crash when resolving modules with an empty export table;
	- Put a limit of 512 entries on the address table. If this limit is violated, nothing will be added. Instead, it will show you how many entries may be added;
	- Fixed bug in disassembler with incorrect disassembly by reducing number of threads to 1;
	- Started using BeaEngine v5.0 dev in CrySearch x86 because Windows Defender is annoyingly and falsely detecting BeaEngine.dll as malicious.

	- Added the version number of the U++ trunk used to compile CrySearch to the about dialog;
	- Fixed bug in the plugin system where loading a plugin with the same name would cause undefined behavior;
	- Added support for plugin-defined core routines (An example plugin has been added in OverrideTestPlugin):
		- Opening a process;
		- Reading from process memory;
		- Writing to process memory;
		- Changing process memory protection constants.
	- Fixed bug where the "NOP Selected" button in the disassembler window was visible in read-only mode;
	- Added an error message for when no modules could be retrieved. This is useful to know because only half of CrySearch will work in this case;
	- Changes in the module system:
		- Fixed a bug where enumerating WOW64 modules would not work properly anymore in newer Windows versions;
		- Added an option for x64 mode to hide modules that are not wow64, which is enabled by default for comfort.
	- Fixed a bug in retrieving the .NET section of a process, where invalid data would crash CrySearch;
	- Fixed possible buffer overrun bugs in several parts of CrySearch;
	- Fixed bug in retrieving function addresses from modules that were previously hidden, that could crash CrySearch.

	- Added feature to NOP out selected rows using right-click menu in the disassembly window;
	- Fixed a bug in the PE window where the image base of an x64 process would be truncated to 32-bits;
	- Fixed a bug where freezing and thawing addresses in the address table would not work properly anymore;
	- Added the possibility to edit multiple selected address table entries at the same time, only by right-clicking and excluding editing the address;
	- Reduced the timeout for retrieving window icons in the open process window;
	- Improved the disassembler window:
		- Added an option to go back to the entrypoint in the toolstrip and the right-click menu;
		- Added resolving of intermodular function calls to functions in the import address table;
		- Added heavy parallelism to the disassembler, greatly increasing processing speeds.
	- Added a threshold to the amount of rows that can be selected for signature or byte array generation. This threshold is set to 256;
	- Partially added masking for signature generation in the disassembly window.

	- Some changes were made to the command line process analysis automation:
		- Fixed a bug where a zombie process would still be successfully opened for automated analysis using command line options;
		- Added the name of the containing module to the start address of outputted threads.
	- Fixed a few small bugs in the debugger:
		- Fixed a bug where the attached process crashing after setting a write breakpoint would also crash CrySearch;
		- Fixed a bug where very frequent refreshes of the call stack on breakpoint hit would crash CrySearch.
	- Added a read-only operation mode:
		- Setting available from the Settings window;
		- Behavioral warning when changing the setting while a process is opened;
		- Every component that writes to the opened process or requires writing permissions is disabled at user interface level.
	- Changed the size of most input fields and buttons. Some operating systems showed them to be too small;
	- Fixed a bug in the new scan window where selecting unknown initial value followed by string or array of bytes would render the window unusable.

	- Added a view option to the right-click menu for search results to manually switch view of formatting to hexadecimal;
	- Fixed bug where Null integer values 0x80000000(00000000) were not properly formatted in views;
	- Fixed a bug where it was not possible to enter relative addresses in:
		- The memory dissector component;
		- The disassembler, go to address dialog.
	- Fixed bug where clearing the scan results would not disable the next scan button accordingly;
	- Made some changes to toolbars and menu bars:
		- Moved heap walk from disassembly window button to Tools menu bar;
		- Added signature and byte array generation buttons to disassembly window toolbar as well;
		- Added page size indicator in the disassembly window toolbar, on the right.

	- Fixed bug in disassembler where going to an address from a search result may crash the application;
	- Fixed serious bug in next scans: unchanged, changed, increased and decreased value.

	- Fixed a bug in the crash handler window where the module names of stack trace entries would not correctly resolve;
	- Added support for Windows 10:
		- Fixed OS version detection for Windows 10;
		- Added support for Windows 10 ApiSetSchema;
		- Support for UHD displays was added due to a major U++ update. Therefore the toolbar icons are smaller than they used to be;
	- Added a tool to fill the memory with a specific value or randomized values. This tool can be found in the Tools menu.

A new revision is released after v1.18. Major improvements were implemented and XP support is discontinued. CrySearch may still work on Windows XP but support may be removed in the future.

	- Improved memory dissector:
		- Fixed bug where row offsets did not change correctly when changing its size;
		- Added option to right-click address in memory dissection window to add it to the address table;
		- Added option to edit the value of the row inline.
	- Fixed bug in next scan where array of bytes and string sizes were not set, resulting in null searches;
	- Fixed bug in disassembler where disassembling would stop on error, not covering the whole page;
	- Improved debugger:
		- Fixed bug for breakpoints that were set on branch instructions. They could not be resolved after the branch was taken;
		- Fixed bug where closing the application with breakpoints active could freeze the execution.
	- Fixed bug with address table where freezing a value would not work properly anymore due to previous optimizations;
	- Fixed bug in memory scanner where it was possible, very rarely, for a data race to occur when counting the results;
	- Fixed bug where subsequent next scans could crash the application;
	- Added about dialog detection for instruction sets AVX2, FMA3 and TSX;
	- Improved performance of string, wstring and aob scans by eliminating the values file dependency;
	- Optimized the way readable memory is assigned to workers, increasing memory scanner speed;
	- Fixed bug in imports window where loaded modules with an empty import table would return false information or potentially crash application;
	- Added function counter in the imports window that displays the amount of functions imported from the selected module;
	- Fixed bug in main window where hiding and showing the bottom pane would eliminate the drag limit;
	- Fixed bug in code generator where generating code for static addresses could possibly crash the application;
	- Fixed bug in main window where hiding and showing the disassembly window would crash the application.

	- Added multiple selection possibility for search results. Select multiple and right-click to add them to the address table;
	- Added possibility to select multiple address table entries and remove them all at once;
	- Fixed bug in registering CrySearch as default program for opening address tables where the registry key could not be read;
	- Fixed bug where dump failure in module section dump window would unwantedly close the window;
	- Added CrySearch version number to the crash dump for more accurate reporting of bugs;
	- Fixed bug where entering a bigger string in an address table entry would not alter the same search result simultaneously;
	- Added option to match strings until a null terminator character is found. 256 characters is the maximum string length;
	- Added command line options. This allows to automate the use of CrySearch as an analysis application (See command help);
	- Added an option to use the DEL key on the keyboard to delete multiple items at once from the address table;
	- Following a debugger breakpoint hit instruction now scrolls down further, and selects the address in case;
	- Changed the disassembler to load any readable, writable and executable memory page in the process instead of only readable and executable.

	- Improved overall performance of the application:
		- Improved user interface performance in several places due to replacement of slow formatting functions;
		- Improved memory usage and performance of the memory dissector by enabling dynamic reading of values;
		- Improved debugger performance slightly by optimizing the stack view;
		- Improved module window performance by optimizing the way modules are saved and retrieved.
	- Fixed bug where detaching the debugger would not accurately remove all breakpoints;
	- Fixed existing bug where changing the size of the first memory dissection row would make the second row not size properly;
	- Fixed bug where loading 64-bit address table in 32-bit CrySearch could possibly crash the application;
	- Added indicator labels in the modules window and threads window to indicate the amount of modules that are being displayed;
	- Fixed a few bugs related to rare occasion sanity checking in the PE parser that would have led to crashing the application;
	- Fixed bug where changing the relative address of an address table entry to another module would not actually change the module name;
	- Added user interface warning for failed lookup of NTDLL functions used by CrySearch;
	- Fixed bug where crash handler window would not function properly when exception occurred inside child thread;
	- Added option to hide bottom pane of the application main window. This option is available in the Window menu;
	- Fixed code generator to take relative addresses into account;
	- Added retrieval of command line, working directory and window title inside PEB window.

	- The icon of CrySearch has changed, thanks to Daax. He crafted a wonderful new icon for CrySearch;
	- Improved part of the plugin SDK documentation;
	- Made a few changes, bug fixes and improvements to the memory dissection window:
		- Customized drawing of the memory dissection window, now drawing the address/offset in black and the type in grey;
		- Fixed bug caused in the changes of last version where the address table file was not properly saved to file anymore;
		- Fixed bug where float values would always be displayed as 0.0000000 values;
		- Fixed bug where CrySearch did not save memory dissection contents in the address table file. Custom row types need this;
		- Fixed bug where altering the type or size of a row would mangle the offset of the second entry in the wrong way;
		- Fixed bug where changing the view mode of dissection rows when there are no dissections loaded would crash CrySearch;
		- Fixed bug where setting hexadecimal view mode and default hexadecimal view mode were interfering.
	- Changed plugin about box title to match the plugin name. This looks better than the default title;
	- Added possibility to scan a process' memory for hexadecimal values. This option applies for byte, short, int and long;
	- Changed thread window to resolve thread start addresses to a module and function if the opened process provides symbols;
	- Greatly improved disassembler:
		- Fixed bug where selecting multiple rows of disassembly to operate on a breakpoint would cause undefined behavior;
		- Disassembler dynamically refreshes with user interface flow. This greatly reduces memory usage and indirectly fixes related bugs;
		- Fixed bug where escaping the 'Go to address' dialog would refresh the disassembly. This was overhead.
	- Added additional icons for existing operations in some tab windows to signify their existence in CrySearch;
	- Greatly improved memory usage and performance of the memory scanner. Values are dynamically built by the display;
	- Fixed bug in the dialog for modifying an address table entry where relative addresses could be duplicated in the table.

	- Added event procedure to plugin system. CrySearch calls the event procedure for default in-app events like process open/close;
	- Small user interface detail modifications and improvements:
		- Changed width of the plugin window. Users may make plugins that require longer names or descriptions;
		- Changed padding of address table control in the main window to fit the wireframe of the main window better;
		- Changed array display controls to have a minimum column width. This prevents columns from being dragged out of range.
	- Added user interface value updating for the search results. The update interval is the same as the address table update interval;
	- Improved process creation from process selection window. You can now input arguments and start a process in suspended state;
	- Fixed bug in imports window where setting a hook on some functions would crash the application;
	- Added thread hijacking injection method for DLL files. Works for both x86 and x64 and the injection method is selectable from the Settings dialog;
	- Cleared up the progress of setting a hook in the import table. When the function fails, it will display an error now;
	- Greatly improved debugger and fixed bugs:
		- Fixed bug in stack view where selecting a stack size higher than 1024 would cause undefined behavior;
		- Fixed major bug in breakpoint set by the debugger not being reset after being hit;
		- Fixed disabled breakpoints views (red colors) not being properly cleared after the breakpoint list goes empty;
		- Fixed hardware breakpoints being set incorrectly resulting in undefined behavior depending on the process;
		- Fixed instability where very fast subsequent breakpoint hits would result in crashing the application;
		- Fixed instability where removing a breakpoint during very fast subsequent breakpoint hits would result in crashing the application.
	- Renamed the 'General' tabpage in the Settings window to 'Internals';
	- Made error messaging in the module dumper clearer for when there is no dumper available;
	- Fixed bug where String and WString updating sequences would result in unpredicted data and high cpu utilization;
	- Fixed bug where float values in the search results or address table would always be truncated to 0.

	- Changed about dialog to show a list of loaded libraries including their runtime versions;
	- Added thread context snapshot feature. Right-click thread in thread window to open the snapshot window;
	- Finally fixed process window closure bug. Wait cursor is displayed and window closure is delayed until next possible break opportunity;
	- Fixed dialog bug where tab no key other than the ESC key could be used;
	- Fixed tab indices of controls in new scan dialog being wrong;
	- Added memory dissection feature containing the following functionality:
		- Basic dissection of memory blocks. Click Tools->Memory Dissection;
		- Time-based updating of display-visible memory region. The interval is configurable;
		- Right-click address table entry and create a dissection from it with a single click;
		- Typing of dissection entries where type and length are selectable per row.
	- Improved performance of memory scan that was decreased by the relative addresses feature;
	- Fixed bug in address table where relative addresses weren't resolved if process was loaded after address table file was loaded;
	- Fixed bug in address table where saving address table entries that didn't correctly resolve on load as invalid relative address crashed CrySearch;
	- Fixed bug in main window where 'Edit'->'Clear Address List' would crash CrySearch if process was closed before clearing;
	- Fixed bug in main window where closing a process would not refresh address table correctly;
	- Fixed bug in process environment block window where x64 PEB address was not displayed correctly;
	- Added Anti-Anti-Debugging with NtGlobalFlags. Attempting to hide the debugger from PEB option utilizes this feature.

	- Fixed bug in process selection window where search box may reveal duplicate processes in the list;
	- Added possibility to disable a breakpoint before removing it from the list to allow the breakpoint data to be available when the breakpoint is inactive. Available from right-click in debugger window;
	- Changed the way the debugger catches unhandled exceptions:
		- Added an option in the 'Settings' window to toggle whether exceptions should be caught;
		- Changed exception message dialog to present 'Ignore' or 'Abort' choices to the user.
	- Added toolstrip to the 'Debugger' tab window including button to clear breakpoints;
	- Partial implementation of relative addresses:
		- Search results that appear static are displayed in green. The appearance of an address is assumed based on address ranges;
		- Address tables handle and persist offsets and address relativity, display as well as user input.
	- Fixed implementation of editing hotkeys inside the 'Settings' window. It was never complete but it is now;
	- Fixed bug in internal function improving performance and preventing possible memory leaks;
	- Added byte-array generation for C++ and C# programming languages. Available from 'Disassembly' window by right-clicking multiple selected rows;
	- Added CrySearch version number to address table file for future use;
	- Fixed bug in address table file causing the process name to be incorrect in certain situations;
	- Fixed bug in process selection window crashing when window is closed rapidly with callbacks running.

	- Fixed bug with searching for processes in process selection dialog, not filtering because of previous async fix;
	- Changed 'manually add address' dialog to support type selection too, as well as the title has changed slightly (Also affects edit address table entry);
	- Fixed array of bytes' search results not being the correct length after being double-clicked;
	- Added signature generation in FindPattern and bytearray (Evo) format. Available from 'Disassembly' window by right-clicking multiple selected rows.

	- Added crash reporting system. When CrySearch crashes a crash report is generated for support;
	- Changed data windows for module sections, heaps and handles to be sizeable and added count label;
	- Added customizable routines in Settings window for ReadProcessMemory, WriteProcessMemory and VirtualProtectEx;
	- Added CrySearch library, dissecting functionality from the executable to a library for plugin and future use;
	- Added plugin system:
		- Plugins folder for both architectures;
		- Plugins window under 'Tools' with information and diagnostic options;
		- Shipped plugin SDK to write own plugins.
	- Changed module section dumper (default dumper) to be a plugin for CrySearch that is shipped by default, and fixed its file alignment;
	- Changed loading and unloading of modules via the module window not to block in case the DLL entrypoint is blocking; (5 seconds timeout)
	- Changed process opening window to asynchronously enumerate icons for available windows to avoid blocking the ui thread;
	- Added possibility to jump to disassembler from call stack entry using right-click.

	- Applied several performance fixes, increasing overall performance and memory usage. The disassembler is noticeably faster;
	- Added option to manually associate the .csat file extension with CrySearch (elevation is necessary);
	- Added button to 'Save' address table instead of 'Save As' every time. 'Save' is enabled whenever a table is opened;
	- Fixed an issue with the restoration of the EAT address of a function in the Imports window;
	- Added system handle enumeration dialog in Tools menu:
		- Close a remote handle inside the target process;
		- View its access mask in human readable MSDN constants.
	- Extended imports window to feature view of imports of every module in the loaded process;
	- Fixed a bug with checking for ordinal imported functions skipping the name where it shouldn't be skipped;
	- Changed memory allocation during memory scans to reduce aggressive allocation resulting in out-of-memory exceptions;
	- Added .NET sections to lower right pane of General window. Allows dumping of .NET sections.

	- Changed the forum link in the about dialog to resolve to the CrySearch thread instead of the forum home page;
	- Added option to format input value in hexadecimal when changing the integer value of an address table entry;
	- Added process name to save file for future use;
	- Changed the debugger window to effectively support multiple breakpoints, which was a major flaw in the first version;
	- Added the breakpoint trigger address to the debugger window, with 'follow in disassembler' feature on click;
	- Implemented 'Unknown Initial Value' as scanning type for the memory scanner;
	- Added customizable stack read limit on breakpoint hit, editable from the Settings dialog;
	- Refactored the Settings dialog to specialize certain settings;
	- Added feature to suspend and resume the entire process. This feature does not provide distinction between suspended and running threads;
	- Fixed bug that caused CrySearch to crash when a process contains more than 256 modules;
	- Dropped Toolhelp32 as library in favor of NtQuerySystemInformation;
	- Added feature to thread window where CrySearch is able to identify suspended threads;
	- Changed the window title to contain the process identifier when a process is opened;
	- Added possibility to enter API function as start address for a new thread. Format: (name.dll!function);
	- Added option to randomize window title. Located under the menu 'Window';
	- Changed the amount of search results visible in the user interface to 100.000 to reduce memory usage.

	- Added key accelerators to disassembly window to quicken certain actions;
	- Added heap walking feature in disassembly window to view the heaps associated with the opened process;
	- Changed the margin for resizing the splitter vertically in the main window to be smaller;
	- Fixed unicode string option to be invisible when string or wstring data type is not selected in change record dialog;
	- Added option to set CrySearch's main window to be always on top. Added to the 'Window' menu;
	- Fixed bug in IAT procedure to crash on ordinal lookup failure for some processes;
	- Fixed bug in general PE information not being reset on process closure;
	- Fixed bug in CrySearch x64 where GetClassLongPtr had to be used in order to successfully retrieve the window icon;
	- Fixed bug where CrySearch would crash when the PE headers are destroyed;
	- Changed restore PE headers from file in module window to search working directory of module as starting directory.

	- Changed right-click selectable to set breakpoints from invisible to disabled in case the debugger is not attached;
	- Added option in module window to open the working directory of a module in the Windows Explorer;
	- Added possibility to sort the processes in the process selection window per column by clicking the desired column header;
	- Changed the 'Go to Address' button in the Disassembly window to go to the lower neighbor in case the address is not exact;
	- Added column in process selection window to display icon associated to main window of a process;
	- Added option in process selection window to hide processes that do not have a main window;
	- Added dragging area in process selection window that allows the user to drag the mouse to the window of the desired process;
	- Added button in module window to dump entire process into folder which includes all modules of the process;
	- Added feature to dump specific sections of a module inside the opened process using right-click in the module window.

	- Fixed major crash when opening processes whose executable's IAT is mangled or modified;
	- Fixed dump issue with section dump, where raw section size may be 0. If so, normal section size is used;
	- Added basic disassembly using BeaEngine, showing address, bytes and OPcodes;
	- Added debugger supporting:
		- Software breakpoints;
		- Hardware breakpoints;
		- Hiding itself from PEB;
		- Handling symbols with option to invade process.
	- Added versioning information to the PE resources;
	- Added checkbox in context menu of address table that indicates whether hexadecimal view is enabled;
	- Due to a recent addition in the U++ framework, the overall application size reduced by 130 kb;
	- Reduced size of toolbar images, to also reduce size of the toolbar itself;
	- Fixed bug in ApiSetSchema resolving that would cause a crash in a small amount of situations;
	- About dialog:
		- Added U++ support link;
		- Added CPUID display that shows hardware supported processor extensions.

	- Fixed dumping of modules in module window, forcing to dump .dll when trying to dump the main executable module;
	- Added ApiSetSchema resolving for Windows 8.1 and fixed a bug similar to its implementation for Windows 7;
	- Changed definition of PEB and TEB to be more complete and accurate;
	- Fixed crash when restoring address in IAT, case-sensitive comparing was necessary;
	- Fixed crash when restoring address of virtualized API from imports window;
	- Added correct address resolving and restoring of forwarded functions, now retrieving address from forwarded endpoint module;
	- Changed about dialog with a clickable link to the unknowncheats forum and richer text;
	- Added button to manually add addresses to the address table;
	- Fixed bug with dumping a module, where occasionally the string length is incorrect, resulting in a mismatch;
	- Fixed bug with ordinal import resolving where invalid address would be returned and added warning on invalid addresses.

	- Fixed IAT module name, being too short with 32 bytes, now 48 bytes;
	- Added TEB view for threads in opened process;
	- Added IAT hooking, allowing user to overwrite function address in IAT;
	- Added IAT unhooking, restoring the address of a previously hooked function from module's EAT;
	- Added ordinal import name lookup in IAT window, ordinal imports are now displayed by foreign function name;
	- Hooked imports are displayed in red to indicate to the user that they are possibly hooked;
	- Optimized PE operations by purging calls to ReadProcessMemory, speeding up the initialization process of CrySearch;
	- Added button to refresh IAT manually;
	- Added ApiSetSchema resolving for Windows 7+, redirected APIs are resolved to their logical DLL (This does not work on Windows 8.1);
	- Added PEB window with a table view of the PEB contents, including a button to reset the BeingDebugged flag.

	- Added hotkey configuration feature, for a basic set of keys and actions;
	- Fixed process open window search function not being able to press return to open first search result;
	- Fixed terminated process not being detected, leaving CrySearch in a blind state (improvement for bugfix in v1.01);
	- Added possibility to create process from file instead of opening an existing one;
	- Added next scan conditions for increased and decreased value;
	- Improved check against x64 processes when using x86 CrySearch;
	- Changed CrySearch x64 for it to be fully compatible with Wow64 processes;
	- Added several code size optimizations;
	- Added IAT viewing (in tabpage: Imports);
	- Removed warning at first startup, default settings are silently restored instead.

	- Fixed x86 and x64 settings file conflicting;
	- Fixed scanning bug when process was terminated outside CrySearch;
	- Fixed instability/crash when XML in settings file is modified unexpectedly;
	- Fixed bug when closing and reopening 'General' window, where old section entries were not deleted;
	- Fixed bug where opening a x86 process from x64 CrySearch, image base is incorrect;
	- Added search box in process window to simplify loading of processes;
	- Added shortcut closing of tool windows using Escape.

	- First release.
