but I'll probably find the most interesting part by api intercepting

It's a little bit too much but you can test it, maybe it works.

Yes, exactly. Try to make it as small as you can.

As I saw you and others (including me) are using the 'u' command mistakenly to debug 32-bit program (instead of the 'u2' or the 'u32'), HyperDbg now shows a warning message that the disassembler doesn't match with the context to notify user if the wrong command is used!

(These modifications are available in the 'dev' branch)

Hello

The final version 4 has the u32 command included?

Hi

The dev version has a new warning

Previously (even in the very first version 0.1) we had the 32-bit disassembler (it was the 'u2' command). But, as I saw you used the 'u32' instead of the 'u2', I decided to add an alias for the 'u2' which is the 'u32'. Now, in the version v0.4 you can use either the 'u2' or the 'u32'. These commands are the same.

Thanks

But in the 'dev' branch, there is an additional warning message that will notify you if you mistakenly used the 'u' command instead of the 'u32'.

A new warning was added

🙏

Is there any way to get a function's symbol name by its address in the scripting api? Looked at the docs and I couldn't find anything

I'm trying to make a script that tracks the syscalls of a thread and performs introspective tasks on specific ones

No, there isn't such a functionality in HyperDbg.

And it's kinda hard to implement

Because, the script evaluation is done in both kernel-mode and user-mode but as you're tracking the system-calls, you're using its kernel-side scripting. But the symbol interpreter is completely a user-mode module. So, connecting them is kinda hard as you just see the results of evaluation from the kernel debugger in the user-mode.

One idea to solve this problem is using the event-forwarding mechanism. You need to add your custom functions there to interpret your syscall outputs.

https://docs.hyperdbg.org/tips-and-tricks/misc/event-forwarding

For example, write a custom function that imports symbols (converting them from addresses to function names) and once the result of event forwarding is arrived in the user-mode, try to interpret them.

Here's the function @fuijio :

https://github.com/HyperDbg/HyperDbg/blob/c20e2dfc441802bebd69df6ecc9aac17b49c284a/hyperdbg/hprdbgctrl/code/debugger/communication/forwarding.cpp#L292

You can add your codes that convert address to function name here.

But, it's not a good idea to implement such functionality for the HyperDbg as it violates the design principles of not making the scripts interpretation in the user side. (only good for custom use).

ah i see

thank you so much for the fast, detailed response!

i'll have to look into this some more before starting

Yeah, I don't like your flooding. Quiet now Ricardo!

🤦‍♂️

Oh, sorry @ricnar can you send message now?

This automated bot seems to be incorrectly configured.

/flood

This chat is currently enforcing flood control upon reaching 30 messages. Any users that reach that amount of messages will be muted.
Flood clearing is enabled, so messages that trigger a flood will be deleted.

/setflood 100

Antiflood settings for HyperDbg have been updated to 100

Why this stupid Bot deleted the messages. 🫠

i have a problem with x option of monitor command

i start the packed sample again

.start path C:\Users\ricnar456\Desktop\PACKED_PRACTICA_1.exe
debuggee is running...
the target module is loaded and a breakpoint is set to the entrypoint
press 'g' to reach to the entrypoint of the main module...
00007ffb`25cf910e 0F 85 CB 3D 01 00 jnz 0x00007FFB25D0CEDF [not taken]

0: kHyperDbg> g
debuggee is running...
breakpoint 0x2 hit
00000000`00408ec0 60 pushad

it stops in entry point

the section 401000 is not paged

i type pagein 401000

0: kHyperDbg> db 401000
err, invalid address (c0000005)

0: kHyperDbg> pagein 401000
the page-fault is delivered to the target thread
press 'g' to continue debuggee (the current thread will execute ONLY one instruction and will be halted again)...

0: kHyperDbg> g
debuggee is running...
00000000`00408ec1 BE 00 80 40 00 mov esi, 0x408000

0: kHyperDbg> db 401000
00000000`00401000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000000`00401010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000000`00401020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000000`00401030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000000`00401040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000000`00401050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000000`00401060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000000`00401070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

401000 block is paged now

my process is

0: kHyperDbg> .process
process id: 10d8
process (_EPROCESS): ffffaa0f`882b3300
process name (16-Byte): PACKED_PRACTIC

pid 10d8

!monitor xw 401000 401fff pid 10d8

y put a monitor command in wx

in this block and press G

0: kHyperDbg> g
debuggee is running...
event 0x1 triggered
00000000`00408f81 89 07 mov dword ptr ds:[edi], eax

and it stops when writing

event 0x1 triggered
00000000`00408f81 89 07 mov dword ptr ds:[edi], eax

0: kHyperDbg> db 401000
00000000`00401000 55 8B EC 5D C3 CC CC CC CC CC CC CC CC CC CC CC U..]............
00000000`00401010 55 8B EC 8B 45 0C D1 E0 39 45 08 75 06 B0 01 EB U...E...9E.u....
00000000`00401020 04 EB 02 32 C0 5D C3 CC CC CC CC CC CC CC CC CC ...2.]..........
00000000`00401030 55 8B EC B8 00 00 20 18 5D C3 CC CC CC CC CC CC U..... .].......
00000000`00401040 55 8B EC 8B 45 14 50 8B 4D 10 51 8B 55 0C 52 8B U...E.P.M.Q.U.R.
00000000`00401050 45 08 50 E8 00 00 00 2C 8B 48 04 51 8B 10 52 FF E.P....,.H.Q..R.
00000000`00401060 15 00 00 10 BC 83 C4 18 5D C3 CC CC CC CC CC CC ........].......
00000000`00401070 55 8B EC 81 EC 94 00 00 00 A1 00 00 20 04 33 C5 U........... .3.

no instruction is executed in this block till now

0: kHyperDbg> event c 1

0: kHyperDbg> event

!monitor x 401000 401fff pid 10d8

now i put a monitopr command in the block

0: kHyperDbg> g
debuggee is running...

the programs runs and does not stop at all

i know the monitor command starts executing and bypass the first instructions exxecuted

but is not useful in this form

some block of the target is needed

The activation of w option is more accurate more quick

I copied all of you deleted messages @ricnar. Can you send messages here now? This Rose bot seems to be wrongly triggered by flood detection. 🤦‍♂️🤦‍♂️🤦‍♂️

Okay, as long as I see, it seems to be a problem that the event is not triggered for the 'execution'. Am I right?

Yes

In read and write is triggered more quickly

In execution it skips some instruction

I'm testing it now.

I'm currently testing this "PACKED_PRACTICA_1.exe", are we testing the same binary file?

And also, 401000 is a separate PE section. Am I right? @ricnar

I mean is it a PE section or later this program allocate it using VirtualAlloc?

Is the pe sección

The text sección

It has aslr disabled

the code section starts in 401000 till 408000

the first line executed in this section is

40146E

it jumps from here

UPX1:00409073 push 0
UPX1:00409075 cmp esp, eax
UPX1:00409077 jnz short loc_409073
UPX1:00409079 sub esp, 0FFFFFF80h
UPX1:0040907C jmp near ptr word_40146E

after unpack and write the code section

okay, I will test it now, and will let you know about the results.

thanks

the results are very different when using write or execute

write it does no skip intructions

it stops the first time the address is written

but in execution it stops later

than the first line executed in this section

it skips a lot of instructions

3: kHyperDbg> !monitor x 401000 401fff pid 2d38

2: kHyperDbg> g
debuggee is running...
fffff806`33858d62 0F 01 C1 vmcall

0: kHyperDbg> .process pid 2d38
press 'g' to continue the debuggee, if the pid or the process object address is valid then the debuggee will be automatically paused when it attached to the target process

0: kHyperDbg> g
debuggee is running...
switched to the specified process
00000000`00408ec1 90 nop

2: kHyperDbg> eb 00408ec0 60 BE 00 80

2: kHyperDbg> g
debuggee is running...
event 0x0 triggered
00000000`0040146e E8 90 03 00 00 call 0x00401803

@ricnar is it the first line that is supposed to be executed? Am I right?

Yes but it does not stop to me there

yes, because you didn't spin the thread.

This one .

As it's mentioned in the docs, HyperDbg continues the debuggee for some time in case of events. And your target thread will be continued for some time, that's why you didn't get it there.

I agree this is a really bad issue and events should be applied immediately.

BTW, I fix it with this simple command:
eb @eip 90 90 eb fc

Let me create a short video to show you what I did to get this entrypoint.

I'm gonna record it now.

You put a infinite loop

Yes

At the entry point

And then applied the !monitor.

Yes

But, please use the latest 'dev' branch commits.

There was a small problem (not related to monitor) in parsing 'eb' that is now fixed.

This is how I reached the entrypoint, I'm sure you already got the idea of infinite loop. @ricnar

And again, make sure to use the 'git pull' on the 'dev' branch. 🙂

Perfect

Thanks

🙏

Let me know, if there is any other problems.

A video is not necessary

I already sent it.

.

the checksum error is happening a lot to me now

when using .process list

when using .sym download

and is impossible to continue

this time it continues

but sometimes it not continue

Can you reproduce it? Generally, if you find a way to instruct me how to reproduce it, I can fix it easily.

Because these bugs are usually easy to investigate. But, as I never reached to these bugs, I didn't fix it.

u sometimes does not work

Are you using compiled binaries?

Or using the 'dev' branch

?

the dev from yesterday

Can you show me the signature of the debugger?

No, I mean just open HyperDbg, and there is a signature at the top of the window.

Yes

This binary is compiled on 15th July.

there is one only more new version

pulling

i will compile this

Are you sure? Because it's compiled on 15th July. Not today, or yesterday.

maybe i restore the snapshot to an old version

i will recompile now

That's exactly why you see 'invalid checksum'.

Because the structure and the headers of the newest version of HyperDbg is different from the previous versions.

This one is also in the to-do list to check the version of HyperDbg on both debuggee and debugger to make sure they match.

This will prevent such errors.

The reason why the 'u' command not worked in your case is because you use a 64-bit disassembler which might not find the target assembly as a valid opcode. And as the result, it won't show any result.

But as you know, the newest 'dev' commit will notify you about this to avoid these problems. 😉

9090ebfe is nop nop jmp to ep

is valid

but i will retry again with the last version

I'm gonna go sleep now. Let me know if there is anything wrong there. I'll fix it tomorrow. 😴🥱

the error was mine

i used eq

not eb

and the order was incorrect

last compiled version

Maybe some interconnection problem using 2 VMS

This problem does not happen using a physical machine and one only vm as target

When @ricnar joined the group, and knowing him as a professional person, I told @HughEverett, 'Prepare yourself for many challenges ahead.' 😊

Thank you guys.

hehe

The VMs serial connections should not be prone to errors. It's weird, I'll check it. 🤔

https://youtu.be/rmkEW5IVDyg

Subtitules coming

Wow, it's great.

You are doing great @ricnar. And what about your course @HughEverett?

It will be finished once the video editor makes the necessary changes.

probably next week.

did you try with two vms?

like i did in my video?

Starting from the next version, HyperDbg will check whether the build and the version of the debuggee and debugger match or not and if it didn't match then it prevents you from loading the driver. It's mainly added to prevent errors (such as yesterday's error @ricnar) with version mismatch of HyperDbg. And also, the debuggee driver won't load until it's sure that the debugger is listening to it.

yes this is great

Do you mean the interconnection error ?

but now the error happens with the same version too

yes

Okay, I'll setup and test two VMs tomorrow to find out the problem.

i think the scenario is different in serial por connection

port

🤔🤔🤔

That could be.

when you connect from a pyhisical machine to a vm and the target is disconnected the host detects the disconnection

but between two vms the host remain connected and you can restart the target and nothing happen

🤔

maybe some detection problem

and this can lead to a sincronization error

So, it means that each time you use commands like '.process list', it shows error?

not always

but it happens

and when downloading symbols too

when i made the two snapshots it does not happen

but using it, it happened more and more

Got it, maybe the problem that @prekvapko previously mentioned about physical COM port is also related to this.

maybe it is

and cannot be tried in a future a possible net connection like windbg?

I think it should be possible. A portion of the 'kdnet' is open-source:
https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/kdserial-extensibility-code-samples

We could borrow the kdnet source code and use it as the wrapper for HyperDbg.

This should be great

Awesome

I need more time testing it. right now I have to finish HyperDbg course, after that, I'll get to it.

I haven't checked the panel, has a new lesson been added?

No, but probably a new addition to the previously recorded '!monitor' for the execution interception will be added.

So don't update Hyperdebug for now until the course is published. 😁

Hey guys! Amazing software you have.

Is there any way to connect 2 physical machines without the comm port, or at least fake it? none of my machines have that

Hi,
You can use HyperDbg in VMI Mode without connecting two machines. It's like Local Kernel Debugging.

But, you cannot pause or step the debuggee.

Other than that, all of the features of HyperDbg is supported in VMI Mode.

I am using it for a usermode process, is there an option to trace a threads instructions? I am checking out the documentation now

Can you use a virtual machine?

Like VMware workstation.

I cannot, the process I am using it on does not run on VM, there is far to many checks

HyperDbg is VT-x based debugger itself. So, you can test it with your process, first enter the VMI Mode and then run your target process, if it detects HyperDbg, then it means more checks are needed to be bypassed, other than that, you can trace your target process (stepping instructions is only supported in the Debugger Mode) but you can trace any memory read/write/executions. You simulate stepping through the instructions by using event short circuiting, etc.

But before that, run your debuggee along with HyperDbg and check whether it's detected or not after that you can tell us about the scenario of which you need to apply to your target debuggee (e.g., I want manipulate files accessed by this process, I want to monitor/change the network connections from this process), so we could tell you what feature of hyperdbg works best for you.

Ideally im looking to just trace a specific thread, its obfuscated heavily however I would just manually analyse the instructions as I have narrowed it down to a specific area however I cannot backtrace as the stack and stacktrace are messed up so I have no idea where the previous instructions are, IDA does not show and XREFS

let me know if you think of another way to go about doing this or what would be best for this situation

Do you know if it's deobfuscated in the memory after passing its checks?

No it doesn't get deobfuscated unfortunately

its just a mess

This is really hard, not just with HyperDbg, with other debuggers as well. If I were in you shoes, I try to monitor its interactions with the operating system. For example, most of the times, you don't need to deobfuscate a really messy binary file. Instead, you just need to manipulate its interactions. For example, this application performs dozens of check, and if it's sure that the integrity of the application is untouched, it contacts its target server. In such a scenarios, you don't need to make your hands dirty deobfuscating it, instead monitor its system-calls is enough.

Yes I know, im in a tricky situation. I know exactly what your saying as I have been doing that for a while now lol. My problem is im sure its a hearbeat which could just be a shared/global variable being used which means there is no system calls. Ill maybe check other areas but its a tricky one

Other that, you can use HyperDbg's !exception command. Once the system wants to context-switch to another process, it throws a clock-interrupt. You can simply monitor that and it has the full state of the system (registers, memory, whatever). From there you can change the flow (direction) of program or read the memory, etc.

https://docs.hyperdbg.org/commands/extension-commands/exception

Do you know the address of this shared global variable?

If you know the address of it, you can '!monitor' that in HyperDbg.

Is there any way that I can send a command to a running Hyperdbg session without the cli?
What I am looking for is basically 'reverse event fowarding' in a way - I want to send a command to a running Hyperdbg session through my own programm.

Thought I might be able to achieve this by using HPRDBGCTRL.dll, but was sadly mistaken.

HyperDbg can work over TCP in VMI mode.

Is it what you need?

https://docs.hyperdbg.org/commands/meta-commands/.connect#examples

I'm not sure. Does this allow me to connect to a debugging session?

The description is vague to me

OOOh, I think I understand it. This is pretty much what I want (I think?).
I thank you for your quick response and this powerful project!

Yes, it's like connecting to a remote instance of HyperDbg. You can use the '.listen' command and then the '.connect' command.

Take a look at this:
https://docs.hyperdbg.org/getting-started/attach-to-hyperdbg/debug#connect-to-debuggee-vmi-mode

And for the automation, you can change the source code of this file which implements the logic behind listening and connecting:

https://github.com/HyperDbg/HyperDbg/blob/master/hyperdbg/hprdbgctrl/code/debugger/communication/remote-connection.cpp

@ricnar I tested two VMs debugging over COM port.

I couldn't reproduce the error. It didn't show any checksum failed after 1 hour of continuously transmitting data.

Both '.sym reload' and '.process list' gives a correct response without 'checksum error'. I test it serveral times. Do you have any idea how can reproduce the error? probably other ways?

What version of VMware workstation do you use? Mine is 16.2.4.

The last versión

Try to create snapshots before connect

And restore snapshots and connect

And You can reproduce easily the other problem when You restart the Target the host does not detect

This happen every tome when You restart the Target the host does not notice

Did You configure the host as nat and the Target as host only?

I did the same, but it still works perfectly. (I mean transferring data, not noticing that the target is disconnected.).
But, I test it with the latest pre-compiled binaries released in the GitHub. It didn't work! But, the latest 'Dev' branch commit works perfectly.

Two/three days ago, I made some modification for handshaking between the debugger and the debuggee. In that 'commit' I made some modification on the COM timeout, etc.

I suspect that it might accidentally solve this problem!

Would you please test it with the latest dev branch commit ("remove user-mode debugger trap flag ignorance")? @ricnar

Okay, the serial connection over two virtual machines is now documented here: https://docs.hyperdbg.org/getting-started/attach-to-hyperdbg/debug#vmware-workstation-two-vms

I will test the weekend thanks

As i promised, i made a translation of VIDEO 2 about HYPERDBG, to some language similar to english, i'm not an english speaker at all, but i put a lot of effort to made it, and i think it will be understable at least.

https://www.youtube.com/watch?v=rmkEW5IVDyg

It's great. Thank you for all of your efforts. 🙏

Thanks to you

You made the real job here

Certainly not! Numerous individuals contribute to make this infrastructure run smoothly and of course I'm not the only one.

Thanks to all of them

Is the 'checksum error' problem in the connection between two VMs fixed? 🤔

i'm just compiling, copying

i will try next

seems to work perfect

it didn't fail till now

the unique problem to me is this

the lm list the symbols of the wow64 modules

is a 32 bits process

this is OK

but

That's great. @prekvapko Do you still have access to your computer with physical serial port? Can you please check HyperDbg (in the 'dev' branch) whether the problem with serial connection is solved or not?

how to use the x command with the 32 bits user modules

Yeah, I noticed it too.

maybe a x32 command can be added

like u32 to disassemble

I don't know why kernel32's symbol is problematic. Let me see it again.

No, I don't think so, because user32, ntdll, all of them except kernel32 is okay.

not ok

The same problem is with kernel32, 64 bit.

is displaying 64 bit addreses

Did you run '.sym reload pid xxx' ?

sym reload in the context

i will try with the pid

Will do!

it hangs

the target is freezed

with a 32-bit program?

and the cmd host dont response

yes the packed program

Let me check it now.

the same packed program

maybe the event enabled

could made the problem

i forgot to disable the event

i will try again

It loaded successfully for me.

On PC now, will check the physical conn now

lm with pid change context to hyperdbg

yes, the '.process' can be used to return to the previous process again.

process start like G

It won't get the context?

the packed starts and it stucks in the get()

when you enter the user name

yes, this is expected.

Well, it's actually how we implement the '.process'. Take a look at this:
https://docs.hyperdbg.org/tips-and-tricks/considerations/difference-between-process-and-thread-switching-commands

when returns after typing it forgot the symbols

You have a really cool trick to avoid this problem. Let me explain.

The way that HyperDbg grabs the execution in the '.process' command is monitoring for clock-interrupts. Once a clock-interrupt is thrown in the target process, we intercept the execution.

The problem why you can't get the execution right now, is because functions like get() will eventually call the 'WaitForSingleObject()', and the execution will go to the Windows kerenl.

Windows won't execute the target program and won't assign it a time slice as the thread is still in the waiting state (waiting for an input from user).

And the target thread won't get a chance to get executed and as the result, HyperDbg is not able to intercept the execution.

How can we fix it?

Well, we have a really cool trick for it 🙂

👍

You can use the '!monitor x' command on the target range of the packed process.

Once you provide the input to the process, the execution will be returned to the user-mode.

yes

but the 32 bits symbols does not work here

The execution will be intercepted in the user-mode. As we !monitor it for the 'x' attribute.

I verified that the 'kernel32' symbols have problem, but other modules are okay?

i start the process and it stops in the pushad

i want to put a breakpoint in user32 messagebox now

So, what's the problem? 🤨

are you sure that the 'user32' symbol is available?

This is a 32-bit version, so it needs to be re-downloaded.

Most of the times, people have symbols for user32 (64-bit) version.

Can you run '.sym download' now?

ah

i see now

👌👌👍

but it didn't work

again '.sym reload pid xxx'.

and take a look at the '.sym table'.

i made it

and it changes to hyperdbg context

rechange to my process

and ir didnt work

I don't get it, what do you mean? 🧐🤔

it didn't work

now it BSOD the target

i use sym download, next sym reload pid

next

.process pid xxx

😳😳😳

to return to my context

Let me check.

and it didn't work

and it crashes the target at the end

seems to be very complicated

and i can't catch how it works

I'm checking it now.

i will type your commands one by one

first i start the process with start path

Unfortunately still met with invalid packet received spam

now i'm in the pushad

It's correct for me.

i'm in the pushad

The problem is, the target process didn't load the user32.

oh i will try with a kernel32 api

As I traced it, the problem is with dbghelp symbol interpreter.

Oh no

I'm wrong

It works for the kernel32 as well.

yes but

is a terrible thing that the reload option starts the process

i must use a infinite loop to remain in the same instructuon

this is annoying

but works

is only an opinion

I think this can be solved. I'm not sure about the kernel part but I think I can solve it to not continue the debuggee in case of the '.sym' command.

I'll put it to the to-do list.

yes

will be great

but the checksum error did not happen anymore here

💃

At least the same problem is solved now for VMware workstation.

yes

is solved here

invalid packet spam seems to still be correlated to symbol sync

or at least gets spammed around that time

Did you use the latest 'dev' branch?

yup

🤔

wait

no

i didnt

LOL

welp time for another test

after i finish my game

i always forget that cloning from url clones master..

i think a NET connection could be great too

yes.

wouldn't you lost the ability to break in the guest?

over physical machines**

In VMware?

over physical machines

2pcs

I didn't test it right now on physical machine. But the same problem that you mentioned happened to VMWare connecting two VMs, and now we fixed it. That's why I asked you to re-test HyperDbg on your physical machine as the same problem might be solved there as well.

I'm talking about NET connections

Oh

nvm.. you can't really use anything besides com

because yo uneed __in and __out with bios directly

Yes, that's definitely possible, but I need some times before supporting this feature. Right now, a lot of critical problems are still on the to-do list that needs to be solved.

If you guys have time can helping me too. We need someone to test the KDNET project which its source code is available in Win SDK, to compile it and test it and possibly add it to HyperDbg.

It's a little bit time consuming as we need to re-test everything to make sure we didn't break anything.

still invalid checksum on first msg

and then invalid packets..

no, it's not an invalid packet

How did you connect it?

wait

com ports 115200

on debugger: .debug remote serial 115200 com2

yes

it's debug 'remote'.

and prepare on guest

yes

I followed the wiki

It won't connect at all?

This message indicates that it's not connected.

debugger will show messages

invalid checksum, invalid packets

🤦‍♂️

it did not pass handshake, packets are being sent nontheless

i run debug remote serial 115200 on my laptop com3

first

are you sure both the debuggee and debugger use the same version?

The same compilation I mean.

yup

i always download from guest where i compiled it

Something is wrong here. Let me check it with you carefully.

Because once you see some messages in debugger (not debuggee), the debuggee should also show some messages.

what if the debugger received the messages, but was unable to process them

therefore it didn't respond?

No

That's not possible.

Because the debugger should send response to debuggee.

And if this message is not received in the debuggee, it won't send any messages there.

one second

That's why I say, something is went wrong here.

multiple invalid packet prints show on debugger every time debugee is retrying

Can you use '115200' as baud rate?

I just tried 110 for test.

Used 115200, same result

okay, what's received there?

exactly the same

I will try one more thing, don't think it will have an effect

I have an extension on the com cable

This seems not to be a problem with the communication.

Please take a look at source code (put breakpoint) and see what it keeps sending there.

Because we don't have such a mechanism that keeps sending something like this

🤔

weird thing is, when i was checking it before

the packets seemed to have been very weird?

like I was receiving packets from debugee that should've came from debugger?

and I swear i did not accidentally use it the opposite ways

yes. I'm curious to know what received there that makes it show this message.

yes

aight one second i'll pull the repo on laptop

where would you like me to put the breakpoint?

welp problem is that Indicator is wrong

for every but one message

and the first message has wrong checksum

maybe I need to make the maximum size over COM smaller?

perhaps something is cut off?

what is received there in the 'BufferToReceive' and the 'LengthReceived'?

No, it won't send the entire buffer, just the length that is filled is sent.

welp looking at buffer

buffer+0x8 has following string: GDBREPY

Wait

where is H?

a bit later i see \\hyperdbg\\

missing

oh

H is after the Y

GDBREPYH

my bad

put a breakpoint here.

.

next one sends over symbols

SYSTEM32\\ntdll.dll

What is the value of the 'TheActualPacket->Indicator' and how it's compared to INDICATOR_OF_HYPERDBG_PACKET?

wait is it maybe because