Exetools

Exetools (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   OllyDBG v2.xx plugin - OllyExt (https://forum.exetools.com/showthread.php?t=15258)

ferrit.rce 09-20-2013 20:35

OllyDBG v2.xx plugin - OllyExt
 
1 Attachment(s)
OllyExt is a plugin for Olly 2.xx debugger.

The main intention of this plugin is to provide the biggest anti-anti debugging features and bugfixes for Olly 2.xx. Updates will come... :)

VMProtect support!

The currently available commands are the following:
- Code Rip to Clipboard

The currently supported protections are the following:
- IsDebuggerPresent
- NtGlobalFlag
- HeapFlag
- ForceFlag
- CheckRemoteDebuggerPresent
- OutputDebugString
- CloseHandle
- SeDebugPrivilege
- BlockInput
- ProcessDebugFlags
- ProcessDebugObjectHandle
- TerminateProcess
- NtSetInformationThread
- NtQueryObject
- FindWindow
- NtOpenProcess
- Process32First
- Process32Next
- ParentProcess
- GetTickCount
- timeGetTime
- QueryPerformanceCounter
- ZwGetContextThread
- NtSetContextThread
- KdDebuggerNotPresent
- KdDebuggerEnabled
- NtSetDebugFilterState
- ProtectDRX
- HideDRX
- DbgPrompt

The currently supported bugfixes are the following:
- Caption change
- Kill Anti-Attach ( dll integrity check )

Requirements:
- Microsoft Visual C++ 2010 Redistributable Package (x86)

OS support:
- WinXP x32
- WinXP WoW64
- Win7 x32
- Win7 WoW64

Limitations:
-

If you have any problem just notify me.

About the author:

Created by Ferrit
Send your bugreports/comments to ferrit.rce@gmail.com

Enjoy :P

Additional download page

sendersu 09-21-2013 02:37

was it tested @Win8, 8.1?
thanks

ferrit.rce 09-21-2013 16:48

Never tested with 8.

ferrit.rce 09-24-2013 02:22

v1.4 is out
 
1 Attachment(s)
New v1.4 is out. Changes:

Code:

        - Disassembler changed
        - Configurable ripping syntax
        - Recursive code ripping


ferrit.rce 09-28-2013 05:00

1 Attachment(s)
New v1.5 is out. Changes:
Code:

- Data ripping( because of missing PDK function ONLY 2.01 latest supported )

ferrit.rce 09-30-2013 01:00

1 Attachment(s)
New v1.5.1 is out. Changes:
Code:

- Code ripping newline fix
- Data ripping VERSION 2.01  (27-Sep-2013) support
- Data ripping relocation fix


Newbie_Cracker 10-03-2013 03:36

Why you don't write this plugin for OllyDbg v1.10?
Phantom and OllyAdvanced are incompatible with x64 OS.

ferrit.rce 10-03-2013 05:36

I've debugged thousands of hours with 1.1 and that was the reason why I've decided to use the new version :)
Even if it has also some bugs it has 2 advantages for me:
1. It's not crashing so much
2. Oleh will fix these problems

Newbie_Cracker 10-03-2013 15:43

Quote:

Originally Posted by ferrit.rce (Post 87178)
I've debugged thousands of hours with 1.1 and that was the reason why I've decided to use the new version :)
Even if it has also some bugs it has 2 advantages for me:
1. It's not crashing so much
2. Oleh will fix these problems

I agree with you, but lack of some features pushes me to use v1.10, specially for unpacking. But because of lack of comprehensive workable anti-anti plugin, I'm in trouble :(

I think you need do some modification in you code for OD1.1 PDK, API patching is the same. Isn't it?

ferrit.rce 10-03-2013 18:38

API patching is exactly the same but the PDK interface and feature set is really different. A lot of used new features doesn't exist on 1.1. I can take a look at once again but can't promise anything...
BTW what is missing from 2.x?

Quote:

Originally Posted by Newbie_Cracker (Post 87184)
I agree with you, but lack of some features pushes me to use v1.10, specially for unpacking. But because of lack of comprehensive workable anti-anti plugin, I'm in trouble :(

I think you need do some modification in you code for OD1.1 PDK, API patching is the same. Isn't it?


Newbie_Cracker 10-04-2013 01:27

Quote:

Originally Posted by ferrit.rce (Post 87190)
API patching is exactly the same but the PDK interface and feature set is really different. A lot of used new features doesn't exist on 1.1. I can take a look at once again but can't promise anything...
BTW what is missing from 2.x?

Thanks for checking the possibility.

For the features, it's not the right topic to discuss about the features missing but small things that I use heavily:

- Mem BP on Write on PE sections,memory regions (very handy for unpacking, reversing)
- Handles window button (I hate extra clicks)
- Patches window (not critical, but comes handy sometimes)


I've found some bugs but now remember these:

- Show Symbolic address is too stupid in OD2.x for CALL DWORD[adr]. If you press space on such codes OD shows

CALL DWORD PTR DS:[<&KERNEL32.GetSystemTimeAsFileTime>] instead of CALL DWORD PTR DS:[4080AC].

I really hate it !

- Some unknown exception while loading packed files.
- OD2.x fails to show pe sections seperately in Execryptor packed files, even in unpacked files (interesting bug)

and all plugins which exist for OD 1.1 ;)

So I still use OD1.10 :cool:

Newbie_Cracker 10-04-2013 02:00

Quote:

Patches window (not critical, but comes handy sometimes)
I mean patches window button

I forgot to say... there is no Copy to clipboard in Pane window.

Why?

sendersu 10-12-2013 05:31

Regarding hiding from VMProtect
whats is the set of options need to be used?
here is a sample app protected nicely by vmp and I fail to get the correct set of options on OllyExt using 2.01 release of Olly
it is either file corrupted or debugger detected
http://www.sendspace.com/file/cdq1ga

thanks

ferrit.rce 10-13-2013 03:55

I've just tried the binary and it's running without getting detected. You need the following protections:
- IsDebuggerPresent
- CheckRemoteDebuggerPresent
- CloseHandle
- ProcessDebugFlags
- NtSetContextThread
- Caption Change
Please check that no other debugger is installed, and the only plugin is OllyExt. Some plugins are interfering with my one.

Quote:

Originally Posted by sendersu (Post 87340)
Regarding hiding from VMProtect
whats is the set of options need to be used?
here is a sample app protected nicely by vmp and I fail to get the correct set of options on OllyExt using 2.01 release of Olly
it is either file corrupted or debugger detected
http://www.sendspace.com/file/cdq1ga

thanks


sendersu 10-13-2013 18:09

Hi, thanks for details
most strange thing is that ...... it works just 1 time!
the second time and the rest the app under test is just crashing!
do you see the same behaviour?

2) I've ida/etc SW installed, but not running - does it matter?
3) what OS are you working on

P.S> here is my olly setings http://prntscr.com/1x0ldg
are you using the same?


All times are GMT +8. The time now is 17:04.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX