OllyDBG v2.xx plugin - OllyExt
OllyExt is a plugin for Olly 2.xx debugger.
The main intention of this plugin is to provide the biggest anti-anti debugging features and bugfixes for Olly 2.xx. Updates will come... :) VMProtect support!

The currently available commands are the following:
- Code Rip to Clipboard

The currently supported protections are the following:
- IsDebuggerPresent
- NtGlobalFlag
- HeapFlag
- ForceFlag
- CheckRemoteDebuggerPresent
- OutputDebugString
- CloseHandle
- SeDebugPrivilege
- BlockInput
- ProcessDebugFlags
- ProcessDebugObjectHandle
- TerminateProcess
- NtSetInformationThread
- NtQueryObject
- FindWindow
- NtOpenProcess
- Process32First
- Process32Next
- ParentProcess
- GetTickCount
- timeGetTime
- QueryPerformanceCounter
- ZwGetContextThread
- NtSetContextThread
- KdDebuggerNotPresent
- KdDebuggerEnabled
- NtSetDebugFilterState
- ProtectDRX
- HideDRX
- DbgPrompt

The currently supported bugfixes are the following:
- Caption change
- Kill Anti-Attach ( dll integrity check )

Requirements:
- Microsoft Visual C++ 2010 Redistributable Package (x86)

OS support:
- WinXP x32
- WinXP WoW64
- Win7 x32
- Win7 WoW64

Limitations:
- If you have any problem just notify me.

About the author:
Created by Ferrit
Send your bugreports/comments to ferrit.rce@gmail.com
Enjoy :P
Was it tested @Win8, 8.1? Thanks
Never tested with 8.
v1.4 is out
New v1.4 is out. Changes:
- Disassembler changed
New v1.5 is out. Changes:
- Data ripping (because of missing PDK function ONLY 2.01 latest supported)
New v1.5.1 is out. Changes:
- Code ripping newline fix
Why don't you write this plugin for OllyDbg v1.10?
Phantom and OllyAdvanced are incompatible with x64 OS.
I've debugged thousands of hours with 1.1 and that was the reason why I've decided to use the new version :)
Even if it also has some bugs, it has 2 advantages for me:
1. It's not crashing so much
2. Oleh will fix these problems
I think you need to do some modifications in your code for the OD1.1 PDK; API patching is the same. Isn't it?
API patching is exactly the same but the PDK interface and feature set is really different. A lot of the new features I use don't exist on 1.1. I can take a look at it once again but can't promise anything...
BTW what is missing from 2.x?
For the features, it's not the right topic to discuss the missing features, but small things that I use heavily:
- Mem BP on Write on PE sections, memory regions (very handy for unpacking, reversing)
- Handles window button (I hate extra clicks)
- Patches window (not critical, but comes in handy sometimes)

I've found some bugs but now remember these:
- Show Symbolic address is too stupid in OD2.x for CALL DWORD[adr]. If you press space on such code OD shows CALL DWORD PTR DS:[<&KERNEL32.GetSystemTimeAsFileTime>] instead of CALL DWORD PTR DS:[4080AC]. I really hate it !
- Some unknown exception while loading packed files.
- OD2.x fails to show PE sections separately in Execryptor packed files, even in unpacked files (interesting bug)

and all plugins which exist for OD 1.1 ;) So I still use OD1.10 :cool:
I forgot to say... there is no Copy to clipboard in the Pane window. Why?
Regarding hiding from VMProtect
What is the set of options that needs to be used? Here is a sample app protected nicely by VMP and I fail to get the correct set of options on OllyExt using the 2.01 release of Olly; it is either file corrupted or debugger detected http://www.sendspace.com/file/cdq1ga thanks
I've just tried the binary and it's running without getting detected. You need the following protections:
- IsDebuggerPresent
- CheckRemoteDebuggerPresent
- CloseHandle
- ProcessDebugFlags
- NtSetContextThread
- Caption Change

Please check that no other debugger is installed, and the only plugin is OllyExt. Some plugins are interfering with mine.
Hi, thanks for the details.
1) The most strange thing is that...... it works just 1 time! The second time and the rest, the app under test is just crashing! Do you see the same behaviour?
2) I've IDA/etc. SW installed, but not running - does it matter?
3) What OS are you working on?
P.S. here are my Olly settings http://prntscr.com/1x0ldg are you using the same?
Just take the latest original Olly, install my plugin, turn on the mentioned protections and it should work. I'm using Win7 Pro. Regarding the exceptions, I have the exact same settings.
Hey, I've just found the problem :) It's an Olly config issue. You have to turn off SFX -> Unpack SFX modules automatically and it will work like a charm. By default it's enabled but it should be off...
New v1.6 is out. Changes:
- CreateThread
I get an error when trying to rip recursively:
Unable to find target jump address at 00000000 File: OllyExtCodeRip.cpp Line: 191 Result of GetLastError: 00000000
Please send me an example binary and the range that you wanted to rip.
@ferrit.rce:
Inside the function, I think you should use GetProclimits to get the end address of the function (RET) (must analyse code). Get the point of the jump command (jump XXX), calculate the byte length from XXX to the end of the function and copy the data to clipboard.
@author
Have you seen this interesting piece of code? http://pastebin.com/6kbt1Vka Did you already have it inside the Ext tool? :)
This pastebin is irrelevant, it's for kernel debugger detection. Olly is a usermode debugger. You don't have to add this mate.
1. The feature must go without code analysis
2. I'm doing what you've described, but we have a possible problem with the recursive feature
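The recursive ripping discussed in the last few posts, as an added example in Python (not OllyExt's code): it rips a requested range from a constructed x86 image without prior code analysis, follows each relative CALL/JMP/Jcc whose target lies outside the range until that function's RET, and reports an unresolvable (register-indirect) target instead of producing a bogus address. The decoded opcode subset, the image bytes and the base address are assumptions made for the example.

```python
import struct

BASE = 0x00403D90  # constructed image base, in the address style of the thread

def _decode(code, off):
    """Length and relative-branch target for the small opcode subset used here."""
    op = code[off]
    if op in (0xE8, 0xE9):                            # CALL rel32 / JMP rel32
        return 5, off + 5 + struct.unpack_from("<i", code, off + 1)[0]
    if op == 0xEB or 0x70 <= op <= 0x7F:              # JMP rel8 / Jcc rel8
        return 2, off + 2 + struct.unpack_from("<b", code, off + 1)[0]
    if op == 0xFF and code[off + 1] in (0xD0, 0xE0):  # CALL EAX / JMP EAX
        raise ValueError("unresolvable indirect branch at %08X" % (BASE + off))
    if op in (0xC3, 0x90, 0x50, 0x58):                # RET, NOP, PUSH EAX, POP EAX
        return 1, None
    if op == 0xB8:                                    # MOV EAX, imm32
        return 5, None
    raise ValueError("unsupported opcode %02X at %08X" % (op, BASE + off))

def rip(code, start, end):
    """Rip offsets [start, end) and, recursively, every relative CALL/JMP/Jcc
    target outside that range, walking each target until its RET (no prior
    code analysis). Returns sorted (start_va, end_va) pairs, end exclusive."""
    ripped, pending = set(), [(start, end)]           # bound None = walk to RET
    while pending:
        off, bound = pending.pop()
        while (bound is None or off < bound) and off not in ripped:
            ln, tgt = _decode(code, off)
            ripped.update(range(off, off + ln))
            if tgt is not None and not start <= tgt < end and tgt not in ripped:
                if not 0 <= tgt < len(code):          # target not inside the image
                    raise ValueError("target jump address %08X outside image" % (BASE + tgt))
                pending.append((tgt, None))
            if bound is None and code[off] == 0xC3:
                break                                 # end of the followed function
            off += ln
    out = []
    for o in sorted(ripped):                          # merge bytes into contiguous ranges
        if out and out[-1][1] == o:
            out[-1][1] = o + 1
        else:
            out.append([o, o + 1])
    return [(BASE + s, BASE + e) for s, e in out]

# Constructed image: caller at +00, an unresolvable CALL EAX at +0C, callee at +20.
IMAGE = (bytes.fromhex("B801000000" "E816000000" "90C3" "FFD0C3")  # MOV EAX,1; CALL +20; NOP; RET; CALL EAX; RET
         + bytes(0x20 - 0x0F)                                     # padding, never decoded
         + bytes.fromhex("50" "7F01" "90" "58C3"))                  # PUSH EAX; JG +24; NOP; POP EAX; RET
```

Ripping offsets 0 to 12 yields the caller plus the callee it reaches; extending the range over the CALL EAX raises instead of reporting a fake target.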
@ferrit.rce
Here is an example I found where recursive work:
CALL 004053DC ;//00403D90:
OK, I'll take a look at it...
New v1.6.1 is out. Changes:
- Recursive code ripping fix
@ferrit.rce
OllyExt 1.6.1 does not run at all @Win2k3 server x32... not even any line in the log window of Olly201... :( http://prntscr.com/290fap http://prntscr.com/290fih http://prntscr.com/290g8l
P.S. another v2 plugin, OllyDumpEx v1.30, was successfully loaded. Any ideas?
First of all win2k3 is not supported at all! Maybe it's working but absolutely no guarantee. See readme.txt...
I've a test code for this and it's relevant only in some rare circumstances. The user mode debugger can be detected only if a kernel mode debugger is installed, running and the program debugged under the user mode debugger. I've never seen this protection in any protector but I can implement it in no time :) This will be done in the next release...
@sendersu: If you want win2k3 support do the steps in the attached file.
@ferrit.rce
Info carefully collected & sent by PM, pls review
It's not a reliable detection method.
Great job as always!
New v1.7 is out. Changes:
13.01.2014
New v1.71 is out to solve some annoying problems. Changes:
09.02.2014
My OS: Win 8.1 x64
OK, I'll fix it ASAP...