Exetools  

#16, ferrit.rce (VIP), 10-13-2013, 22:04
Just take the last original Olly, install my plugin, turn on the mentioned protections and it should work. I'm using Win7 Pro. Regarding the exceptions, I have the exact same settings.

Quote: Originally Posted by sendersu
Hi, thanks for the details.
The most strange thing is that ...... it works just 1 time!
The second time and every time after, the app under test is just crashing!
Do you see the same behaviour?

2) I've IDA/etc. SW installed, but not running - does it matter?
3) What OS are you working on?

P.S. Here are my Olly settings: http://prntscr.com/1x0ldg
Are you using the same?
#17, ferrit.rce (VIP), 10-14-2013, 17:07
Hey, I've just found the problem. It's an Olly config issue. You have to turn off SFX -> Unpack SFX modules automatically and it will work like a charm. By default it's enabled but it should be off...
#18, quygia128 (Family), 10-22-2013, 13:55
Quote: Originally Posted by Newbie_Cracker
I've found some bugs but now remember these:

- Show Symbolic address is too stupid in OD2.x for CALL DWORD[adr]. If you press space on such code, OD shows

CALL DWORD PTR DS:[<&KERNEL32.GetSystemTimeAsFileTime>] instead of CALL DWORD PTR DS:[4080AC].

I really hate it!
I will code a plugin to fix this problem automatically when you run OllyDbg, please wait.

BR,
quygia128
#19, ferrit.rce (VIP), 10-23-2013, 14:25
New v1.6 is out. Changes:
Code:
- CreateThread
- Version information resource added
Attached Files: OllyExt_1.6.zip (127.6 KB)
#20, nikre (VIP), 10-23-2013, 19:08
I get an error when I try to rip recursively:
Unable to find target jump address at 00000000
File: OllyExtCodeRip.cpp Line: 191
Result of GetLastError: 00000000
#21, ferrit.rce (VIP), 10-23-2013, 23:25
Please send me an example binary and the range you wanted to rip.
Quote: Originally Posted by nikre
I get an error when I try to rip recursively:
Unable to find target jump address at 00000000
File: OllyExtCodeRip.cpp Line: 191
Result of GetLastError: 00000000
#22, quygia128 (Family), 10-23-2013, 23:47
@ferrit.rce:

Inside the function, I think you should use GetProclimits to get the end address of the function (RET) (the code must be analysed).

Get the position of the jump command (jump XXX), calculate the byte length from XXX to the end of the function and copy the data to the clipboard.
#23, sendersu (VIP), 10-24-2013, 01:47
@author
Have you seen this interesting piece of code?
http://pastebin.com/6kbt1Vka

Do you already have it inside the Ext tool?
#24, memcpy (Friend), 10-24-2013, 02:36
This pastebin is irrelevant, it's for kernel debugger detection. Olly is a usermode debugger. You don't have to add this, mate.
#25, ferrit.rce (VIP), 10-24-2013, 19:49
1. The feature must go without code analysis.
2. I'm doing what you've described, but we have a possible problem with the recursive feature.

Quote: Originally Posted by quygia128
@ferrit.rce:

Inside the function, I think you should use GetProclimits to get the end address of the function (RET) (the code must be analysed).

Get the position of the jump command (jump XXX), calculate the byte length from XXX to the end of the function and copy the data to the clipboard.
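As an added example (not code from the thread or from OllyExt), here is the rip-to-RET idea quygia128 describes, plus the recursive step that nikre's error report is about, in Python: starting at a function's address, collect bytes up to the RET, resolve the target of each E8 rel32 CALL, and rip the callee too; a target that does not map into the buffer is reported instead of ripped. The base address, the three tiny functions and the function names are all constructed for the example. It deliberately treats every 0xE8 and 0xC3 byte as an opcode, which is exactly the simplification the "code must be analysed" remark warns about: a real ripper needs an instruction-length decoder so that immediates and displacements are not mistaken for opcodes.

```python
import struct

CALL_REL32 = 0xE8                  # E8 rel32: near relative call
RET_OPCODES = {0xC3: 1, 0xC2: 3}   # ret / ret imm16, with their encoded lengths

# Constructed sample (not from the thread): three tiny x86 functions laid out
# at a made-up base address.
BASE = 0x00401000
SAMPLE = bytes.fromhex(
    "55 8B EC"            # 00401000: push ebp; mov ebp, esp
    "E8 08 00 00 00"      # 00401003: call 00401010  (rel32 = 0x401010 - 0x401008)
    "5D C3"               # 00401008: pop ebp; ret
    "CC CC CC CC CC CC"   # 0040100A: int3 padding between functions
    "31 C0 C3"            # 00401010: xor eax, eax; ret
    "E8 E8 EF BF FF"      # 00401013: call 00000000 (target outside the buffer)
    "C3"                  # 00401018: ret
)


def call_target(code, base, off):
    """Resolve the destination of the E8 rel32 CALL whose opcode is at `off`."""
    if off + 5 > len(code):
        raise ValueError(f"Truncated CALL at {base + off:08X}")
    rel = struct.unpack_from("<i", code, off + 1)[0]
    return base + off + 5 + rel      # target = address of the next instruction + rel32


def rip_function(code, base, start, ripped=None):
    """Rip the function at `start` and, recursively, every function it calls.

    Returns {address: bytes}. Byte-by-byte scanning is a deliberate
    simplification: a real ripper must decode instruction lengths so that an
    0xE8/0xC3 inside an immediate or displacement is not treated as an opcode.
    """
    if ripped is None:
        ripped = {}
    if start in ripped:
        return ripped                # already ripped: this also breaks call cycles
    off = start - base
    if not 0 <= off < len(code):
        # The check the recursive path needs: a target that does not map into
        # the buffer is an error, not something to rip.
        raise ValueError(f"Unable to find target address {start:08X}")

    callees = []
    i = off
    while i < len(code):
        op = code[i]
        if op == CALL_REL32:
            callees.append(call_target(code, base, i))
            i += 5                   # skip the rel32 so its bytes are not scanned as opcodes
        elif op in RET_OPCODES:
            i += RET_OPCODES[op]
            break
        else:
            i += 1
    else:
        raise ValueError(f"No RET found after {start:08X}")

    ripped[start] = bytes(code[off:i])
    for target in callees:
        rip_function(code, base, target, ripped)
    return ripped


def format_rip(ripped):
    """Render the ripped functions as address-prefixed hex, one function per line."""
    return "\n".join(f"{addr:08X}: {blob.hex(' ').upper()}"
                     for addr, blob in sorted(ripped.items()))


def describe_rip(code, base, start):
    """Rip from `start` and return either the hex dump or the error message."""
    try:
        return format_rip(rip_function(code, base, start))
    except ValueError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    print(describe_rip(SAMPLE, BASE, BASE))         # 00401000 and its callee 00401010
    print(describe_rip(SAMPLE, BASE, BASE + 0x13))  # error: target 00000000 is not in the buffer
```

The second call reproduces the shape of nikre's report: the CALL at 00401013 resolves to 00000000, which is outside the ripped image, so the recursion stops with an error instead of reading from an address it cannot see.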
#26, nikre (VIP), 10-25-2013, 12:33
@ferrit.rce

Here is an example; I found one where recursive work.
Code:
CALL 004053DC                                ;//00403D90:
Attached Files: Delphi.rar (153.0 KB)
#27, ferrit.rce (VIP), 10-25-2013, 17:59
OK, I'll take a look at it...

Quote: Originally Posted by nikre
@ferrit.rce

Here is an example; I found one where recursive work.
Code:
CALL 004053DC                                ;//00403D90:
#28, ferrit.rce (VIP), 10-26-2013, 17:57
New v1.6.1 is out. Changes:
Code:
- Recursive code ripping fix
Attached Files: OllyExt_1.6.1.zip (127.7 KB)
#29, sendersu (VIP), 12-06-2013, 08:09
@ferrit.rce
OllyExt 1.6.1 does not run at all on Win2k3 Server x32...
Not even a single line in the log window of Olly201...
http://prntscr.com/290fap
http://prntscr.com/290fih
http://prntscr.com/290g8l
P.S. Another v2 plugin, OllyDumpEx v1.30, was successfully loaded.

Any ideas?
#30, s0me0n3 (Family), 12-07-2013, 18:12
Quote: Originally Posted by sendersu
@author
Have you seen this interesting piece of code?
http://pastebin.com/6kbt1Vka

Do you already have it inside the Ext tool?
Quote: Originally Posted by memcpy
This pastebin is irrelevant, it's for kernel debugger detection. Olly is a usermode debugger. You don't have to add this, mate.
I have to disagree, from what I can see in the pastebin stuff:

Quote:
//On the other hand, if KdPitchDebugger is set to false, a check for the "SeDebugPrivilege"
//privilege is conducted, a sign of presence of Kernel and/or UserMode debugger(s).
and

Quote:
    else
    {
        printf("Kernel Debugger present\r\n");
        if(retValue != 0xC0000022) printf("UserMode Debugger present as well\r\n");
    }
}
Tell me where I am wrong.
Tags: anti-anti-debug, anti-debug, ollydbg, ollyext, plugin
