Some my experiences with OllyDbg

[TQN]

- OllyDbg can not find and stop at the entry point of a EXE which did not have IAT (did not contain any import functions). The exception will throw in NTDLL.DLL and the exe will terminate. IDA debugger, WinDbg are same. They can not debug this exe, and seem that the OS can not run this kind of EXE.
- If we have installed Visual Studio 6, we will have the MFC42.pdb file in System32 directory. When OllyDbg load a exe which uses MFC42.dll, OllyDbg will load and read debug information from the MFC42.pdb and it will take a long time (seem to hang). So I must move the MFC42.pdb to my symbols directory.
- If we rename OllyDbg.exe to another name (to anti anti-OllyDbg), almost plugins will not run. So I think we need modify plugin.h to dynamic load OllyDbg export functions by GetModuleHandle(NULL) and GetProcAddress(xxx).
- We can develop OllyDbg plugin with Delphi. I know we have many Delphi Coder in this forum here, so why we can not use Delphi to write plugin ?. I am porting plugin.h to plugin.pas for Delphi 6 and 7. I am finished 50%. Wait for few days. I attached a simple plugin with source, written with Delphi 7. Hope you will enjoy, test and reuse it for your plugins written in Delphi.
Regards

[Jay]

Quote:

- If we rename OllyDbg.exe to another name (to anti anti-OllyDbg), almost plugins will not run.

I've renamed it, also renaming every internal reference and no probs at all as long as length of newname is same as original.

Thanks for those tips, i've had some weird issues in Olly sometimes too, like on Sunday when i was working I had code like:

Code:

cmp dword ptr [dwBreak], 1
jnz NoBreak
int 3
NoBreak:
jmp dword ptr [dwFullOEP]

and when I hit my breakpoint it seemed olly couldn't recognize the jnz and int 3 and innterperted it as sub esp, 4 so had too pad with nops.