Exetools  
  #1  
ferrit.rce, 09-20-2013, 20:35
OllyDBG v2.xx plugin - OllyExt

OllyExt is a plugin for Olly 2.xx debugger.

The main intention of this plugin is to provide the biggest set of anti-anti-debugging features and bugfixes for Olly 2.xx. Updates will come...

VMProtect support!

The currently available commands are the following:
- Code Rip to Clipboard

The currently supported protections are the following:
- IsDebuggerPresent
- NtGlobalFlag
- HeapFlag
- ForceFlag
- CheckRemoteDebuggerPresent
- OutputDebugString
- CloseHandle
- SeDebugPrivilege
- BlockInput
- ProcessDebugFlags
- ProcessDebugObjectHandle
- TerminateProcess
- NtSetInformationThread
- NtQueryObject
- FindWindow
- NtOpenProcess
- Process32First
- Process32Next
- ParentProcess
- GetTickCount
- timeGetTime
- QueryPerformanceCounter
- ZwGetContextThread
- NtSetContextThread
- KdDebuggerNotPresent
- KdDebuggerEnabled
- NtSetDebugFilterState
- ProtectDRX
- HideDRX
- DbgPrompt

The currently supported bugfixes are the following:
- Caption change
- Kill Anti-Attach ( dll integrity check )

Requirements:
- Microsoft Visual C++ 2010 Redistributable Package (x86)

OS support:
- WinXP x32
- WinXP WoW64
- Win7 x32
- Win7 WoW64

Limitations:
-

If you have any problem just notify me.

About the author:

Created by Ferrit
Send your bugreports/comments to [email protected]

Enjoy :P

Attached file: OllyExt_1.3.zip (84.0 KB)
  #2  
sendersu, 09-21-2013, 02:37
Was it tested on Win8, 8.1?
Thanks
  #3  
ferrit.rce, 09-21-2013, 16:48
Never tested with 8.
  #4  
ferrit.rce, 09-24-2013, 02:22
v1.4 is out

New v1.4 is out. Changes:

- Disassembler changed
- Configurable ripping syntax
- Recursive code ripping
Attached file: OllyExt_1.4.zip (125.9 KB)
  #5  
ferrit.rce, 09-28-2013, 05:00
New v1.5 is out. Changes:
- Data ripping (because of a missing PDK function, ONLY the latest 2.01 is supported)
Attached file: OllyExt_1.5.zip (126.9 KB)
  #6  
ferrit.rce, 09-30-2013, 01:00
New v1.5.1 is out. Changes:
- Code ripping newline fix
- Data ripping VERSION 2.01 (27-Sep-2013) support
- Data ripping relocation fix
Attached file: OllyExt_1.5.1.zip (126.9 KB)
  #7  
Newbie_Cracker, 10-03-2013, 03:36
Why don't you write this plugin for OllyDbg v1.10?
Phantom and OllyAdvanced are incompatible with x64 OS.
  #8  
ferrit.rce, 10-03-2013, 05:36
I've debugged thousands of hours with 1.1 and that was the reason why I decided to use the new version.
Even if it also has some bugs, it has 2 advantages for me:
1. It's not crashing so much
2. Oleh will fix these problems
  #9  
Newbie_Cracker, 10-03-2013, 15:43
Quote (Originally Posted by ferrit.rce):
I've debugged thousands of hours with 1.1 and that was the reason why I decided to use the new version.
Even if it also has some bugs, it has 2 advantages for me:
1. It's not crashing so much
2. Oleh will fix these problems
I agree with you, but the lack of some features pushes me to use v1.10, especially for unpacking. But because of the lack of a comprehensive, workable anti-anti plugin, I'm in trouble.

I think you need to do some modifications in your code for the OD1.1 PDK; API patching is the same. Isn't it?
  #10  
ferrit.rce, 10-03-2013, 18:38
API patching is exactly the same, but the PDK interface and feature set are really different. A lot of the new features I use don't exist on 1.1. I can take a look at it once again but can't promise anything...
BTW, what is missing from 2.x?

Quote (Originally Posted by Newbie_Cracker):
I agree with you, but the lack of some features pushes me to use v1.10, especially for unpacking. But because of the lack of a comprehensive, workable anti-anti plugin, I'm in trouble.

I think you need to do some modifications in your code for the OD1.1 PDK; API patching is the same. Isn't it?
  #11  
Newbie_Cracker, 10-04-2013, 01:27
Quote (Originally Posted by ferrit.rce):
API patching is exactly the same, but the PDK interface and feature set are really different. A lot of the new features I use don't exist on 1.1. I can take a look at it once again but can't promise anything...
BTW, what is missing from 2.x?
Thanks for checking the possibility.

For the features, this is not the right topic to discuss the missing features, but these are small things that I use heavily:

- Mem BP on Write on PE sections, memory regions (very handy for unpacking, reversing)
- Handles window button (I hate extra clicks)
- Patches window (not critical, but comes in handy sometimes)


I've found some bugs, but for now I remember these:

- Show Symbolic address is too stupid in OD2.x for CALL DWORD[adr]. If you press space on such code, OD shows

CALL DWORD PTR DS:[<&KERNEL32.GetSystemTimeAsFileTime>] instead of CALL DWORD PTR DS:[4080AC].

I really hate it !

- Some unknown exception while loading packed files.
- OD2.x fails to show PE sections separately in Execryptor-packed files, even in unpacked files (interesting bug)

and all plugins which exist for OD 1.1

So I still use OD1.10
  #12  
quygia128, 10-22-2013, 13:55
Quote (Originally Posted by Newbie_Cracker):
I've found some bugs, but for now I remember these:

- Show Symbolic address is too stupid in OD2.x for CALL DWORD[adr]. If you press space on such code, OD shows

CALL DWORD PTR DS:[<&KERNEL32.GetSystemTimeAsFileTime>] instead of CALL DWORD PTR DS:[4080AC].

I really hate it !
I will code a plugin to fix this problem automatically when you run OllyDbg; please wait.

BR,
quygia128
  #13  
Newbie_Cracker, 10-04-2013, 02:00
Quote:
Patches window (not critical, but comes in handy sometimes)
I mean the patches window button.

I forgot to say... there is no Copy to clipboard in the Pane window.

Why?
  #14  
sendersu, 10-12-2013, 05:31
Regarding hiding from VMProtect:
what is the set of options that needs to be used?
Here is a sample app protected nicely by VMP, and I fail to get the correct set of options on OllyExt using the 2.01 release of Olly;
it is either "file corrupted" or "debugger detected".
http://www.sendspace.com/file/cdq1ga

Thanks
  #15  
ferrit.rce, 10-13-2013, 03:55
I've just tried the binary and it's running without getting detected. You need the following protections:
- IsDebuggerPresent
- CheckRemoteDebuggerPresent
- CloseHandle
- ProcessDebugFlags
- NtSetContextThread
- Caption Change
Please check that no other debugger is installed and that the only plugin is OllyExt. Some plugins interfere with mine.

Quote (Originally Posted by sendersu):
Regarding hiding from VMProtect:
what is the set of options that needs to be used?
Here is a sample app protected nicely by VMP, and I fail to get the correct set of options on OllyExt using the 2.01 release of Olly;
it is either "file corrupted" or "debugger detected".
http://www.sendspace.com/file/cdq1ga

Thanks
Tags
anti-anti-debug, anti-debug, ollydbg, ollyext, plugin