
OllyDbg 2.00.01 (Final) July 26, 2010

Posted by reversengineering in DEBUGGER, TOOLS.

OllyDbg 2.0 is a 32-bit assembler-level analyzing debugger with an intuitive interface. It is especially useful if source code is not available or when you experience problems with your compiler.

Requirements. Developed and tested mainly under Windows 2000 and Windows XP, but should work under any Windows version: 95, 98, ME, NT, 2000, XP, 2003 Server, Vista, Windows 7 and so on. For comfortable debugging you will need at least a 500-MHz processor. OllyDbg is memory hungry. If you debug a large application with all features enabled, it may allocate 200-300 megabytes for backup and analysis data.

Supported instruction sets. OllyDbg 2.0 supports all existing 80x86-compatible CPUs: MMX, 3DNow!, including Athlon extensions, and SSE instructions up to SSSE3 and SSE4.

Configurability. More than 120 options (oh, no! This time it’s definitely too much!) control OllyDbg’s behaviour and appearance.

Data formats. Dump windows display data in all common formats: hexadecimal, ASCII, UNICODE, 16 and 32-bit signed/unsigned/hexadecimal integers, 32/64/80-bit floats, addresses, disassembly (MASM, IDEAL, HLA or AT&T). It also decodes and comments many Windows-specific structures, including PE headers, PEB, Thread data blocks and so on.

Help. OllyDbg 2.0 includes built-in help on all 80x86 integer and floating-point commands. If you possess Windows API help (win32.hlp, not included due to copyright reasons), you can attach it and get instant help on system API calls.

Startup. You can specify executable file in command line, select it from menu, drag-and-drop file to OllyDbg, restart last debugged program or attach to already running application. OllyDbg supports just-in-time debugging and debugging of child processes. You can detach from the debugged process, and it will continue execution. Installation is not necessary!

Code highlighting. Disassembler can highlight different types of commands (jumps, conditional jumps, pushes and pops, calls, returns, privileged and invalid) and different operands (general, FPU/SSE or segment/system registers, memory operands on stack or in other memory, constants). You can create custom highlighting schemes.

Threads. OllyDbg can debug multithread applications. You can switch from one thread to another, suspend, resume and kill threads or change their priorities. Threads window displays errors for each thread (as returned by call to GetLastError).

Analysis. Analyzer is one of the most significant parts of OllyDbg. It recognizes procedures, loops, switches, tables, constants and strings embedded in code, tricky constructs, calls to API functions, number of function’s arguments, import sections and so on. It attempts to determine not only the number of stack arguments in the unknown functions, but even their meaning. Analysis makes binary code much more readable, facilitates debugging and reduces the probability of misinterpretations and crashes. It is not compiler-oriented and works equally well with any PE program.

Full UNICODE support. All operations available for ASCII strings are also available for UNICODE, and vice versa. OllyDbg is able to recognize UTF-8 strings.

Names. OllyDbg knows symbolic names of many (currently 7700) constants, like window messages, error codes or bit fields, and decodes them in calls to known functions.

Known functions. OllyDbg recognizes by name more than 2200 frequently used Windows API functions and decodes their arguments. You can add your own descriptions. You may set logging breakpoint on a known or guessed function and protocol arguments to the log.

Calls. OllyDbg can backtrace nested calls on the stack even when debugging information is unavailable and procedures use non-standard prologs and epilogs.

Stack. In the Stack window, OllyDbg uses heuristics to recognize return addresses and stack frames. Notice however that they can be remnants from the previous calls. If program is paused on the known function, stack window decodes arguments of known and guessed functions. Stack also traces and displays the chain of SE handlers.

Search. Plenty of possibilities! Search for command (exact or imprecise) or sequence of commands, for constant, binary or text string (not necessarily contiguous), for all commands that reference address, constant or address range, for all jumps to selected location, for all referenced text strings, for all intermodular calls, for masked binary sequence in the whole allocated memory and so on. If multiple locations are found, you can quickly navigate between them.

Breakpoints. OllyDbg supports all common kinds of breakpoints: INT3, memory and hardware. You may specify number of passes and set conditions for pause. Breakpoints may conditionally protocol data to the log. Number of INT3 and memory breakpoints is unlimited: in the extreme case of hit trace, OllyDbg sometimes sets more than 100000 INT3 breakpoints. On a fast CPU, OllyDbg can process up to 20-30 thousand breakpoints per second.

Watches. Watch is an expression evaluated each time the program pauses. You can use registers, constants, address expressions, boolean and algebraical operations of any complexity.

Execution. You can execute program step-by-step, either entering subroutines or executing them at once. You can run program till next return, to the specified location, or backtrace it from the deeply nested system API call back to the user code. When application runs, you keep full control over it. For example, you can view memory, set breakpoints and even modify code “on-the-fly”. At any time, you can pause or restart the debugged program.

Hit trace. Hit trace shows which commands or procedures were executed so far, allowing you to test all branches of your code. Hit trace starts from the actual location and sets INT3 breakpoints on all branches that were not traced so far. The breakpoints are removed when command is reached (hit).

Run trace. Run trace executes program in the step-by-step mode and protocols execution to the large circular buffer. Run trace is fast: when fast command emulation is enabled, OllyDbg traces up to 1 million commands per second! Run trace protocols registers (except for SSE), flags, contents of accessed memory, thread errors and – for the case that your code is self-modifying – the original commands. You may specify the condition to stop run trace, like address range, expression or command. You can save run trace to the file and compare two independent runs. Run trace lets you backtrack and analyse the history of execution in detail, over millions and millions of commands.

Profiling. Profiler calculates how many times some instruction is listed in the run trace buffer. With profiler, you know which part of the code takes most of execution time.

Patching. Built-in assembler automatically selects the shortest possible code. Binary editor shows data simultaneously in ASCII, UNICODE and hexadecimal form. Good old copy-and-paste is also available. Automatic backup lets you undo changes. You can copy modifications directly to the executable file; OllyDbg will even adjust fixups.

UDD. OllyDbg saves all program and module-related information to the individual file and restores it when module is reloaded. This information includes labels, comments, breakpoints, watches, analysis data, conditions and so on.

Customization. You can specify custom fonts, colour and highlighting schemes.

And much more! This list is far from complete, there are many features that make OllyDbg 2.0 the friendly debugger.

Author website http://www.ollydbg.de/

PROTECTiON iD 6.4.0 July 26, 2010

Posted by reversengineering in DETECTOR, TOOLS.


- detection of every major PC ISO Game / Application protection
- currently covers 475 detections, including win32/64 exe protectors & packers, .net protectors, dongles, licenses & installers
- sector scanning CDs / DVDs for Copy Protections
- files / folders can simply be dragged & dropped into pid
- strong scanning routines allowing it to detect multiple protections
- easy scanning via shell context menu
- useful misc tools included
- coded 100% in Win32 assembly language
- fully 32bit & 64bit compliant
- working from Win9x to Windows 7

Author website http://pid.gamecopyworld.com/

StrongOD July 26, 2010

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

Make your OllyDbg Strong!

This plug-in provides three ways to start the debugged process:

1. Normal – the same manner as the original start, the STARTUPINFO inside unclean data
2. CreateAsUser – starts the process with a User token, so that the process runs with the rights of a User and cannot perform Admin operations.

Running this way requires that, in the local security policy under user rights assignment, your user is granted two privileges:

1. Replace a process level token (SeAssignPrimaryTokenPrivilege)
2. Act as part of the operating system (SeTcbPrivilege)

On a home edition of Windows, where this cannot be set up, you can try to use SuperMode and reopen OD to raise its privileges; using this option is strongly discouraged.

3. CreateAsRestrict – like the second option, starts the process with User authority but with more restrictions; this third mode starts the process explicitly as an Admin user.

The process is started as the Admin user, but with only some of the default User rights; the risky privileges are removed (including SeDebugPrivilege, SeLoadDriverPrivilege, etc.), so a program run under OD this way will not cause great harm. This is the recommended way to start the process.


Broken links! (Links that do not work) July 26, 2010

Posted by reversengineering in NEWS.


Friends, please report links that do not work in this section so that, once I have found the files on my system, I can upload them again.

All links will be announced in this post.


dear friends tell me about broken links in this post i will find it on my system and after that i will try to upload it

all of them will RLZ here

tnx in adv.

Many thanks

Trial Reset 4 Final July 26, 2010

Posted by reversengineering in OTHER, TOOLS.

Trial Reset 4 Final

Tnx fly to his programmer


you know what to do;)

The newest NOD32 keys with MVGM NOD32 Licence v1.0 May 21, 2010

Posted by reversengineering in OTHER, TOOLS.


The newest NOD32 keys with MVGM NOD32 Licence v1.0

You have probably also used the powerful antivirus


and it has certainly happened to you that you needed a username and password to update it, and had to spend quite a lot of time obtaining the newest usernames and passwords for this program in order to update the antivirus.
Finally, after a period in which the trial version of the program had stopped working because of some technical problems, the new version, in which the problems of the previous version have been fixed, is ready for release.
Using the program

NOD32 Licences

which is a product of the software group


you can, in the shortest possible time and simply by running the program, obtain the newest keys for the powerful antivirus



After it is run, this program automatically retrieves the newest keys from the server and shows them to you; note that the program needs the Internet to run (you must be connected to the Internet).

Key features of the program
Saves wasted time and searching
Daily updates of the newest usernames and passwords
Very small program size (500 KB)
Features added in version 1.0
Faster retrieval of keys
Attractive, user-friendly interface


TrialReset 4.0 Final (Public) May 21, 2010

Posted by reversengineering in OTHER, TOOLS.

hi to all

i am here again :) thank u for ur supporting

Hello to all friends, especially my friends in the Unreal team: Newbie, Soda, Sina, BlackByte, Moein and the rest.

I hope you are all healthy and well.

A small program for removing the trial from apps. Works with all the widespread systems of protection. The interface is very simple: scanning of object, removal of corresponding record, backup object, reception of the information.

Supported Protector:

- ICE License
- Manco Licensing
- NTkrnl Protector
- Protexis Licensing
- Safengine Licensor
- Xheo Licensing

System Requirements

Trial-Reset requires a PC running Windows 95/98/ME/NT4/2000/XP/2003/Vista/7 with minimum of 16MB memory and about 0.2 MB of free hard disk space.

To use this program the VB6 run time and Windows Common Controls ActiveX 6 (MSCOMCTL.OCX) must be installed on your computer.

What’s new v4.0 Final (Public):

-Fixed auto-backup
-Fixed some minor bugs


ODDragAttach 1.1 November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

Author     Exile
Description     Choice is, it will add the window corresponding to the process of src and bin.

Window, the process of selection, OD automatically minimize the window, select the target window, then maximize the window, OD.

Note: Some versions of the OD program may cover an open button, can be changed according to their own circumstances, under source code, do not change it, no big problem.


Attach Extended 0.1 November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

This is a really small plugin that I have written for improving attach feature of OllyDbg.

With this plugin, you can attach to process by identifying its PID directly, not only selecting process list. In addition, you can find PID of process by dragging a small cursor on each window (This can be used on some protection which remove process from process list like GameGuard).

by hero


Mapimp 0.4 November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

Author     takerZ

Description     This is an open source OllyDbg plugin which will help you to import map files exported by IDA or Dede. There are many plugins using which you can perform similar actions, but


- Recognizes debugged file segments and applies names correctly
- Has an option to overwrite or skip names that intersect already defined
- Has a filter option which gives you great name demangling potential

• Filter
The main idea is to apply a series of masks to every single name loaded. Mask syntax goes as follows:


Key “c” cuts the matched substring selected by regular expression.

name: System::__linkproc__ GetMem(int)
mask: /c__linkproc__
applied: System::GetMem(int)

Key “s” skips the name if regular expression succeeds. It may be useful if you want to skip some dummy or incorrect names.

name: unknown_libname_2519
mask: /sunknown_libname_

Key “r” replaces the substring selected by regular expression with your own.


As you can see, the slash character separates your substring from the regular expression. Use a double slash to define a slash as a character of your substring.

name: System@Function(System@AnsiString;System@AnsiString)
mask: /rsys::/System@
applied: sys::Function(sys::AnsiString;sys::AnsiString)

name: System@Function(System@AnsiString;System@AnsiString)
mask: /r//_/@
applied: System/_Function(System/_AnsiString;System/_AnsiString)

Remember that if the name met the mask condition it will be changed, then the second mask is applied to the changed name and so on. The order of mask applying is undefined so be careful, because some masks may intersect.

As for regular expressions, the plugin uses the PCRE library, whose syntax is compatible with Perl regular expressions. Check http://www.pcre.org for docs and sources.
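The mask rules above can be checked offline before loading a map file. The following is an added example, not Mapimp's own code: the function names are hypothetical, Python's `re` stands in for PCRE, masks are applied in list order (the plugin leaves the order undefined), and "c" is assumed to cut every match as "r" does in the examples above.

```python
import re

def parse_mask(mask):
    """Return (key, replacement, compiled_regex) for one '/c', '/s' or '/r' mask."""
    if len(mask) < 3 or mask[0] != "/" or mask[1] not in "csr":
        raise ValueError(f"unsupported mask: {mask!r}")
    key, body, repl = mask[1], mask[2:], ""
    if key == "r":
        # Replacement text runs up to the first single '/'; '//' is a literal '/'.
        chars, i = [], 0
        while i < len(body):
            if body[i] == "/":
                if body[i + 1:i + 2] != "/":
                    break                  # single slash: start of the regex
                i += 1                     # skip the first slash of the pair
            chars.append(body[i])
            i += 1
        else:
            raise ValueError(f"no '/' between replacement and regex: {mask!r}")
        repl, body = "".join(chars), body[i + 1:]
    if not body:
        raise ValueError(f"empty regular expression: {mask!r}")
    return key, repl, re.compile(body)

def apply_masks(name, masks):
    """Apply masks left to right; return the new name, or None if an 's' mask hit."""
    for mask in masks:
        key, repl, rx = parse_mask(mask)
        if key == "s":
            if rx.search(name):
                return None                # name is skipped, not imported
        elif key == "c":
            name = rx.sub("", name)        # assumption: cut every match
        else:
            # A callable keeps backslashes in the replacement literal.
            name = rx.sub(lambda m, r=repl: r, name)
    return name

if __name__ == "__main__":
    delphi = "System@Function(System@AnsiString;System@AnsiString)"
    # The \s is added here so the space after the cut text goes too.
    print(apply_masks("System::__linkproc__ GetMem(int)", [r"/c__linkproc__\s"]))
    print(apply_masks("unknown_libname_2519", ["/sunknown_libname_"]))
    print(apply_masks(delphi, ["/rsys::/System@"]))
    print(apply_masks(delphi, ["/r//_/@"]))
    # Intersecting masks: the result depends on the order they run in.
    print(apply_masks(delphi, ["/rsys::/System@", "/c::"]))
    print(apply_masks(delphi, ["/c::", "/rsys::/System@"]))
```

The last two calls show why intersecting masks are risky: the same pair gives different names depending on which runs first.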


Obsidium 1.4.x.x OEP Finder + IAT Repair v0.1 November 20, 2009

Posted by reversengineering in Scripts, TOOLS.


Author     Pavka

MUltimate Assembler 1.2 November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

Author     RaMMicHaeL
A multi-line (dis)assembler tool, perfect for writing code caves. It supports:

- labels and data (C-style string)
- external jumps and calls.


VMProtect 1.7 – 1.8 OEP Finder + Unpack Helper v1.0 November 20, 2009

Posted by reversengineering in Scripts, TOOLS.



CodeDoctor 0.90 November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.


1) Deobfuscate

Select instructions in disasm window and execute this command. It will try to clear the code from junk instructions.


00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI

00874372 83C3 04 ADD EBX,4


2) Deobfuscate – Single Step

This works like previous command, but does one transformation at a time


3) Move NOPs to bottom

Converts this:

00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F
0087439F 90 NOP
008743A0 90 NOP
008743A1 90 NOP

to this:

00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP
0087439F 90 NOP
008743A0 90 NOP
008743A1 90 NOP

Limitations: it breaks all jumps and calls pointing inwards


4) Undo / Redo

Undo or Redo last operation (from one of the above functions)


5) Retrieve Jumpy function

This will statically parse instructions and follow all jumps. This is useful for situations when the program jumps here and there and here and there… When it encounters an instruction that can’t be followed, it stops and copies all parsed instructions to an allocated place in memory.

Use settings to set some parameters:

Step over calls – if set, it will step over calls, otherwise it will follow them
Step over jccs – ditto, but for Jccs
Deobfuscate – it will deobfuscate instruction, when it encounters Jcc, RET, JMP reg/exp, CALL reg/exp; useful for multi-branch


00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B |43 INC EBX
0087438C |41 INC ECX
0087438D |42 INC EDX
0087438E |EB 07 JMP SHORT somesoft.00874397
00874390 \B8 07000000 MOV EAX,7
00874395 ^ EB F4 JMP SHORT somesoft.0087438B
00874397 C3 RET

003B0000 B8 07000000 MOV EAX,7
003B0005 43 INC EBX
003B0006 41 INC ECX
003B0007 42 INC EDX
003B0008 C3 RET


6) Rebuild RSRC and Realign

This function has some limited use when unpacking. It opens the debugged file from disc. Then it retrieves all resources and rebuilds them to one place (currently it rebuilds them only to original place in exe). Then it realigns file and saves it under new name.

When is this useful? For example when unpacking aspack/asprotect or some other packers. These steal some resources from their original place and put them in the packer’s own section, therefore increasing overall size and preventing you from cutting the packer’s section. It also prevents Resource hacker from displaying these resources. This puts all resources in one place.

I’m sure there are better tools for this, but it may come handy sometimes.


7) AsProtect Unpacker

This will unpack file packed by AsProtect, fix it, dump asprotect.dll and print various information to text file. Please report targets, where it fails.

1) Doesn’t find or fix SDK functions in 1.x versions (you need to find these manually).

There are two types of these. One has a form of one or more functions called before OEP, that do various initializations. If they are not run, the program may appear expired or not run at all. Find them and run them :-)

The second type is run after OEP and hides behind GetProcAddress with special parameters, which AsProtect (if available) redirects to its own code. You need to deal with these manually.

2) in 2.30 – 2.51, there are two types of stolen functions – one is PolyOEP style, the other is virtualized; it can fix only the former, while the latter is used in AsProtect itself only

3) it doesn’t find CRC or envelope checks, but it can prevent one type of envelope check, which checks for E8 in jumps to API

4) it doesn’t decrypt encrypted parts or sections

5) it doesn’t find serial, fix trial etc.

6) if it has overlay, it may be broken after unpacking (for example if it needs to be in fixed offset in file or if it’s a certificate)

- doesn’t work with certain 1.10 variations, I will fix this when I have time

- after unpacking files protected by AsProtect 2.x, you may need aspr_ide.dll; get it from aspack.com and modify if needed

by Hnedka
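The Deobfuscate command (item 1 above) turns a save/compute/restore junk sequence into a single instruction. The sketch below is an added example, not CodeDoctor's code: it folds constants for one scratch register bracketed by PUSH/POP, using the page's listing with addresses and opcode bytes stripped. It assumes 32-bit registers and does not model EFLAGS.

```python
REGS = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP"}
MASK = 0xFFFFFFFF
FOLD = {
    "AND": lambda a, b: a & b,
    "OR": lambda a, b: a | b,
    "XOR": lambda a, b: a ^ b,
    "ADD": lambda a, b: (a + b) & MASK,
    "SUB": lambda a, b: (a - b) & MASK,
}

def parse(line):
    """'MOV EDI,6AAF2A35' -> ('MOV', ['EDI', '6AAF2A35'])."""
    mnem, _, rest = line.strip().upper().partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
    return mnem, ops

def imm(op):
    """Hex immediate as an int, or None for registers and anything else."""
    if op in REGS:
        return None
    try:
        return int(op, 16) & MASK
    except ValueError:
        return None

def fold_scratch(lines):
    """Fold PUSH r / constant math on r / use of r / POP r; else return input."""
    insns = [parse(l) for l in lines]
    if len(insns) < 3 or insns[0][0] != "PUSH" or insns[-1] != ("POP", insns[0][1]):
        return list(lines)
    scratch = insns[0][1][0] if insns[0][1] else None
    if scratch not in REGS or scratch == "ESP":
        return list(lines)
    value, out = None, []
    for mnem, ops in insns[1:-1]:
        text = ",".join(ops)
        # Stack use, memory operands and control flow are out of scope: bail out.
        if (mnem in ("PUSH", "POP", "CALL", "RET") or mnem.startswith("J")
                or "ESP" in text or "[" in text):
            return list(lines)
        if len(ops) == 2 and ops[0] == scratch:
            k = imm(ops[1])
            if mnem == "MOV" and k is not None:
                value = k                          # scratch now holds a constant
            elif mnem in FOLD and value is not None and k is not None:
                value = FOLD[mnem](value, k)       # fold the arithmetic
            else:
                return list(lines)                 # value is not a known constant
        elif len(ops) == 2 and ops[1] == scratch and value is not None:
            out.append(f"{mnem} {ops[0]},{value:X}")  # substitute the constant
        elif scratch in text:
            return list(lines)
        else:
            out.append(f"{mnem} {text}".strip())
    return out

# The page's "before" listing, addresses and bytes removed.
SAMPLE = [
    "PUSH EDI",
    "MOV EDI,6AAF2A35",
    "AND EDI,412A150D",
    "XOR EDI,402A0001",
    "ADD EBX,EDI",
    "POP EDI",
]

if __name__ == "__main__":
    print(fold_scratch(SAMPLE))
```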


Themida + WinLicense – Dumper + IAT Repair + CodeEncrypt Repair v2.6.0 November 20, 2009

Posted by reversengineering in Scripts, TOOLS.

by Quosego


Scripad 1.0 + ODBGScript 1.77.3 November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

ODbgScript is a plugin for OllyDbg, which is, in our opinion, the best application-mode debugger out there. One of the best features of this debugger is the plugin architecture which allows users to extend its functionality. ODbgScript is a plugin meant to let you automate OllyDbg by writing scripts in an assembly-like language. Many tasks involve a lot of repetitive work just to get to some point in the debugged application. By using my plugin you can write a script once and for all.



StrongOD November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

This will be a separate download of StrongOD as of version because – as strange as it sounds – the developer has protected it!

This plugin will now require a key for it to run and be used. You can obtain a valid key by emailing: StrongOD©safengine.com

PDF Protection Remover 3.0 November 20, 2009

Posted by reversengineering in TOOLS, Uncategorized.


pass :www.2baksa.net

HOlly 0.2 Build 81 November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

This is my OllyDbg mod named HOlly. I will be constantly adding features as I require them or they are requested. Currently it only has a multiline assembler that needs some work but I would like some input.

So if I could get some input on the following that would be great.


Themida+WL1.1.0.0- Repair+CodeEncryptRepair_v2.6.0 November 20, 2009

Posted by reversengineering in TOOLS, UNPACKERS.

Themida+WL1.1.0.0- Repair+CodeEncryptRepair_v2.6.0

By [SND]quosego

Hi all,

It’s time to make a final stand. Oreans it’s your turn now.
This package includes the following;

A script to unpack all known versions of Winlicense and Themida using any options.

The script will unpack all known Themida and Winlicense applications
using virtual machine antidump on Windows XP. (v1.8x –

Known issues;
-Version retrieving can error, switch it off when necessary.
-VM oeps are not always retrieved you must rebuild or find them yourself.
-Memory loaded dll’s are not dumped.
-The script stops after asking for the new antidump locations, just resume the script when it does.

Step 1: Unpack an application using this script.
(Start at system entrypoint, EP break must be available,
no other breakpoints)
Step 2: When necessary attach the dumped VM. Fix VM oep.
Step 3: Dump and Imprec.

Always read the log it holds vital information. Also there are several options that can be modified in the first few lines of this script.
Tinker with it if it doesn’t unpack your app.

An article covering all antidumps, including more newer ones.

An article on how to run Winlicense protected apps without licenses.

I owe my gratitude to the whole of the webscene for support,
inspiration, ideas and the supply of information/executables.


-A lot of suppliers.
-ARteam for being rumored to be the first to have found the first antidumps.
-An unnamed American.
-Lena for showing so many people the way.
-Teddy, for supplying us tuts4you.
-Team SND old and new members.

And most of all just have fun with this all. Use it for knowledge, the challenge and fun.
Monetary gain is never to be aspired.



the page of debuggers updated October 14, 2009

Posted by reversengineering in NEWS.

look here for more info


Trial Reset version 3 , 3.2 & 3.4 October 14, 2009

Posted by reversengineering in OTHER, TOOLS.

all of them checked by NOD32 version 4490 (20091008)


VB Decompiler Pro 7.6 October 14, 2009

Posted by reversengineering in Decompilers, TOOLS.

Highest respect to the GPcH
only for testing
if u like it buy it


Unpacker ExeCryptor RC2 October 14, 2009

Posted by reversengineering in TOOLS, UNPACKERS.


dup 2.19 October 14, 2009

Posted by reversengineering in OTHER, TOOLS.


Quick Unpack 2.2 October 14, 2009

Posted by reversengineering in TOOLS, UNPACKERS.

by tPORt


3 new tutors October 14, 2009

Posted by reversengineering in execryptor, MUPS, Themida.


thanx fly to them

new olly moded October 14, 2009

Posted by reversengineering in DEBUGGER, TOOLS.


RLPack 1.21 VM Code Translater 1.0, Unpacking RLPack 1.21 October 14, 2009

Posted by reversengineering in MUPS, other protectors and packers.

thanx flys to FEUERRADER [AHTeam]


odbg110 moded by Sabre-Gold October 14, 2009

Posted by reversengineering in DEBUGGER, TOOLS.


