Reverse Engineering b10g | REM

Author     Exile
Description     Choice is, it will add the window corresponding to the process of src and bin.

Window, the process of selection, OD automatically minimize the window, select the target

window, then maximize the window, OD.

Note: Some versions of the OD program may cover an open button, can be changed according to

their own circumstances, under source code, do not change it, no big problem.

http://letitbit.net/download/0185.fea03c8fe180283b90a2e5af6/ODDragAttach_v1.1.rar.html

This is a really small plugin that I have written for improving attach feature of OllyDbg.

With this plugin, you can attach to process by identifying its PID directly, not only selecting process list. In addition, you can find PID of process by dragging a small cursor on each window (This can be used on some protection which remove process from process list like GameGuard).

by hero

http://letitbit.net/download/3236.38c30a80eb9c23920ac9a2de1/AttachExtended_v0.1.rar.html

Author     takerZ

Description     This is an open source OllyDbg plugin which will help you to import map files

exported by IDA or Dede. There are many plugins using which you can perform similar actions, but

mapimp:

- Recognizes debugged file segments and applies names correctly
- Has an option to overwrite or skip names that intersect already defined
- Has a filter option which gives you great name demangling potential

• Filter
The main idea is to apply series of masks to every single name loaded. Mask syntax goes.
as follows:

/key[/]regex

Key “c” cuts the matched substring selected by regular expression.

[SAMPLE]
name: System::__linkproc__ GetMem(int)
mask: /c__linkproc__
applied: System::GetMem(int)
[/SAMPLE]

Key “s” skips the name if regular expression succeeds. It may be useful if you want to skip some

dummy or incorrect names.

[SAMPLE]
name: unknown_libname_2519
mask: /sunknown_libname_
applied:
[/SAMPLE]

Key “r” replaces the substring selected by regular expression with your own.

/rsubstring/regex

As you can see slash character delims your substring from the regular expression. Use double

slash to define slash as a character of your substring.

[SAMPLE]
name: System@Function(System@AnsiString;System@AnsiString)
mask: /rsys::/System@
applied: sys::Function(sys::AnsiString;sys::AnsiString)

name: System@Function(System@AnsiString;System@AnsiString)
mask: /r//_/@
applied: System/_Function(System/_AnsiString;System/_AnsiString)
[/SAMPLE]

Remember that if the name met the mask condition it will be changed, then the second mask is

applied to the changed name and so on. The order of mask applying is undefined so be careful,

because some masks may intersect.

As about regular expressions, the plugin uses pcre library which syntax is compatible with perl

regular expression. Check www.pcre.org for docs and sources.
http://letitbit.net/download/4104.4c9d1a75c7d9867799b30b069/Mapimp_v0.4.rar.html

Author     RaMMicHaeL
A multi-line (dis)assembler tool, perfect for writing code caves. It supports:

- labels and data (C-style string)
- external jumps and calls.
http://letitbit.net/download/6671.c63ed09074b57c49b4cd2067e/MUltimate_Assembler_v1.2.rar.html

Functions:

1) Deobfuscate

Select instructions in disasm window and execute this command. It will try to clear the code from junk instructions.

Example:

Original:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI

Deobfuscated:
00874372 83C3 04 ADD EBX,4

________________________________________________________

2) Deobfuscate – Single Step

This works like previous command, but does one transformation at a time

_______________________________________________________

3) Move NOPs to bottom

Converts this:

00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F
0087439F 90 NOP
008743A0 90 NOP
008743A1 90 NOP

to this:

00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP
0087439F 90 NOP
008743A0 90 NOP
008743A1 90 NOP

Limitations: it breaks all jumps and calls pointing inwards

________________________________________________________

4) Undo / Redo

Undo or Redo last operation (from one of the above functions)

________________________________________________________

5) Retrieve Jumpy function

This will statically parse instructions and follow all jumps. This is useful for situations, when program jumps here and there and here and there… When it encounters some instruction, that can’t be followed, it stop and copies all parsed instruction to an allocated place in memory.

Use settings to set some parameters:

Step over calls – if set, it will step over calls, otherwise it will follow them
Step over jccs – dtto, but for Jccs
Deobfuscate – it will deobfuscate instruction, when it encounters Jcc, RET, JMP reg/exp, CALL reg/exp; useful for multi-branch

Example:

Original:
00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B |43 INC EBX
0087438C |41 INC ECX
0087438D |42 INC EDX
0087438E |EB 07 JMP SHORT somesoft.00874397
00874390 \B8 07000000 MOV EAX,7
00874395 ^ EB F4 JMP SHORT somesoft.0087438B
00874397 C3 RET

Result:
003B0000 B8 07000000 MOV EAX,7
003B0005 43 INC EBX
003B0006 41 INC ECX
003B0007 42 INC EDX
003B0008 C3 RET

________________________________________________________

6) Rebuild RSRC and Realign

This function has some limited use when unpacking. It opens the debugged file from disc. Then it retrieves all resources and rebuilds them to one place (currently it rebuilds them only to original place in exe). Then it realigns file and saves it under new name.

When is this useful? For example when unpacking aspack/asprotect or some other packers. These steal some resources from original place and put them to its own section, therefore increasing overall size and preventing you from cutting packer’s section. It also prevents Resource hacker from displaying these resouces. This puts all resources to one place.

I’m sure there are better tools for this, but it may come handy sometimes.

_____________________________________________________

7) AsProtect Unpacker

This will unpack file packed by AsProtect, fix it, dump asprotect.dll and print various information to text file. Please report targets, where it fails.

Limitations:
1) Doesn’t find or fix SDK functions in 1.x versions (you need to find these manually).

There are two types of these. One has a form of one or more functions called before OEP, that do various initializations. If they are not run, the program may appear expired or not run at all. Find them and run them

The second type is run after OEP and hides behind GetProcAddress with special parameters, which AsProtect (if available) redirects to its own code. You need to deal with these manually.

2) in 2.30 – 2.51, there are two types of stolen functions – one is PolyOEP style, the other is virtualized; it can fix only the former, while the latter is used in AsProtect itself only

3) it doesn’t find CRC or envelope checks, but it can prevent one type of envelope check, which checks for E8 in jumps to API

4) it doesn’t decrypt encrypted parts or sections

5) it doesn’t find serial, fix trial etc.

6) if it has overlay, it may be broken after unpacking (for example if it needs to be in fixed offset in file or if it’s a certificate)

Bugs:
- doesn’t work with certain 1.10 variations, I will fix this when I have time

Notes:
- after unpacking files protected by AsProtect 2.x, you may need aspr_ide.dll; get it from aspack.com and modify if needed

by Hnedka

http://letitbit.net/download/6926.6f92506c265686d06475011a2/CodeDoctor_v0.90.rar.html

ODbgScript is a plugin for OllyDbg, which is, in our opinion, the best application-mode debugger out there. One of the best features of this debugger is the plugin architecture which allows users to extend its functionality. ODbgScript is a plugin meant to let you automate OllyDbg by writing scripts in an assembly-like language. Many tasks involve a lot of repetitive work just to get to some point in the debugged application. By using my plugin you can write a script once and for all.

http://letitbit.net/download/3316.36752f6bb46e115cd0783f9ce/Scripad_v1.0.rar.html

http://letitbit.net/download/8134.80ce16ba4868818583ea8d745/ODbgScript_v1.77.3.rar.html

This will be a seperate download of StrongOD as of version 0.2.4.350 because – as strange as it sounds – the developer has protected it!

This plugin will now require a key for it to run and be used. You can obtain a valid key by emailing: StrongOD©safengine.com
http://letitbit.net/download/9563.9f5459d00eca80b4993740279/StrongOD_v0.2.6.415.rar.html

This is my OllyDbg mod named HOlly. I will be constantly adding features as I require them or they are requested. Currently it only has a multiline assembler that needs some work but I would like some input.

So if I could get some input on the following that would be great.

http://letitbit.net/download/3997.d3730400452d29f3a615da1f7/HOlly_v0.2_Build_81.rar.html

hi
HOlly v0.2
LabelArgs v0.1
MUltimate Assembler v0.3
ODbgScript v1.75.3
Olly Advanced v1.27
Plugins Manager v1.2
StrongOD v0.2.6.415

http://letitbit.net/download/6309.6577fabcf64e4c420746565f5/olly_plugins.rar.html