
StrongOD 0.3.4.639 July 26, 2010

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

Make your OllyDbg Strong!

This plug-in provides three ways to start the debugged process:

1, Normal – starts the process the same way the original OllyDbg does; the STARTUPINFO structure still contains unclean data.
2, CreateAsUser – starts the process with a User-level token, so the debuggee runs with User rights and cannot perform operations that require Admin.

For this to work, the account running OllyDbg needs two privileges granted under Local Security Policy – User Rights Assignment:

1, Replace a process level token (SeAssignPrimaryTokenPrivilege)
2, Act as part of the operating system (SeTcbPrivilege)

If you run a Home edition of Windows and cannot set these, you can try SuperMode and restart OD to obtain the privileges, but this option is strongly not recommended.

3, CreateAsRestrict – like the second option, starts the process with User-level rights but in a more restricted way, and adds a third function that lets an explicit Admin user start the process.

The process is started by the Admin user, but its token keeps only the default User rights; all risky privileges (including SeDebugPrivilege, SeLoadDriverPrivilege, etc.) are removed, so a debuggee running under OD cannot cause great harm. This is the recommended way to start the debuggee.

http://www.unpack.cn/viewthread.php?tid=28854

ODDragAttach 1.1 November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

Author: Exile
Description: pick a window and the plugin attaches to the process that owns it; src and bin are included.

When selecting the window, OD minimizes itself; select the target window, and OD is maximized again.

Note: on some versions of OD the plugin's button may cover an existing button; this can be changed in the source code to suit your own setup, or left alone, it is no big problem.

http://letitbit.net/download/0185.fea03c8fe180283b90a2e5af6/ODDragAttach_v1.1.rar.html

Attach Extended 0.1 November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

This is a really small plugin that I have written for improving attach feature of OllyDbg.

With this plugin, you can attach to a process by entering its PID directly, not only by selecting it from the process list. In addition, you can find the PID of a process by dragging a small cursor over its window (this can be used against some protections that remove the process from the process list, like GameGuard).

by hero

http://letitbit.net/download/3236.38c30a80eb9c23920ac9a2de1/AttachExtended_v0.1.rar.html

Mapimp 0.4 November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

Author: takerZ

Description: This is an open source OllyDbg plugin which will help you to import map files exported by IDA or DeDe. There are many plugins with which you can perform similar actions, but mapimp:

- Recognizes debugged file segments and applies names correctly
- Has an option to overwrite or skip names that intersect already defined ones
- Has a filter option which gives you great name demangling potential

• Filter
The main idea is to apply a series of masks to every single name loaded. Mask syntax goes as follows:

/key[/]regex

Key “c” cuts the matched substring selected by regular expression.

[SAMPLE]
name: System::__linkproc__ GetMem(int)
mask: /c__linkproc__
applied: System::GetMem(int)
[/SAMPLE]

Key “s” skips the name if the regular expression succeeds. It may be useful if you want to skip some dummy or incorrect names.

[SAMPLE]
name: unknown_libname_2519
mask: /sunknown_libname_
applied:
[/SAMPLE]

Key “r” replaces the substring selected by regular expression with your own.

/rsubstring/regex

As you can see, the slash character delimits your substring from the regular expression. Use a double slash to define a slash as a character of your substring.

[SAMPLE]
name: System@Function(System@AnsiString;System@AnsiString)
mask: /rsys::/System@
applied: sys::Function(sys::AnsiString;sys::AnsiString)

name: System@Function(System@AnsiString;System@AnsiString)
mask: /r//_/@
applied: System/_Function(System/_AnsiString;System/_AnsiString)
[/SAMPLE]

Remember that if the name meets the mask condition it will be changed; the second mask is then applied to the changed name, and so on. The order in which masks are applied is undefined, so be careful, because some masks may intersect.

As for regular expressions, the plugin uses the pcre library, whose syntax is compatible with Perl regular expressions. Check http://www.pcre.org for docs and sources.
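As an added example (not mapimp's own code), the following Python reimplements the mask syntax described above: parsing of "/c", "/s" and "/r" masks, the "//" escape inside a replace substring, and the chaining of several masks over one name. It uses Python's re module in place of pcre, applies masks in list order (the plugin leaves the order undefined), drops an optional separator slash after the key, and in the first sample appends "\s*" to the cut regex so that the space after "__linkproc__" disappears as the sample output above shows; these are assumptions of this example, not documented plugin behaviour.

```python
import re
from typing import List, Optional, Tuple

# Key letters of the mask syntax described above:
#   c = cut the matched substring, s = skip the whole name on a match,
#   r = replace the match with a user-supplied substring.
MASK_KEYS = "csr"


def parse_mask(mask: str) -> Tuple[str, Optional[str], "re.Pattern[str]"]:
    """Split '/key[/]regex' (or '/rsubstring/regex') into (key, substring, compiled regex)."""
    if len(mask) < 3 or mask[0] != "/" or mask[1] not in MASK_KEYS:
        raise ValueError(f"malformed mask: {mask!r}")
    key, body = mask[1], mask[2:]
    substring = None
    if key == "r":
        # The substring runs up to the first single '/', and '//' stands for a literal slash.
        chars: List[str] = []
        i = 0
        while i < len(body):
            if body[i] == "/":
                if body.startswith("//", i):
                    chars.append("/")
                    i += 2
                    continue
                break
            chars.append(body[i])
            i += 1
        else:
            raise ValueError(f"replace mask has no '/regex' part: {mask!r}")
        substring, body = "".join(chars), body[i + 1:]
    elif body.startswith("/"):
        # Optional separator slash from the '/key[/]regex' form (assumed to be dropped).
        body = body[1:]
    if not body:
        raise ValueError(f"mask has an empty regular expression: {mask!r}")
    return key, substring, re.compile(body)


def apply_masks(name: str, masks: List[str]) -> Optional[str]:
    """Run every mask over one symbol name, in list order; None means the name is skipped."""
    for mask in masks:
        key, substring, rx = parse_mask(mask)
        if key == "s":
            if rx.search(name):
                return None
        elif key == "c":
            name = rx.sub("", name)
        else:  # 'r': insert the substring literally, so backslashes in it are not re-interpreted
            name = rx.sub(lambda _m, s=substring: s, name)
    return name


def filter_map(names: List[str], masks: List[str]) -> List[str]:
    """Apply the mask chain to a whole list of imported names, dropping skipped ones."""
    out = []
    for n in names:
        r = apply_masks(n, masks)
        if r is not None:
            out.append(r)
    return out


if __name__ == "__main__":
    # Constructed input: the names from the samples above plus the masks applied to them.
    names = [
        "System::__linkproc__ GetMem(int)",
        "unknown_libname_2519",
        "System@Function(System@AnsiString;System@AnsiString)",
    ]
    masks = ["/sunknown_libname_", "/c__linkproc__\\s*", "/rsys::/System@"]
    for n in filter_map(names, masks):
        print(n)
```

The replace key inserts the substring through a callable so that a substring containing a backslash is copied verbatim, which is what the "//" escape rule implies the plugin does for slashes; plain re.sub would treat the substring as a template.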

http://letitbit.net/download/4104.4c9d1a75c7d9867799b30b069/Mapimp_v0.4.rar.html

MUltimate Assembler 1.2 November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

Author: RaMMicHaeL
A multi-line (dis)assembler tool, perfect for writing code caves. It supports:

- labels and data (C-style strings)
- external jumps and calls.

http://letitbit.net/download/6671.c63ed09074b57c49b4cd2067e/MUltimate_Assembler_v1.2.rar.html

CodeDoctor 0.90 November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

Functions:

1) Deobfuscate

Select instructions in disasm window and execute this command. It will try to clear the code from junk instructions.

Example:

Original:
00874372 57 PUSH EDI
00874373 BF 352AAF6A MOV EDI,6AAF2A35
00874378 81E7 0D152A41 AND EDI,412A150D
0087437E 81F7 01002A40 XOR EDI,402A0001
00874384 01FB ADD EBX,EDI
00874386 5F POP EDI

Deobfuscated:
00874372 83C3 04 ADD EBX,4
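As an added example that is not CodeDoctor's code, here is one way to check that the junk sequence above really collapses to ADD EBX,4: a tiny interpreter for the six instructions runs the sequence on several constructed register states and confirms that exactly one register changes, and always by the same constant. This is differential testing rather than the plugin's pattern-based rewriting, and it compares register results only, not EFLAGS.

```python
MASK32 = 0xFFFFFFFF

# Constructed from the "Original" listing above: (mnemonic, destination, source).
# A source of type str names a register; an int is an immediate.
JUNK_SEQUENCE = [
    ("PUSH", "EDI", None),
    ("MOV", "EDI", 0x6AAF2A35),
    ("AND", "EDI", 0x412A150D),
    ("XOR", "EDI", 0x402A0001),
    ("ADD", "EBX", "EDI"),
    ("POP", "EDI", None),
]

# Constructed register states used as probes; EBX and EDI vary so that a coincidental
# result on one state does not pass as a general equivalence.
PROBES = [
    {"EAX": 0, "EBX": 0, "EDI": 0},
    {"EAX": 1, "EBX": 0x10, "EDI": 0xDEADBEEF},
    {"EAX": 0x7F, "EBX": 0xFFFFFFFC, "EDI": 0x12345678},
    {"EAX": 0xC0FFEE, "EBX": 0x80000000, "EDI": 0},
]


def run(seq, regs):
    """Execute the small x86 subset used by the junk sequence on a copy of regs."""
    regs = dict(regs)
    stack = []
    for op, dst, src in seq:
        val = regs[src] if isinstance(src, str) else src
        if op == "PUSH":
            stack.append(regs[dst])
        elif op == "POP":
            regs[dst] = stack.pop()
        elif op == "MOV":
            regs[dst] = val & MASK32
        elif op == "AND":
            regs[dst] = regs[dst] & val
        elif op == "XOR":
            regs[dst] = (regs[dst] ^ val) & MASK32
        elif op == "ADD":
            regs[dst] = (regs[dst] + val) & MASK32
        else:
            raise ValueError(f"unsupported mnemonic {op}")
    if stack:
        raise ValueError("sequence leaves the stack unbalanced")
    return regs


def fold_to_add(seq, probes):
    """Return (register, immediate) if seq behaves like ADD reg,imm on every probe, else None."""
    found = None
    for before in probes:
        after = run(seq, before)
        changed = [r for r in before if after[r] != before[r]]
        if len(changed) != 1:
            return None
        reg = changed[0]
        delta = (after[reg] - before[reg]) & MASK32
        if found is None:
            found = (reg, delta)
        elif found != (reg, delta):
            return None
    return found


def fold_to_text(seq, probes):
    """Render the folded instruction the way the listing above prints it, or None."""
    folded = fold_to_add(seq, probes)
    if folded is None:
        return None
    reg, imm = folded
    return f"ADD {reg},{imm:X}"


if __name__ == "__main__":
    print(fold_to_text(JUNK_SEQUENCE, PROBES))  # ADD EBX,4
```

A handful of probes is evidence, not a proof; a production deobfuscator would evaluate the sequence symbolically or over a bit-precise model so that a sequence which only looks like a constant add on the probed states is not folded by mistake.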

________________________________________________________

2) Deobfuscate – Single Step

This works like previous command, but does one transformation at a time

_______________________________________________________

3) Move NOPs to bottom

Converts this:

00874396 50 PUSH EAX
00874397 90 NOP
00874398 90 NOP
00874399 52 PUSH EDX
0087439A BA 3F976B00 MOV EDX,somesoft.006B973F
0087439F 90 NOP
008743A0 90 NOP
008743A1 90 NOP

to this:

00874396 50 PUSH EAX
00874397 52 PUSH EDX
00874398 BA 3F976B00 MOV EDX,somesoft.006B973F
0087439D 90 NOP
0087439E 90 NOP
0087439F 90 NOP
008743A0 90 NOP
008743A1 90 NOP

Limitations: it breaks all jumps and calls pointing inwards

________________________________________________________

4) Undo / Redo

Undo or Redo last operation (from one of the above functions)

________________________________________________________

5) Retrieve Jumpy function

This will statically parse instructions and follow all jumps. This is useful for situations where the program jumps here and there and here and there… When it encounters an instruction that can’t be followed, it stops and copies all parsed instructions to an allocated place in memory.

Use settings to set some parameters:

Step over calls – if set, it will step over calls, otherwise it will follow them
Step over jccs – ditto, but for Jccs
Deobfuscate – it will deobfuscate instructions when it encounters a Jcc, RET, JMP reg/exp or CALL reg/exp; useful for multi-branch code

Example:

Original:
00874389 /EB 05 JMP SHORT somesoft.00874390
0087438B |43 INC EBX
0087438C |41 INC ECX
0087438D |42 INC EDX
0087438E |EB 07 JMP SHORT somesoft.00874397
00874390 \B8 07000000 MOV EAX,7
00874395 ^ EB F4 JMP SHORT somesoft.0087438B
00874397 C3 RET

Result:
003B0000 B8 07000000 MOV EAX,7
003B0005 43 INC EBX
003B0006 41 INC ECX
003B0007 42 INC EDX
003B0008 C3 RET
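To show how the static walk above turns the Original listing into the Result listing, here is an added Python model of “Retrieve Jumpy function” (not the plugin's code): it follows unconditional JMPs without copying them, copies every other instruction, stops at RET, at a conditional jump (unless “step over jccs” is set, in which case the Jcc is copied and the walk continues with the fall-through), or when it would revisit an address, and lays the copied instructions out at a new base. The instruction tables are constructed from the listing above plus one small snippet with a Jcc; the loop stop, the treatment of CALL when not stepping over, and the fact that copied branches keep their original text instead of getting relocated displacements are assumptions of this model.

```python
from collections import namedtuple

# One disassembled line; kind is one of "jmp", "jcc", "call", "ret", "other".
Insn = namedtuple("Insn", "addr size text kind target")

# Constructed from the "Original" listing above (addresses and sizes as printed there).
JUMPY = {
    0x874389: Insn(0x874389, 2, "JMP SHORT 00874390", "jmp", 0x874390),
    0x87438B: Insn(0x87438B, 1, "INC EBX", "other", None),
    0x87438C: Insn(0x87438C, 1, "INC ECX", "other", None),
    0x87438D: Insn(0x87438D, 1, "INC EDX", "other", None),
    0x87438E: Insn(0x87438E, 2, "JMP SHORT 00874397", "jmp", 0x874397),
    0x874390: Insn(0x874390, 5, "MOV EAX,7", "other", None),
    0x874395: Insn(0x874395, 2, "JMP SHORT 0087438B", "jmp", 0x87438B),
    0x874397: Insn(0x874397, 1, "RET", "ret", None),
}

# A second constructed snippet with a conditional jump, to show the stop condition.
WITH_JCC = {
    0x401000: Insn(0x401000, 2, "JMP SHORT 00401004", "jmp", 0x401004),
    0x401002: Insn(0x401002, 1, "NOP", "other", None),
    0x401003: Insn(0x401003, 1, "NOP", "other", None),
    0x401004: Insn(0x401004, 2, "TEST EAX,EAX", "other", None),
    0x401006: Insn(0x401006, 2, "JNZ SHORT 00401009", "jcc", 0x401009),
    0x401008: Insn(0x401008, 1, "INC ECX", "other", None),
    0x401009: Insn(0x401009, 1, "RET", "ret", None),
}


def retrieve(code, start, step_over_calls=True, step_over_jccs=False):
    """Walk from start following JMPs; returns (copied instructions, reason the walk stopped)."""
    out, visited, pc = [], set(), start
    while True:
        if pc not in code:
            return out, f"no instruction at {pc:08X}"
        if pc in visited:
            return out, f"loop back to {pc:08X}"  # assumption: a revisit ends the walk
        visited.add(pc)
        ins = code[pc]
        if ins.kind == "jmp":
            pc = ins.target  # unconditional: not copied, it only redirects the walk
        elif ins.kind == "call" and not step_over_calls:
            pc = ins.target  # follow into the callee (assumption: the CALL itself is dropped)
        elif ins.kind == "jcc" and not step_over_jccs:
            return out, f"cannot follow {ins.text} at {pc:08X}"
        elif ins.kind == "ret":
            out.append(ins)
            return out, "RET"
        else:
            out.append(ins)  # plain instruction, or a stepped-over CALL / Jcc
            pc = ins.addr + ins.size


def relocate(insns, base):
    """Lay the copied instructions out contiguously at base, as the Result listing shows."""
    placed, addr = [], base
    for ins in insns:
        placed.append((addr, ins.text))
        addr += ins.size
    return placed


if __name__ == "__main__":
    insns, why = retrieve(JUMPY, 0x874389)
    for addr, text in relocate(insns, 0x3B0000):
        print(f"{addr:08X} {text}")
    print("stopped:", why)
```

When a stepped-over CALL or Jcc is copied to the new base, its relative displacement still points at the old code; a real implementation has to re-encode those branches against the new addresses, which the plugin's “allocated place in memory” step presumably takes care of.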

________________________________________________________

6) Rebuild RSRC and Realign

This function has some limited use when unpacking. It opens the debugged file from disk. Then it retrieves all resources and rebuilds them in one place (currently it rebuilds them only to the original place in the exe). Then it realigns the file and saves it under a new name.

When is this useful? For example when unpacking aspack/asprotect or some other packers. These steal some resources from their original place and put them into their own section, therefore increasing the overall size and preventing you from cutting the packer’s section. It also prevents Resource Hacker from displaying these resources. This puts all resources in one place.

I’m sure there are better tools for this, but it may come handy sometimes.

_____________________________________________________

7) AsProtect Unpacker

This will unpack file packed by AsProtect, fix it, dump asprotect.dll and print various information to text file. Please report targets, where it fails.

Limitations:
1) Doesn’t find or fix SDK functions in 1.x versions (you need to find these manually).

There are two types of these. One has a form of one or more functions called before OEP, that do various initializations. If they are not run, the program may appear expired or not run at all. Find them and run them :-)

The second type is run after OEP and hides behind GetProcAddress with special parameters, which AsProtect (if available) redirects to its own code. You need to deal with these manually.

2) in 2.30 – 2.51, there are two types of stolen functions – one is PolyOEP style, the other is virtualized; it can fix only the former, while the latter is used in AsProtect itself only

3) it doesn’t find CRC or envelope checks, but it can prevent one type of envelope check, which checks for E8 in jumps to API

4) it doesn’t decrypt encrypted parts or sections

5) it doesn’t find serial, fix trial etc.

6) if it has overlay, it may be broken after unpacking (for example if it needs to be in fixed offset in file or if it’s a certificate)

Bugs:
– doesn’t work with certain 1.10 variations, I will fix this when I have time

Notes:
– after unpacking files protected by AsProtect 2.x, you may need aspr_ide.dll; get it from aspack.com and modify if needed

by Hnedka

http://letitbit.net/download/6926.6f92506c265686d06475011a2/CodeDoctor_v0.90.rar.html

Scripad 1.0 + ODBGScript 1.77.3 November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

ODbgScript is a plugin for OllyDbg, which is, in our opinion, the best application-mode debugger out there. One of the best features of this debugger is the plugin architecture which allows users to extend its functionality. ODbgScript is a plugin meant to let you automate OllyDbg by writing scripts in an assembly-like language. Many tasks involve a lot of repetitive work just to get to some point in the debugged application. By using my plugin you can write a script once and for all.

http://letitbit.net/download/3316.36752f6bb46e115cd0783f9ce/Scripad_v1.0.rar.html

http://letitbit.net/download/8134.80ce16ba4868818583ea8d745/ODbgScript_v1.77.3.rar.html

StrongOD 0.2.6.415 November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

This will be a separate download of StrongOD as of version 0.2.4.350 because – as strange as it sounds – the developer has protected it!

This plugin will now require a key for it to run and be used. You can obtain a valid key by emailing: StrongOD@safengine.com
http://letitbit.net/download/9563.9f5459d00eca80b4993740279/StrongOD_v0.2.6.415.rar.html

HOlly 0.2 Build 81 November 20, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

This is my OllyDbg mod named HOlly. I will be constantly adding features as I require them or they are requested. Currently it only has a multiline assembler that needs some work but I would like some input.

So if I could get some input on the following that would be great.

http://letitbit.net/download/3997.d3730400452d29f3a615da1f7/HOlly_v0.2_Build_81.rar.html

6 new olly plugins October 14, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

hi
HOlly v0.2
LabelArgs v0.1
MUltimate Assembler v0.3
ODbgScript v1.75.3
Olly Advanced v1.27
Plugins Manager v1.2
StrongOD v0.2.6.415

http://letitbit.net/download/6309.6577fabcf64e4c420746565f5/olly_plugins.rar.html

StrongOD 0.2.3.305 February 24, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.
Make your OllyDbg Strong!
This plug-in provides three ways to start the debugged process:

1, Normal – starts the process the same way the original OllyDbg does; the STARTUPINFO structure still contains unclean data.
2, CreateAsUser – starts the process with a User-level token, so the debuggee runs with User rights and cannot perform operations that require Admin.

For this to work, the account running OllyDbg needs two privileges granted under Local Security Policy – User Rights Assignment:

1, Replace a process level token (SeAssignPrimaryTokenPrivilege)
2, Act as part of the operating system (SeTcbPrivilege)

If you run a Home edition of Windows and cannot set these, you can try SuperMode and restart OD to obtain the privileges, but this option is strongly not recommended.

3, CreateAsRestrict – like the second option, starts the process with User-level rights but in a more restricted way, and adds a third function that lets an explicit Admin user start the process.

The process is started by the Admin user, but its token keeps only the default User rights; all risky privileges (including SeDebugPrivilege, SeLoadDriverPrivilege, etc.) are removed, so a debuggee running under OD cannot cause great harm. This is the recommended way to start the debuggee.

ODBGScript v1.66.3 February 24, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

ODBGScript v1.66.3, Release
1.66 (21 Dec 2008)
+ GOPI (Get Operand Information) to get asm operand information (TYPE, SIZE, ADDR, DATA, GOOD)
* Fixed OPCODE, GCI, GAPI, REF commands, ReadMemory replaced by ReadCommand (bug on Vista ?)

1.65 (SVN)
+ BPHWC without parameter clears all hardware breakpoints (same as BPHWCALL, which could be removed/renamed)
+ BC without parameter clears all loaded breakpoints (Breakpoints Window)
+ BD without parameter disables all loaded breakpoints
* Breakpoints saving enhanced, and saving/restore on restart.

I will upload all files in one archive in the first post of this page ;)

OllyEye 0.1 February 24, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

Sometimes we want to find out where in a module the code parsing is done. In the example below, we want to find the code that parses the QuickTime video codecs that are in Windows media player. We know that the codecs support the raw, rle, jpeg, mjpb, and rpza tags, so all we need to do is to search for those tags in our module–in this case, the “quartz.dll” module. The OllyEye hunter knows that it should check for the video codec’s tags such as code.equals (“rpza”) and that in assembly it should be done with the CMP command that represents it. For this reason, it searches for the CMP command that matches the ‘rpza’ keyword. http://securitylabs.websense.com/content/Blogs/3244.aspx
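As an added illustration, not OllyEye's code, the Python below does the byte-level part of what the post describes: it looks for CMP instructions whose 32-bit immediate is a four-character codec tag such as “rpza”. It decodes the two CMP encodings that carry an imm32 (3D id for EAX and 81 /7 id for a register or a simple memory operand; SIB-byte forms are left out) and checks the tag in both byte orders, since a compiler may emit the characters in memory order or as a reversed multi-character constant. The code buffer is constructed for this example and is not taken from quartz.dll.

```python
REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]


def decode_cmp_imm32(code: bytes, i: int):
    """If a CMP r/m32,imm32 starts at offset i, return (operand text, offset of the imm32), else None.
    Handles 3D id (CMP EAX,imm32) and 81 /7 id; rm == 4 with mod != 3 needs a SIB byte and is
    not decoded here (assumption: left out for brevity)."""
    if i >= len(code):
        return None
    if code[i] == 0x3D:
        return "EAX", i + 1
    if code[i] != 0x81 or i + 1 >= len(code):
        return None
    modrm = code[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 7:  # /7 selects CMP within the 0x81 group
        return None
    if mod == 3:
        return REG32[rm], i + 2
    if rm == 4:
        return None
    if mod == 0:
        if rm == 5:
            return "[disp32]", i + 6
        return f"[{REG32[rm]}]", i + 2
    if mod == 1:
        if i + 2 >= len(code):
            return None
        disp = code[i + 2] - 256 if code[i + 2] >= 128 else code[i + 2]
        return f"[{REG32[rm]}{disp:+#x}]", i + 3
    return f"[{REG32[rm]}+disp32]", i + 6


def find_tag_compares(code: bytes, tag: str):
    """Report every CMP r/m32,imm32 whose immediate equals the four-character tag,
    either in memory order or reversed (as a multi-character constant would be)."""
    raw = tag.encode("ascii")
    if len(raw) != 4:
        raise ValueError("tags are four characters")
    hits = []
    for i in range(len(code)):
        dec = decode_cmp_imm32(code, i)
        if dec is None:
            continue
        operand, imm_at = dec
        imm = code[imm_at:imm_at + 4]
        if imm == raw:
            hits.append((i, operand, "memory order"))
        elif imm == raw[::-1]:
            hits.append((i, operand, "reversed"))
    return hits


# Constructed code buffer (not from quartz.dll):
#   push ebp; cmp eax,'rpza'; jnz +16; cmp dword ptr [esi],'mjpb';
#   cmp dword ptr [ebp+8],'jpeg'; cmp ebx,<'rpza' reversed>; ret
SAMPLE_CODE = (
    b"\x55"
    + b"\x3D" + b"rpza"
    + b"\x75\x10"
    + b"\x81\x3E" + b"mjpb"
    + b"\x81\x7D\x08" + b"jpeg"
    + b"\x81\xFB" + b"azpr"
    + b"\xC3"
)

if __name__ == "__main__":
    for t in ("raw ", "rle ", "jpeg", "mjpb", "rpza"):
        print(t, find_tag_compares(SAMPLE_CODE, t))
```

Scanning every byte offset can match a CMP-looking pattern that starts in the middle of a real instruction; OllyEye avoids that by walking OllyDbg's disassembly, so candidates are only tested at genuine instruction boundaries. Checking the hits in the debugger is the way to confirm that a match really is the tag comparison.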

OllyMoreMenu-v1.3c January 24, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

This plugin adds extra menus with your favourite tools to the OllyDbg menu bar for quick starting.

Use:

Install in the Olly Plugins folder

- To add a new menu entry, go to “add menu” and add your favourite tools; if everything is OK, the plugin adds the new menus to the OllyDbg menu bar for quick start

http://vip-file.com/download/7ff9a6246046/OllyMoreMenu-v1.3c.7z.html

PhantOm Plugin 1.54 January 24, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

Plug-in for hiding OllyDbg (plugin with a driver). Protects against the following detection methods:

// driver – extremehide.sys

[+] NtQueryInformationProcess.
[+] SetUnhandledExceptionFilter.
[+] OpenProcess.
[+] Invalid Handle.
[+] NtSetInformationThread.
[+] RDTSC.
[+] NtYieldExecution.
[+] NtQueryObject.
[+] NtQuerySystemInformation.
[+] Windows hide.
[+] GetProcessTimes.
[+] NtSetContextThread.

// plugin – PhantOm.dll

[+] PEB BeingDebugged.
[+] PEB NtGlobalFlag.
[+] GetStartupInfo.
[+] Process Heaps.
[+] GetTickCount.
[!] Protect DRx.
[!] Hide DRx.
[!] Fake Windows version.
[!] Custom Handler.
[+] BlockInput

What’s new in 1.20:

[*] Added own handling of exception (C0000005).
[*] Added option for the title change of the main window.
[*] Added own handling of exception (OUTPUT_DEBUG_STRING_EVENT).
[*] int 3 at EP correctly removed.
[*] Added interception of BlockInput. (WinXP only)
[*] Added own handling of exception (C0000094).
[*] Added hiding of GetStartupInfo.
[*] Fixed bug with changing the options of the plugin.
[*] Added more defense of the driver from detection.

http://vip-file.com/download/0fb19f513060/PhantOm-Plugin-v1-.54.7z.html

StrongOD v0.2.1.267 [20090107] January 7, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

http://vip-file.com/download/7ae084949790/StrongOD-v0.2.1.rar.html

PhantOm Plugin v1.51 January 7, 2009

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

http://vip-file.com/download/066172511319/PhantOm-Plugin-v1.51.7z.html

See the link above: “download with Very Slow Speed”

Request files Reup. December 18, 2008

Posted by reversengineering in OLLY'S PLUGINS, OTHER, Request, Scripts, TOOLS.

hi my friends

http://vip-file.com/download/c6ed40102967/HideSyser-v-1.94.rar.html

http://vip-file.com/download/99ab99480277/Thinstall-Package–Extractor.rar.html

http://vip-file.com/download/3b8847955758/VMProtect-1.7-IAT-Repair.txt.html

http://vip-file.com/download/997828206045/MagicHideOllyDbg-v-1.01.rar.html

http://vip-file.com/download/2c3ae6798317/Themida—WinLicence-1.x.x—2.x.x-CodeEncrypt-Repair.txt.html

MagicHideOllyDbg 1.01 December 9, 2008

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

Here’s a quick list of MagicHideOllyDbg’s function:

- erases debug-heap padding
- erases BeingDebugged flag in the PEB
- erases NtGlobalFlag in the PEB
- adjusts heap flags to default values
- disables kernel32!OutputDebugStringA() function
- forces kernel32!CheckRemoteDebuggerPresent() to always return an error
- forces kernel32!UnhandledExceptionFilter() to ignore debugger presence
- forces kernel32!Process32NextW() to return immediately
- forces ntdll!NtSetInformationThread() to ignore HideThreadFromDebugger class
- forces ntdll!NtQueryInformationProcess() function to ignore ProcessDebugPort class
- intercepts ntdll!NtQuerySystemInformation() function but does nothing with it
- randomises “CPU – ” text in OllyDbg

http://letitbit.net/download/997828455996/MagicHideOllyDbg-v-1.01.rar.html

3links reuploaded November 19, 2008

Posted by reversengineering in OLLY'S PLUGINS, OTHER, TOOLS.

http://letitbit.net/download/8507b3922490/PE.Explorer.v1.99.R4.Incl.Keyfilemaker.READ.NFO-EMBRACE.rar.html

http://letitbit.net/download/f19d5d479804/poison.rar.html

http://letitbit.net/download/fa2efd697724/KKFv151d.rar.html

DataRipper 1.3 November 19, 2008

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

DataRipper 1.3
Author: Ziggy
Website: http://forum.tuts4you.com
Description: Data Ripper is an easy way to rip any kind of data from an app being debugged using OllyDbg. The ripped data can be formatted and “declared” in the syntax of the popular programming languages MASM, C/C++ and Delphi.

Data Ripper is useful whenever you need to rip data, tables etc out of an app so the data can be used in another compiled program.

http://letitbit.net/download/5b438e23842/DataRipper-1.3.rar.html

StrongOD 0.19 & 0.20 November 19, 2008

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

StrongOD 0.20
Author: Fengyue [CUG]

http://www.unpack.cn/

Make your OllyDbg Strong!

This plug-in provides three ways to start the debugged process:

1, Normal – starts the process the same way the original OllyDbg does; the STARTUPINFO structure still contains unclean data.
2, CreateAsUser – starts the process with a User-level token, so the debuggee runs with User rights and cannot perform operations that require Admin.

For this to work, the account running OllyDbg needs two privileges granted under Local Security Policy – User Rights Assignment:

1, Replace a process level token (SeAssignPrimaryTokenPrivilege)
2, Act as part of the operating system (SeTcbPrivilege)

If you run a Home edition of Windows and cannot set these, you can try SuperMode and restart OD to obtain the privileges, but this option is strongly not recommended.

3, CreateAsRestrict – like the second option, starts the process with User-level rights but in a more restricted way, and adds a third function that lets an explicit Admin user start the process.

The process is started by the Admin user, but its token keeps only the default User rights; all risky privileges (including SeDebugPrivilege, SeLoadDriverPrivilege, etc.) are removed, so a debuggee running under OD cannot cause great harm. This is the recommended way to start the debuggee.

http://letitbit.net/download/a6a753749588/StrongOD-v-0.20.rar.html

http://letitbit.net/download/eedd1c403410/StrongOD-v-0.19.rar.html

MagicHideOllyDbg 1.00 November 19, 2008

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

This plug-in borrows methods from heXer, shoooo, loveboom and simonzh2000. Thank you!
This version was produced by reversing; I do not have access to the source code, so it is only a convenience where no other means is available. Sorry about that ~ ~ ~!
Tip: this version and kanxue’s HideOD have features in common, so do not use both at once ^ ^ _ or they will interfere with each other! No need to bring trouble ~ ~!

1.00 update:
On the basis of kanxue’s work a new hiding method was added, so other kinds of hiding can easily be used (I cannot say which specifically; try it out). It still cannot escape the latest version of Themida; I hope to test against 1.8.5, the latest version I have (the actual HideOD has been able to escape for a long time, and the methods come from HideOD, so of course there is no problem !^_^)。

It will be tested again in the hope that we, or I, have better luck, and the related settings have been added to share with you!

Thank you for your support of kanxue ~ ~!
-By EasyStudy, for the kanxue tools development group

http://letitbit.net/download/1798bb902820/MagicHideOllyDbg.rar.html

HideOD v0.182 November 19, 2008

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

0.1.8.2 update:
One more hiding method was added; please test more and send me any problems you find ~! I will look at them and fix them again.
This update is mainly an update for kanxue.
Tested so far:
themida 1.9.9.0 can be escaped!
themida 2.0.4.0 (the trial version can be tested, but the official version costs money, so it was not tested! I went with the official one and did not expect it to escape smoothly _ ^ ^) can be escaped successfully!
Testing after 2.0 is not complete; hopefully some of you who have it on hand can test

Surprisingly, the Themida I had treated still could not be escaped

http://letitbit.net/download/209233593171/HideOD2008.11.19.rar.html

StrongOD v0.18 [2008.09.18] October 29, 2008

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

StrongOD v0.18

OllyDBG v1.10 plugin – StrongOD v0.18 [2008.09.18]

====================================================================
[2008.09.18 v0.18]
1, fixed a small BUG in the Ctrl+G RVA/offset calculation
2, when the program is not in the running state, Detach runs the program first
3, fixed a BUG in restoring the original data after a copy in OD
4, fixed very high CPU usage after running under OD
5, you can set it to skip some exception handling

[2008.09.02 v0.17]
1, skips some exceptions that OD handles improperly
2, correctly handles the int 2d instruction

[2008.08.31 v0.16]
1, added a driver that protects the process, hides the window and gets past most anti-debugging
2, the driver supports a custom device name (DeviceName in ollydbg.ini, no more than 8 characters)
In the [StrongOD] section of ollydbg.ini you can set:
HideWindow=1 hides the window
HideProcess=1 hides the process
ProtectProcess=1 protects the process
DriverKey=-82693034 the key used to communicate with the driver
DriverName=fengyue0 the driver name (no more than 8 characters)

3, the process created by OD gets explorer.exe as its parent process (copied from shoooo’s code)

This version adds the driver; if you get a blue screen, set up a minidump and post it to the forum, thank you
Use the original OllyDbg as much as possible; other anti-anti-debugging plug-ins (including phant0m) generally do not need to be used together with this plug-in

http://letitbit.net/download/523d21906934/StrongOD-v0.18.rar.html

Bulk Labelling PlugIn 1.0 October 29, 2008

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

There are 8 files in this package, including this ReadMe.

1. BlkLabel.dll ) Copy to OllyDbg
2. SubLabel.dll ) Folder to obtain Clarion MAP
3. BlkLabel.chm ) PlugIn functionality

Create a SubLabel.dll to obtain specific functionality for your Programming Language IDE Output. The specification of
SubLabel.dll is set out in BlkLabel.chm. In essence all that is required are two Exports:

MAPFilePerCharacterHandler … which will receive each Character read (as a 1 Character C-String). (It will also receive,
via a similar 1-Character C-String, the Previous Character … this may, or may not, be of use … depends on circumstances).
If Character translation is necessary, overstore the Current Character with a translation (Unicode is NOT supported here). In
this case of SubLabel.dll as supplied, the only translation performed is to turn Tab Character (09h) into a single Space
(20h).

The record that is built, via MAPFilePerCharacterHandler, is – when completed – handed over to:

MAPFilePerRecordHandler … from which Label-Address pairs can be extracted any-which-way you want. Use OllyDbg
“_Insertname” to insert them.

4. BlkLabel.clw is the Clarion Source Text of the main PlugIn.
5. SubLabel.clw is the Clarion Source Text that supports a Clarion Memory Map file.

(Being written in Clarion they should be perfectly readable, but will probably be useless to you. This is, of course,
precisely the problem *I* have, IN REVERSE, with ALL examples supplied by other people … unless the functionality is
described in non-specific/universal terms … as I have tried to do here).

6. Veronica.obj is my Assembler-coded stuff that provides ‘interfacing glue’ between C-Style and Clarion-Style, comprising
such Functions as SaveRegisters(), RestoreRegisters(), StringCopy(), RemoveLeadingSpaces(), RemoveTrailingSpaces(), etc.
7. Veronica.clw is a Source File Text which declares the Prototypes of the Exports of Veronica.obj.

This PlugIn is really only useful to those who write their own software, using an IDE that can create a Memory Map. In this
case you would find it very useful to be able to transfer your Symbols into OllyDbg. Things become much easier to find!

(As far as I can see) The only thing necessary would be to create a SubLabel.dll – as explained above – to decipher RECORDS
presented sequentially from the Memory Map of your choice … which should not be a big job. BlkLabel itself does all the
rest.

Author: Veronica Chapman

http://www.veronicachapman.com/

http://letitbit.net/download/55ac70716007/BlkLabel-v-1.0.rar.html

OllyDBG v1.10 plugin – StrongOD v0.18 [2008.09.18] September 19, 2008

Posted by reversengineering in DEBUGGER, OLLY'S PLUGINS, TOOLS.

[2008.09.18 v0.18]
1, fixed a small BUG in the Ctrl+G RVA/offset calculation
2, when the program is not in the running state, Detach runs the program first
3, fixed a BUG in restoring the original data after a copy in OD
4, fixed very high CPU usage after running under OD
5, you can set it to skip some exception handling

[2008.09.02 v0.17]
1, skips some exceptions that OD handles improperly
2, correctly handles the int 2d instruction

[2008.08.31 v0.16]
1, added a driver that protects the process, hides the window and gets past most anti-debugging
2, the driver supports a custom device name (DeviceName in ollydbg.ini, no more than 8 characters)
In the [StrongOD] section of ollydbg.ini you can set:
HideWindow=1 hides the window
HideProcess=1 hides the process
ProtectProcess=1 protects the process
DriverKey=-82693034 the key used to communicate with the driver
DriverName=fengyue0 the driver name (no more than 8 characters)

3, the process created by OD gets explorer.exe as its parent process (copied from shoooo’s code)

This version adds the driver; if you get a blue screen, set up a minidump and post it to the forum, thank you
Use the original OllyDbg as much as possible; other anti-anti-debugging plug-ins (including phant0m) generally do not need to be used together with this plug-in

Download

http://www.unpack.cn/viewthread.php?tid=28854

X3 0.1 September 15, 2008

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

A plugin which gives you quick access to RegEdit, Calculator and EnableDebugPrivilege.

http://letitbit.net/download/1b2ca1398980/x3-v-0.1.rar.html

2 new olly plugins September 7, 2008

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

IDAFicator v1.2.12
+BP-OLLY v0.1

http://letitbit.net/download/af9d43246757/2-new-plugins.rar.html

StrongOD v0.15 (bug fixed) September 4, 2008

Posted by reversengineering in OLLY'S PLUGINS, TOOLS.

DeAttach a BUG
1, enhanced the Find module function (correctly handles modules hidden from the PEB, such as ring3 hidden modules)
2, enhanced OD’s analysis of the PE header (e.g. the Upack shell, etc.)
3, anti-anti-attach (an extreme form of attach)
4, the target no longer exits when debugging stops (DebugActiveProcessStop function); Windows XP and above
5, DLL injection into the debugged process
a) Remote Thread (injection using CreateRemoteThread)
b) Current Thread (shellcode; no new thread is created, the injection runs in the currently suspended thread)

A short description of the functions:
1, View module: the normal Find module walks the PEB; if the PEB has been tampered with, OD cannot handle it properly, so StrongOD finds modules using ZwQueryVirtualMemory instead
The picture below: a hidden module that Process Explorer cannot find, but OD finds correctly

2, non-standard PE headers: OD cannot identify them and the PE header structure shown in the data window is wrong; StrongOD enhances OD’s ability to identify the PE header, and also provides PE information to other plug-ins
The picture shows the main program of UPack

The picture below shows OD identifying the Upack import table

3, many programs prevent OD from attaching by hooking NtContinue or the DbgUiRemoteBreakin function; StrongOD uses an extreme means to attach. (Note: StrongOD has no special handling for some unconventional thread checks, such as a thread opened by TTProtect that checks regularly; attach is not possible there)

4, DebugActiveProcessStop function: detaches the debugged process from the debugger

5, DLL injection into the debugged process, in two ways: the first uses a remote thread, the second opens no additional thread and injects using the currently suspended thread. The former works in the running state as well as the suspended state, while the latter must first suspend a thread before it can inject

http://letitbit.net/download/6f61ac660771/StrongODv0.15-DeAttach-a-BUG.rar.html
