Reverse Engineering b10g | REM

hi
HOlly v0.2
LabelArgs v0.1
MUltimate Assembler v0.3
ODbgScript v1.75.3
Olly Advanced v1.27
Plugins Manager v1.2
StrongOD v0.2.6.415

http://letitbit.net/download/6309.6577fabcf64e4c420746565f5/olly_plugins.rar.html

ODBGScript v1.66.3, Release
1.66 (21 Dec 2008)
+ GOPI (Get Operand Information) to get asm operand informations (TYPE, SIZE, ADDR, DATA, GOOD)
* Fixed OPCODE, GCI, GAPI, REF commands, ReadMemory replaced by ReadCommand (bug on Vista ?)

1.65 (SVN)
+ BPHWC without parameter clears all hardware breakpoints (same as BPHWCALL, which could be removed/renamed)
+ BC without parameter clears all loaded breakpoints (Breakpoints Window)
+ BD without parameter disables all loaded breakpoints
* Breakpoints saving enhanced, and saving/restore on restart.

i will upload all file in one file in first post of this page

Sometimes we want to find out where in a module the code parsing is done. In the example below, we want to find the code that parses the QuickTime video codecs that are in Windows media player. We know that the codecs support the raw, rle, jpeg, mjpb, and rpza tags, so all we need to do is to search for those tags in our module–in this case, the “quartz.dll” module. The OllyEye hunter knows that it should check for the video codec’s tags such as code.equals (“rpza”) and that in assembly it should be done with the CMP command that represents it. For this reason, it searches for the CMP command that matches the ‘rpza’ keyword. http://securitylabs.websense.com/content/Blogs/3244.aspx

This plugin added in ollydbg in the menubar more menu´s with your favorite tools for quickstart.

Use:

Install in the Olly Plugins Folder

- for add new menu entry go in add menu and add you favorite tools if ok add this plugin new menu´s in ollydbg menubar for quickstart
http://vip-file.com/download/7ff9a6246046/OllyMoreMenu-v1.3c.7z.html

Plug-in for concealment OllyDbg (plugin with the driver). Helps from following methods of detection:

// driver – extremehide.sys

[+] NtQueryInformationProcess.
[+] SetUnhandledExceptionFilter.
[+] OpenProcess.
[+] Invalid Handle.
[+] NtSetInformationThread.
[+] RDTSC.
[+] NtYieldExecution.
[+] NtQueryObject.
[+] NtQuerySystemInformation.
[+] Windows hide.
[+] GetProcessTimes.
[+] NtSetContextThread.

// plugin – PhantOm.dll

[+] PEB BeingDebugged.
[+] PEB NtGlobalFlag.
[+] GetStartupInfo.
[+] Process Heaps.
[+] GetTickCount.
[!] Protect DRx.
[!] Hide DRx.
[!] Fake Windows version.
[!] Custom Handler.
[+] BlockInput

Whats new: – 1.20

[*] Added own handling of exception (C0000005).
[*] Added option for the title change of the main window.
[*] Added own handling of exception (OUTPUT_DEBUG_STRING_EVENT).
[*] int 3 at EP correctly removed.
[*] Added interception of BlockInput. (WinXP only)
[*] Added own handling of exception (C0000094).
[*] Added hiding of GetStartupInfo.
[*] Fixed bug with changing the options of the plugin.
[*] Added more defense of the driver from detection.

http://vip-file.com/download/0fb19f513060/PhantOm-Plugin-v1-.54.7z.html

http://vip-file.com/download/7ae084949790/StrongOD-v0.2.1.rar.html

http://vip-file.com/download/066172511319/PhantOm-Plugin-v1.51.7z.html

see this  link  :”download with Very Slow Speed “

Here’s a quick list of MagicHideOllyDbg’s function:

- erases debug-heap padding
- erases BeingDebugged flag in the PEB
- erases NtGlobalFag in the PEB
- adjusts heap flags to default values
- disables kernel32!OutputDebugStringA() function
- forces kernel32!CheckRemoteDebuggerPresent() to always return an error
- forces kernel32!UnhandledExceptionFilter() to ignore debugger presence
- forces kernel32!Process32NextW() to return immediately
- forces ntdll!NtSetInformationThread() to ignore HideThreadFromDebugger class
- forces ntdll!NtQueryInformationProcess() function to ignore ProcessDebugPort class
- intercepts ntdll!NtQuerySystemInformation() function but does nothing with it
- randomises “CPU – ” text in OllyDbg

http://letitbit.net/download/997828455996/MagicHideOllyDbg-v-1.01.rar.html

DataRipper 1.3
Author Ziggy
website http://forum.tuts4you.com
Description Data Ripper is an easy way to rip any kind of data from an app being debugged using Ollydbg. The ripped data can be formatted and “declared” in the syntax of the popular programming languages MASM, C/C++ and Delphi.

Data Ripper is useful whenever you need to rip data, tables etc out of an app so the data can be used in another compiled program.
http://letitbit.net/download/5b438e23842/DataRipper-1.3.rar.html

StrongOD 0.20
Author Fengyue [CUG]
http://www.unpack.cn/
Make your OllyDbg Strong!

This plug-in provides three kinds of ways to initiate the process:

1, Normal – And the same manner as the original start, the STARTUPINFO inside unclean data
2, CreateAsUser – User with a mandate to initiate the process of the user, so that the process running under the purview of the User, unable to establish the process Admin operation.

Running is such a need in the local security strategy – the user rights assignment inside your users will join the two powers:

1, the replacement process-level marks (SeAssignPrimaryTokenPrivilege)
2, the operating system mode operations (SeTcbPrivilege)

If the home version of the windows, unable to set up, then you can try to use SuperMode and reopen the OD to upgrade the competence and strongly does not recommend the use of this option

3, CreateAsRestrict – The second option the user with User authority to initiate the process more restricted areas, and increase the third function to a explicit Admin users to initiate proceedings.

The procedure is initiated Admin user, but power users only some of the default User authority, all authority to delete some risk (including SeDebugPrivilege, SeLoadDriverPrivilege, etc.), this procedure will not run OD cause great harm. In this way the proposed commencement of the proceedings.

http://letitbit.net/download/a6a753749588/StrongOD-v-0.20.rar.html

http://letitbit.net/download/eedd1c403410/StrongOD-v-0.19.rar.html

This plug-in from key stakeholders method heXer, shoooo, loveboom, simonzh2000 that procedure, Thank you!
This version is the reverse from, I do not have access to source code, only just a convenience we do not have other means, above all very sorry ~ ~ ~!
Tip: this version and kanxue big HideOD have in common, let us not repeat ^ ^ _ so as not to influence each other! No need to bring the trouble ~ ~!

1.00 update:
In kanxue greatly on the basis of a new hidden, you can easily use other types of hidden (can not say the specific, we will try out), this still could not escape the latest version of themida testing, we hope to give the test 1.8 I .5 is the latest in the hands of escape (the actual HideOD, can be a long, and methods from HideOD, so of course there is no problem !^_^)。

will be tested again in the hope that we can better luck, or my luck, and the related increase in the number of settings, to share with you!

Thank you for your support for the snow to see ~ ~!
-By EasyStudy For snow to see the development of tools group
http://letitbit.net/download/1798bb902820/MagicHideOllyDbg.rar.html

0.1.8.2 update:
An increase of a hidden, we hope that more tests What is the problem can be sent to ~! I look good, the amendment again.
The update is significantly updated for kanxue
At present, the test:
themida 1.9.9.0 able to escape!
themida 2.0.4.0 (test version can be tried, but the official version, no money to buy, not to test! I go under the official, did not expect a smooth escape _ ^ ^) can be successfully managed to escape!
2.0 after the test is not complete, we hope that some on-hand to test

At all surprising that I have been treated themida still could not escape
http://letitbit.net/download/209233593171/HideOD2008.11.19.rar.html

StrongOD v0.18

OllyDBG v1.10 plugin – StrongOD v0.18 [2008.09.18]

================================================== ==================
[2008.09.18 v0.18]
1, to repair the Ctrl G calculation rva, offset when a small BUG
2, when the program is not running the state, Detach before running program
3, restoration of the original data OD zone copy BUG
4, repair od after the CPU running very high occupancy rate BUG
5, you can set it to skip some of the exception handling

[2008.09.02 v0.17]
1, to skip some of the improper handling of the abnormal OD
2, correctly handle the instructions int 2d

[2008.08.31 v0.16]
1, joined the drive to protect the process, the hidden window, over most of the anti-debugging
2, driver support for the custom equipment 000 (ollydbg.ini of DeviceName, equipment were not more than 8 characters)
ollydbg.ini of [StrongOD], you can set up their own
HideWindow = 1 to hide the window
HideProcess = 1 to hide the process
ProtectProcess = 1 protection process
DriverKey =- 82693034 and the key driver of communication
DriverName = fengyue0 who drives (not more than 8 characters)

3, OD will be the creation of the parent process into the process explorer.exe (copied from shoooo code)

////////////////////////////////////////////////// ///////////

The increase in the version of the driver, if a blue screen, set up minidump spread to the Forum, thank you
OllyDbg original use as much as possible, and other generally do not need the anti-anti plugin in conjunction with plug-in (including phant0m)
http://letitbit.net/download/523d21906934/StrongOD-v0.18.rar.html

There are 8 files in this package, including this ReadMe.

1. BlkLabel.dll ) Copy to OllyDbg
2. SubLabel.dll ) Folder to obtain Clarion MAP
3. BlkLabel.chm ) PlugIn functionality

Create a SubLabel.dll to obtain specific functionality for your Programming Language IDE Output. The specificalion of
SubLabel.dll is set out in BlkLabel.chm. In essence all that is required are two Exports:

MAPFilePerCharacterHandler … which will receive each Character read (as a 1 Character C-String). (It will also receive,
via a similar 1-Character C-String, the Previous Character … this may, or may not, be of use … depends on circumstances).
If Character translation is necessary, overstore the Current Character with a translation (Unicode is NOT supported here). In
this case of SubLabel.dll as supplied, the only translation performed is to turn Tab Character (09h) into a single Space
(20h).

The record that is built, via MAPFilePerCharacterHandler, is – when completed – handed over to:

MAPFilePerRecordHandler … from which Label-Address pairs can be extracted any-which-way you want. Use OllyDbg
“_Insertname” to insert them.

4. BlkLabel.clw is the Clarion Source Text of the main PlugIn.
5. SubLabel.clw is the Clarion Source Text that supports a Clarion Memory Map file.

(Being written in Clarion they should be perfectly readable, but will probably be useless to you. This is, of course,
precisely the problem *I* have, IN REVERSE, with ALL examples supplied by other people … unless the functionality is
described in non-specific/universal terms … as I have tried to do here).

6. Veronica.obj is my Asssembler-coded stuff that provides ‘interfacing glue’ between C-Style and Clarion-Style, comprising
such Functions as SaveRegisters(), RestoreRegisters(), StringCopy(), RemoveLeadingSpaces(), RemoveTrailingSpaces(), etc.
7. Veronica.clw is a Source File Text which declares the Prototypes of the Exports of Veronica.obj.

This PlugIn is really only useful to those who write their own software, using an IDE that can create a Memory Map. In this
case you would find it very useful to be able to transfer your Symbols into OllyDbg. Things become much easier to find!

(As far as I can see) The only thing necessary would be to create a SubLabel.dll – as explained above – to decipher RECORDS
presented sequentially from the Memory Map of your choice … which should not be a big job. BlkLabel itself does all the
rest.

Author: Veronica Chapman

http://www.veronicachapman.com/

http://letitbit.net/download/55ac70716007/BlkLabel-v-1.0.rar.html

A plugin which gives you quick access to RegEdit, Calculator and EnableDebugPrivilege.

http://letitbit.net/download/1b2ca1398980/x3-v-0.1.rar.html

IDAFicator v1.2.12
+BP-OLLY v0.1

http://letitbit.net/download/af9d43246757/2-new-plugins.rar.html

DeAttach a BUG
1, enhanced Find function modules (correctly handled peb find the modules, such as ring3 hidden module)
2, OD enhance the document Pe head of analysis (such as Upack shell, etc.)
3, anti anti attach (an extreme form attach)
4, the goal is no longer out of debugging (DebugActiveProcessStop) function, xp system over
5, dll to be injected into the process of debugging
a) Remote Thread (using CreateRemoteThread injection)
b) Current Thread (shellcode, not to increase threads way into the current thread to be suspended)

////////////////////////////////////////////////// /////////////////////

Tell us about simple function:
1, View module features: Find module is the general search peb, have to deal with the peb, OD support properly, so StrongOD find ways to use the module ZwQueryVirtualMemroy
The following plans: This is the hidden module, ProcessExplorer find less than module, and correctly found in the OD

2, the first non-normal PE, OD will not be able to identify, in the data window pe header structure will be an error, StrongOD OD enhanced ability to identify PE head, but also to other plug-in for the information provided to facilitate pe
The chart is the main program UPack

OD under the plan is to identify the import table Upack

3, many procedures to prevent additional OD, hook or a NtContinue DbgUiRemoteBreakin function, StrongOD use of a means to attach extreme attach. (Note: some unconventional means to check the thread StrongOD no special treatment, such as opening a thread TTProtect regularly check, can not be here or attach)

4, DebugActiveProcessStop functions to be debugging process from the debugger

5, dll to be injected into the process of debugging, two kinds of ways, the first thread is the long-range model, the second did not open an additional thread, the current moratorium on the use of the thread to inject. The former can be run in the state, can also suspend the state, while the latter must first suspend a thread can be injected

http://letitbit.net/download/6f61ac660771/StrongODv0.15-DeAttach-a-BUG.rar.html

About
OllySocketTrace is a plugin for OllyDbg (version 1.10) to trace the socket operations being performed by a process. It will record all buffers being sent and received. All parameters as well as return values are recorded and the trace is highlighted with a unique color for each socket being traced.

The socket operations currently supported are: WSASocket, WSAAccept, WSAConnect, WSARecv, WSARecvFrom, WSASend, WSASendTo, WSAAsyncSelect, WSAEventSelect, WSACloseEvent, listen, ioctlsocket, connect, bind, accept, socket, closesocket, shutdown, recv, recvfrom, send and sendto.

Usage
Simply install the plugin and activate OllySocketTrace when you wish to begin tracing socket operations. OllySocketTrace will automatically create the breakpoints needed and record the relevant information when these breakpoints are hit. To view the socket trace select the OllySocketTrace Log.

Double clicking on any row in the OllySocketTrace Log window will bring you to the callers location in the OllyDbg disassembly window. The recorded socket trace is highlighted with a unique color for each socket being traced. Right clicking on any row will give you some options such as to view the recorded data trace. You can also filter out unwanted information if you are only concerned with a specific socket.

Screenshot

Screenshot 1

Screenshot 2 http://letitbit.net/download/751034995131/OllySocketTrace-v1.0.zip.html

This plugin shows all installed vectored exception hadlers in the program.
Copy VEH_Walker_Plugin.dll into OllyDbg plugin directory.

Load VEHDemo.exe into OllyDbg. Set breakpoint on ExitProcess.

Run program. When you stop on ExitProcess, choose menu item View VEH.

If all good, you will see four handlers.

http://letitbit.net/download/62f05783918/VEHWalk.rar.html

NICE PLUGIN BY What

Here is the source for a plugin, I have decided to write a new one from scratch with completely custom code.. Its has fixes for stuff like IsDebuggerPresent, HeapFlags, and shows hooks for stuff like ZwQueryProcessInformation. Show how to apply fixes to ollydbg itself, remove ep breakpoint and break on tls. Hope this helps someone. Originally I used a thread on restart of plugin but it was kinda annoying, so I hooked ollydbg later on where all the fixes would work right, took forever to find a good spot.

updated the code and fixed compatibility problems. I would still call it alpha code, but it works with all plugins I use. Looking into adding driver code with the source code for the rdtsc from pediy. Im not sure what exactly I added to it since the first post. Enumwindows mainly for telock. Cant use ignore invalid handle option with ollyadvanced if you want this one the fix in the plugin to work, ill probably fix that sooner or later. Anyway link is updated.

Edit in: Code updated as 3.2.08

Updates include added Process32Next hook, HeapFlags problem.

http://letitbit.net/download/f19d5d702428/poison.rar.html

Anti Anti and compatibility plugin for Olly 1.10 running on Vista x64.
I made this little plugin to make unpacking on Vista x64 a bit more bearable
It has most of the know anti anti and makes an effort to make Olly behave like it should on regular x86 machines.
Next to this I implemented my own version of the OllyBone ‘Break On Execute’ making unpacking some simple packers a lot easier.

http://letitbit.net/download/50ab24687236/Stealth64v1.0.7z.html

Here is the source for a plugin, I have decided to write a new one from scratch with completely custom code.. Its has fixes for stuff like IsDebuggerPresent, HeapFlags, and shows hooks for stuff like ZwQueryProcessInformation. Show how to apply fixes to ollydbg itself, remove ep breakpoint and break on tls. Hope this helps someone. Originally I used a thread on restart of plugin but it was kinda annoying, so I hooked ollydbg later on where all the fixes would work right, took forever to find a good spot.

http://letitbit.net/download/5d6d5441651/Poison-v-0.1.rar.html

This plugin added in ollydbg in the menubar more menu´s with your favorite tools for quickstart.

Use:

Install in the Olly Plugins Folder

- for add new menu entry go in add menu and add you favorite tools if ok add this plugin new menu´s in ollydbg menubar for quickstart

http://letitbit.net/download/cfa996368735/OllyMoreMenu-v1.1.rar.html

— [PhantOm plugin 1.25 ]—————————————— ——–
by Hellsp @ wn & Archer

/ / spring aggravation:
/ / IHA! PEOPLE WITH ALL DAY! SPRING WALKS! BEER begins! GULYAYTE DEVUSHKAMI X!
/ / ZHIVITE FULL LIFE!

| Privety fly to:
| Bronco, kioresk, RSI, lord_Phoenix, HoBleen, Grim Fandango,
| Guru.eXe, vad8787, PE_Kill.
————————————————– —————————

The plug to hide OllyDbg (with driver).
Helps detection of the following methods:

/ / driver – extremehide.sys

[+] NtQueryInformationProcess.
[+] SetUnhandledExceptionFilter.
[+] OpenProcess.
[+] Invalid Handle.
[+] NtSetInformationThread.
[+] RDTSC.
[+] NtYieldExecution.
[+] NtQueryObject.
[+] NtQuerySystemInformation.
[+] Windows hide.
[+] GetProcessTimes.
[+] NtSetContextThread.

/ / plug – PhantOm.dll

[+] PEB BeingDebugged.
[+] PEB NtGlobalFlag.
[+] GetStartupInfo.
[+] Process Heaps.
[+] GetTickCount.
[!] Protect DRx.
[!] Hide DRx.
[!] Fake Windows version.
[!] Custom Handler.
[+] BlockInput

What’s New – 1.25

You may now ask the very name services
HIDENAME and RDTSCNAME.

Some minor bugs.

Fixed bug with memory breakpoints.

What’s New – 1.20

Added own processing exceptions (C0000005).

Added the title change of the main window.

Added own processing exceptions (OUTPUT_DEBUG_STRING_EVENT).

int 3 at EP correctly removed if the stop
at the point of the system failed.

Added BlockInput interception. (WinXP only)

Added own processing exceptions (C0000094).

Added hide from GetStartupInfo.

Fixed bug with the settings plug.

Added protection from detection drivers.

What’s New – 1.15

Several bugs.

What’s New – 1.10

hook GetProcessTimes – moved to the driver.

hook NtSetContextThread – moved to the driver.

The bug and removing the “EP break.”

Several bugs related to downloading options.

In ini added “DELTARDTSC which will regulate the spread RDTSC.

What’s New – 1.04

Fixed bsod while loading drivers.

What’s New – 1.03

Fixed bug with windows.

What’s New – 1.01

Fixed bug in the driver.

What’s New – 1.00

Added protection OllyDbg windows.

Now OllyDbg patchitsya regardless of ImageBase.

What’s New – 0.60

Added own processing exceptions (C000001E, 80000001, C000001D).

Added removal int3 with EntryPoint.

Fixed bug with GetTickCount.

Added methods in anti-detekta driver.

What’s New – 0.58

Fixed bug with Hide from peb on some systems.

What’s New – 0.57

Fixed bug with the attachment to the process.

Added protection from GetProcessTimes.
[-] Removed option Fake Windows version (at the time).

What’s New – 0.55

Improved imulyatsiya GetTickCount.

Added emulation RDTSC.

Fixed bug with not zeroing ServicePack.

A bit optimized code.

What’s New – 0.53

Now the driver is in resources.

NtSetInformationThread added protection.

Fixed bug with Fake Windows version.

What’s New – 0.51

Fixed bug in the GetTickCount

Fixed bug with a patch PEB ‘and

/ / Notes:

– if you have changed the settings in the plug, but you open any file in OllyDbg,
necessarily have to restart it (Ctrl-F2) program.

– plug-in displays debug messages Log (Alt + L), so the first run
advised to put all the options and examine the Log for errors.

– tested only on Windows 2000 SP4, XP SP2.

– with the plug, it is recommended to turn off programs that can prevent
loading drivers (Antivirus, PC).

– incorrect in the work are encouraged to try to plug the “native” OllyDbg,
without extraneous plugins.

/ / Contact author:
www: hellspawn.nm.ru
mail: for.hellspawn @ gmail.com
file here:rar file

FROM:http://kioresk.wordpress.com/

“While Hellspawn in working on new version of PhantOm plugin, you can use modified one to debug applications protected with EXECryptor 2.4.1.

There is nothing extraordinary in it, i’ve changed names of both drivers and their checksums.

Currently, i’m using previous version of PhantOm plugin – 1.0.4 instead of last one (1.1.5), so if you need last version – modify it yourself (don’t forget to change both ascii and unicode names).

Download modified version of PhantOm 1.0.4 plugin from http://www.box.net/shared/8eabhv5sre (7-Zip, 42 kB)”