12 Dec 2011

Hyde v1.01

Today I released an update to the Hyde OllyDbg2 plugin, with a few more tricks added and some bug fixes.
Please see the Hyde.txt contained within the archive for the list of changes.

12 Sept 2011

Hyde v1.00

Today I released my second plugin for OllyDbg v2.xx - Hyde
This plugin hides OllyDbg from various detection tricks, whilst allowing "normal" usage of the APIs.
What this means is that OllyDbg itself will be hidden from the APIs, but all other processes and windows can still be found.

The options can be saved to file, to create patch-sets.  So if you are debugging ASProtect, then you can save options to a file ASProtect.SET, which you can reload when you next need those options.
As an example, a Patch-Set for VMProtect (or VProtect) is included in the distribution.

8 Aug 2011

WinMax plugin for OllyDbg v2.xx

Over on my site I have released my first plugin for OllyDbg v2.xx, Window Maximizer. As the name suggests, this plugin simply keeps all windows maximized automatically.
The new plugin-capable OllyDbg has been out for just a couple of days and is still alpha, so I haven't converted the full PDK yet, but full Delphi source is included.

Download

15 Apr 2011

Old PEiD projects

Today I added some more projects from my old site:


  1. PEiDLL (PEiD in a DLL) - This is a DLL that contains a slightly hacked version of PEiD v0.94 which allows you to use PEiD scanning engine from your own projects.
    Included in archive is documentation, SDK, and examples in C++, Delphi and Asm.

  2. PluginToExe - As the name suggests, this program converts PEiD plugins to executable files.  It adds a small loader that does all the things needed to make this work, including opening a file dialog (if no cmdline supplied) and the actual loading of the file.  Note: This actually converts the DLL into an EXE, so no loader exe is needed.
Quite a few more projects to come!  Keep checking back for more updates :)

14 Apr 2011

Converted Immunity Debugger 1.8x plugins

A few days ago I released on my site 13 plugins converted for use with Immunity Debugger 1.8x.
Most are converted from OllyDbg plugins, and some were originally in Immunity Debugger plugin format.
All plugins were converted with my FixPlugins tool. Find them (and more!) here

1 Apr 2011

Immunity Debugger Plugin-related projects released

On my new site (http://woodmann.com/BobSoft/) yesterday, I released two new projects.

1. Immunity Debugger PDK v1.03 - A multi-debugger aware PDK that will enable the same plugin to be used with old ImmDbg, new ImmDbg (v1.8x+), and OllyDbg (and patched versions).  No patching is needed to make it work on e.g. ImmDbg v1.73, OllySND or OllyDRX; in fact the plugin can be in a shared plugin folder for all three!
  Get it Here

2. PluginFix v1.01 - Conversion tool for old ImmDbg plugins, and OllyDbg plugins, to make them work with the newer v1.8x ImmDbg plugin changes. This process requires altering the Imports and Exports of a plugin to allow it to:
    A) Be loaded by ImmDbg v1.8x, by removing implicit Imports to OllyDbg or old ImmDbg.
    B) Fix the Exports to be recognised by ImmDbg as a valid plugin.
  Get it Here

More detailed information will be found if you click the links.

31 Mar 2011

Weird Delphi 7 compiler bugs (Part 1)

This one I came across only recently.  It only affects ASM blocks.

  Function  BugTest : Cardinal;
  Asm
      Jmp  @Start          // Skip over the code and data table below
    @L1:
      Nop
      Nop
      Nop
      Nop
    @L2:
      Jmp  @L1             // First instruction at @L2 is an unconditional 2-byte JMP
      Nop
      Nop
    @L3:
      DD  Offset @L2       // Start address (local label references need the @ prefix)
      DD  Offset @L3       // End address
    // Return the distance between labels @L2 and @L3
    @Start:
      Lea ECX, Offset @L3  // ECX -> the two-entry DWord table
      Mov EAX, [ECX]       // Get start address
      Mov ECX, [ECX+4]     // Get end address
      Sub ECX, EAX         // Sub start from end to get len
      Mov @Result, ECX
  End;
Running this code should give a result of 4 (a 2-byte JMP and 2 NOPs), but it doesn't: the function returns 8!

What actually happens is that the compiler resolves Offset @L2 through the JMP instruction sitting at the @L2 label, so the start address compiled into the table at @L3 is the JMP's target, @L1, instead of @L2 itself. Since @L1 lies 4 bytes before @L2, the subtraction yields @L3 - @L1 = 8 rather than 4.
This does not happen with a conditional Jcc, only with an unconditional JMP, and only when the label is referenced from a DWord table via Offset. It is a very rare condition, but annoying if you don't know what is going on.

So how do you stop this? Well, as noted above, you can alter the JMP to be a Jcc, or rearrange the instructions so that the first instruction at the label is not a JMP (I added a NOP).