12 Dec 2011
Today I released an update to the Hyde OllyDbg2 plugin, with a few more tricks added and some bug fixes.
Please see the Hyde.txt contained within the archive for the list of changes.
12 Sept 2011
Hyde v1.00
Today I released my second plugin for OllyDbg v2.xx - Hyde.
This plugin hides OllyDbg from various debugger-detection tricks, whilst still allowing "normal" use of the APIs.
What this means is that OllyDbg itself is hidden from those APIs, but all other processes and windows can still be found.
The options can be saved to a file, to create patch-sets. So if you are debugging ASProtect, you can save the options to a file ASProtect.SET and reload it the next time you need those options.
As an example, a patch-set for VMProtect (or VProtect) is included in the distribution.
8 Aug 2011
WinMax plugin for OllyDbg v2.xx
Over on my site I have released my first plugin for OllyDbg v2.xx, Window Maximizer. As the name suggests, this plugin simply keeps all windows maximized automatically.
The new plugin-capable OllyDbg has been out for just a couple of days and is still alpha, so I haven't converted the full PDK (Plugin Development Kit) yet, but full Delphi source is included.
Download
15 Apr 2011
Old PEiD projects
Today I added some more projects from my old site:
- PEiDLL (PEiD in a DLL) - This is a DLL containing a slightly hacked version of PEiD v0.94, which allows you to use the PEiD scanning engine from your own projects.
Included in the archive are documentation, an SDK, and examples in C++, Delphi and Asm.
- PluginToExe - As the name suggests, this program converts PEiD plugins to executable files. It adds a small loader that does everything needed to make this work, including opening a file dialog (if no command line is supplied) and the actual loading of the file. Note: the plugin DLL itself is converted into an EXE, so no separate loader EXE is needed.
Quite a few more projects to come! Keep checking back for more updates :)
14 Apr 2011
Converted Immunity Debugger 1.8x plugins
A few days ago I released on my site 13 plugins converted for use with Immunity Debugger 1.8x.
Most are converted from OllyDbg plugins, and some were in the original Immunity Debugger plugin format.
All plugins were converted with my FixPlugins tool. Find them (and more!) here
1 Apr 2011
Immunity Debugger Plugin-related projects released
Yesterday, on my new site (http://woodmann.com/BobSoft/), I released two new projects.
More detailed information will be found if you click the links.
- Immunity Debugger PDK v1.03 - A multi-debugger aware PDK that enables the same plugin to be used with old ImmDbg, new ImmDbg (v1.8x+), and OllyDbg (and patched versions). No patching is needed to make it work on, e.g., ImmDbg v1.73, OllySND or OllyDRX; in fact the plugin can live in a shared plugin folder for all three!
Get it Here
- PluginFix v1.01 - Conversion tool for old ImmDbg plugins and OllyDbg plugins, to make them work with the newer v1.8x ImmDbg plugin changes. The conversion alters the imports and exports of a plugin so that it will:
A) be loaded by ImmDbg v1.8x, by removing implicit imports of OllyDbg or old ImmDbg;
B) have its exports recognised by ImmDbg as a valid plugin.
Get it Here
31 Mar 2011
Weird Delphi 7 compiler bugs (Part 1)
This one I came across only recently. It only affects ASM blocks.
Running this code should give a result of 4 (a 2-byte Jmp and 2 Nops), but it doesn't: the function returns 8!

Function BugTest : Cardinal;
Asm
  Jmp @Start
@L1:
  Nop
  Nop
  Nop
  Nop
@L2:
  Jmp @L1
  Nop
  Nop
@L3:
  DD Offset L2          // Start address
  DD Offset L3          // End address
  // Return the distance between labels @L2 and @L3
@Start:
  Lea ECX, Offset @L3
  Mov EAX, [ECX]        // Get start address
  Mov ECX, [ECX+4]      // Get end address
  Sub ECX, EAX          // Sub start from end to get len
  Mov @Result, ECX
End;
What actually happens is that the start address is taken from the JMP instruction at the @L2 label, so the start address value compiled into the table at @L3 points to @L1 instead of @L2 (hence 4 Nops + 2-byte Jmp + 2 Nops = 8).
This doesn't happen with a conditional jump (Jcc), only with JMP, and only when the label is referenced from a DWord table offset. A very rare condition, but annoying if you don't know what is going on.
So how to stop this? As noted above, you can change the JMP to a Jcc, or rearrange the instructions so that the first instruction at the label is not a JMP (I added a NOP in front of it).
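Added example, not code from the original post: the post's BugTest placed beside a FixedTest that applies the NOP workaround, so the two can be compared in one console program. It assumes Delphi 7 behaves as the post describes, in which case BugTest prints 8 and FixedTest prints 5 (1 Nop + 2-byte Jmp + 2 Nops); the program and function names are the example's own.

```delphi
program LabelOffsetWorkaround;
{$APPTYPE CONSOLE}

// Added example, not from the original post. Assumption: Delphi 7 resolves
// "Offset L2" through the JMP at @L2 exactly as the post describes.

// The buggy version from the post: @L2 sits directly on a JMP, so the
// table entry for @L2 is compiled as the JMP's target, @L1.
Function BugTest : Cardinal;
Asm
  Jmp @Start
@L1:
  Nop
  Nop
  Nop
  Nop
@L2:
  Jmp @L1               // label points straight at a JMP: triggers the bug
  Nop
  Nop
@L3:
  DD Offset L2          // Start address (resolved to @L1 by the bug)
  DD Offset L3          // End address
@Start:
  Lea ECX, Offset @L3
  Mov EAX, [ECX]        // Get start address
  Mov ECX, [ECX+4]      // Get end address
  Sub ECX, EAX          // Length = end - start
  Mov @Result, ECX
End;

// The workaround: one Nop in front of the JMP, so the first instruction at
// @L2 is no longer a JMP and the table entry resolves to @L2 itself.
Function FixedTest : Cardinal;
Asm
  Jmp @Start
@L1:
  Nop
  Nop
  Nop
  Nop
@L2:
  Nop                   // workaround: first instruction at the label is not a JMP
  Jmp @L1
  Nop
  Nop
@L3:
  DD Offset L2          // Start address
  DD Offset L3          // End address
@Start:
  Lea ECX, Offset @L3
  Mov EAX, [ECX]        // Get start address
  Mov ECX, [ECX+4]      // Get end address
  Sub ECX, EAX          // Length = end - start
  Mov @Result, ECX
End;

begin
  WriteLn('BugTest   : ', BugTest);
  WriteLn('FixedTest : ', FixedTest);
end.
```

The code between @L1 and @L3 is never executed (the function jumps straight to @Start); it exists only to be measured, which is why replacing the Jmp with a Jcc, the post's other workaround, is equally safe here.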