<center> <big> <big> Blog of BoB - <em> Random posts about programming and reverse engineering. </em> </big> </big> </center>
<p>Author: <a href="http://www.blogger.com/profile/14843372346166610265">Neil</a>. Feed last updated 2024-03-08.</p>

<h2>Ironically, Delphi XE6 huge 20 MB+ FireMonkey executables are detected as "BobSoft Mini Delphi -> BoB / BobSoft" by PEiD</h2>
<p>Posted 2014-04-28.</p>
<h2>Delphi + Windows Dialogs</h2>
<p>Posted 2014-03-07.</p>
<p>Even after all these years using Delphi 7, I still wish it had a Windows dialog designer rather than the custom Form VCL. I think Delphi would have been a more popular language if they had done this years ago.</p>
<p>I guess it would be possible to make a Delphi Expert to do this, but I cannot find one.</p>
<p>I never use the VCL or Forms and have made my own libraries to do this. Maybe it is harder for me, but I make programs that are easy for the user, not for the coder, and the smaller the better!</p>

<h2>I'm back</h2>
<p>Posted 2013-09-25.</p>
<p>Sorry for the silence, I've had a few personal problems - mostly being homeless for a while, and my computer dying. I lost over a year's code too :(</p>
<p>Well anyway, life goes on, and what has been lost can be made again. Expect updates soon :)</p>
<p>All links in this blog have been updated to my new site - <a href="http://woodmann.com/BobSoft/" target="_blank">http://woodmann.com/BobSoft/</a></p>

<h2>Hyde v1.01</h2>
<p>Posted 2011-12-12.</p>
<p>Today I released an update to the <a href="http://woodmann.com/BobSoft/Pages/Plugins/OllyDbg2/" target="_blank">Hyde OllyDbg2 plugin</a>, with a few more tricks added and bug fixes.</p>
<p>Please see the Hyde.txt contained within the archive for the list of changes.</p>

<h2>Hyde v1.00</h2>
<p>Posted 2011-09-12.</p>
<p>Today I released my second plugin for OllyDbg v2.xx - <a href="http://woodmann.com/BobSoft/Pages/Plugins/OllyDbg2" target="_blank">Hyde</a>.<br />
This plugin hides OllyDbg from various detection tricks, whilst allowing "normal" usage of APIs.<br />
What this means is that OllyDbg will be hidden from those APIs, but all other processes and windows can still be found.</p>
<p>The options can be saved to a file, to create patch-sets. So if you are debugging ASProtect, you can save the options to a file ASProtect.SET, which you can reload when you next need those options.<br />
As an example, a patch-set for VMProtect (or VProtect) is included in the distribution.</p>

<h2>WinMax plugin for OllyDbg v2.xx</h2>
<p>Posted 2011-08-08.</p>
<p>Over on <a href="http://woodmann.com/BobSoft/" target="_blank">my site</a> I have released my first plugin for <a href="http://www.ollydbg.de/version2.html">OllyDbg v2.xx</a>, Window Maximizer. As the name suggests, this plugin simply keeps all windows maximized automatically.</p>
<p>The new plugin-capable OllyDbg has been out for just a couple of days and is still alpha, so I haven't converted the full PDK yet, but full Delphi source is included.</p>
<p><a href="http://woodmann.com/BobSoft/Files/Plugins/OllyDbg2/Hyde_OD2_Plugin.RAR">Download</a></p>

<h2>Old PEiD projects</h2>
<p>Posted 2011-04-15.</p>
<p>Today I added some more projects from my old site:</p>
<ol>
<li><a href="http://woodmann.com/BobSoft/Files/Other/PEiDLL.zip">PEiDLL</a> (PEiD in a DLL) - This is a DLL that contains a slightly hacked version of PEiD v0.94 which allows you to use the <a href="http://woodmann.com/BobSoft/Files/Other/PEiD-0.95-20081103.zip">PEiD scanning engine</a> from your own projects.<br />
Included in the archive are documentation, an SDK, and examples in C++, Delphi and Asm.</li>
<li><a href="http://woodmann.com/BobSoft/Files/Programs/PluginToExe.rar">PluginToExe</a> - As the name suggests, this program converts PEiD plugins into executable files. It adds a small loader that does everything needed to make this work, including opening a file dialog (if no command line is supplied) and the actual loading of the file. Note: this actually converts the DLL into an EXE, so no separate loader EXE is needed.</li>
</ol>
<div>
Quite a few more projects to come! Keep checking back for more updates :)</div>

<h2>Converted Immunity Debugger 1.8x plugins</h2>
<p>Posted 2011-04-14.</p>
<p>A few days ago I released on <a href="http://woodmann.com/BobSoft/" target="_blank">my site</a> 13 plugins converted for use with Immunity Debugger 1.8x.</p>
<p>Most are converted from OllyDbg plugins, and some were originally in Immunity Debugger plugin format.<br />
All plugins were converted with my <a href="http://woodmann.com/BobSoft/Files/Programs/ImmDbg_Plugin_Fixer.RAR">FixPlugins</a> tool. Find them (and more!) <a href="http://woodmann.com/BobSoft/Pages/Plugins/ImmDbg" target="_blank">here</a>.</p>

<h2>Immunity Debugger Plugin-related projects released</h2>
<p>Posted 2011-04-01.</p>
<p>On my new site (<a href="http://woodmann.com/BobSoft/Pages/Plugins/ImmDbg">http://woodmann.com/BobSoft/</a>) yesterday, I released two new projects.</p>
<ol>
<li>Immunity Debugger PDK v1.03 - A multi-debugger-aware PDK that enables the same plugin to be used with old ImmDbg, new ImmDbg (v1.8x+), and OllyDbg (and patched versions). No patching is needed to make it work on e.g. ImmDbg v1.73, OllySND or OllyDRX; in fact, the plugin can sit in a shared plugin folder for all three!<br />
Get it <a href="http://woodmann.com/BobSoft/Pages/Plugins/ImmDbg#PDK" target="_blank">here</a>.</li>
<li>PluginFix v1.01 - Conversion tool for old ImmDbg plugins and OllyDbg plugins, to make them work with the newer v1.8x ImmDbg plugin changes. This process requires altering the imports and exports of a plugin so that it will:<br />
A) be loaded by ImmDbg v1.8x, by removing implicit imports of OllyDbg or old ImmDbg;<br />
B) have its exports fixed so that ImmDbg recognises it as a valid plugin.<br />
Get it <a href="http://woodmann.com/BobSoft/Pages/Plugins/ImmDbg#PluginFix" target="_blank">here</a>.</li>
</ol>
<p>More detailed information can be found by clicking the links.</p>

<h2>Weird Delphi 7 compiler bugs (Part 1)</h2>
<p>Posted 2011-03-31.</p>
<p>This one I came across only recently. It only affects ASM blocks.</p>
<blockquote><pre>
Function BugTest : Cardinal;
Asm
  Jmp @Start
  @L1:
  Nop
  Nop
  Nop
  Nop
  @L2:
  Jmp @L1
  Nop
  Nop
  @L3:
  DD Offset L2     // Start address
  DD Offset L3     // End address
  // Return the distance between labels @L2 and @L3
  @Start:
  Lea ECX, Offset @L3
  Mov EAX, [ECX]   // Get start address
  Mov ECX, [ECX+4] // Get end address
  Sub ECX, EAX     // Sub start from end to get len
  Mov @Result, ECX
End;
</pre></blockquote>
<p>Running this code should give a result of 4 (a 2-byte Jmp and 2 Nops), but it doesn't: the function returns 8!</p>
<p>What actually happens is that the start address is taken from the JMP instruction at the @L2 label, meaning that the start address value compiled into the table at @L3 is the JMP's target, @L1, instead of @L2.<br />
This doesn't happen with any conditional Jcc, just JMP, and only when the label is referenced through a DWord table offset. A very rare condition, but annoying if you don't know what is going on.</p>
<p>So how to stop this? Well, as noted above, you can alter the JMP to be a Jcc, or rearrange the instructions so that the first instruction at the label is not a JMP (I added a NOP).</p>
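<p>The NOP workaround the post describes, written out as an added example (not code from the original post): the same measuring function with a NOP inserted at @L2 so the label no longer sits on a JMP. It assumes Delphi 7 BASM and the post's own syntax for the DD table and @Result compile as shown; the expected result becomes 5, because the extra NOP is now counted.</p>

```pascal
// Added example, not from the original post. The bytes between @L2 and @L3
// are never executed; they are only measured via the DD table at @L3.
// Expected result: 5 (NOP + 2-byte JMP + 2 NOPs), not the bogus 8.
Function BugTestFixed : Cardinal;
Asm
  Jmp @Start
  @L1:
  Nop
  Nop
  Nop
  Nop
  @L2:
  Nop              // workaround: the label now marks a NOP, not a JMP
  Jmp @L1
  Nop
  Nop
  @L3:
  DD Offset L2     // start address, now the real address of @L2
  DD Offset L3     // end address
  @Start:
  Lea ECX, Offset @L3
  Mov EAX, [ECX]   // start address from the table
  Mov ECX, [ECX+4] // end address from the table
  Sub ECX, EAX     // length = end - start
  Mov @Result, ECX
End;
```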