Tuts 4 You

2.xx Plugins

84 files

  1. OllyExt

    OllyExt is a plugin for Olly 2.xx debugger. The main intention of this plugin is to provide the biggest anti-anti debugging features and bug fixes for Olly 2.xx. VMProtect support!
    The currently available commands are the following:
    - Code Rip to Clipboard
    - Code Rip to Clipboard Recursive
    - Data Rip to Clipboard
    - Signature Rip to Clipboard

    The currently supported protections are the following:
    - IsDebuggerPresent
    - NtGlobalFlag
    - HeapFlag
    - ForceFlag
    - CheckRemoteDebuggerPresent
    - OutputDebugString
    - NtClose
    - SeDebugPrivilege
    - BlockInput
    - ProcessDebugFlags
    - ProcessDebugObjectHandle
    - TerminateProcess
    - NtSetInformationThread
    - NtQueryObject
    - FindWindow
    - NtOpenProcess
    - Process32First
    - Process32Next
    - ParentProcess
    - GetTickCount
    - timeGetTime
    - QueryPerformanceCounter
    - ZwGetContextThread
    - NtSetContextThread
    - KdDebuggerNotPresent
    - KdDebuggerEnabled
    - NtSetDebugFilterState
    - ProtectDRX
    - HideDRX
    - DbgPrompt
    - CreateThread
    - NtSystemDebugControl
    - Custom (write your own)

    The currently supported bug fixes are the following:
    - Caption change
    - Kill Anti-Attach (dll integrity check)

    Requirements:
    - Microsoft Visual C++ 2010 Redistributable Package (x86)

    OS support:
    - Windows XP
    - Windows Server 2003 R2
    - Windows Server 2008 R2
    - Windows 7
    - Windows Server 2012
    - Windows 8
    - Windows Server 2012 R2
    - Windows 8.1

    Limitations:
    - Because of a missing PDK function, data ripping is ONLY supported on the latest 2.01.

    If you have any problem just notify me.

    2,923 downloads

    0 comments

    Updated

  2. Vic Plug-In-2

    ----- [ MENU ] -----
    - Show the toolbar in the title of OllyDbg window
    - Maximize OllyDbg window when starting
    - Maximize OllyDbg child windows when starting
    - Show address info in status bar
    - Use APIs menu in OllyDbg menu bar
    - Apply confirm exit for OllyDbg
    - Make the transparency for OllyDbg window
    - Debuggee Data
      . Delete UDD data of the current session
      . Delete all UDD data
      . Open UDD data list
      . Delete recent debuggee files
    - Data Converter
    - DLL Process Viewer
    - File Location Converter
    - PE Viewer
    - Thread Viewer
    - Lookup Error Code
    - Find events of C++ Builder / Delphi VCL GUI application
    - Advanced Map File Importer
      . Map File Importer
      . Open Label window
      . Open Comment window
    - Bypass Anti Debugging
      . Hide the PEB
    - Data Copier
      . VA Address
      . RVA Address
      . Offset Address
      . ANSI String
      . UNICODE String
      . Code Ripped
    - Breakpoint Manager
      . INT3 Delete all
      . INT3 Import
      . INT3 Export
      . HWBP Delete all
      . HWBP Import
      . HWBP Export
      . MBP Delete all
      . MBP Import
      . MBP Export
    - Follow Me
      . Follow in Disassembler at <address>
      . Follow in Dump at <address>
      . Copy <address> to clipboard
    - Check for update
    - Information

    1,281 downloads

    0 comments

    Updated

  3. Swordfish

    Swordfish is an OllyDbg 2 plugin supporting many useful features to simplify the use of OllyDbg.

    639 downloads

    0 comments

    Updated

  4. OllyDumpEx

    This plugin is a process memory dumper for OllyDbg and Immunity Debugger.

    Very simple overview:
    OllyDumpEx = OllyDump + PE Dumper - obsoleted + useful features

    Features:
    - Various debuggers supported
    - Select to dump debuggee exe, loaded dll or non-listed module
    - Search PE File from memory
    - Multiple Dump mode: Rebuild for typical PE dump, Binary for PE Carving
    - PE32+ supported (Search and Binary Dump mode only available on 32bit debugger)
    - Native 64bit process supported (IDA Pro, WinDbg and x64dbg)
    - ELF supported (both 32bit and 64bit)
    - Standalone version available
    - Dump any address space as section even if not in original section header
    - Auto calculate many parameters (RawSize, RawOffset, VirtualOffset, ...)

    Supported Debugger:
    - OllyDbg version 1.10 (tested 1.10)
    - OllyDbg version 2.01 (tested 2.01)
    - Immunity Debugger version 1.8x or higher (tested 1.85)
    - IDA Pro 32bit build version 5.0 or higher (tested 6.9)
    - IDA Pro 64bit build version 7.0 or higher (tested 7.1)
    - IDA Freeware 32bit build version 5.0 (tested 5.0)
    - IDA Freeware 64bit build version 7.0 (tested 7.0.190307)
    - WinDbg version 6.x (tested 6.2)
    - x64dbg (tested 20170822 snapshot)

    238 downloads

    0 comments

    Submitted

  5. ScyllaHide

    ScyllaHide is an open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various functions in usermode to hide debugging. This will stay usermode! For kernelmode hooks use TitanHide.

    Debugger Hiding:
    - PEB - BeingDebugged, NtGlobalFlag, Heap Flags
    - NtSetInformationThread - ThreadHideFromDebugger
    - NtQuerySystemInformation - SystemKernelDebuggerInformation, SystemProcessInformation
    - NtQueryInformationProcess - ProcessDebugFlags, ProcessDebugObjectHandle, ProcessDebugPort, ProcessBasicInformation, ProcessBreakOnTermination, ProcessHandleTracing
    - NtSetInformationProcess - ProcessBreakOnTermination, ProcessHandleTracing
    - NtQueryObject - ObjectTypesInformation, ObjectTypeInformation
    - NtYieldExecution
    - NtSetDebugFilterState
    - NtUserBuildHwndList - EnumWindows
    - NtUserFindWindowEx - FindWindowA/W, FindWindowExA/W
    - NtUserQueryWindow
    - NtClose
    - NtCreateThreadEx
    - BlockInput
    - Remove Debug Privileges
    - OutputDebugStringA - OutputDebugStringW

    Timing Hooks:
    - GetTickCount
    - GetTickCount64
    - GetLocalTime
    - GetSystemTime
    - NtQuerySystemTimeHook
    - NtQueryPerformanceCounter

    Special functions:
    - Prevent Thread creation - for protectors like Execryptor. Only use if you know what you are doing!
    - Malware RUNPE Unpacker - Hooks NtResumeThread and terminates + dumps the process created by malware

    Protecting and Stealthing DRx (Hardware Breakpoints):
    - NtGetContextThread
    - NtSetContextThread
    - KiUserExceptionDispatcher (only x86)
    - NtContinue (only x86)

    Hooks:
    - Stealth hooks for 32-bit targets (Tested against Themida/VMProtect)

    195 downloads

    0 comments

    Submitted

  6. ODbgScriptO2

    ODbgScript is a plugin for OllyDbg, which is, in our opinion, the best application-mode debugger out there. One of the best features of this debugger is the plugin architecture which allows users to extend its functionality. ODbgScript is a plugin meant to let you automate OllyDbg by writing scripts in an assembly-like language. Many tasks involve a lot of repetitive work just to get to some point in the debugged application. By using this plugin you can write a script once and for all.
     

    162 downloads

    0 comments

    Submitted

  7. OD2-ExPlug

    + Main Menu +

    - Breakpoint Manager
    . Import Breakpoints
    . Export Breakpoints
    - MAP File Master
    . Import Labels
    . Import Comments
    . Import MAP To Library
    . Clear All Labels
    . Clear All Comments
    - Open Label Table
    - Plugin Debug Break
    . DoMyJob
    . Support..
    - Option
    - About...

    + Disasm Menu +

    - Data Copy
    . ANSI (str) (Copy ansi string to clipboard) (Ctrl + Alt + A)
    . WIDE (str) (Copy wide string to clipboard) (Ctrl + Alt + W)
    . BYTE (Copy 1 BYTE)
    . WORD (Copy 2 BYTE)
    . DWORD (Copy 4 Byte)
    . Address (Copy selected address) (Alt + Insert)
    - Breakpoint Manager
    . Import Breakpoints
    . Export Breakpoints
    . Delete All INT3 BPs (Delete all INT3 Breakpoints)
    . Delete All Hard BPs (Delete all Hardware Breakpoints)
    . Delete All Mem BPs (Delete all Memory Breakpoints)
    - Tools
    . Notepad
    . Calculator
    . TaskMgr
    . HashTool
    . Configuration
    - Label Master
    . Add New Label (Ctrl + Shift + E)
    . Open Label Table (Ctrl + Shift + T/L)
    . Follow In Dump (Ctrl + D)
    . Search By Google (Ctrl + Shift + G)
    - ASM2Clipboard (Ctrl + Shift + A)
    - ASCII Hint
    - ByteCounter
    - Go EIP (Shortcut Only: Esc)

    + Dump Menu +

    - Data Copy
    . ANSI (str) (Copy ansi string to clipboard) (Ctrl + Alt + A)
    . WIDE (str) (Copy wide string to clipboard) (Ctrl + Alt + W)
    . BYTE (Copy 1 BYTE)
    . WORD (Copy 2 BYTE)
    . DWORD (Copy 4 Byte)
    . Address (Copy selected address)(Alt + Insert)
    - Follow In Dump (Ctrl + D)
    - Follow In Disassembler (Ctrl + Alt + D)
    - Create DumpWindow (Ctrl + Alt + C)
    - ReverseHex (Ctrl + Z)
    - MiNiHash (Ctrl + Alt + Z)

    + Info Bar +

    - Add selected count(er)

    + Register Menu +

    - Hardware Breakpoint [ESP]

    + INT3Breakpoint Menu +

    - Breakpoint->
    . Set a few breakpoints

    + HotKey +
    PRESS and HOLD the "H" key for 0.5s to Register/Unregister Hotkey. You must PRESS and HOLD the hotkey for 0.1s for it to work.
    . "Esc" : go EIP(current origin) (Allow on any MDIWindows)
    . "," : Copy BYTE
    . "." : Copy WORD
    . "/" : Copy DWORD
    . "`" : Copy Address
    . "[" : Go to start of function (You must analyse the code before using it)
    . "]" : Go to end (RET) of function
    . "Gray *" : Set "Malware Analysis" breakpoint group
    . "Gray /" : Set "NET" breakpoint group
    . NOTE: THE HOTKEY MAY NOT WORK WITH THE MOD OLLYDBG (SND v2.2) (Use OllyDbg2FixeR Plugins To Fix Bug In SnD v2.2)

    150 downloads

    0 comments

    Submitted

  8. StrFinder

    I always wanted to write an OD plug-in for myself. Finally I referenced a lot of code. After copying the code of many people, I have written an OD2.01 character search plugin.
    I have never touched the OD plug-in before, and it took about two and a half days to write this.
    I feel that the OD2.01 plug-in is simpler to write than 1.x because most of the code I refer to is 1.x, which feels a bit complicated. After trying to figure out the whole structure by myself, it feels quite simple.
    The main difficulty is that there is no API manual. The API on the official website is not complete. Basically, it takes more time to test the API.
    It can search ASCII and UNICODE. Includes "Find" and "FindNext" options.

    144 downloads

    0 comments

    Submitted

  9. Debug Plugin

    DebugPlugin allows you to debug other plugins of OllyDbg 2.

    132 downloads

    0 comments

    Updated

  10. Multiline Ultimate Assembler

    Multiline Ultimate Assembler is a multiline (and ultimate) assembler (and disassembler) plugin for OllyDbg. It's a perfect tool for modifying and extending a compiled executable functionality, writing code caves, etc.
    Installation:
    The plugin works with OllyDbg v1.10, OllyDbg v2, Immunity Debugger, and x64dbg.
    To install the plugin, copy the appropriate DLL file to the plugin directory:
    - multiasm_odbg.dll - OllyDbg v1.10.
    - multiasm_odbg2.dll - OllyDbg v2.
    - multiasm_immdbg.dll - Immunity Debugger.
    - multiasm_x64dbg.dp[32|64] - x64dbg.

    112 downloads

    0 comments

    Updated

  11. CmdBarO2

    Help command bar for OllyDbg version 2.01. All functions and commands of the regular cmdbar run.
    Shortcut for command line plugin: Alt+F1
    Shortcut for focus combobox: Ctrl+Alt+D
    Commands are not case-sensitive, parameters in brackets are optional.

    110 downloads

    0 comments

    Submitted

  12. AnalyzeThis

    Sometimes (especially when dealing with packers) you may need to run OllyDbg's code analysis function, only to find it's not available to you because the EIP is currently outside the code segment as defined by the PE header. AnalyzeThis! is an OllyDbg plugin to allow OllyDbg's analysis function to operate outside of the marked code segment, by telling OllyDbg the current segment *is* the code segment.

    Caveats: If the EIP is outside the range of a known executable module, AnalyzeThis! will not work. Also, OllyDbg can only store one analysis table, so if you analyze a new segment, it will remove any existing analysis that has been done.

    Source code has not been included; not because I don't want to release it at this time, but because I can't find it offhand. If you really need it, email me and I'll look harder for it.

    107 downloads

    0 comments

    Submitted

  13. HideOd

    A plugin to hide Olly.

    100 downloads

    0 comments

    Submitted

  14. TraceAPI

    This plugin allows tracing all calls to system DLLs in a single thread by setting one-time memory breakpoints.
    API trace can be started only if the process is paused. The plugin sets break on access on user code. When user code is reached, it removes break on access from user code and sets it on system code, and so on.
    Of course, it is possible that user code accesses data in the system area or vice versa. In this case I step over this command and restore the breakpoint. Such cases are rare.

    This plugin is by no means ideal. It runs only a single thread, and there may be problems if the program calls ZwContinue(). If a DLL unloads, the plugin doesn't delete call records. It doesn't check whether one-time breakpoints are already set by the user. It doesn't allow logging only selected APIs, and so on.

    100 downloads

    0 comments

    Submitted

  15. HolyshitO2

    The first version of this plugin had only one feature, that was to add a label list. The second edition includes a feature to let OllyDbg load .sys files. I added this feature for common use (but with this plugin - so far - you can't unpack driver files, it can't even get you to the EP). In a future edition we will be able to unpack a packed driver in OllyDbg, in ring3!
    The toolbar is from IDAFicator, I just improved it. It is flexible and supports OllyDbg 2.01h.
    I have written all details in toolbar.ini in Chinese because this plugin was only released yesterday and I had never thought it would be released on Tuts 4 You.
    The main goal of this plugin is same as IDAFicator: "This plugin tries to make the life of OllyDBG users easier by bringing to him some fast and frequently used function."
    HolyshitO2 release: several buttons have been added to facilitate searches in Olly; it is still configurable with the .ini file.

    98 downloads

    0 comments

    Submitted

  16. AntiDebugTimePlugin

    Modern computer programs are more complex in writing and more difficult for reversing. Serious programs have various means of protection against debugging. It prevents application reversing. There are a number of various approaches, like Debug Blocker, Nanomites, others.

    Measuring time to identify that an application is being debugged has become widespread practice lately. OllyDbg has the HideOD and Hide Debugger anti-debug plugins, which have no possibility to hide the actual time. This causes difficulties in application reversing.

    Let's consider the system of debugger identification. The debuggers are capable of making breakpoints in code. In this case the operation of the program is suspended. The program can detect such stopping by monitoring the system time. If there is a too long pause between the instructions - most likely the program has been stopped for analysis.

    95 downloads

    0 comments

    Submitted

  17. OllyDump

    Dump debuggee process memory and Rebuild IAT.

    92 downloads

    0 comments

    Submitted

  18. ODbgScript

    ODbgScript is a plugin for OllyDbg, which is, in our opinion, the best application-mode debugger out there. One of the best features of this debugger is the plugin architecture which allows users to extend its functionality. ODbgScript is a plugin meant to let you automate OllyDbg by writing scripts in an assembly-like language. Many tasks involve a lot of repetitive work just to get to some point in the debugged application. By using this plugin you can write a script once and for all.

    85 downloads

    0 comments

    Submitted

  19. Hyde

    Hyde is a plugin for OllyDbg v2.xx; its purpose is to hide OllyDbg from detection by the debuggee. This is done by patching memory and APIs, and the options (or patch sets) can be saved to file, for easy reloading.
    For example, with an ASProtect target you can set the patches that you need for ASProtect and save to a file "ASProtect.SET". This patch-set file can then be loaded whenever you need to debug ASProtect.

    Features:
    - All patched APIs should work "normally" - They should only hide OllyDbg, but work for other windows/processes etc.
    - All patches/hooks are selectable from the menu for quick access, or from the options dialog.
    - Optional Jmp variations (Push/Ret or Jmp[xxxxxxxx]) for patches.
    - Load/Save patch sets. Patch Sets are simply INI files, so can also be edited in notepad.
    - Remote allocated memory is separated into code and data with appropriate access, so there should be no problems with DEP.

    Patches:
    - PEB.IsDebugged
    - PEB.NtGlobalFlag
    - PEB.HeapFlags

    Hooks:
    - NtQueryInformationProcess
    - NtQuerySystemInformation
    - NtSetInformationThread
    - FindWindowA
    - FindWindowW
    - FindWindowExA
    - FindWindowExW
    - EnumWindows
    - Process32NextW
    - OutputDebugStringA
    - OutputDebugStringW
    - NtQueryObject
    - GetTickCount
    - NtOpenProcess
    - BlockInput
    - NtClose
    - GetStartupInfo

    Future:
    - Support any suggested hooks.
    - Possibly change exception options for OllyDbg in patch-sets?
    - Maybe detection of packer targets?

    76 downloads

    0 comments

    Submitted

  20. OllyMigrate

    This plugin makes it possible to pass the debuggee to another debugger without restarting (like VM live migration). Each debugger has both strong and weak points compared with the others.
    We can get only the strong points of each debugger by debuggee migration, e.g. using OllyDbg to bypass antidebug and detect the OEP, and after that using Immunity Debugger to fix the obfuscated import table.

    Very simple overview:
    OllyMigrate = Debuggee live migration plugin

    Features:
    - Various debuggers supported
    - Migrate debuggee between debuggers
    - Multi thread and suspended thread aware (running state not required)
    - Migrate software breakpoint settings (keep enabled/disabled status)
    - Migrate selected address of disassemble, memory and stack window

    Supported Debugger:
    - OllyDbg version 1.10 (tested 1.10)
    - OllyDbg version 2.01 (tested 2.01)
    - Immunity Debugger version 1.8x or higher (tested 1.85)
    - IDA Pro 32bit build version 5.0 or higher (tested 6.9)
    - IDA Pro 64bit build version 7.0 or higher (tested 7.1)
    - IDA Freeware 32bit build version 5.0 (tested 5.0)
    - IDA Freeware 64bit build version 7.0 (tested 7.0.190307)
    - WinDbg version 6.x (tested 6.2)
    - x64dbg (tested 20170822 snapshot)

    How to use (OllyDbg example):
    1. Install the "same version" plugin to the sender (src) and receiver (dst) debuggers.
    2. Start the sender debugger to add the receiver debugger definition.
       Menu > Plugins > OllyMigrate > Options
       Input debugger info:
        Path: receiver debugger path (Click [Browse] and select file)
        Tag:  anything is ok (identification only)
        Args: debugger command line argument (usually no need to change)
       Click [Add] and [Save]
    3. Open the debuggee using the sender debugger.
    4. Start debugging (e.g. until the OEP is detected).
       After that switch to the other debugger. Paused status is recommended.
       Menu > Plugins > OllyMigrate > Send Debuggee
       Select the destination debugger and click [Migrate]
    5. The receiver debugger starts up automatically and receives the debuggee.
       Continue debugging.

    73 downloads

    0 comments

    Submitted

  21. Fastpad

    The Fastpad plugin allows taking notes in OllyDbg; the Fastpad window hides automatically when not in use. To open it just put the cursor on the left of the screen; the cursor turns red on contact.
    One can save the selected text directly from Olly using the shortcut CTRL+q.
    Fastpad automatically saves the text in the plugin\fastpad directory (each debuggee has a different .txt file).

    70 downloads

    0 comments

    Submitted

  22. OllyPath2

    When using OllyDbg as a portable version (e.g. on an USB stick) there are always problems with the UDD/Plugin path not being set correctly.
    The features:
    - DLL, which sets Plugins, UDD and win32.hlp paths automatically
    - Dummy export so it's easy to add the DLL to your olly mod
    - Open source

    Attached is DLL + Source, I hope it's useful for somebody. Feel free to modify to your needs, just credit where you think it's needed.
    P.S. To add the DLL to your mod: Use CFF explorer to add the import "dummy" (which does nothing) to ollydbg.exe, this will execute the DllMain function (which can be considered illegal) and set the paths in the INI file.
    OllyPath2.dll must be in the same directory as ollydbg.exe

    65 downloads

    2 comments

    Submitted

  23. OllySEH

    I used to have such a plugin in Olly 1.10 (OllySSEH) for SEH - BOF exploiting and wrote a basic one for OllyDbg 2.01b2.

    Displays the modules of the loaded target and gives information if the modules have been compiled with "/safeSEH ON" or "/safeSEH OFF" or don't have a SEH at all.

    64 downloads

    0 comments

    Submitted

  24. OllyDbg2FixeR

    OllyDbg2FixeR is a plugin for OllyDbg201(I). OllyDbg2FixeR allows you to fix OllyDbg assemble BUG when you press space/double-click on CALL/JUMP commands.

    If you have chosen "Show Symbolic Addresses" in OllyDbg options, this BUG only decodes by the name of the API/Label when it exists.

    You must check "Fix Assemble" to fix the BUG, or uncheck it if you want to "ReStore Assemble" to the OllyDbg "default".

    You can also add NEW PARAMETERS manually for OllyDbg2FixeR to patch OllyDbg2, including (ManualPatch, Address, OldByte, NewByte, PatchLen, PatchTime):

    ManualPatch must be = 1 (Flag to Enable)
    PatchTime must be valid.
    Address[x] must be valid.
    PatchLen[x] must be <= 1024 Byte.
    OldByte[x] = Original Byte at address.
    NewByte[x] = New Byte to patch at address.
    See "OllyDbg2FixeR.PNG" for more detail.

    It's easy to fix SMALL BUGs of OllyDbg automatically when you run OllyDbg2 with the OllyDbg2FixeR plugin.

    62 downloads

    0 comments

    Updated

  25. TransOlly2

    TransOlly2 allows making Olly transparent in order to see the application being debugged under Olly.
    It can be activated or deactivated with the Alt + F11 keyboard shortcut.

    62 downloads

    0 comments

    Submitted

