Tuts 4 You

2.xx Plugins

84 files

  1. AAHWBP

    This is a plugin for OllyDbg 2 that can be used to help hide hardware breakpoints from being modified by SEH.

    36 downloads

    0 comments

    Submitted

  2. Address Shortcuts

    This plugin adds highly needed shortcuts to OllyDbg including Follow DWORD in Disassembler (Ctrl+Enter), Follow DWORD in Dump (Alt+Enter), and Copy RVA (Alt+"+").
    This plugin adds the following menu options / shortcuts to OllyDbg v2.01:
    Follow DWORD in Disassembler (Ctrl+Enter)
    Follow DWORD in Dump (Alt+Enter)
    Follow DWORD in Stack
    Copy RVA: similar to Alt+Ins in Olly, except that the address will be relative to the start of the module.
    Copy RVA (pretty) (Alt+"+"): the string will be formatted as helloworld+0x36a4.
    Copy file offset: similar to Alt+Ins in Olly, except that the address will be relative to the start of the file.
    Copy file offset (pretty) (Ctrl+"+"): the string will be formatted as helloworld.dll+0x36a4.
    Note: the "+" key is in the top row of the keyboard, not on the number pad.
    The above keyboard shortcuts (Alt vs. Ctrl, etc.) were chosen rather arbitrarily, so feel free to change them.
    Usage
    Simply drop address_shortcuts.dll next to your OllyDbg.exe, then restart OllyDbg, and Address Shortcuts should appear under your right-click menu.
    Now, look at a C++ object (with virtual functions) in the Memory Dump pane. The first dword should be a vtable address. Press Alt+Enter to follow it. Now press Ctrl+Enter to quickly pull up any function in the Disassembly Pane, and Alt+"+" to copy its RVA in a pretty format (helloworld+0x36a4). And, as usual, use the familiar Numpad-Plus/Minus to navigate forwards/backwards and Alt+Ins to copy raw addresses. Copy/paste hex bytes with Ctrl+Ins/Shift+Ins, and generate pretty hexdumps with Ctrl+C.
    Compiling
    You will need the OllyDbg Plugin SDK (ollydbg.lib).
    Using GCC:
    Copy CodeBlocks/plugin.h and CodeBlocks/ollydbg.lib from plug201h.zip into the current directory, then run:
    gcc -std=c99 -Wall -m32 -Os -g0 -funsigned-char -shared -nostartfiles -s -static-libgcc -o address_shortcuts.dll address_shortcuts.c ollydbg.lib  

    44 downloads

    0 comments

    Submitted

  3. Advanced Labels

    Advanced labels with user datatypes support. Pointers and arrays are supported too. Datatypes support embedding.

    51 downloads

    0 comments

    Submitted

  4. AnalyzeThis

    Sometimes (especially when dealing with packers) you may need to run OllyDbg's code analysis function, only to find it's not available to you because the EIP is currently outside the code segment as defined by the PE header. AnalyzeThis! is an OllyDbg plugin to allow OllyDbg's analysis function to operate outside of the marked code segment, by telling OllyDbg the current segment *is* the code segment.

    Caveats: If the EIP is outside the range of a known executable module, AnalyzeThis! will not work. Also, OllyDbg can only store one analysis table, so if you analyze a new segment, it will remove any existing analysis that has been done.

    Source code has not been included; not because I don't want to release it at this time, but because I can't find it offhand. If you really need it, email me and I'll look harder for it.

    109 downloads

    0 comments

    Submitted

  5. AntiDebugTimePlugin

    Modern computer programs are more complex to write and more difficult to reverse. Serious programs use various means of protection against debugging, which hinder reversing. There are a number of approaches, such as Debug Blocker, Nanomites and others.

    Measuring time to detect that an application is being debugged has lately become widespread practice. OllyDbg has the HideOD and Hide Debugger anti-debug plugins, but they have no way to hide the actual time. This causes difficulties in reversing the application.

    Consider how such debugger detection works. Debuggers can set breakpoints in code, and when one is hit the program is suspended. The program can detect this stop by monitoring the system time: if there is too long a pause between instructions, the program has most likely been stopped for analysis.

    95 downloads

    0 comments

    Submitted

  6. Asm2Clipboard

    With this plugin you can copy selected Olly assembler code to the clipboard.

    There are four functions available:

    1st Rip code (MASM)
    2nd Rip code (inline assembly for C / C++)
    3rd Copy hex code
    4th Copy lines of code

    The first two functions are useful if you want to re-use your code in your MASM and C / C++ projects.

    The code is adapted to MASM / C / C++ syntax, including calls and adjusted jump destinations.

    The third function copies only the hex code to the clipboard.

    The last function copies the selected lines of code (no hex) including the comments.

    38 downloads

    0 comments

    Submitted

  7. BinaryCopyEx

    BinaryCopyEx is a plugin for the OllyDbg 2.01 debugger that extends OllyDbg's copy capabilities. Binary code can now be copied with the following syntaxes:
    Hex Values
    Assembler
    C/C++
    Pascal
    Basic
    Binary As ASCII String
    Binary As Unicode String
    Binary code can also be copied with the following data types:
    Byte
    Word
    Dword
    Qword
    Installation:
    Extract BinaryCopyEx.dll into the OllyDbg plugin folder.
    Main features:
    select a virtual memory address/address range directly in the CPU pane (Disasm, Dump or Stack panes)
    enter a virtual memory address/address range in the window manually
    copy binary to the clipboard (according to the selected format: syntax, data type, etc.)
    save binary to a text file (according to the selected format: syntax, data type, etc.)
    Format options:
    set the number of items (byte, word, dword, qword) per line
    set leading zeros (if necessary)
    split items by any characters (spaces, tabs, etc.)
    swap the bytes of items (word, dword, qword)
    Plugin options:
    create a toolbar button on startup (default is on)
    change the toolbar button offset (position in the toolbar)
    switch on/off flashes (messages) in the OllyDbg info line when a virtual memory address/address range is selected
    change the text file extension (default is .txt)
    Shortcut:
    Use ALT+Q to open the BinaryCopyEx window

    49 downloads

    0 comments

    Updated

  8. Bookmark

    The default bookmark plugin for OllyDbg 2 by its author, Oleh Yuschuk. Includes source code examples for Borland C++ Builder 5.0, Borland C++ 5.5, Visual C++ 2005 (Express Edition) and Code::Blocks (MinGW).

    45 downloads

    0 comments

    Submitted

  9. Call Stack

    Shows the call stack in a window.

    45 downloads

    0 comments

    Submitted

  10. CleanUDD

    Moves the *.udd and *.bak files from the OllyDbg UDD folder to the Windows Recycle Bin.

    35 downloads

    0 comments

    Submitted

  11. CleanupExEx

    CleanupExEx is a plugin for OllyDbg 2.XX. It is a new plugin, but it builds on the good idea of CleanupEx (by Gigapede and atom0s) to work on OllyDbg 2.XX. The plugin deletes OllyDbg data files (*.UDD, *.BAK) in the UDD directory.

    The plugin isn't polished, but the source code is OPEN (Delphi IDE). You can improve/add/modify the code however you like.

    Why was "CleanupExEx" created? I found a BUG in both plugins, CleanupEx v2 and VicPlugIn2; neither worked on OllyDbg 2.01 (G, H, I). So I decided to create my own plugin to do that.

    40 downloads

    0 comments

    Submitted

  12. ClearOD

    Automatically clear OllyDbg history (UDD directory, etc.)

    30 downloads

    0 comments

    Submitted

  13. CmdBarO2

    Command bar for OllyDbg version 2.01. All functions and commands of the regular cmdbar work.
    Shortcut for the command line plugin: Alt+F1
    Shortcut to focus the combobox: Ctrl+Alt+D
    Commands are not case-sensitive; parameters in brackets are optional.

    115 downloads

    0 comments

    Submitted

  14. Command Bar

    Gigapede's Command Bar 3.20.110 ported to OllyDbg 2.01g.
    t_command cmdlist[] = {
      // "Assignment" command, must be first in the list.
      { _T("SET"),    _T("LV"), 0, Setcmnd, _T("Writes value of expression to reg|mem") }, // Assign to lvalue
      // Disassembler commands.
      { _T("AT"),     _T("A"),  0, Dasmcmd, _T("Disassemble at address") },
      { _T("FOLLOW"), _T("A"),  0, Dasmcmd, _T("Disassemble at address") }, // Ditto
      { _T("ORIG"),   _T(""),   0, Dorigin, _T("Disassemble at EIP") },
      { _T("*"),      _T(""),   0, Dorigin, _T("Disassemble at EIP") },     // Ditto
      // Dump and stack commands.
      { _T("D"),      _T("A"),  0, Dumpcmd, _T("Dump at address") },
      { _T("DUMP"),   _T("A"),  0, Dumpcmd, _T("Dump at address") },
      { _T("DA"),     _T("a"),  DU_DISASM|0x0011,  Dumpcmd, _T("Dump as disassembly") },
      { _T("DB"),     _T("a"),  DU_HEXTEXT|0x0101, Dumpcmd, _T("Dump in hex byte format") },
      { _T("DC"),     _T("a"),  DU_TEXT|0x0401,    Dumpcmd, _T("Dump in ASCII format") },
      { _T("DD"),     _T("a"),  DU_ADDR|0x0014,    Dumpcmd, _T("Dump in stack format") },
      { _T("DU"),     _T("a"),  DU_UNICODE|0x0402, Dumpcmd, _T("Dump in UNICODE format") },
      { _T("DW"),     _T("a"),  DU_IHEX|0x0082,    Dumpcmd, _T("Dump in hex word format") },
      { _T("STK"),    _T("A"),  0, Stakcmd, _T("Go to address in stack") },
      // Assembling commands.
      { _T("A"),      _T("AS"), 0, Assembl, _T("Assemble at address") },
      // Comments and labels.
      { _T("L"),      _T("AS"), NM_LABEL,   Commlab, _T("Label at address") },
      { _T(":"),      _T("AS"), NM_LABEL,   Commlab, _T("Label at address") }, // Ditto
      { _T("C"),      _T("AS"), NM_COMMENT, Commlab, _T("Comment at address") },
      // Breakpoint commands.
      { _T("BP"),     _T("AS"), 0, Breakpt, _T("Break with condition") },
      { _T("BPX"),    _T("S"),  0, Brkname, _T("Break on all calls") },
      { _T("BPD"),    _T("S"),  1, Brkname, _T("Delete break on all calls") },
      { _T("BC"),     _T("A"),  0, Delbkpt, _T("Delete breakpoint") },
      { _T("ME"),     _T("Av"), MEMBP_EXETURE, Membkpt, _T("Memory breakpt on execute") },
      { _T("MR"),     _T("Av"), MEMBP_READ,    Membkpt, _T("Memory breakpt on access") },
      { _T("MW"),     _T("Av"), MEMBP_WRITE,   Membkpt, _T("Memory breakpt on write") },
      { _T("MERW"),   _T("Av"), MEMBP_ERWALL,  Membkpt, _T("Memory breakpt on E.R.W") },
      { _T("MD"),     _T("Av"), 0,             Membkpt, _T("Remove memory breakpoint") },
      { _T("HR"),     _T("A"),  HB_ACCESS, Hwbreak, _T("HW break on access") },
      { _T("HW"),     _T("A"),  HB_WRITE,  Hwbreak, _T("HW break on write") },
      { _T("HE"),     _T("A"),  HB_CODE,   Hwbreak, _T("HW break on execution") },
      { _T("HD"),     _T("a"),  HB_FREE,   Hwbreak, _T("Remove HW breakpoint") },
      // Stepping and tracing commands (commented out in this port).
    //{ _T("STOP"),   _T(""),   VK_F12, Keystrk, _T("Pause execution") },
    //{ _T("PAUSE"),  _T(""),   VK_F12, Keystrk, _T("Pause execution") },        // Ditto
    //{ _T("RUN"),    _T(""),   0,      Runprog, _T("Run program") },
    //{ _T("G"),      _T("a"),  0,      Runprog, _T("Run till address") },
    //{ _T("GE"),     _T("a"),  1,      Runprog, _T("Run and pass exception") },
    //{ _T("S"),      _T(""),   0,      Stepper, _T("Step into") },
    //{ _T("SI"),     _T(""),   0,      Stepper, _T("Step into") },              // Ditto
    //{ _T("SO"),     _T(""),   1,      Stepper, _T("Step over") },
    //{ _T("T"),      _T("a"),  0,      Tracing, _T("Trace in till address") },
    //{ _T("TI"),     _T("a"),  0,      Tracing, _T("Trace in till address") },  // Ditto
    //{ _T("TO"),     _T("a"),  1,      Tracing, _T("Trace over till address") },
    //{ _T("TC"),     _T("S"),  0,      Tracing, _T("Trace in till condition") },
    //{ _T("TOC"),    _T("S"),  1,      Tracing, _T("Trace over till condition") },
    //{ _T("TR"),     _T(""),   VK_F9,  Ctrlkey, _T("Till return") },
    //{ _T("TU"),     _T(""),   VK_F9,  Altkeyd, _T("Till user code") },
      // Table window commands (commented out in this port).
    //{ _T("LOG"),    _T(""),   _T('L'), Altkeyd, _T("View Log window") },
    //{ _T("MOD"),    _T(""),   _T('E'), Altkeyd, _T("View Modules window") },
    //{ _T("MEM"),    _T(""),   _T('M'), Altkeyd, _T("View Memory window") },
    //{ _T("CPU"),    _T(""),   _T('C'), Altkeyd, _T("View CPU window") },
    //{ _T("CS"),     _T(""),   _T('K'), Altkeyd, _T("View Call Stack") },
    //{ _T("BRK"),    _T(""),   _T('B'), Altkeyd, _T("View Breakpoints window") },
    //{ _T("OPT"),    _T(""),   _T('O'), Altkeyd, _T("Open Options") },
      // Application commands (commented out in this port).
    //{ _T("EXIT"),   _T(""),   _T('X'), Altkeyd, _T("Quit OllyDbg") },
    //{ _T("QUIT"),   _T(""),   _T('X'), Altkeyd, _T("Quit OllyDbg") },          // Ditto
      // Miscellaneous commands (commented out in this port).
    //{ _T("OPEN"),   _T("S"),  0,      Openexe, _T("Open executable file") },
    //{ _T("CLOSE"),  _T(""),   VK_F2,  Altkeyd, _T("Close executable") },
    //{ _T("RST"),    _T(""),   VK_F2,  Ctrlkey, _T("Restart current program") },
    //{ _T("HELP"),   _T("S"),  0,      Heeeelp, _T("Help on API function") },
    //{ _T("H"),      _T("S"),  0,      Heeeelp, _T("Help on API function") },   // Ditto
      // My commands.
      { _T("ASM"),    _T("S"),  0, LineAsm, _T("Assemble (if command needs its own address, \"ASM COMMAND;ADDRESS\")") },
      { _T("DASM"),   _T("S"),  0, LineDsm, _T("Disassemble immediate opcode") },
    //{ _T("FR"),     _T(""),   _T('R'), CtlDasm, _T("Find reference to selected command/address") },
    //{ _T("AC"),     _T(""),   _T('A'), CtlDasm, _T("Analyse code") },
    //{ _T("SN"),     _T(""),   _T('N'), CtlDasm, _T("Search for Name(label) in current module") },
    //{ _T("SOB"),    _T(""),   _T('O'), CtlDasm, _T("Scan object files") },
      // Macro and script commands.
      { _T("MAC"),    _T("S"),  0, LoadMac, _T("Execute Macro Command") },
      { _T("OSC"),    _T("S"),  0, GoScrpt, _T("Execute OllyScript script") },
      // Calculator and watch commands.
      { _T("CALC"),   _T("V"),  0, Express, _T("Estimate expression") },
      { _T("?"),      _T("V"),  0, Express, _T("Estimate expression") },        // Ditto
    //{ _T("WATCH"),  _T("S"),  0, Addwtch, _T("Add watch expression") },
    //{ _T("W"),      _T("S"),  0, Addwtch, _T("Add watch expression") },       // Ditto
      // Default: a bare expression is evaluated. Must be last in the list.
      { _T(""),       _T("V"),  0, Express, _T("Estimate expression") }
    };

    57 downloads

    0 comments

    Updated

  15. Debug Plugin

    DebugPlugin allows you to debug other plugins of OllyDbg 2.

    132 downloads

    0 comments

    Updated

  16. DEF2

    DEF is a small plugin to search for Delphi events.
    The events are saved in the UDD file.

    56 downloads

    0 comments

    Submitted

  17. DiffSnake

    Inspired by the Olly Hit Snake plugin I wrote something similar for Olly 2. I am calling it DiffSnake.
     
    Basically you use the Hit Trace feature in Olly. Run the hit trace up to some point. Then take a snapshot. Continue running the hit trace up to some other point, then call the diff. You will see a window with all the code addresses called since. The color of the hit trace 'dots' for the new code will be changed to black (from the original red).

    26 downloads

    0 comments

    Submitted

  18. DragAttach

    This plugin allows you to quickly attach a running process by dragging a pointer from OllyDbg to the running process' window.

    22 downloads

    0 comments

    Submitted

  19. DumpAddressColor

    Colorizes the double-words in the CPU dump of OllyDbg 2 by the following rules:
    Red: an address to a code block of a module.
    Magenta: an address to a non-code block of a module.
    Yellow: an address to a non-module memory block.
    Black: a handle of a window which belongs to the debuggee process.
    The colors can be changed in the .ini file.
    Limitations: double-words that span two rows are not processed.

    41 downloads

    0 comments

    Submitted

  20. DumpHistoryNavFixer

    This plugin fixes a minor, but annoying issue with the CPU dump history navigation on OllyDbg 2.
    Without the plugin:

    With the plugin:

    25 downloads

    0 comments

    Submitted

  21. Fastpad

    FastpadPlugin allows you to take notes in OllyDbg; the Fastpad window hides automatically when not in use. To open it, just move the cursor to the left edge of the screen; the cursor turns red on contact.
    You can save the selected text directly from Olly using the shortcut CTRL+Q.
    Fastpad automatically saves the text in the plugin\fastpad directory (each debuggee has its own .txt file).

    70 downloads

    0 comments

    Submitted

  22. FireFly

    An embedded C++ script plugin for Ollydbg.

    40 downloads

    0 comments

    Submitted

  23. FollowImmediateConstant

    Adds the missing option to follow immediate constant in OllyDbg 2, just like in OllyDbg 1.10.
     

    35 downloads

    0 comments

    Updated

  24. Hardware Info

    This plugin was developed to help keygenners retrieve information about system hardware. This is useful when generating serial numbers that depend on a hardware ID: CPU, memory, MAC address, motherboard, hard disk volumes, etc.

    44 downloads

    0 comments

    Updated

  25. HideOd

    A plugin to hide Olly.

    100 downloads

    0 comments

    Submitted

