Tuts 4 You

26 files

  1. Ariadne Optimizer

    The Ariadne framework makes it possible for anyone involved in reverse engineering to save time when reversing code or creating new products. Using Ariadne, you can read and modify executable files, disassemble them, and even decompile part of the code into the intermediate representation (Ariadne IR). Of course, with Ariadne you can not only read disassembled or decompiled instructions, but also modify them. Moreover, modifications can be saved into the source executable file without using any additional tools. But that's not all! Ariadne has a series of original code trace optimization strategies built in, which can make your life a lot easier when working with obfuscated code. The Ariadne framework was initially developed for easy use in your own programs. The range of Ariadne applications is broad, from analysis of software with complex obfuscation to programs that provide obfuscation and software protection.

    Ariadne key features:
    - PE parser
      - Makes it possible to analyze and modify the PE format
      - Supports saving modifications into the PE file
    - Ariadne Intelligent Disassembler (AID)
      - Based on the open-source Mediana disassembler
      - GP, FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, SSE4a, VMX, SMX support
      - Provides good code coverage of a PE file without debugging information (the technology is based on heuristics rather than on signatures)
      - Supports MAP files
      - Recognizes switch tables and other entry points, including Borland initialization and other tables, during smart analysis
      - Splits code into basic blocks
      - Allows database saving/loading
      - Supports saving modifications into the PE file
    - Ariadne Intermediate Representation (AIR) language
      - Supports translation of assembler instructions into IR
      - Allows modifying IR instructions
      - Optimized for creating obfuscation and deobfuscation strategies
      - Contains code tracing mechanisms
      - Contains built-in trace deobfuscation (AIR Wave Deobfuscation Technology)
      - Supports emulation of IR instructions
      - Supports saving and loading of IR projects (AIR database)
      - Supports translation from IR into binary code
    Most of the products which disassemble and analyze PE-files require a lot of RAM. In some cases they crash due to lack of memory. In Ariadne, this problem is solved thanks to its own memory manager. When RAM becomes insufficient, the framework creates its own swap file on the computer's hard disk.


  2. Highlightfish

    Highlightfish allows you to set colours and highlighting.
    Coded to work with OllyDbg and ImmunityDebugger, one plugin for both debuggers.
    It supports the schemes published here: http://www.ollydbg.de/schemes.htm
    If you have a nice and comfortable scheme, send it to me and I will add it in the next release.
    Template structure (scheme):
    [Highlightfish]
    schemename=Gray Angelfish
    colours=0,18,0,8,2,0,7,13
    commands=0,4,14,10,1,15,11,13,111,7,124,0,0,0
    operands=1,5,0,0,15,1,4,10,0,0,0,0,0,0
    For more information see the included sample (GrayAngelfish.scheme).
    You are asked to restart the Debugger, so please save your work (Debuggee analysis) first.


  3. OllyMigrate

    This plugin makes it possible to pass a debuggee to another debugger without restarting (like VM live migration). Each debugger has strong and weak points compared with the others.
    With debuggee migration we can get only the strong points of each debugger, e.g. using OllyDbg to bypass anti-debug tricks and detect the OEP, and after that using Immunity Debugger to fix the obfuscated import table.
    Very simple overview:
    OllyMigrate = Debuggee live migration plugin

    Features:
    - Various debuggers supported
    - Migrate debuggee between debuggers
    - Multi-thread and suspended-thread aware (running state not required)
    - Migrate software breakpoint settings (keeps enabled/disabled status)
    - Migrate the selected address of the disassembly, memory and stack windows

    Supported debuggers:
    - OllyDbg version 1.10 (tested 1.10)
    - OllyDbg version 2.01 (tested 2.01)
    - Immunity Debugger version 1.8x or higher (tested 1.85)
    - IDA Pro 32bit build version 5.0 or higher (tested 6.9)
    - IDA Pro 64bit build version 7.0 or higher (tested 7.1)
    - IDA Freeware 32bit build version 5.0 (tested 5.0)
    - IDA Freeware 64bit build version 7.0 (tested 7.0.190307)
    - WinDbg version 6.x (tested 6.2)
    - x64dbg (tested 20170822 snapshot)

    How to use (OllyDbg example):
    1. Install the same version of the plugin in both the sender (src) and receiver (dst) debuggers.
    2. Start the sender debugger and add the receiver debugger definition:
       Menu > Plugins > OllyMigrate > Options
       Input the debugger info:
       Path: receiver debugger path (click [Browse] and select the file)
       Tag:  anything is OK (identification only)
       Args: debugger command line arguments (usually no need to change)
       Click [Add] and [Save].
    3. Open the debuggee using the sender debugger and start debugging (e.g. until the OEP is detected).
    4. After that, switch to the other debugger (paused state is recommended):
       Menu > Plugins > OllyMigrate > Send Debuggee
       Select the destination debugger and click [Migrate].
    5. The receiver debugger starts automatically and receives the debuggee. Continue debugging.


  4. TLS Stopper

    1. Install the plugin
    2. Disable the option "Warn when terminating active process" in "Security"
    3. Load "tls.exe" (from the example[test] directory) into ImmunityDbg


  5. Windows Maximizer

    Plugin for Immunity Debugger to keep all the windows maximized.


  6. VEHWalk

    This plugin shows all installed vectored exception handlers in the program.


  7. Ultra String Reference

    Ultra String Reference is an OllyDbg plugin. OllyDbg's string reference support for Chinese is quite bad. Feeling this, I have written this plugin, which supports GB2312 Chinese string references, and I hope it may improve this kind of situation.


  8. StrongOD

    Make your OllyDbg Strong!

    This plugin provides three ways to start the process:

    Normal - the same as the original start, with unclean data inside STARTUPINFO.

    CreateAsUser - starts the process as a user with User authority, so that the process runs under the purview of the User and cannot create processes with Admin operation. Running it this way requires that in the local security policy (User Rights Assignment) your user is granted two privileges: Replace a process-level token (SeAssignPrimaryTokenPrivilege) and Act as part of the operating system (SeTcbPrivilege). If you have a Home edition of Windows and cannot set this up, you can try to use SuperMode and reopen OD to elevate its privileges; use of this option is strongly not recommended.

    CreateAsRestrict - like the second option, starts the process with User authority but more restricted, and adds a third function: an explicit Admin user starts the process.

    The process is started by the Admin user, but it keeps only some of the default User privileges; all risky privileges (including SeDebugPrivilege, SeLoadDriverPrivilege, etc.) are removed, so running OD this way will not cause great harm. This way of starting the process is the recommended one.


  9. PhantOm Plugin

    Plugin for concealing OllyDbg (plugin with a driver). Helps against the following methods of detection:

    // driver - extremehide.sys

    [+] NtQueryInformationProcess.
    [+] SetUnhandledExceptionFilter.
    [+] OpenProcess.
    [+] Invalid Handle.
    [+] NtSetInformationThread.
    [+] RDTSC.
    [+] NtYieldExecution.
    [+] NtQueryObject.
    [+] NtQuerySystemInformation.
    [+] Windows hide.
    [+] GetProcessTimes.
    [+] NtSetContextThread.

    // plugin - PhantOm.dll

    [+] PEB BeingDebugged.
    [+] PEB NtGlobalFlag.
    [+] GetStartupInfo.
    [+] Process Heaps.
    [+] GetTickCount.
    [!] Protect DRx.
    [!] Hide DRx.
    [!] Fake Windows version.
    [!] Custom Handler.
    [+] BlockInput


  10. RagDog

    This plugin adds more menus with your favourite tools to the OllyDbg menubar for quick start.

    Use:

    Install in the Olly Plugins folder.

    - To add a new menu entry, go to the Add menu and add your favourite tools; if OK, this plugin adds the new menus to the OllyDbg menubar for quick start.


  11. OllyDumpEx

    This plugin is a process memory dumper for OllyDbg and Immunity Debugger.
    Very simple overview:
    OllyDumpEx = OllyDump + PE Dumper - obsoleted features + useful features

    Features:
    - Various debuggers supported
    - Select to dump the debuggee exe, a loaded dll or a non-listed module
    - Search PE file from memory
    - Multiple dump modes: Rebuild for a typical PE dump, Binary for PE carving
    - PE32+ supported (Search and Binary dump modes only available on a 32bit debugger)
    - Native 64bit process supported (IDA Pro, WinDbg and x64dbg)
    - ELF supported (both 32bit and 64bit)
    - Standalone version available
    - Dump any address space as a section even if not in the original section header
    - Auto-calculate many parameters (RawSize, RawOffset, VirtualOffset, ...)

    Supported debuggers:
    - OllyDbg version 1.10 (tested 1.10)
    - OllyDbg version 2.01 (tested 2.01)
    - Immunity Debugger version 1.8x or higher (tested 1.85)
    - IDA Pro 32bit build version 5.0 or higher (tested 6.9)
    - IDA Pro 64bit build version 7.0 or higher (tested 7.1)
    - IDA Freeware 32bit build version 5.0 (tested 5.0)
    - IDA Freeware 64bit build version 7.0 (tested 7.0.190307)
    - WinDbg version 6.x (tested 6.2)
    - x64dbg (tested 20170822 snapshot)


  12. OllyDump

    Dump debuggee process memory and Rebuild IAT.


  13. OllyDbg PE Dumper

    This is a new PE Dumper plugin for the best user-mode debugger, OllyDbg. PE Dumper is similar to OllyDump by Gigapede but fully rewritten, and has some features:
    - you can dump any *.exe and *.dll from the debugged process address space;
    - you can add/remove sections to/from the resulting dump. If you add a new section, you specify the VA and size of the memory region to add as a section, its attributes, file offset, raw size and section name. So now you can add to the dump any memory regions created by protectors during the debug session;
    - anti-dump anti-protection and the most correct dump-saving technique: during dumping, unlike other dumpers, PE Dumper saves only present memory pages (based on VA & virtual size). So if there is non-allocated space between memory regions, most other dumpers (and OllyDump too) will not save the dump correctly, but PE Dumper will save everything correctly;
    - fix raw sizes: corrects only the raw size of the image according to the virtual sizes;
    - paste header from disk: uses the header from disk, it's clear.
    This plugin is not fully tested yet. If you find a bug, please e-mail me.


  14. ODBGScript

    ODbgScript is a plugin for OllyDbg, which is, in our opinion, the best application-mode debugger out there. One of the best features of this debugger is the plugin architecture which allows users to extend its functionality. ODbgScript is a plugin meant to let you automate OllyDbg by writing scripts in an assembly-like language. Many tasks involve a lot of repetitive work just to get to some point in the debugged application. By using my plugin you can write a script once and for all.


  15. Multiline Ultimate Assembler

    Multiline Ultimate Assembler is a multiline (and ultimate) assembler (and disassembler) plugin for OllyDbg. It's a perfect tool for modifying and extending a compiled executable functionality, writing code caves, etc.
    Installation
    The plugin works with OllyDbg v1.10, OllyDbg v2, Immunity Debugger, and x64dbg.
    To install the plugin, copy the appropriate DLL file to the plugin directory:
    - multiasm_odbg.dll - OllyDbg v1.10
    - multiasm_odbg2.dll - OllyDbg v2
    - multiasm_immdbg.dll - Immunity Debugger
    - multiasm_x64dbg.dp[32|64] - x64dbg


  16. MapConv

    Purpose
    Converts map files from IDA or DeDe to OllyDBG.

    Introduction
    Here is my first plugin for OllyDBG. I don't know C++, but this magnificent debugger gave me the patience and will to do it. Please don't laugh at my C code. [gf+]

    Usage
    Copy mapconv.dll into the OllyDBG directory and then:
    1. Create a .map file using IDA or DeDe
    2. Run the program from OllyDBG or attach to it
    3. Select what info to replace (comments or labels)
    4. Use the plugin to select the map file for this process
    5. Right-click on the CPU window and use "Search for"/"User-defined comment" or "User-defined labels" to browse the info imported from the map file

    History
    1.4 added dynamic resolution of the address of the code section; should now work for dlls and other processes that don't have codebase = 00401000h 😃
    1.3 recompiled with OllyDbg Plugin Development Kit v1.8 + BCB60
    1.03 bug fixes and some features added
    1.02 recompiled with OllyDbg Plugin Development Kit v1.06
    1.01 added option to replace comments and/or labels
    1.00 first release

    Note
    If you mixed up map files, just delete process.udd, which resides in the OllyDBG directory.


  17. IsDebugPresent

    This Plugin is intended to hide debugger from IsDebuggerPresent Windows API.


  18. immSignSrch

    immSignSrch is a signature scanner plugin for Immunity Debugger, developed upon Luigi Auriemma's signSrch.
    Features:
    - Fast search engine
    - It can recognize tons of compression, multimedia and encryption algorithms, and many other things (like known strings and anti-debugging code)
    - Signatures DB automatically updatable from the program itself and editable by hand
    Usage:
    From the command line (ALT + F1) type: !iss -h


  19. HideOD

    Plugin to hide Immunity Debugger.


  20. Hide Debugger

    This plugin hides OllyDbg from many debugger detection tricks.


  21. FullDisasm

    A small plugin for Immunity Debugger which allows you to replace the old disassembly routine used in OllyDbg with a more recent one (BeaEngine). With this plugin, you can now debug FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2 and VMX code without problems.

    Example (original OllyDbg disassembly):
    00401000 PSLLQ MM0,QWORD PTR DS:[402020]
    00401007 MOVQ MM0,QWORD PTR DS:[402020]
    0040100E MOV EAX,1235
    00401013 MOV DWORD PTR DS:[402028],EAX
    00401018 ??? ; Unknown command
    0040101A ADD EAX,SSE.00402028
    0040101F ??? ; Unknown command
    00401021 ADD EAX,SSE.00402028
    00401026 ??? ; Unknown command
    00401028 ADD EAX,SSE.00402028
    0040102D MOVQ QWORD PTR DS:[402020],MM0
    00401034 MOV EDI,SSE.00402000
    00401039 MOVHPS XMM5,QWORD PTR DS:[EDI+8]
    0040103D MOVLPS XMM5,QWORD PTR DS:[EDI]
    00401040 ??? ; Unknown command
    00401042 IN EAX,DX ; I/O command
    00401043 MOV ESI,SSE.00402010
    00401048 MOVUPS XMM1,DQWORD PTR DS:[ESI]
    0040104B ??? ; Unknown command
    0040104D LEAVE
    0040104E MULPS XMM1,XMM5
    00401051 ??? ; Unknown command
    00401054 LEAVE
    00401055 SUB ESP,10
    00401058 MOVHPS QWORD PTR SS:[ESP],XMM1
    0040105C MOVLPS QWORD PTR SS:[ESP+8],XMM1

    With FullDisasm (press Ctrl+W or Ctrl+X for local action):
    00401000 psllq mm0, qword ptr [402020h]
    00401007 movq mm0, qword ptr [402020h]
    0040100E mov eax, 1235h
    00401013 mov dword ptr [402028h], eax
    00401018 paddq mm0, qword ptr [402028h] ; Unknown command
    0040101F psubq mm0, qword ptr [402028h] ; Unknown command
    00401026 pmuludq mm0, qword ptr [402028h] ; Unknown command
    0040102D movq qword ptr [402020h], mm0
    00401034 mov edi, 402000h
    00401039 movhps xmm5, qword ptr [edi+8h]
    0040103D movlps xmm5, qword ptr [edi]
    00401040 cvtdq2ps xmm5, xmm5 ; Unknown command
    00401043 mov esi, 402010h
    00401048 movups xmm1, dqword ptr [esi]
    0040104B cvtdq2ps xmm1, xmm1 ; Unknown command
    0040104E mulps xmm1, xmm5
    00401051 cvtps2dq xmm1, xmm1 ; Unknown command
    00401055 sub esp, 10h
    00401058 movhps qword ptr [esp], xmm1
    0040105C movlps qword ptr [esp+8h], xmm1


  22. Analyze This

    Sometimes (especially when dealing with packers) you may need to run OllyDbg's code analysis function, only to find it's not available to you because the EIP is currently outside the code segment as defined by the PE header. AnalyzeThis! is an OllyDbg plugin to allow OllyDbg's analysis function to operate outside of the marked code segment, by telling OllyDbg the current segment *is* the code segment.

    Caveats: If the EIP is outside the range of a known executable module, AnalyzeThis! will not work. Also, OllyDbg can only store one analysis table, so if you analyze a new segment, it will remove any existing analysis that has been done.

    Source code has not been included; not because I don't want to release it at this time, but because I can't find it off hand. If you really need it, email me and I'll look harder for it.


  23. Crypto Scanner

    Hopefully you will find this useful - the advantage of having it as a plugin means that breakpoints can easily be set where required, and signatures can be located quickly.


  24. Command Bar

    I remodelled the command line plugin into a bar at the lowest position of the main window. I added some commands and a candidate command indication function. For the commands, please refer to the help of the command line plugin.


  25. CleanupEx

    Deletes all .udd and .bak files. Supports the plugin and udd directories.
