Multiline Ultimate Assembler (an OllyDbg plugin)
Multiline Ultimate Assembler is a multiline (and ultimate) assembler (and disassembler) plugin for OllyDbg. It’s a perfect tool for modifying and extending a compiled executable functionality, writing code caves, etc.
multiasm.rar (375.1 kB, changelog)
Posted in Releases, Software by RaMMicHaeL at September 13th, 2009.
Tags: multiline ultimate assembler, ollydbg
Tags: multiline ultimate assembler, ollydbg
i really like that plugin, but sometimes for no reason, it doesn’t want to accept strings – the example like on this page wouldn’t work, it would give me a ‘command mnemonic expected’ in the middle of “hello world” string.
just ignore previous comment, i didn’t see i don’t have the latest version
How do i plugin on ollydbg? I’ve put the plugin in plugin folder but it doesn’t appear on olly. Should i set something on ollydbg.ini? -Thnx- nice blog
It should just work.
You can upload your olly pack so I could check it out.
AWESOME!! This plugin would’ve saved me a lot of time on multiple occasions.
Very useful. But it crashes almost everytime.
It writes the opcodes just fine, but then crashes Olly a few seconds later.
Okay, I’ve pinpointed it to Labels.
If “Write Labels” is enabled in options, it crashes me Ollydbg (1.10 – Tried clean install too).
If I untick “Write Labels” it works just fine.
PS: I can’t get it to support labels for loop instructions (LOOP, LOOPD, LOOPE).
@Bla:
LOOP @Bla ; does not work
LOOP 00401000; works
Confirmed
LOOP SHORT @Bla ; works
^ you can use this form meanwhile
I’ve never experienced such crashes. You say it happens with any code/binary even on a clean olly? Can you say on which RVA it crashes?
After a number of experiments, I was able to reproduce the issue. Seems like it’s a bug of Ollydbg and it’s Quickinsertname/Mergequicknames functions. Maybe Ollydbg does not expect these functions to be called from another thread – what MUltimate Assembler does.
It does not crash on my PC while assembling a sane amount of code, but inserting labels/comments in a loop make it eventually crash.
Perhaps your PC is faster, and thus it happens regularly for you.
Disabling “Write Labels” and “Write Comments” will help, but if you find these useful, you could make MUltimate Assembler use Insertname instead of Quickinsertname/Mergequicknames (Insertname accepts the same parameters as Quickinsertname). As an Ollydbg user it should not be difficult for you
Try it and tell me how it works.
The crash was fixed in v1.3
Updated to v1.2.1
Bug fixes:
- Now correctly assembles loop instructions with labels (reported by Morten).
- Fixed assembling short jumps with labels on high addresses.
Updated to v1.2.2, which only creates a single thread on startup and uses it instead of creating a new thread every time the assembler window is opened.
That makes it work together with the phantOm plugin.
Great Plugin!!
Thanks!
Thanks for the update. Disassembler is awesome! Still waiting for tab renaming feature, though.
nice plugin as say MCKSys Argentina ,, i use from version 1,
ask: is posible do this same for ollydbg 2 ( now was a update and cann add plugin ^^)
BR, Apuromafo
I want to eventually update it to OllyDbg 2, but for now I think I’ll wait for a documentation of the API.
^^ now was a little documentation in ollydbg.de maybe you can check if are good or not
Best Regards Apuromafo
It’s very partial, and lacks important functions such as Assemble.
u.u oki , i hope see some day this plugin in ollydbg 2
Done!
this is my fav olly plugin, not to seem ungrateful but I think it will take some time for the plugin documentation to appear..and its a real pain having to juggle multiple versions of olly ..as v2.0 is the best now even tho a little buggy
thanks for your work
v1.7.1:
* Search/replace in editor (hotkeys: Ctrl+F, Ctrl+H, F3, Shift+F3).
* Fix: Correctly handle prefixed instructions (LOCK, REP, REPE/REPZ, REPNE/REPNZ).
Just came across your amazing plugin. It is a life-saver. I am doing a tutorial on code caves right now and I can’t wait to introduce your plugin to my many readers.
I have one feature request. Seeing as a lot of the members on my site are beginners, it would be great if, instead of just giving a generic error, your plugin said what line number the error was on or highlight the line or something. I can already tell I’m going to get numerous questions like “Can you look at my code? It says I have a ___ error but I can’t figure out where”.
Anyway, if you have the time. If not, it’s still an amazing plugin and I will use it often.
I am also going to ask my minions to donate to your cause, as I plan to do as well. Too few people get recognized for their hard work.
-R4ndom
Hi R4ndom,
Thanks for the feedback.
As for the error spot, after showing the error message box, the caret moves to the line that contains the error.
RaMMicHaeL.
http://thelegendofrandom.com/blog/archives/2470
btw: do you have any sort of manual or quick guide or anything? I would love to include something in the tutorial…
Nope, though I do plan to write a help file to make things clearer once I have some spare time.
Done!
Может быть вам стоит рассказать об этой штуке на Хабрахабре? Там очень большая аудитория, и статьи на подобную тематику воспринимаются очень тепло. Пример: http://habrahabr.ru/post/51857/
Также вы можете рассказать о 7TT, рассказав для примера как вы делали какую-нибудь простую функцию (чтобы не посчитали рекламой и воодушевить других программистов). Это будет просто бомба!
Ну и +10 к популярности вашего ПО. Для примера, моя последняя статья ( http://habrahabr.ru/post/168269/ ) за 10 часов уже собрала больше 25000 просмотров — а это немало.
Страна должна знать своих героев!
Если надумаете что-нибудь написать и оценить Хабраэффект, я могу поделиться инвайтом.
Может быть, хотя не уверен, что из меня выйдет хороший писатель. Да и время для этого найти нужно.
А вообще я с Хабром знаком, почитываю иногда.
Про 7TT, кстати, кто-то уже писал (кратко, но все же):
http://habrahabr.ru/links/125911/
Ну а так, если надумаю писать, буду знать к кому обращаться за инвайтом. Спасибо за предложение
Это не считается, поскольку заметка даже на главную не попала. Секрет успеха на хабре — немножко подробностей, как оно работает. А там где вы показали кроме ссылки ничего нет.
Что касается написания статей. Нужно просто написать пару первых предложений — остальное уже как-то само получается
Вот, накатал статейку:
Здесь была ссылка
Ваше мнение?
Ответил вам по почте. Кстати да, это вы мне написали, или кто-то другой подсуетился?
Я, кто же еще
Hi,
Would it be possible to also compile this plugin as a standalone DLL/static library? This would help with writing tools that need to inject code for example.
Please consider it.
Greetings,
Mr. eXoDia
Hi Mr. eXoDia,
The plugin uses OllyDbg’s assembling and disassembling API, so it can’t be made standalone. Have you considered using FASM or similar?
RaMMicHaeL.
Thanks for the reply! Yes I considered fasm, but your plugin just rocks..
And does your plugin only rely on this library or also on other parts of olly (only a dll that assembles is good enough) because disasm is open source: http://ollydbg.de/srcdescr.htm
Greetings
Here are the functions it imports from Olly:
Addtolist
Pluginreadstringfromini
Findmemory
Findmodule
Finddecode
Pluginreadintfromini
Readmemory
Disasm
Assemble
Dumpbackup
Plugingetvalue
Getstatus
Findsymbolicname
Pluginwriteinttoini
Writememory
Quickinsertname
Pluginwritestringtoini
Mergequicknames
Deletenamerange
Findname
So no, not much
But it’s designed to assemble code to memory. You want a standalone library to write code to a file, right? If so, the division to sections (<401000> stuff) would either dropped, or I’d have to use a custom file format or something.
In any case, how would that be better than FASM?
In addition, FASM supports macros, which are very powerful and might come in handy.
P.S.
Thanks
the sections () would not be used with my code.. It’s more like this:
unsigned int makeinline(unsigned char* result, char* assembly, unsigned int va_base)
result is the resulting assembly code
assembly is just the plain text code (with @label, “\x03″ support)
va_base is the virtual address where the result will be written later on
return value is the length of the resulting buffer.
For me it’s more about the simple syntax and compatibility with the odbg version of multimate assembler.
Something optional would be that the function also returns a relocation table, but for me it’s mainly about the code style.
Greetings
Let’s make a deal
I make the standalone library you requested, and you write an article about how you use it, what it’s good for, etc.
I’ll post your article on my blog, so others can see what it’s all about, and maybe use it too.
What do you think?
Deal
Here you go:
https://www.dropbox.com/s/3rbmow07ng6n5k0/Multiline%20Ultimate%20Assembler%20library.rar?dl=1
See header file for exported functions and documentation.
See demo project for usage examples.
One downside is that the available OllyDbg (dis)assembler sources don’t support operands such as DB, DW, DD, which are very useful sometimes.
Thanks! I’ll be making a little (open source) tool that shows the usage of this library and include an article about how it all works with it..
Greetings,
Mr. eXoDIa
Hello again.
I’ve been trying to get it to work with ollydbg 2. I’ve downloaded the latest version and placed multiasm_odbg2.dll in ollydbg2\Plugins, and set up the plugin directory in the ollydbg options.
However, the Plugins menu is grayed out, and the plugin doesn’t seem to load at all.
Reading on ollydbg2.de it seems he changed the plugin interface, so I guess it’s incompatible with the new version.
Any chance of an update for the latest version of ollydbg2?
Thanks.
Hmm, downloaded the second latest version of olly, and now it works. Guess I’ll just stick with that one for now.
Hi,
The latest version, v2.1.1, is compatible with the latest version of OllyDbg, odbg201h.zip (November 19, 2012). Just rechecked it.
Could it be that you’re trying an older version of the plugin?
Hmm. Weird. It works now. I redownloaded olly 201h and MUA v2.1.1 from the top of the page.
Though I’m certain that it’s the same versions I used before. Perhaps it’s some ollydbg settings. I’ll poke around.
Thanks.
it has to do with ini settings of ollydbg. just delete ollydbg.ini to fix this issue…
greetings
Hey,
I’ve been busy with this standalone library, but currently real life stuff is eating all my time… I’ll continue writing the tutorial, but it might take more time.
Greetings
Fine, thanks for letting me know. Tell me if you need any help with the library.
Hey,
So I had some time to ‘finish’ this coding example of your library so here it is: http://rghost.net/private/45983365/f6fdd54ba9db02e63867bf1fe66ab2c7 I still need to write a full tutorial in PDF format, but here is just what I could do by now (it works, tested on one target, but it works)
Greetings,
Mr. eXoDia
Nice
The technique mostly targets protectors, right?
I found a bug that caused it to crash on my PC, pefunc.cpp line 70:
psh=(IMAGE_SECTION_HEADER*)(&pnth->OptionalHeader)+pnth->FileHeader.SizeOfOptionalHeader;
The pointer is not calculated correctly.
Also, it might be worth creating the extra section automatically.
Yes I think mostly for targeting protectors. But it could also be useful if someone wants to make a small disassembler with easy multiline assembling feature (although x64 would be better in that case).
Thanks, I reused the code from another project and it isn’t really used so I experienced no crashes. Fixing line:
psh=(IMAGE_SECTION_HEADER*)((DWORD)(pnth)+pnth->FileHeader.SizeOfOptionalHeader+sizeof(IMAGE_FILE_HEADER)+sizeof(DWORD));
I will see if I’m going to implement this feature.. usually I use titanengine, but in this case I would need to write this code by myself (no problem, but it takes time).
Greetings,
Mr. eXoDia