DumpAddressColor (an OllyDbg 2 plugin)

Colorizes the double-words in the CPU dump of OllyDbg 2 by the following rules:
  • Red: an address to a code block of a module.
  • Magenta: an address to a non-code block of a module.
  • Yellow: an address to a non-module memory block.
  • Black: a handle of a window which belongs to the debuggee process.

The colors can be changed in the .ini file.

Limitations: double-words across rows are not processed.
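As an added illustration of these four rules (example code, not the plugin's own, which runs inside OllyDbg), the following Python classifies the dwords of a dump against a constructed memory map and constructed window handles, and skips a dword that would straddle two dump rows; the 4-byte alignment and the address-before-handle precedence are assumptions of the example.

```python
import struct
ROW_WIDTH = 16  # bytes per row in the hex view of the CPU dump

# Constructed memory map of a fictitious debuggee: (start, end, module, is_code).
# module is None for memory that belongs to no module (heap, stack, ...).
MEMORY_MAP = [
    (0x00401000, 0x00410000, "target.exe", True),    # code section of a module
    (0x00410000, 0x00420000, "target.exe", False),   # data section of a module
    (0x7C800000, 0x7C900000, "kernel32.dll", True),  # code of another module
    (0x00130000, 0x00140000, None, False),           # stack: non-module memory
]
DEBUGGEE_WINDOWS = {0x000B0214, 0x00050196}  # constructed handles of debuggee windows
# Default colors from the post; the real plugin reads them from its .ini section.
COLORS = {"code": "red", "data": "magenta", "memory": "yellow", "window": "black"}

def classify(value):
    """Map one 32-bit value to a category, or None for plain data. Assumption: the
    value is tested as an address first and as a window handle only if it maps nowhere."""
    for start, end, module, is_code in MEMORY_MAP:
        if start <= value < end:
            if module is None:
                return "memory"
            return "code" if is_code else "data"
    return "window" if value in DEBUGGEE_WINDOWS else None

def colorize_dump(dump_base, data):
    """Return [(address, value, color)] for each 4-byte-aligned dword of `data`,
    shown from address `dump_base` in rows of ROW_WIDTH bytes. A dword whose
    bytes fall into two rows is skipped, mirroring the plugin's documented
    limitation (4-byte alignment is this example's assumption)."""
    hits = []
    first = (-dump_base) % 4  # buffer offset of the first aligned dword
    for off in range(first, len(data) - 3, 4):
        if off // ROW_WIDTH != (off + 3) // ROW_WIDTH:
            continue  # straddles a row boundary: not processed
        value = struct.unpack_from("<I", data, off)[0]
        kind = classify(value)
        if kind is not None:
            hits.append((dump_base + off, value, COLORS[kind]))
    return hits

# Constructed dump: two 16-byte rows from an unaligned address; the fourth dword
# (the kernel32 address) starts at row offset 14 and straddles the row boundary.
SAMPLE_BASE = 0x0040101A
SAMPLE_DUMP = bytes(2) + b"".join(v.to_bytes(4, "little") for v in
    (0x00401234, 0x00412000, 0x00135000, 0x7C801000, 0x000B0214)) + bytes(10)
if __name__ == "__main__":
    for address, value, color in colorize_dump(SAMPLE_BASE, SAMPLE_DUMP):
        print(f"{address:08X}: {value:08X} -> {color}")
```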

zip dump_address_color.zip (5.38 kB)

The source code is available on GitHub.

Posted in Releases, Software on August 28th, 2015. 4 Comments.

DumpHistoryNavFixer (an OllyDbg 2 plugin)

This plugin fixes a minor, but annoying issue with the CPU dump history navigation on OllyDbg 2.

Without the plugin (clickable):

With the plugin (clickable):

zip dump_history_nav_fixer.zip (112.31 kB)

Posted in Releases, Software on August 28th, 2015. No Comments.

FollowImmediateConstant (an OllyDbg 2 plugin)

Adds the missing option to follow immediate constant in OllyDbg 2, just like in OllyDbg 1.10.

Screenshot (clickable):

zip follow_immediate_constant.zip (21.58 kB)

Posted in Releases, Software on August 28th, 2015. No Comments.

Symbols on Demand (an OllyDbg plugin)

OllyDbg is able to use dbghelp.dll and symsrv.dll to show extended debug information, such as the module source code (if referenced by the debug information) or module symbols from a PDB file (which can be fetched from the Microsoft Symbol Server for system modules). The problem is that if you turn on this option, module loading becomes much slower. On the other hand, this information is very handy, so there’s a dilemma over whether to turn it on.

The Symbols on Demand plugin provides the best of both worlds: it disables loading of this extended debug information by default, but allows you to load it explicitly for any module, at any time. Using this approach, loading is still fast, but if you need to load extended debug information for a module, you can easily do that.

OllyDbg v1.10 and v2.01 are supported. For OllyDbg v1.10, there’s additional functionality: you can set the symbols search path, which is set by default to SRV*.\Symbols*http://msdl.microsoft.com/download/symbols. You can also choose to retrieve undecorated symbol names. These options can be set in the INI file of OllyDbg, in the plugin’s section.

zip symbols_on_demand.zip (4.96 kB)

For your convenience, here are the dbghelp.dll and symsrv.dll files:

zip dbghelp_symsrv.zip (579.8 kB)

The source code is available on GitHub.

Posted in Releases, Software on August 8th, 2015. 9 Comments.

QuickAddressCopy (an OllyDbg v1.10 plugin)

This tiny plugin allows you to copy the address of the selected item/command/byte with the Ctrl+X keyboard shortcut.

Note that the plugin works only for OllyDbg v1.10. For OllyDbg v2, you can achieve the same with:
Options -> Edit shortcuts… (“Copy address” in “Dump: Edit”)

zip quick_address_copy.zip (1.6 kB)

Posted in Releases, Software on March 17th, 2015. 3 Comments.

Portablizer (an OllyDbg plugin)

This plugin makes your copy of OllyDbg portable, which means that you can copy the OllyDbg folder to another location without having to fix ollydbg.ini manually.
OllyDbg v1.10 and OllyDbg v2 are supported.

OllyDbg v1.10

Usage:

  1. Copy portablizer.dll to the plugins folder.
  2. Apply the ollydbg-patch.exe patch on ollydbg.exe.
    The patch is needed because by default, OllyDbg loads the plugins at a later stage.
  3. Run OllyDbg from the correct folder, then close it.
  4. Make sure that the entries of ollydbg.ini contain relative paths (the [History] section).

Limitations:

  1. The plugin DLL file must be named portablizer.dll.

OllyDbg v2

Usage:

  1. Copy portablizer_odbg2.dll to the plugins folder.
  2. Run OllyDbg from the correct folder, then close it.
  3. Make sure that the entries of ollydbg.ini contain relative paths (the [History] section).

Download

zip portablizer.zip (63.35 kB)

Posted in Releases, Software on March 17th, 2015. 7 Comments.

Multiline Ultimate Assembler v2.3

Multiline Ultimate Assembler v2.3 is out.

x64_dbg support

Starting from version 2.3, the Multiline Ultimate Assembler plugin supports the x64_dbg debugger in addition to OllyDbg and Immunity Debugger.

x64_dbg is a relatively new project, and thus not all features could be implemented for it. For example, the option to disassemble external code is not available, as the debugger doesn’t expose this information.

Despite the limitations, x64_dbg evolves quickly, and is already usable for many tasks. It can be extremely useful for 64-bit targets, as the more mature OllyDbg can only handle 32-bit executables at the moment.

Multiline comments

It’s possible to use the COMMENT directive to define a comment which consists of multiple lines, using the MASM syntax:

COMMENT delimiter [[text]]
[[text]]
[[text]] delimiter [[text]]
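Added here as an example (not the plugin's code), a Python routine that strips COMMENT blocks of this shape from source text before assembly; it assumes a case-insensitive keyword and treats an unterminated block as an error.

```python
def strip_comment_directives(source):
    """Drop MASM-style COMMENT blocks from assembler source and return the
    remaining lines. The delimiter is the first non-blank character after the
    COMMENT keyword; everything up to and including the next occurrence of that
    character is discarded, together with the rest of the closing line:

        COMMENT delimiter [[text]]
        [[text]]
        [[text]] delimiter [[text]]

    Assumptions of this example: the keyword is matched case-insensitively and
    an unterminated block is an error (raises ValueError)."""
    out = []
    lines = source.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        word = line.lstrip()
        tail = word[7:]
        is_directive = word[:7].upper() == "COMMENT" and not (
            tail[:1].isalnum() or tail[:1] == "_")   # not e.g. COMMENTS or COMMENT_X
        if not is_directive:
            out.append(line)
            i += 1
            continue
        rest = tail.lstrip()
        if not rest:
            raise ValueError(f"line {i + 1}: COMMENT needs a delimiter character")
        delim, body, opened_at = rest[0], rest[1:], i
        while delim not in body:       # the block may also close on its first line
            i += 1
            if i == len(lines):
                raise ValueError(f"line {opened_at + 1}: unterminated COMMENT block")
            body = lines[i]
        i += 1   # the closing line is consumed entirely, including its tail text
    return out

# Constructed sample: the PUSH between the tildes is assembler text that must not
# be assembled, and "ignored tail" after the closing star is dropped as well.
SAMPLE = """\
COMMENT ~ everything from here on is comment
PUSH EBP ; still inside the block
up to the closing tilde ~ and the rest of this line too
MOV EAX, 1
COMMENT * a one-line block * ignored tail
RET
"""

if __name__ == "__main__":
    print("\n".join(strip_comment_directives(SAMPLE)))
```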

Other changes

In addition to the above, v2.3 adds drag and drop support to the editor, and fixes a couple of minor bugs.

P.S. The text editor component, RAEdit, was originally written in 32-bit x86 assembly. If you’re wondering how it was ported to 64-bit, refer to the post C as a portable assembly: porting RAEdit to 64-bit.

Posted in Software, Updates on September 4th, 2014. No Comments.

Multiline Ultimate Assembler v2.2

Multiline Ultimate Assembler v2.2 is out.
What’s new:

Added the ability to specify block end address

You can now specify the end address of a block, which the code shouldn’t exceed.

Posted in Software, Updates on March 16th, 2014. 4 Comments.

Multiline Ultimate Assembler v2.1

Multiline Ultimate Assembler v2.1 extends the syntax of RVA addresses:

  • Explicit base address.
    e.g.: PUSH $(00400000).1000
  • Short syntax for block addresses.
    e.g.: <$$1000>
  • Fix: Module names are no longer case-sensitive.


Posted in Software, Updates on October 24th, 2012. 1 Comment.

Multiline Ultimate Assembler v2.0

Multiline Ultimate Assembler (previously known as MUltimate Assembler) v2.0 is out.

A new name
The plugin is called Multiline Ultimate Assembler now. I never liked the old name, MUltimate Assembler. It could easily be misread as Multi-Mate, while the intention is Multiline-Ultimate.

Note: if you update from an older version, change the section name in ollydbg.ini from “MUltimate Assembler” to “Multiline Ultimate Assembler” to keep the plugin’s options.

An OllyDbg v2 port
The plugin was ported to OllyDbg v2.
Currently there’s one known issue: the data commands (DB, DW, DD, etc.) aren’t supported by the new OllyDbg’s assembler, so you cannot use them.

A help file
I’ve written a help file, which explains the assembler syntax, the editor interface, and the plugin’s options. It should make it easier to get started with the plugin.

Posted in Software, Updates on October 17th, 2012. No Comments.