Tuts 4 You : Downloads

OllySymbolServer 0.0

suburban_user — Mon, 23 Apr 2012 03:43:46 -0500

Enable Microsoft symbol server download compatablilty in OllyDbg v1.10 (with no fussing around).

NameChanger 1.1

Marcin 'Icewall' Noga — Sun, 22 Apr 2012 20:09:28 -0500

I recently returned to an idea of an OllyDbg plug-in which would provide functionality similar like in an IDA related with inter alia :changing name of functions or setting more readable form for global variables.

CPU Initialization Patch 1.0.0.1

Blurcode — Sun, 22 Apr 2012 19:34:35 -0500

This is a plugin for OllyDbg 1.10, which hot-patches Olly's code to resolve the issue of OllyDbg taking 100% CPU time as soon as the debugged process is running (i.e. after having pressed F9 inside OllyDbg).

If nothing else, this problem causes any laptop that you might be reversing on to lose much more battery life than necessary, and also to sound like a jet plane due to constant maximum fan rotation, so this plugin will come in hand for any laptop reversers at least.

OllyDbg - Windows 7 (Virtualized) 0.2

DarkElf — Sun, 22 Apr 2012 19:32:08 -0500

Some beloved plugins for Olly stopped working when used with Windows 7, among these are OllyAdvanced and Conditional Branch Logger just to name two of them. To overcome this issue I virtualized Olly and now the plugins are working again :)

You can customize this Olly as usual. Note, that you have to set the Plugins- and UDD- directory when starting it for the first time. Unfortunately there is a small shortcoming - Every part of a plugin that is driver-based is NOT working. This is due to the fact, that drivers cannot be virtualized. For instance while everything else in OllyAdvanced is working, it's driver-based Anti-RTDSC is not but that does not hinder the plugin to work great. The same goes for other plugins that have drivers involved. Sorry for that, virtualization nowadays is pretty good but not perfect.

Also, there may be an issue with non-latin charactersets which I'm unable to confirm because I haven't got a non-latin Windows.

Advanced Labels 1.2.0.0

Oleh Yuschuk, Icegood — Sun, 22 Apr 2012 17:50:09 -0500

Advanced labels with user datatypes support.

Compiled in Borland C++ builder 6.0 10.166 w/o addons.

Enigma Protector 1.x - 3.x Vol.1 (Unpacking)

Silence — Sun, 22 Apr 2012 17:46:39 -0500

Today I release - finally - the series of unpacking tutorials about manually unpacking The Enigma Protector. I will discuss all protections of Enigma which are fully detailed as possible.

I have to say thanks to LCF-AT, she helped me alot with this.

VMSweeper 1.5 Beta 0

Vam — Sun, 15 Apr 2012 16:50:34 -0500

VMSweeper helps you to decompile VM code.

* VMSweeper decompiles functions, virtualized in:

- Code Virtualizer (Oreans Technology)
- VMProtect (VMProtect Software)

* Recovers import
* Finds different types of VM, including not supported for decompiling by itself.

Win32api and x86 Opcodes

Microsoft — Sun, 15 Apr 2012 08:07:42 -0500

The Win32.hlp file for OllyDbg "Help on symbolic name" containing information on some Win32 API's. Archive includes OpCodes.hlp for a list of some x86 hex opcodes and mnemonics with descriptions.

Enigma Protector 2.x - 3.x (HWID + Inline Patching)

Pertic@n — Sun, 15 Apr 2012 07:35:43 -0500

Video tutorials on bypassing the HWID and inline patching of Enigma Protector protected files from version 2.x to 3.x.

Keygenning Encrypto's KeygenMe #5

NewHitman — Sun, 15 Apr 2012 07:30:49 -0500

A tutorial on how to reverse a challenge from an old pal Encrypto that I have found lately and I have never reversed until now. The ultimate goal of the challenge is to code a standalone keygen and this is what I have done. The tutorial is a little bit long since it is provided with details so anyone can watch and give it a try.

If you get any kind of problems will be happy to help!

Keygenning pDriLl CrackMe #2

hepL3r — Sun, 15 Apr 2012 07:28:10 -0500

Here is my tutorial for pDriLl's KeygenMe#2. It is using RSA, I hope it will be useful for you and of course this tutorial is not for complete newbies.

OllyMSDN 1.0

Mario Vilas — Sun, 15 Apr 2012 07:25:37 -0500

This plugin will replace WIN32.HLP with online help from the MSDN website.

To install:
1) Copy OllyMSDN.dll to OllyDbg's or ImmDbg's plugin directory.
2) Start the debugger.
3) If you haven't done so already, go to Help -> Select API help file
and select WIN32.HLP as usual. It doesn't need to be the real file,
just one named like that.

To use:
*) When you click on Help -> Open API help file, the MSDN online website
will be opened instead.
*) To get help on individual API calls, right-click on the CALL instruction
in the CPU pane and click on "Help on symbolic name".

OllyWow64 0.1

Waliedassar — Sun, 15 Apr 2012 07:24:23 -0500

Here is an OllyDbg v1.10 plugin to remove the annoying single-step break while debugging in Windows 7, Wow64.

Virtual Section Dumper 2.0

+NCR/CRC! — Sun, 15 Apr 2012 07:24:13 -0500

VSD (Virtual Section Dumper) is intented to be a tool to visualize and dump the memory regions of a running 32 bits or a 64 bits process in many ways. For example, you can dump the entire process and fix the PE Header, dump a given range of memory or even list and dump every virtual section present in the process.

SyserExt 0.95

Ferrit — Tue, 20 Mar 2012 08:19:15 -0500

SyserExt is a plugin for Syser debugger. The intention is similar to IceExt and it has mainly the following features:

- Advanced hide engine
- Conditional branch logger

RISC Machine Documentation

Deathway — Mon, 12 Mar 2012 02:02:40 -0500

I present this time a documentation about RISC machines. The content about this document is detailed enough to give an overview of RISC machines, how they are constructed, how they deal with virtual opcodes, and how they virtualize them.

Reverse Engineering Techniques - Part 1

Kingstaa — Sat, 10 Mar 2012 21:21:12 -0600

The whole tutorial is about playing with a target and implementing new things into it. The tutorial is not for newbies, you must know how the tools given in this tutorial works. The entire article is based on exploring the calibre of a reverse engineer. Reverse engineering is an art; how to analyse and play with the target and find out other possibilities which you can implement. Sometimes targets are so challenging you can't even imagine. The target I am going to use in this tutorial is a simple crackme by Nemo.

Oreans UnVirtualizer 1.5

Deathway — Sat, 10 Mar 2012 21:16:26 -0600

This tool will help conversion VirtualOpcodes -> Assembly Instruction. Restoring the original code of your virtualized application, the basic engine was from CodeUnvirtualizer, my other tool.

[Features]

- Supports WinLicense/Themida/CodeVirtualizer Cisc/Risc Machines
- Supports almost all common opcodes
- Supports CHECK_MACRO_PROTECTION on CISC machines
- Supppots MultiBranch Tech

[Use]

- Right-click on the jump leading to the Virtual Machine Area and press Unvirtualize (If machine isn't found you have to click again, after checking that the full machine was correctly deofuscated)

Keygenning pDriLl CrackMe #1

hepL3r — Thu, 08 Mar 2012 05:06:45 -0600

In this tutorial I will show you how we can keygen this easy keygenme from pDriLl.

TLSCatch 0.2

Waliedassar — Thu, 08 Mar 2012 05:06:32 -0600

This plugin simply intercepts any new module loaded into the current process address space, searches it for TLS callbacks and sets a one-shot breakpoint on every callback found. It lets the malware analyst catch any TLS callback in OllyDbg.

1) Uses permanent breakpoints instead of one-shot breakpoints.
2) Handles executables which manipulate their PE header at runtime.

Just copy the plugin DLL into Olly's plugin directory then start OllyDbg.

Tested on OllyDbg v1.10 on Windows XP and Windows Vista.

Reversing a Keygenme Challenge

lfozia0 — Tue, 06 Mar 2012 07:38:58 -0600

This tutorial is intended for beginners in RCE but it might contain something for more advanced ones. Those of you which are more advanced you can start from Part 2 as this tutorial is split into two parts.

The target and objective for both parts of the tutorial will be a keygenme coded by Flux.

BIOS Disassembly Ninjutsu Uncovered

Darmawan Salihun — Sun, 04 Mar 2012 01:42:08 -0600

For many years, there has been a myth among computer enthusiasts and practitioners that PC BIOS (Basic Input Output System) modification is a kind of black art and only a handful of people can do it or only the motherboard vendor can carry out such a task. On the contrary, this book will prove that with the right tools and approach, anyone can understand and modify the BIOS to suit their needs without the existence of its source code. It can be achieved by using a systematic approach to BIOS reverse engineering and modification. An advanced level of this modification technique is injecting a custom code to the BIOS binary.

There are many reasons to carry out BIOS reverse engineering and modification, from the fun of doing it to achieve higher clock speed in overclocking scenario, patching certain bug, injecting a custom security code into the BIOS, up to commercial interest in the embedded x86 BIOS market. The emergence of embedded x86 platform as consumer electronic products such as TV set-top boxes, telecom-related appliances and embedded x86 kiosks have raised the interest in BIOS reverse engineering and modification. In the coming years, these techniques will become even more important as the state of the art bus protocols have delegate a lot of their initialization task to the firmware, i.e. the BIOS. Thus, by understanding the techniques, one can dig the relevant firmware codes and understand the implementation of those protocols within the BIOS binary.

The main purpose of the BIOS is to initialize the system into execution environment suitable for the operating system. This task is getting more complex over the years, since x86 hardware evolves quite significantly. It’s one of the most dynamic computing platform on earth. Introduction of new chipsets happens once in 3 or at least 6 month. This event introduces a new code base for the silicon support routine within the BIOS. Nevertheless, the overall architecture of the BIOS is changing very slowly and the basic principle of the code inside the BIOS is preserved over generations of its code. However, there has been a quite significant change in the BIOS scene in the last few years, with the introduction of EFI (extensible Firmware Interface) by several major hardware vendors and with the growth in OpenBIOS project. With these advances in BIOS technology, it’s even getting more important to know systematically what lays within the BIOS.

In this book, the term BIOS has a much broader meaning than only motherboard BIOS, which is familiar to most of the reader. It also means the expansion ROM. The latter term is the official term used to refer to the firmware in the expansion cards within the PC, be it ISA, PCI or PCI Express.
So, what can you expect after reading this book? Understanding the BIOS will open a new frontier. You will be able to grasp how exactly the PC hardware works in its lowest level. Understanding contemporary BIOS will reveal the implementation of the latest bus protocol technology, i.e. HyperTransport and PCI-Express. In the software engineering front, you will be able to appreciate the application of compression technology in the BIOS. The most important of all, you will be able to carry out reverse engineering using advanced techniques and tools. You will be able to use the powerful IDA Pro disassembler efficiently. Some reader with advanced knowledge in hardware and software might even want to “borrow” some of the algorithm within the BIOS for their own purposes. In short, you will be on the same level as other BIOS code-diggers.

This book also presents a generic approach to PCI expansion ROM development using the widely available GNU tools. There will be no more myth in the BIOS and everyone will be able to learn from this state-of-the-art software technology for their own benefits.

Deobfuscation of Packed and Virtulazation-Obfuscated Protected Binaries

Kevin Patrick Coogan — Sun, 04 Mar 2012 01:40:17 -0600

Code obfuscation techniques are increasingly being used in software for such reasons as protecting trade secret algorithms from competitors and deterring license tampering by those wishing to use the software for free. However, these techniques have also grown in popularity in less legitimate areas, such as protecting malware from detection and reverse engineering. This work examines two such techniques – packing and virtualization-obfuscation –and presents new behavioral approaches to analysis that may be relevant to security analysts whose job it is to defend against malicious code. These approaches are robust against variations in obfuscation algorithms, such as changing encryption keys or virtual instruction byte code.

Packing refers to the process of encrypting or compressing an executable file. This process “scrambles” the bytes of the executable so that byte-signature matching algorithms commonly used by anti-virus programs are ineffective. Standard static analysis techniques are similarly ineffective since the actual byte code of the program is hidden until after the program is executed. Dynamic analysis approaches exist, but are vulnerable to dynamic defenses. We detail a static analysis technique that starts by identifying the code used to “unpack” the executable, then uses this unpacker to generate the unpacked code in a form suitable for static analysis. Results show we are able to correctly unpack several encrypted and compressed malware, while still handling several dynamic defenses.

Virtualization-obfuscation is a technique that translates the original program into virtual instructions, then builds a customized virtual machine for these instructions. As with packing, the byte-signature of the original program is destroyed. Furthermore, static analysis of the obfuscated program reveals only the structure of the virtual machine, and dynamic analysis produces a dynamic trace where original program instructions are intermixed, and often indistinguishable from, virtual machine instructions. We present a dynamic analysis approach whereby all instructions that affect the external behavior of the program are identified, thus building an approximation of the original program that is observationally equivalent. We achieve good results at both identifying instructions from the original program, as well as eliminating instructions known to be part of the virtual machine.

ImmSoftice 0.1

Deroko — Sun, 04 Mar 2012 01:37:33 -0600

Who has ever used SoftICE will, and probably still finds OllyDbg and ImmunityDebugger key mapping confusing. Guess what, I'm one of them. For Olly we have Crudd[RET] modification which has SoftICE keys, and I'm using this Olly version for a long long loooooong time with some custom patches. Recently, at CodeGate 2012 we had to use ImmunityDebugger for a some challange, and I found it very very veeeeeeery annoying to use default keys there, so I wrote this plugin which will map SoftICE keys to ImmunityDebugger so this debugger can be used by users which are used to SoftICE keys (and also WinDbg keys).

Hope SoftICE and WinDbg users will find it useful...

Kao’s “Toy Project” and Algebraic Cryptanalysis

Dcoder — Sun, 04 Mar 2012 01:32:34 -0600

In “Toy Project” Kao presents us with a tiny, yet perverse, piece of code to reverse. Given two 32-byte strings A and B, and the 32-bit integers x and y that were used to produce B from A with the following function:

void expand(u8 B[32], const u8 A[32], u32 x, u32 y) 

{ 

  u32 i; 

  for(i=0; i < 32; ++i) 

  { 



    out[i] = (in[i] -x) ^ y; 

    x = ROL(x, 1); 

    y = ROL(y, 1); 

  } 

}

Simple enough. How do we solve it?

RemoveCriticality 0.2

Waliedassar — Sun, 04 Mar 2012 01:30:51 -0600

An OllyDbg plugin that allows malware analysts to safely debug processes that call the "RtlSetProcessIsCritical" function.

Calculator 0.1

Waliedassar — Wed, 22 Feb 2012 08:03:48 -0600

Fast access to Windows Calculator from OllyDbg, just press Alt+F11.

Tested with OllyDbg v1.10 on XP SP2 and Windows 7.

AttachTo 0.1

Waliedassar — Wed, 22 Feb 2012 07:57:16 -0600

Processes with manipulated PEB.LoaderData don't show in the OllyDbg "Select process to attach" dialogue box.

The plugin first checks for the integrity of the target process's _PEB_LDR_DATA structure. If a manipulated structure is detected, the plugin tries to create a new typical one.

ICanAttach 0.2

Waliedassar — Wed, 22 Feb 2012 07:57:11 -0600

This plugin enables you to bypass anti-attach techniques e.g. Hooked DbgUiRemoteBreakin, DbgBreakPoint, and NtContinue functions.

MarkAllAsSystem 0.1

Waliedassar — Wed, 22 Feb 2012 07:55:34 -0600

This tiny OllyDbg plugin marks all loaded DLLs as system.

This is very useful only when tracing over system DLLs in an application with large number of loaded non-system DLLs.

OllyVB 0.1

Waliedassar — Wed, 22 Feb 2012 07:54:20 -0600

A tiny plugin that resolves the "DllFunctionCall" function calls.

StrongOD 0.4.6.816

海风月影 — Tue, 14 Feb 2012 06:12:32 -0600

Make your OllyDbg Strong!

This plug-in provides three kinds of ways to initiate the process:

1, Normal - And the same manner as the original start, the STARTUPINFO inside unclean data
2, CreateAsUser - User with a mandate to initiate the process of the user, so that the process running under the purview of the User, unable to establish the process Admin operation.

Running is such a need in the local security strategy - the user rights assignment inside your users will join the two powers:

1, the replacement process-level marks (SeAssignPrimaryTokenPrivilege)
2, the operating system mode operations (SeTcbPrivilege)

If the home version of the windows, unable to set up, then you can try to use SuperMode and reopen the OD to upgrade the competence and strongly does not recommend the use of this option

3, CreateAsRestrict - The second option the user with User authority to initiate the process more restricted areas, and increase the third function to a explicit Admin users to initiate proceedings.

The procedure is initiated Admin user, but power users only some of the default User authority, all authority to delete some risk (including SeDebugPrivilege, SeLoadDriverPrivilege, etc.), this procedure will not run OD cause great harm. In this way the proposed commencement of the proceedings.

PC Guard 5.07 (Unpacking)

PassingThrough — Tue, 14 Feb 2012 06:05:02 -0600

A video tutorial showing a method of unpacking PC Guard 5.07 on Windows XP.

VirusTotal v0.1

Elias Bachaalany — Tue, 14 Feb 2012 05:52:06 -0600

A VirusTotal reporting and file submission plugin for IDA Pro. The plugin will allow you to get reports from VirusTotal based on the input file MD5 or a file of your choice. The plugin will offer to upload the file if the file was not analyzed before.

DetachMe 0.1

Waliedassar — Wed, 08 Feb 2012 06:44:47 -0600

One of the new interesting features of OllyDbg v2.0 is the "Detach" functionality, which enables you to detach debuggees from OllyDbg at anytime and let them run freely outside control of OllyDbg.

Unfortunately, OllyDbg v1.10, the widely used version, lacks this features. Pedram Amini has created a nice plugin to fill this gap, but it does not satisfy my needs, though.

Pedram's plugin only works on debuggees in the running mode. It does not work on debuggees in the suspended mode. In addition, debugees will crash if software breakpoints are left.

This pushed me to create a new OllyDbg v1.10 plugin, in which i tried to create a similar functionality to the one in version 2.0.

Features introduced in my plugin:

1) Disabling user's software and hardware breakpoints without affecting the corresponding .udd files.
2) Detaching debuggees in the suspended mode.

Ariadne Optimizer 0.1 (OllyDbg)

Group-IB — Tue, 07 Feb 2012 08:47:15 -0600

The Ariadne framework makes it possible for anyone who is involved in reverse engineering to save a time when reversing a code or creating new products. Using Ariadne, you can read and modify executable files, disassemble them, and even decompile a part of the code into the intermediate representation (Ariadne IR). Of course, with Ariadne you can not only read disassembled or decompiled instructions, but also modify them. Moreover, modifications can be saved into the source executable file without using any additional tools. But that's not all! Ariadne has a series of original code trace optimization strategies built-in, which can make your life a lot easier when working with obfuscated code. The Ariadne framework was initially developed for easy use in your own programs. The range of Ariadne applications is broad – from software analysis with complex obfuscation to programs that provide obfuscation and software protection.

Ariadne key features:

* PE parser
- Makes it possible PE format analyzing and modifying
- Supports modifications saving into PE-file

* Ariadne Intelligent Disassembler (AID). Based on open-source Mediana disassembler
- GP, FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, SSE4a, VMX, SMX support
- Provides good code coverage of the PE-file without debugging information (the technology is based on heuristics rather than on signatures)
- Supports MAP-files
- Recognizes switch tables and other entry points including Borland initialization and other tables during smart analysis
- Splits code into basic blocks
- Allows database saving/loading
- Supports modifications saving into PE-file

* Ariadne Intermediate Representation (AIR) language
- Supports assembler instructions translation into IR
- Allows IR instructions modifying
- Optimized to create obfuscation and deobfuscation strategies
- Contains code tracing mechanisms
- Contains built-in trace deobfuscation: (AIR Wave Deobfuscation Technology)
- Supports IR instructions emulation
- Supports IR-project (AIR database) saving and loading
- Supports translation from IR into binary code

Most of the products which disassemble and analyze PE-files require a lot of RAM. In some cases they crash due to lack of memory. In Ariadne, this problem is solved thanks to its own memory manager. When RAM becomes insufficient, the framework creates its own swap file on the computer's hard disk.

Ariadne Optimizer 0.1 (IDA)

Group-IB — Tue, 07 Feb 2012 08:45:07 -0600

Ariadne Optimizer 0.1 (Immunity)

Group-IB — Tue, 07 Feb 2012 08:34:19 -0600

ODBGPluginConv 0.1b

Thunder — Tue, 07 Feb 2012 08:31:10 -0600

A utility to convert our OllyDbg plugins to use them on any modified version thereof

Features:

-Automatic plugin conversion
-Supported versions: OllyDbg, Defixed, SND, RAMODBG, diablo2oo2, Shadow, ICE, CiM.
-Advanced plugin conversion
-Change imports and exports names manually
-Integrated hexa-editor

Armadillo - ECDSA Patching

Mr. eXoDia — Sat, 04 Feb 2012 21:43:51 -0600

I had a lot of free time to spend and therefore I created a full tutorial about Armadillo ECDSA Public Parameter replacing. I will start from the beginning and put hardware breakpoints and stuff to show you the time-consuming process which reversing can be.

Tutorial includes an UnPackMe, the text file so you can try stuff yourself and a few useful tools (source available on request).