
View Full Version : Plugin OllyDbg : FullDisasm


BeatriX
June 27th, 2007, 15:59
Hi,

Here is a small plugin for OllyDbg 1.10 which allows you to replace the old disassembly routine used in OllyDbg with a more recent one (BeaEngine). With this plugin, you can now debug MMX, FPU, SSE, SSE2, SSE3 and SSSE3 code without problems. Example:

Without FullDisasm:

http://binary-reverser.org/tools/FullDisasm/FullDisasm1.jpg

With FullDisasm (press Ctrl+W):

http://binary-reverser.org/tools/FullDisasm/FullDisasm2.jpg

With FullDisasm (press Ctrl+X):

http://binary-reverser.org/tools/FullDisasm/FullDisasm3.jpg


http://binary-reverser.org/tools/FullDisasm/FullDisasm.dll

Kayaker
June 27th, 2007, 16:24
Thank you BeatriX,

If it's all right with you, I'd like to add it to the OllyStuph page. It can be updated any time you wish.

Regards,
Kayaker

BeatriX
June 27th, 2007, 16:27
ok, you can add it thanks.

Shub-nigurrath
June 28th, 2007, 02:14
Excellent work. Can I ask for a minor adjustment? An option to show the disassembled code in all caps, like Olly normally does.

FoxB
June 28th, 2007, 03:57
Thu Jun 28 15:27:47 2007 HTTP/1.1 404 Not Found for the first link.

try http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm.dll

lcx2005
June 28th, 2007, 04:37
Quote:
[Originally Posted by FoxB;66731]Thu Jun 28 15:27:47 2007 HTTP/1.1 404 Not Found for the first link.

try http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm.dll

Both are working for me, but when I use Opera 8.53 the dll changes to exe; in IE it stays dll.

Polaris
June 28th, 2007, 06:19
Good job, really a nice plugin!

BeatriX
June 28th, 2007, 06:43
Thanks. I have added the option Shub-nigurrath asked for. You can now have the disasm in upper case. FullDisasm just generates a small file named FullDisasm.txt to save this parameter (0 = lowercase and 1 = uppercase).

lcx2005
June 29th, 2007, 06:14
Thanx for the update.

countryman
July 2nd, 2007, 02:07
It's a really good plug-in.
Thanks a lot...
God bless you!!!

blabberer
July 2nd, 2007, 12:24
nice plugin there BeatriX

BeatriX
July 5th, 2007, 05:46
Thanks. Here is an updated version with two new options:
1) You can now use a tabulation between mnemonic and arguments (thanks to AvOid for the idea).
2) You can see in the right window (with registers) information about the technologies supported by your processor.

FullDisasm 1.4:

http://binary-reverser.org/tools/FullDisasm/FullDisasm.dll

BeatriX
July 6th, 2007, 15:40
New update. Here is the 1.5 version.

1) FullDisasm is now able to disassemble SSE4.1 and SSE4.2.
2) FullDisasm allows the use of 2 new syntaxes: NASM and GOASM.
3) For those two syntaxes, FullDisasm can display numbers in 2 formats: C style and asm style -> 0x1234 or 1234h.

Examples:

Code:
OllyDbg MASM32 Syntax :

00401000 PUSH TEST.004016EE
00401005 PUSH DWORD PTR FS:[0]
0040100C MOV DWORD PTR FS:[0], ESP
00401013 PUSH TEST.0041531A
00401018 CALL <JMP.&kernel32.LoadLibraryA>

FullDisasm MASM32 Syntax :

00401000 push 4016EEh
00401005 push dword ptr fs:[0h]
0040100C mov dword ptr fs:[0h], esp
00401013 push 41531Ah
00401018 call 413228h

FullDisasm NASM Syntax :

00401000 push 4016EEh
00401005 push dword [fs:0h]
0040100C mov dword [fs:0h], esp
00401013 push 41531Ah
00401018 call 413228h

FullDisasm NASM Syntax + C style numbers :

00401000 push 0x4016EE
00401005 push dword [fs:0x0]
0040100C mov dword [fs:0x0], esp
00401013 push 0x41531A
00401018 call 0x413228

FullDisasm GOASM Syntax :

00401000 push 4016EEh
00401005 push d fs:[0h]
0040100C mov d fs:[0h], esp
00401013 push 41531Ah
00401018 call 413228h

FullDisasm GOASM Syntax + C style numbers :

00401000 push 0x4016EE
00401005 push d fs:[0x0]
0040100C mov d fs:[0x0], esp
00401013 push 0x41531A
00401018 call 0x413228


http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm.dll
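
The five listing lines above, rendered by a small Python formatter added here as an illustration (not the plugin's or BeaEngine's code). It reproduces the MASM32, NASM and GOASM spellings and the asm-style (1234h) versus C-style (0x1234) numbers; it also applies the usual assembler rule that a hex literal starting with a letter gets a leading 0 (0FFFFFFFFh), which the listing does not happen to exercise, and the GOASM size letters other than d are extrapolated from its single-letter convention.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

SIZE_WORDS = {1: "byte", 2: "word", 4: "dword", 8: "qword"}

@dataclass(frozen=True)
class Imm:
    value: int

@dataclass(frozen=True)
class Mem:
    size: int                      # operand size in bytes
    disp: int                      # displacement
    segment: Optional[str] = None  # segment override such as "fs"

def fmt_hex(value: int, c_style: bool) -> str:
    """C style: 0x4016EE. Asm style: 4016EEh, with a leading 0 when the first
    digit is a letter so an assembler does not read it as a label (0FFFFFFFFh)."""
    digits = format(value, "X")
    if c_style:
        return "0x" + digits
    return ("0" + digits if digits[0].isalpha() else digits) + "h"

def fmt_operand(op, syntax: str, c_style: bool) -> str:
    """op is an Imm, a Mem, or a register name given as a plain string."""
    if isinstance(op, str):
        return op
    if isinstance(op, Imm):
        return fmt_hex(op.value, c_style)
    size, disp = SIZE_WORDS[op.size], fmt_hex(op.disp, c_style)
    seg = f"{op.segment}:" if op.segment else ""
    if syntax == "MASM":    # dword ptr fs:[0h]
        return f"{size} ptr {seg}[{disp}]"
    if syntax == "NASM":    # dword [fs:0h]  (segment goes inside the brackets)
        return f"{size} [{seg}{disp}]"
    if syntax == "GOASM":   # d fs:[0h]  (single-letter size indicator)
        return f"{size[0]} {seg}[{disp}]"
    raise ValueError(f"unknown syntax {syntax!r}")

def render(addr: int, mnemonic: str, operands: Tuple, syntax: str, c_style: bool) -> str:
    args = ", ".join(fmt_operand(o, syntax, c_style) for o in operands)
    return f"{addr:08X} {mnemonic} {args}".rstrip()

# Constructed from the five instructions in the listing above.
LISTING = [
    (0x401000, "push", (Imm(0x4016EE),)),
    (0x401005, "push", (Mem(4, 0, "fs"),)),
    (0x40100C, "mov", (Mem(4, 0, "fs"), "esp")),
    (0x401013, "push", (Imm(0x41531A),)),
    (0x401018, "call", (Imm(0x413228),)),
]

def render_listing(syntax: str, c_style: bool = False) -> list:
    """The whole listing in one syntax, e.g. render_listing("NASM", c_style=True)."""
    return [render(a, m, ops, syntax, c_style) for a, m, ops in LISTING]
```

Note that `call 413228h` is the raw target: resolving it to `<JMP.&kernel32.LoadLibraryA>` as OllyDbg does is symbol lookup, not disassembly.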

Kayaker
July 9th, 2007, 17:02
Hi

I found a bit of an "issue" with the plugin. Any breakpoint you set is interpreted and displayed as an "INT3", instead of showing the underlying instruction as Olly normally does. Toggle the bp off and the proper disassembly returns, toggle the bp back on and the plugin corrupts the disasm by showing the hidden 0xCC.

Now, this may be by design or by nature, it doesn't really matter. The problem is that the effect is present whether the plugin is being used or not, simply being loaded from the plugin directory is enough for it to be making these overt changes.

I don't see anything in ODBG_Plugininit that might be causing that, but if the plugin isn't being used it shouldn't be having such an effect on the display. Just thought I'd mention that.

Regards,
Kayaker

BeatriX
July 10th, 2007, 03:38
Thanks Kayaker. You are right, in the last versions (1.4 - 1.5), I use my own buffer filled with ReadProcessMemory to catch the code to analyze instead of using OllyDbg's buffer. This is the reason for such trouble. I have fixed this problem in version 1.53.
By the way, displaying int3 is the natural behavior of the disassembly engine and not a feature I wanted to "exploit".

http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm.dll

Information
August 1st, 2007, 02:32
Please use OD's imagebase + RVA to hook OD's functions; some home-made ODs have their own imagebase.

BeatriX
August 1st, 2007, 07:34
Huhu.. ok. It is fixed now in the 1.6 version:

http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm.dll

Information
August 1st, 2007, 21:46
Hi, great Beatrix,
thanks for your quick reply.

It seems you forgot to change several addresses:
_ODBG_Plu> 68 49928101 PUSH 1819249H ; ASCII "FullDisasm 1.6 (using BeaEngine) - FRET 2007"
017F104D 6A 00 PUSH 0H
017F104F E8 03060000 CALL 17F1657H
017F1054 68 76928101 PUSH 1819276H ; ASCII " Written by BeatriX (FRET) - copyright 2007"
017F1059 6A FF PUSH 0FFFFFFFFH
017F105B E8 F7050000 CALL 17F1657H
017F1060 E8 930A0000 CALL 17F1AF8H
017F1065 68 F6908101 PUSH 18190F6H
017F106A 6A 04 PUSH 4H
017F106C 68 00F00A00 PUSH 0AF000H
017F1071 68 00104000 PUSH 401000H // should be imagebase+0x1000, same in restore proc
017F1076 E8 296B0200 CALL 1817BA4H

After the fix, it still crashes, call 429b31, which seems to be another hard-coded address. You can rebase your OD with any PE tool and do the test.
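
The check Information did by hand on the listing above, as an added Python example (not FullDisasm's code): flag every immediate that points into OllyDbg's default image, report it as imagebase + RVA, and show what it becomes once OD is rebased. DEFAULT_BASE, IMAGE_SIZE and the listing lines are constructed for the example; a real plugin would take the base from GetModuleHandle(NULL) and the size from the PE header.

```python
import re
from typing import List, Tuple

# OllyDbg 1.10's usual load address and an assumed size for its image. Both
# are constructed for this example: a plugin should take the base from
# GetModuleHandle(NULL) and the size from the PE optional header.
DEFAULT_BASE = 0x400000
IMAGE_SIZE = 0x100000

# MASM-style hex immediates as OllyDbg prints them: optional leading 0
# (0AF000H, 0FFFFFFFFH), hex digits, trailing H. Requiring the H keeps the
# address and opcode-byte columns from matching.
HEX_IMM = re.compile(r"\b0?([0-9A-F]{1,8})H\b")

def in_default_image(value: int) -> bool:
    return DEFAULT_BASE <= value < DEFAULT_BASE + IMAGE_SIZE

def find_hardcoded(listing: List[str]) -> List[Tuple[str, int, int]]:
    """(line address, immediate, RVA) for every immediate that points into
    the default image, i.e. a value that is wrong once OD is rebased.
    Text after ';' or '//' is dropped so comments are not scanned."""
    hits = []
    for line in listing:
        code = re.split(r";|//", line, maxsplit=1)[0]
        parts = code.split()
        line_addr = parts[0] if parts else ""
        for m in HEX_IMM.finditer(code):
            value = int(m.group(1), 16)
            if in_default_image(value):
                hits.append((line_addr, value, value - DEFAULT_BASE))
    return hits

def rebase(value: int, actual_base: int) -> int:
    """Keep the RVA, swap the base: what the plugin should compute at init
    instead of embedding the 0x40xxxx address in its code."""
    return actual_base + (value - DEFAULT_BASE)

def report(listing: List[str], actual_base: int) -> List[str]:
    """One readable line per offending immediate, with its rebased value."""
    return [f"{addr}: {val:X}H is imagebase+0x{rva:X} -> {rebase(val, actual_base):X}H"
            for addr, val, rva in find_hardcoded(listing)]

# Constructed from the listing quoted above; the last line stands in for the
# "call 429b31" the poster mentions in prose (constructed, no opcode bytes).
LISTING = [
    "017F1065 68 F6908101 PUSH 18190F6H",
    "017F106A 6A 04 PUSH 4H",
    "017F106C 68 00F00A00 PUSH 0AF000H",
    "017F1071 68 00104000 PUSH 401000H // should be imagebase+0x1000, same in restore proc",
    "017F1076 E8 296B0200 CALL 1817BA4H",
    "017F1090 CALL 429B31H ; constructed stand-in",
]
```

`report(LISTING, 0x1000000)` shows the two addresses as they would need to read with OllyDbg rebased at 0x1000000.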

BeatriX
August 2nd, 2007, 04:30
Ha sorry! Here is another correction, version 1.61

http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm.dll

You say I can rebase OD easily to test my dll but I can't succeed in that task. First, TLS must be modified and there are a lot of hardcoded addresses in the OD code. You can't rebase OllyDbg only by modifying ImageBase... Do you use a homemade tool to do that?

blabberer
August 2nd, 2007, 11:11
Beatrix, rebasing can be accomplished with editbin (edit bin in masm32, Hutch's package); it is simply a wrapper for passing arguments to link.exe.

This post might help you (I've rebased a few but never tried rebasing OllyDbg). Also the loaddll might not work properly if OD is rebased (I think I saw such a comment in the loaddll source by Oleh).

Also I'm not sure if OD has reloc tables intact (I'll check later, not possible atm); if the reloc section is intact, rebasing the exe is easy.

http://www.woodmann.com/forum/showpost.php?p=56898&postcount=4

full thread
http://www.woodmann.com/forum/showthread.php?t=8865&highlight=rebase

BeatriX
August 2nd, 2007, 14:56
Ok great. Thanks blabberer. It is working perfectly. So now, I can say FullDisasm 1.61 is stable and works with an OllyDbg version rebased at 0x1000000.

Information
August 2nd, 2007, 22:43
Good, it works now, thank you! An option to auto-replace OD's disassemble function would be good (e.g., after loading a file, disassemble with this plugin automatically).

BeatriX
August 3rd, 2007, 11:07
The 1.62 version automatically saves the disassembly engine used (OllyDbg engine, FullDisasm engine (global mode) or FullDisasm engine (local mode)) and restores it each time you run OllyDbg.

FullDisasm 1.62:

http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm.dll

blabberer
August 3rd, 2007, 11:28
No problem Beatrix.
BTW, did you confirm if loaddll works well too, by loading a dll for debugging?

BeatriX
August 3rd, 2007, 13:44
Yes, I have no problem with loaddll if OllyDbg is rebased at 0x1000000.

BeatriX
August 5th, 2007, 14:48
It is me again. I have fixed a bug on the opcode 83h (thanks to Yolejedi) and I have compiled the plugin for Immunity Debugger 1.00.

FullDisasm 1.63:
http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm_OllyDbg.zip
http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm_ImmDbg.zip

Polaris
August 6th, 2007, 00:34
Thanks for the update Beatrix. Seeing also the immunity-debugger version is quite refreshing, as I was afraid they did change Olly's internal plugin architecture.

Keep up the good job!

BeatriX
October 25th, 2007, 00:50
New update for ImmDbg.

ImmDbg is updated regularly and "unfortunately", FullDisasm uses hardcoded addresses to hook some important functions. Until the 1.2 ImmDbg version, there was no problem using this method. Version 1.2 has been deeply changed from the previous versions and so the usage of hardcoded addresses is no longer the right way.

FullDisasm 1.7 uses a new method to patch the needed routines in the .text section of ImmDbg. It uses signature recognition, scanning the code during initialization. If the ImmDbg staff don't use a different compiler to build the next versions of ImmDbg, I "think" it is a quite stable method. For the moment, version 1.7 works under versions 1.00, 1.01 and 1.2 of ImmDbg.

FullDisasm 1.7 for ImmDbg 1.xx:

http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm_ImmDbg.zip
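
An added Python sketch of the signature approach described above (not FullDisasm's own code): a byte pattern with ?? wildcards over the bytes that move between builds, and a locate step that refuses to patch unless the pattern matches exactly once. The two .text snippets and both signatures are constructed for the example.

```python
from typing import List, Optional, Sequence

def parse_signature(text: str) -> List[Optional[int]]:
    """'E8 ?? ?? ?? ?? 5D' -> [0xE8, None, None, None, None, 0x5D];
    None marks a byte that is allowed to differ between builds."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def scan(code: bytes, sig: Sequence[Optional[int]]) -> List[int]:
    """Every offset in `code` where `sig` matches (wildcards match anything)."""
    n = len(sig)
    return [
        off for off in range(len(code) - n + 1)
        if all(s is None or code[off + i] == s for i, s in enumerate(sig))
    ]

def locate_hook(code: bytes, sig_text: str) -> Optional[int]:
    """Offset of the routine to patch, or None when the signature is absent
    or ambiguous. A build change that breaks the pattern then fails loudly
    at init instead of patching a wrong address."""
    hits = scan(code, parse_signature(sig_text))
    return hits[0] if len(hits) == 1 else None

# Constructed stand-ins for one routine in two builds of the host debugger:
# same opcodes, but the relative call displacement (E8 xx xx xx xx) differs.
ROUTINE_V1 = bytes.fromhex("55 8B EC 6A 04 68 00 F0 0A 00 E8 29 6B 02 00 5D C3")
ROUTINE_V2 = bytes.fromhex("55 8B EC 6A 04 68 00 F0 0A 00 E8 11 22 33 00 5D C3")
FILLER = bytes.fromhex("90 90 CC CC 90")          # padding / int3 alignment
TEXT_V1 = FILLER + ROUTINE_V1 + FILLER * 3       # routine at offset 5
TEXT_V2 = FILLER * 4 + ROUTINE_V2 + FILLER       # routine at offset 20

# Exact bytes pin the signature to one build; wildcards over the displacement
# survive a relink as long as the compiler emits the same code.
SIG_EXACT = "6A 04 68 00 F0 0A 00 E8 29 6B 02 00"
SIG_WILD = "6A 04 68 00 F0 0A 00 E8 ?? ?? ?? ??"

if __name__ == "__main__":
    for name, text in (("v1", TEXT_V1), ("v2", TEXT_V2)):
        print(name, "exact:", locate_hook(text, SIG_EXACT),
              "wildcard:", locate_hook(text, SIG_WILD))
    # Two copies of the routine -> ambiguous -> refuse to patch.
    print("ambiguous:", locate_hook(TEXT_V1 + TEXT_V1, SIG_WILD))
```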

dELTA
October 25th, 2007, 02:11
Thanks for the update.

skippyVonDrake
November 12th, 2007, 13:29
Beatrix, I'm using FullDisasm_OllyDbg_v1.63 and noticed the following while editing in Olly.
In the code below I selected the middle 2 lines and edited them.
0040100C 90 nop
0040100D 31DB xor ebx, ebx
0040100F 90 nop
00401010 9C pushfd
I replaced the 3 bytes with: 0F AE F9
And the result disassembled to:
0040100C 90 nop
0040100D 0FAE sfenceecx, edi ; Unknown command
00401010 9C pushfd
It looks right except I no longer see the new byte at 0040100F (F9).
If I select the lines again to edit them, it is visible within the edit box.
Is this some display bug?
BTW, thanks for the plugin. It is much needed by me.

BeatriX
November 13th, 2007, 10:52
0040100D 0FAE sfenceecx, edi ; Unknown command

First of all, we shouldn't see the "ecx, edi" arguments because there is no argument for this instruction. So, this is a small bug, I am going to fix it quickly.

For the byte F9 located at 40100D, it is "normal" that you don't see it in the disassembly window because it is the mod/rm of "sfence". FullDisasm, for the moment, just displays instructions and doesn't modify the 2nd column. In fact, we should see this:

0040100D 0FAEF9 sfence
00401010 9C pushfd

I am going to improve that point; I must admit it could be a source of confusion.
Thanks for the report.

BeatriX
November 14th, 2007, 16:52
It's me again. Here are the plugins with the improvements announced in the previous post.

FullDisasm 1.70 for OllyDbg 1.10:

http://reverseengineering.free.fr/tools/FullDisasm/FullDisasm_OllyDbg.zip

FullDisasm 1.71 for ImmDbg 1.xx:

http://reverseengineering.free.fr/tools/FullDisasm/FullDisasm_ImmDbg.zip

JMI
November 14th, 2007, 18:02
And our continuing appreciation for your ongoing efforts and for sharing them with our members.

Regards,

skippyVonDrake
November 15th, 2007, 09:14
Works great! Thanks for the speedy update, Beatrix.

BeatriX
February 11th, 2009, 15:51
FullDisasm 2.0 is released. This version is able to decode undocumented instructions called 'aliases' by Christian Ludloff (usually used by malicious code).
For fun, you can also display instructions with the GNU Assembler syntax (AT&T).

FullDisasm 2.0:

http://beatrix2004.free.fr/FullDisasm/FullDisasm_ImmDbg.zip
http://beatrix2004.free.fr/FullDisasm/FullDisasm_OllyDbg.zip

http://beatrix2004.free.fr/FullDisasm/immunity.png

JMI
February 11th, 2009, 16:11
And thanks again for sharing with our community.

Regards,

BeatriX
February 12th, 2009, 11:51
Gloups... there was a small bug in the OllyDbg plugin (something stupid!) (thanks to our Russian friends for the remark on cracklab.ru). It is ok now.

RaMMicHaeL
April 19th, 2009, 11:56
Great plugin, thanks!

I found a bug, though.
It crashes on a DEP-enabled system.
That's because the second call of VirtualProtect does not work - the last parameter cannot be zero.

BeatriX
April 20th, 2009, 15:35
Thanks for the encouragement and the bugfix. Is it working with this version?

http://beatrix2004.free.fr/FullDisasm/FullDisasm.zip

RaMMicHaeL
April 21st, 2009, 11:48
Yes, you fixed it.

A feature request:
Fix the cursor position.
For example, look at the following commands:
Code:
00401050 > $ 51 push ecx
00401051 . F3: movq xmm0 , qword ptr [eax]
00401055 . 8B40 08 mov eax , dword ptr [eax+08h]


OllyDbg sees that as the following:
Code:
00401050 > $ 51 PUSH ECX
00401051 . F3: PREFIX REP: ; Superfluous prefix
00401052 . 0F7E00 MOVD DWORD PTR [EAX],MM0
00401055 . 8B40 08 MOV EAX,DWORD PTR [EAX+8]


And when you click on mov eax , dword ptr [eax+08h], movq xmm0 , qword ptr [eax] is selected.
Perhaps you could do that by modifying the opcodes table (I guess OllyDbg has one) of OllyDbg.

Thanks

+ I've just noticed the bytes 0F7E00 disappear. Another thing for you to fix.

BeatriX
April 22nd, 2009, 08:17
Ok ok, you are right, the "cursor position bug" is quite annoying but I must admit I have seen it for a long time and... was just waiting for someone to complain about it. So, I think I have fixed these two bugs (only for OllyDbg for the moment):

http://beatrix2004.free.fr/FullDisasm/FullDisasm_OllyDbg.zip

Tell me if it is ok for you.

RaMMicHaeL
April 22nd, 2009, 11:45
It crashes on _Readmemory

Parameters:
Code:
CPU Stack
Address Value ASCII Comments
0012A79C \0046138B ; RETURN from OLLYDBG.004A3530 to OLLYDBG._Readmemory+7F
0012A7A0 /041F81F5 ; Arg1 = FullDisasm.41F81F5
0012A7A4 |00CC2D18 ; Arg2 = 0CC2D18
0012A7A8 |0000D000 ; Arg3 = 0D000


Error:
Quote:
Access violation when writing to [041FD000] - Shift+Run/Step to pass exception to the program

BeatriX
April 22nd, 2009, 15:49
Hu.. what is the target you debug with OllyDbg? I had never seen such block sizes (0D000h)! I think it is ok now:

http://beatrix2004.free.fr/FullDisasm/FullDisasm_OllyDbg.zip

RaMMicHaeL
April 23rd, 2009, 02:59
Now it works.

And the cursor position works correctly, but only if the target is not analyzed.
Otherwise OllyDbg treats the unknown commands as data, and the bug persists.

RaMMicHaeL
May 22nd, 2009, 14:30
OK, seems like there's a serious problem with the latest version you've posted.
Analysis of code takes forever - OllyDbg just hangs.

I don't think it behaved like this with the previous version, but I cannot check it, as you replaced the previous version with the latest one.

Cheers.

BeatriX
May 23rd, 2009, 08:03
Ok. I have just uploaded the previous stable version, from before the last modifications. If you can, tell me more about the trouble (target?).
Last stable version:
http://beatrix2004.free.fr/FullDisasm/FullDisasm_OllyDbg.zip

Last beta version:

http://beatrix2004.free.fr/FullDisasm/FullDisasm_OllyDbg_beta.zip

RaMMicHaeL
May 23rd, 2009, 14:22
I was right, the trouble is with beta version only.

With the stable version:
The speed of analysis is standard, no problems.

With the beta version:
kernel32.dll analysis takes about a minute.
ntdll.dll - it just hangs, and doesn't seem to complete anytime soon.

OS: Windows Vista, Seven.

BeatriX
May 6th, 2010, 16:37
FullDisasm 3.0 is out (using BeaEngine 4).
Last version:

http://www.beaengine.org/downloads/FullDisasm_OllyDbg.zip
http://www.beaengine.org/downloads/FullDisasm_ImmDbg.zip

Silkut
May 8th, 2010, 15:12
Thanks for sharing and updating the CRCETL Bea,

changelog:

Code:
1. [new] : BeaEngine is now a cross-platform library and it can be compiled by all well-known compilers (thanks to Igor Gutnik)
2. [new] : New Intel AES instruction set has been added (6 instructions : aesdec, aesenc, aesimc, aesdeclast, aesenclast, aeskeygenassist)
3. [new] : New Intel CLMUL instruction has been added (pclmulqdq)
4. [new] : source code is now conformant to ISO C.
5. [new] : new website is hosting the project : http://www.beaengine.org
6. [new] : BeaEngine is now thread-safe. Disasm function is re-entrant (thanks to Nam Nguyen)
7. [new] : BeaEngine is able to disassemble 16-bit targets - useful feature to analyze DOS .com files.

other news

1. [new] : example of a driver using BeaEngine with fasm (thanks to ouadji)
2. [new] : BeaEngine source code has been modified to make it easier to use with Delphi (thanks to vince)
3. [new] : xlat becomes xlatb [thanks to Ange Albertini]
4. [new] : Header + examples for PureBasic coders (thanks to Helle and Mike Yurgalavage)

bug fixes

1. [bug fix] : xor instruction had bad instruction type (thanks to Tim)
2. [bug fix] : typos in the online documentation (thanks to andrewl)
3. [bug fix] : iret did not make the difference between iretd, iretw and iretq [thanks to Ange Albertini]
4. [bug fix] : bad operand size for "in" instruction [thanks to Ange Albertini]
5. [bug fix] : bad operand type for "pinsrw" instruction [thanks to Ange Albertini]
6. [bug fix] : bad operand type for "movupd" instruction [thanks to Ange Albertini]
7. [bug fix] : bad instruction size for Group7 instructions family [thanks to Ange Albertini]
8. [bug fix] : bad interpretation of "invlpga" instruction [thanks to Ange Albertini]
9. [bug fix] : monitor and mwait not identified properly [thanks to Ange Albertini]
10. [bug fix] : troubles with operand size when it was used as a mandatory prefix [thanks to Ange Albertini]
11. [bug fix] : in driver examples, IAT was not located in the right section [thanks to locoDelAssembly (fasm)]
12. [bug fix] : negative immediates were not displayed so as to be immediately usable by assemblers (thanks to 29a metal)