Plugin OllyDbg : FullDisasm
BeatriX
06-27-2007, 03:59 PM
Hi,
Here is a small plugin for OllyDbg 1.10 which allows you to replace the old disassemble routine used in OllyDbg by a more recent one (beaengine). With this plugin, you can now debug MMX, FPU, SSE, SSE2, SSE3 and SSSE3 without problems. Example :
Without FullDisasm :
http://binary-reverser.org/tools/FullDisasm/FullDisasm1.jpg
With FullDisasm : (press Ctrl+W) :
http://binary-reverser.org/tools/FullDisasm/FullDisasm2.jpg
With FullDisasm : (press Ctrl+X)
http://binary-reverser.org/tools/FullDisasm/FullDisasm3.jpg
http://binary-reverser.org/tools/FullDisasm/FullDisasm.dll
Kayaker
06-27-2007, 04:24 PM
Thank you BeatriX,
If it's all right with you, I'd like to add it to the OllyStuph page. It can be updated any time you wish.
Regards,
Kayaker
BeatriX
06-27-2007, 04:27 PM
ok, you can add it

thanks.
Shub-nigurrath
06-28-2007, 02:14 AM
excellent work, can I ask a minor adjustment? An option to insert disassembled code all caps, like normally does Olly..
FoxB
Thu Jun 28 15:27:47 2007 HTTP/1.1 404 Not Found on first place.
try http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm.dll
lcx2005
06-28-2007, 04:37 AM
Quote:
Originally Posted by FoxB
Thu Jun 28 15:27:47 2007 HTTP/1.1 404 Not Found on first place.
try http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm.dll
Both are working for me, but when I use Opera 8.53 the dll changes to exe.

In IE it is a dll.
Polaris
06-28-2007, 06:19 AM
Good job, really a nice plugin!
BeatriX
06-28-2007, 06:43 AM
thanks

I have added the option Shub-nigurrath asked for. You can now have the disasm in upper case. FullDisasm just generates a small file named FullDisasm.txt to save this parameter (0 = lowercase and 1 = uppercase).
lcx2005
06-29-2007, 06:14 AM
Thanx for the update.
countryman
07-02-2007, 02:07 AM
It's really Good plug-in.
thank a lot...
God blessing you!!!
blabberer
07-02-2007, 12:24 PM
nice plugin there BeatriX
BeatriX
07-05-2007, 05:46 AM
thanks

Here is an updated version with two new options :
1 ) You can now use a tabulation between mnemonic and arguments (thanks to AvOid for the idea).
2 ) You can see in the right window (with registers) information about the technologies supported by your processor.
FullDisasm 1.4 :
http://binary-reverser.org/tools/FullDisasm/FullDisasm.dll
BeatriX
07-06-2007, 03:40 PM
New update. Here is the 1.5 version.
1 ) FullDisasm is now able to disassemble SSE4.1 and SSE4.2.
2 ) FullDisasm allows you to use 2 new syntaxes: NASM and GOASM.
3 ) For those two syntaxes, FullDisasm allows you to display numbers in 2 formats: C style and asm style -> 0x1234 or 1234h.
Examples :
Code:
OllyDbg MASM32 Syntax :
00401000 PUSH TEST.004016EE
00401005 PUSH DWORD PTR FS:[0]
0040100C MOV DWORD PTR FS:[0], ESP
00401013 PUSH TEST.0041531A
00401018 CALL
FullDisasm MASM32 Syntax :
00401000 push 4016EEh
00401005 push dword ptr fs:[0h]
0040100C mov dword ptr fs:[0h], esp
00401013 push 41531Ah
00401018 call 413228h
FullDisasm NASM Syntax :
00401000 push 4016EEh
00401005 push dword [fs:0h]
0040100C mov dword [fs:0h], esp
00401013 push 41531Ah
00401018 call 413228h
FullDisasm NASM Syntax + C style numbers :
00401000 push 0x4016EE
00401005 push dword [fs:0x0]
0040100C mov dword [fs:0x0], esp
00401013 push 0x41531A
00401018 call 0x413228
FullDisasm GOASM Syntax :
00401000 push 4016EEh
00401005 push d fs:[0h]
0040100C mov d fs:[0h], esp
00401013 push 41531Ah
00401018 call 413228h
FullDisasm GOASM Syntax + C style numbers :
00401000 push 0x4016EE
00401005 push d fs:[0x0]
0040100C mov d fs:[0x0], esp
00401013 push 0x41531A
00401018 call 0x413228
http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm.dll
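The post above shows the same five instructions rendered in MASM32, NASM and GOASM syntax with asm-style or C-style numbers. The following is an added example, not code from FullDisasm or BeaEngine, that renders a memory operand and an immediate under those six combinations so the differences are explicit: MASM writes `dword ptr fs:[0h]`, NASM moves the segment inside the brackets (`dword [fs:0h]`), GOASM abbreviates the size to one letter (`d fs:[0h]`), and the number style only changes how the displacement or immediate is printed. The enum names, function names and the leading-zero rule for asm-style numbers that begin with a letter (`0FFh`) are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { SYN_MASM, SYN_NASM, SYN_GOASM } syntax_t;
typedef enum { NUM_ASM, NUM_C } numstyle_t;

/* Render a number as "0x1234" (C style) or "1234h" (asm style). Asm style
 * gets a leading 0 when the first hex digit is a letter, as assemblers require. */
void fmt_num(char *out, size_t cap, uint32_t v, numstyle_t ns)
{
    char hex[16];
    snprintf(hex, sizeof hex, "%X", v);
    if (ns == NUM_C)
        snprintf(out, cap, "0x%s", hex);
    else
        snprintf(out, cap, "%s%sh", (hex[0] >= 'A' && hex[0] <= 'F') ? "0" : "", hex);
}

/* Size keyword per syntax for operand widths of 1, 2, 4 and 8 bytes. */
static const char *size_word(int bytes, syntax_t syn)
{
    static const char *longw[] = { "byte", "word", "dword", "qword" };
    static const char *shortw[] = { "b", "w", "d", "q" };
    int idx = bytes == 1 ? 0 : bytes == 2 ? 1 : bytes == 4 ? 2 : 3;
    return syn == SYN_GOASM ? shortw[idx] : longw[idx];
}

/* Render a segment-relative memory operand "seg:[disp]" in the chosen syntax. */
void fmt_mem(char *out, size_t cap, int bytes, const char *seg, uint32_t disp,
             syntax_t syn, numstyle_t ns)
{
    char num[24];
    fmt_num(num, sizeof num, disp, ns);
    switch (syn) {
    case SYN_MASM:  snprintf(out, cap, "%s ptr %s:[%s]", size_word(bytes, syn), seg, num); break;
    case SYN_NASM:  snprintf(out, cap, "%s [%s:%s]", size_word(bytes, syn), seg, num); break;
    case SYN_GOASM: snprintf(out, cap, "%s %s:[%s]", size_word(bytes, syn), seg, num); break;
    }
}

/* The two lines from the thread's listing, rendered in one syntax/number style.
 * Returns a pointer to a static buffer (overwritten on the next call). */
const char *example_lines(syntax_t syn, numstyle_t ns)
{
    static char buf[128];
    char imm[24], mem[48];
    fmt_num(imm, sizeof imm, 0x4016EE, ns);        /* push 4016EEh */
    fmt_mem(mem, sizeof mem, 4, "fs", 0, syn, ns); /* mov dword ptr fs:[0h], esp */
    snprintf(buf, sizeof buf, "push %s\nmov %s, esp", imm, mem);
    return buf;
}

int main(void)
{
    const char *syn_name[] = { "MASM", "NASM", "GOASM" };
    for (int s = SYN_MASM; s <= SYN_GOASM; s++)
        for (int n = NUM_ASM; n <= NUM_C; n++)
            printf("%s, %s numbers:\n%s\n\n", syn_name[s],
                   n == NUM_C ? "C style" : "asm style", example_lines(s, n));
    return 0;
}
```

Extending this to register, SIB and immediate operands is mostly more cases in `fmt_mem`; the point of the example is that the syntax choice is a presentation layer over the decoded instruction, not a different decoding.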
Kayaker
07-09-2007, 05:02 PM
Hi
I found a bit of an "issue" with the plugin. Any breakpoint you set is interpreted and displayed as an "INT3", instead of showing the underlying instruction as Olly normally does. Toggle the bp off and the proper disassembly returns, toggle the bp back on and the plugin corrupts the disasm by showing the hidden 0xCC.
Now, this may be by design or by nature, it doesn't really matter. The problem is that the effect is present whether the plugin is being used or not, simply being loaded from the plugin directory is enough for it to be making these overt changes.
I don't see anything in ODBG_Plugininit that might be causing that, but if the plugin isn't being used it shouldn't be having such an effect on the display. Just thought I'd mention that.
Regards,
Kayaker
BeatriX
07-10-2007, 03:38 AM
Thanks Kayaker. You are right, in the last versions (1.4 - 1.5), I use my own buffer filled with ReadProcessMemory to catch the code to analyze instead of using OllyDbg's buffer. This is the reason for such trouble. I have fixed this problem in version 1.53.
By the way, displaying int3 is a natural behavior from the disassemble engine and not a feature I wanted to "exploit".
http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm.dll
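Kayaker's report and the reply above describe a classic debugger-internals pitfall: a software breakpoint is a 0xCC byte written into the debuggee, so a plugin that reads the target with ReadProcessMemory sees INT3 where the debugger's own code buffer shows the original instruction. The following is an added example, not code from FullDisasm or OllyDbg, that models this with a constructed in-memory "debuggee" (the nop / xor ebx,ebx / nop / pushfd bytes from later in the thread) and a breakpoint table; `read_raw` behaves like ReadProcessMemory and `read_for_disasm` is the breakpoint-aware read a disassembler should be fed. All names, the base address 0x0040100C and the sample bytes are this example's assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define INT3      0xCC
#define MAX_BPS   16
#define CODE_BASE 0x0040100Cu   /* assumed VA of g_debuggee[0] */

/* Constructed stand-in for the debuggee's code: nop / xor ebx,ebx / nop / pushfd / nops. */
static uint8_t g_debuggee[8] = { 0x90, 0x31, 0xDB, 0x90, 0x9C, 0x90, 0x90, 0x90 };

typedef struct { uint32_t va; uint8_t saved; int active; } breakpoint_t;
static breakpoint_t g_bps[MAX_BPS];

static int in_range(uint32_t va)
{
    return va >= CODE_BASE && va < CODE_BASE + (uint32_t)sizeof g_debuggee;
}

/* Plant a software breakpoint: remember the original byte, then write 0xCC. */
int bp_set(uint32_t va)
{
    if (!in_range(va)) return -1;
    for (int i = 0; i < MAX_BPS; i++) {
        if (!g_bps[i].active) {
            g_bps[i].va = va;
            g_bps[i].saved = g_debuggee[va - CODE_BASE];
            g_bps[i].active = 1;
            g_debuggee[va - CODE_BASE] = INT3;
            return 0;
        }
    }
    return -1;
}

/* Remove the breakpoint and restore the hidden byte in the debuggee. */
int bp_clear(uint32_t va)
{
    for (int i = 0; i < MAX_BPS; i++) {
        if (g_bps[i].active && g_bps[i].va == va) {
            g_debuggee[va - CODE_BASE] = g_bps[i].saved;
            g_bps[i].active = 0;
            return 0;
        }
    }
    return -1;
}

/* Raw read (what ReadProcessMemory returns): active breakpoints show up as 0xCC. */
size_t read_raw(uint32_t va, uint8_t *out, size_t n)
{
    size_t got = 0;
    for (; got < n && in_range(va + (uint32_t)got); got++)
        out[got] = g_debuggee[va + (uint32_t)got - CODE_BASE];
    return got;
}

/* Breakpoint-aware read: same bytes, but each active breakpoint inside the
 * window is replaced by the byte it hides, so a disassembler sees real code. */
size_t read_for_disasm(uint32_t va, uint8_t *out, size_t n)
{
    size_t got = read_raw(va, out, n);
    for (int i = 0; i < MAX_BPS; i++) {
        if (g_bps[i].active && g_bps[i].va >= va && g_bps[i].va < va + got)
            out[g_bps[i].va - va] = g_bps[i].saved;
    }
    return got;
}

/* Byte at `va` as seen through either reader; -1 if outside the debuggee. */
int byte_seen(uint32_t va, int breakpoint_aware)
{
    uint8_t b;
    size_t n = breakpoint_aware ? read_for_disasm(va, &b, 1) : read_raw(va, &b, 1);
    return n == 1 ? b : -1;
}

int main(void)
{
    bp_set(0x0040100Du);   /* breakpoint on "xor ebx, ebx" */
    printf("raw read at 0040100D:   %02X (INT3 leaks into the listing)\n", byte_seen(0x0040100Du, 0));
    printf("aware read at 0040100D: %02X (original opcode)\n", byte_seen(0x0040100Du, 1));
    bp_clear(0x0040100Du);
    return 0;
}
```

The same fix-up is what a debugger does before handing bytes to its own disassembler; a plugin that bypasses that buffer has to repeat it itself, and it must do so whether or not the user has activated the plugin, since the display hook is installed as soon as the DLL is loaded.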
Information
08-01-2007, 02:32 AM
Please use OD's imagebase + RVA to hook OD's functions; some home-made ODs have their own imagebase.
BeatriX
08-01-2007, 07:34 AM
huhu..ok. It is fixed now in the 1.6 version :
http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm.dll
Information
08-01-2007, 09:46 PM
hi, great Beatrix,
thanks for your quickly reply.
It seems you forgot to change several addresses:
_ODBG_Plu> 68 49928101 PUSH 1819249H ; ASCII "FullDisasm 1.6 (using BeaEngine) - FRET 2007"
017F104D 6A 00 PUSH 0H
017F104F E8 03060000 CALL 17F1657H
017F1054 68 76928101 PUSH 1819276H ; ASCII " Written by BeatriX (FRET) - copyright 2007"
017F1059 6A FF PUSH 0FFFFFFFFH
017F105B E8 F7050000 CALL 17F1657H
017F1060 E8 930A0000 CALL 17F1AF8H
017F1065 68 F6908101 PUSH 18190F6H
017F106A 6A 04 PUSH 4H
017F106C 68 00F00A00 PUSH 0AF000H
017F1071 68 00104000 PUSH 401000H // should be imagebase+0x1000, same in restore proc
017F1076 E8 296B0200 CALL 1817BA4H
After the fix it still crashes at call 429b31, which seems to be another hard-coded address. You can rebase your OD with any PE tool and do the test.
BeatriX
08-02-2007, 04:30 AM
ha sorry ! Here is another correction

version 1.61
http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm.dll
You say I can rebase od easily to test my dll but, I can't succeed in that task. First, TLS must be modified and there are a lot of hardcoded addresses in the od code. You can't rebase OllyDbg only by modifying ImageBase... Do you use a homemade tool to do that ?
blabberer
08-02-2007, 11:11 AM
Beatrix, rebasing can be accomplished with editbin (edit bin in Hutch's masm32 package); it is simply a wrapper for passing arguments to link.exe.
This post might help you (I've rebased a few but never tried rebasing OllyDbg). Also loaddll might not work properly if OD is rebased (I think I saw such a comment in the loaddll source by Oleh).
Also I'm not sure if OD has its reloc tables intact (I'll check later, not possible atm); if the reloc section is intact, rebasing the exe is easy.
http://www.woodmann.com/forum/showpost.php?p=56898&postcount=4
full thread
http://www.woodmann.com/forum/showthread.php?t=8865&highlight=rebase
BeatriX
08-02-2007, 02:56 PM
ok

great. Thanks blabberer. It is working perfectly. So now, I can say FullDisasm 1.61 is stable and works with an OllyDbg version rebased at 0x1000000.
Information
08-02-2007, 10:43 PM
Good, it works now, thank you! An option to automatically replace OD's disassemble function would be good (e.g. after loading a file, disassemble with this plugin automatically).
BeatriX
08-03-2007, 11:07 AM
The 1.62 version automatically saves the disassemble engine used (OllyDbg engine, FullDisasm engine (global mode) or FullDisasm engine (local mode)) and restores it each time you run OllyDbg.
FullDisasm 1.62 :
http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm.dll
blabberer
08-03-2007, 11:28 AM
no problem

beatrix
BTW, did you confirm that loaddll works well too, by loading a dll for debugging?
BeatriX
08-03-2007, 01:44 PM
yes, I have no problem with loaddll if Ollydbg is rebased at 0x1000000.
BeatriX
08-05-2007, 02:48 PM
It is me again

I have fixed a bug on the opcode 83h (thanks to Yolejedi) and I have compiled the plugin for Immunity Debugger 1.00.
FullDisasm 1.63 :
http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm_OllyDbg.zip
http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm_ImmDbg.zip
Polaris
08-06-2007, 12:34 AM
Thanks for the update Beatrix. Seeing also the immunity-debugger version is quite refreshing, as I was afraid they did change Olly's internal plugin architecture.
Keep up the good job!

BeatriX
10-25-2007, 12:50 AM
new update for ImmDbg
ImmDbg is updated regularly and, "unfortunately", FullDisasm uses hardcoded addresses to hook some important functions. Until ImmDbg version 1.2 there was no problem using this method. Version 1.2 has been deeply changed from the previous versions, so using hardcoded addresses is no longer the right way.
FullDisasm 1.7 uses a new method to patch the needed routine in the .text section of ImmDbg. It uses signature recognition by scanning the code during initialization. If the ImmDbg staff don't use a different compiler to build the next versions of ImmDbg, I "think" it is a quite stable method. For the moment, version 1.7 is working under versions 1.00, 1.01 and 1.2 of ImmDbg.
FullDisasm 1.7 for ImmDbg 1.xx :
http://reverseengineering.online.fr/tools/FullDisasm/FullDisasm_ImmDbg.zip
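Two passages in this thread deal with how a plugin should locate the host debugger's routine before patching it: Information's note that a hardcoded VA such as 401000h breaks once OllyDbg is rebased (the address must be imagebase + RVA), and the post above, where 1.7 replaces hardcoded addresses with a signature scan over ImmDbg's .text section. The following is an added example, not code from FullDisasm, showing both pieces on a constructed byte buffer that stands in for a .text section: a masked pattern scan with wildcards for the build-dependent rel32 displacement, a uniqueness check (a signature that matches more than once is refused rather than patched), and the VA computed from whatever base the module actually received. The sample bytes, the signature and the section RVA 0x1000 are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A signature: concrete bytes plus a mask, 'x' = must match, '?' = any byte
 * (used for call/jump displacements that differ between builds). */
typedef struct { const uint8_t *bytes; const char *mask; size_t len; } signature_t;

/* Scan `text` for `sig`. Returns the number of matches; the offset of the
 * first match is stored in *first_off. Only a signature that matches exactly
 * once is safe to use as an anchor for patching. */
size_t sig_scan(const uint8_t *text, size_t text_len, const signature_t *sig, size_t *first_off)
{
    size_t matches = 0;
    if (sig->len == 0 || sig->len > text_len) return 0;
    for (size_t off = 0; off + sig->len <= text_len; off++) {
        size_t k = 0;
        while (k < sig->len && (sig->mask[k] != 'x' || text[off + k] == sig->bytes[k])) k++;
        if (k == sig->len) {
            if (matches == 0 && first_off) *first_off = off;
            matches++;
        }
    }
    return matches;
}

/* The fragile way: a VA captured from one specific build (value from the thread). */
static const uint32_t HARDCODED_HOOK_VA = 0x00401000u;

/* The relocation-safe way: VA = current image base + section RVA + offset in section. */
uint32_t hook_va(uint32_t image_base, uint32_t text_rva, size_t off_in_text)
{
    return image_base + text_rva + (uint32_t)off_in_text;
}

/* Constructed .text contents: two unrelated small routines, then at offset 9
 * the routine we want, recognisable by its prologue + call + test/je shape. */
static const uint8_t g_text[] = {
    0x55, 0x8B, 0xEC, 0x5D, 0xC3,                    /* push ebp; mov ebp,esp; pop ebp; ret */
    0x33, 0xC0, 0xC3, 0x90,                          /* xor eax,eax; ret; nop */
    0x55, 0x8B, 0xEC, 0xE8, 0x12, 0x34, 0x56, 0x78,  /* push ebp; mov ebp,esp; call rel32 */
    0x85, 0xC0, 0x74, 0x05,                          /* test eax,eax; je +5 */
    0x5D, 0xC3                                       /* pop ebp; ret */
};

/* Hypothetical signature for that routine; the rel32 bytes are wildcards. */
static const uint8_t g_sig_bytes[] = { 0x55, 0x8B, 0xEC, 0xE8, 0, 0, 0, 0, 0x85, 0xC0, 0x74 };
static const signature_t g_sig = { g_sig_bytes, "xxxx????xxx", sizeof g_sig_bytes };

/* A bad signature: just a prologue, which occurs more than once. */
static const uint8_t g_prologue_bytes[] = { 0x55, 0x8B, 0xEC };
static const signature_t g_prologue_sig = { g_prologue_bytes, "xxx", sizeof g_prologue_bytes };

/* Locate the routine and return its VA for the given image base; 0 if the
 * signature is absent or ambiguous, in which case nothing should be patched. */
uint32_t locate_hook(uint32_t image_base, uint32_t text_rva)
{
    size_t off = 0;
    if (sig_scan(g_text, sizeof g_text, &g_sig, &off) != 1) return 0;
    return hook_va(image_base, text_rva, off);
}

int main(void)
{
    printf("default base 00400000: hook at %08X (hardcoded value was %08X)\n",
           locate_hook(0x00400000u, 0x1000), HARDCODED_HOOK_VA);
    printf("rebased base 01000000: hook at %08X\n", locate_hook(0x01000000u, 0x1000));
    printf("prologue-only signature matches %zu times: unusable\n",
           sig_scan(g_text, sizeof g_text, &g_prologue_sig, NULL));
    return 0;
}
```

In a real plugin the base comes from the host module's load address and the section RVA and size from its PE section table; the scan itself and the exactly-one-match rule are the parts that carry over unchanged. The caveat in the post stands: a signature built from one compiler's code shape can silently stop matching after a toolchain change, which is why refusing to patch on zero or multiple matches matters.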
dELTA
10-25-2007, 02:11 AM
Thanks for the update.

skippyVonDrake
11-12-2007, 12:29 PM
Beatrix, I'm using FullDisasm_OllyDbg_v1.63 and noticed the following while editing in Olly.
On below code I selected middle 2 lines and edited them.
0040100C 90 nop
0040100D 31DB xor ebx, ebx
0040100F 90 nop
00401010 9C pushfd
Replaced the 3 bytes with: 0F AE F9
And the result disassembled to:
0040100C 90 nop
0040100D 0FAE sfenceecx, edi ; Unknown command
00401010 9C pushfd
It looks right except I no longer see the new byte at 0040100F (F9).
If I select the lines again to edit them it is visible within the edit box.
Is this some display bug?
BTW thanks for plugin. It is much needed by me.

BeatriX
11-13-2007, 09:52 AM
0040100D 0FAE sfenceecx, edi ; Unknown command
First of all, we shouldn't see the "ecx, edi" arguments because there is no argument for this instruction. So, this is a small bug; I am going to fix it quickly.
For the byte F9 located at 40100D, it is "normal" that you don't see it in the disassembly window because it is the mod/rm of "sfence". FullDisasm, for the moment, just displays instructions and doesn't modify the 2nd column. In fact, we should see this:
0040100D 0FAEF9 sfence
00401010 9C pushfd
I am going to improve that point, I must admit it could be a source of confusion.
Thanks for the report

BeatriX
11-14-2007, 03:52 PM
it's me again. Here are the plugins with the improvements announced in the previous post.
FullDisasm 1.70 for OllyDbg 1.10 :
http://reverseengineering.free.fr/tools/FullDisasm/FullDisasm_OllyDbg.zip
FullDisasm 1.71 for ImmDbg 1.xx :
http://reverseengineering.free.fr/tools/FullDisasm/FullDisasm_ImmDbg.zip
And our continuing appreciation for your ongoing efforts and for sharing them with our members.
Regards,
skippyVonDrake
11-15-2007, 08:14 AM
Works great! Thanks for the speedy update, Beatrix.
