Plugin OllyDbg : FullDisasm

Information
Junior Member
Posts: 10
Joined: Tue May 27, 2003 8:28 pm

Post by Information »

Please use OD's imagebase + RVA to hook OD's functions; some home-made ODs have their own imagebase.
BeatriX
Junior Member
Posts: 25
Joined: Tue Aug 08, 2006 3:32 pm

Post by BeatriX »

Huhu.. OK. It is fixed now in the 1.6 version:

http://reverseengineering.online.fr/too ... Disasm.dll
Information
Junior Member
Posts: 10
Joined: Tue May 27, 2003 8:28 pm

Post by Information »

Hi, great BeatriX,
thanks for your quick reply.

It seems you forgot to change several addresses:
_ODBG_Plu> 68 49928101 PUSH 1819249H ; ASCII "FullDisasm 1.6 (using BeaEngine) - FRET 2007"
017F104D 6A 00 PUSH 0H
017F104F E8 03060000 CALL 17F1657H
017F1054 68 76928101 PUSH 1819276H ; ASCII " Written by BeatriX (FRET) - copyright 2007"
017F1059 6A FF PUSH 0FFFFFFFFH
017F105B E8 F7050000 CALL 17F1657H
017F1060 E8 930A0000 CALL 17F1AF8H
017F1065 68 F6908101 PUSH 18190F6H
017F106A 6A 04 PUSH 4H
017F106C 68 00F00A00 PUSH 0AF000H
017F1071 68 00104000 PUSH 401000H // should be imagebase+0x1000, same in restore proc
017F1076 E8 296B0200 CALL 1817BA4H

After the fix it still crashes, at call 429b31, which seems to be another hard-coded address. You can rebase your OD with any PE tool and do the test.
BeatriX
Junior Member
Posts: 25
Joined: Tue Aug 08, 2006 3:32 pm

Post by BeatriX »

Ha, sorry! Here is another correction :) version 1.61

http://reverseengineering.online.fr/too ... Disasm.dll

You say I can rebase OD easily to test my DLL, but I can't succeed in that task. First, the TLS must be modified, and there are a lot of hard-coded addresses in the OD code. You can't rebase OllyDbg only by modifying the ImageBase... Do you use a home-made tool to do that?
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

BeatriX, rebasing can be accomplished with editbin (editbin in hutch's masm32 package); it is simply a wrapper for passing arguments to link.exe.

This post might help you (I've rebased a few but never tried rebasing OllyDbg). Also, loaddll might not work properly if OD is rebased (I think I saw such a comment in the loaddll source by Oleh).

Also, I'm not sure if OD has its reloc tables intact (I'll check later, not possible ATM). If the reloc section is intact, rebasing the exe is easy.

showpost.php?p=56898&postcount=4

full thread
showthread.php?t=8865&highlight=rebase
BeatriX
Junior Member
Posts: 25
Joined: Tue Aug 08, 2006 3:32 pm

Post by BeatriX »

ok :) great. Thanks blabberer. It is working perfectly. So now, I can say FullDisasm 1.61 is stable and works with an OllyDbg version rebased at 0x1000000.
Information
Junior Member
Posts: 10
Joined: Tue May 27, 2003 8:28 pm

Post by Information »

Good, it works now, thank you! An option to automatically replace OD's disassemble function would be good (e.g., after loading a file, disassemble with this plugin automatically).
BeatriX
Junior Member
Posts: 25
Joined: Tue Aug 08, 2006 3:32 pm

Post by BeatriX »

The 1.62 version automatically saves the disassembly engine used (OllyDbg engine, FullDisasm engine (global mode) or FullDisasm engine (local mode)) and restores it each time you run OllyDbg.

FullDisasm 1.62 :

http://reverseengineering.online.fr/too ... Disasm.dll
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

No problem :) BeatriX.
BTW, did you confirm whether loaddll works well too, by loading a DLL for debugging?
BeatriX
Junior Member
Posts: 25
Joined: Tue Aug 08, 2006 3:32 pm

Post by BeatriX »

Yes, I have no problem with loaddll if OllyDbg is rebased at 0x1000000.
BeatriX
Junior Member
Posts: 25
Joined: Tue Aug 08, 2006 3:32 pm

Post by BeatriX »

It is me again :) I have fixed a bug on the opcode 83h (thanks to Yolejedi) and I have compiled the plugin for Immunity Debugger 1.00.

FullDisasm 1.63 :
http://reverseengineering.online.fr/too ... llyDbg.zip
http://reverseengineering.online.fr/too ... ImmDbg.zip
Polaris
Posts: 223
Joined: Sun Jun 02, 2002 2:00 pm
Location: Invincible Cyclones Of FrostWinds

Post by Polaris »

Thanks for the update, BeatriX. Seeing the Immunity Debugger version too is quite refreshing, as I was afraid they had changed Olly's internal plugin architecture.

Keep up the good job! :yay:
BeatriX
Junior Member
Posts: 25
Joined: Tue Aug 08, 2006 3:32 pm

Post by BeatriX »

New update for ImmDbg.

ImmDbg is updated regularly and, "unfortunately", FullDisasm uses hard-coded addresses to hook some important functions. Before ImmDbg version 1.2 there was no problem using this method. Version 1.2 has been changed deeply from the previous versions, so using hard-coded addresses is no longer the right way.

FullDisasm 1.7 uses a new method to patch the needed routines in the .text section of ImmDbg. It uses signature recognition, scanning the code during initialization. If the ImmDbg staff don't use a different compiler to build the next versions of ImmDbg, I "think" it is a quite stable method. For the moment, version 1.7 works under ImmDbg versions 1.00, 1.01 and 1.2.

FullDisasm 1.7 for ImmDbg 1.xx :

http://reverseengineering.online.fr/too ... ImmDbg.zip
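The two approaches this thread converges on, "imagebase + RVA" from Information's first post and the .text signature scan BeatriX describes for 1.7, as an added example in C. This is not FullDisasm's code and not OllyDbg's plugin API: the PE structures are declared minimally so it compiles without <windows.h>, the prologue signature and the mock image it scans are constructed for the example, and in a real plugin `base` would come from `GetModuleHandle(NULL)`.

```c
/* Added example, not FullDisasm's own code. Two ways to locate a hook target
 * inside the host debugger (OllyDbg/ImmDbg) without a hard-coded VA:
 * (1) live image base + RVA, which survives rebasing the EXE, and
 * (2) a masked byte-signature scan over the host's .text section, which also
 * survives a rebuild as long as code generation for that routine is stable.
 * Minimal PE structures are declared so this compiles without <windows.h>. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DOS_SIGNATURE 0x5A4Du     /* "MZ"     */
#define NT_SIGNATURE  0x00004550u /* "PE\0\0" */

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; int32_t e_lfanew; } dos_hdr_t;
typedef struct {                  /* IMAGE_NT_HEADERS up to the optional header */
    uint32_t Signature;
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} nt_hdr_t;
typedef struct {                  /* IMAGE_SECTION_HEADER */
    char     Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} section_hdr_t;
#pragma pack(pop)

/* (1) Rebase-safe address. RVA = VA from a listing minus the ImageBase that
 * listing was taken under (0x401000 - 0x400000 = 0x1000 in the thread). */
uintptr_t va_from_rva(const uint8_t *base, uint32_t rva) {
    return (uintptr_t)base + rva;
}

/* Locate a named section of a mapped image; returns 1 and fills start/len. */
int find_section(const uint8_t *base, const char *name,
                 const uint8_t **start, size_t *len) {
    const dos_hdr_t *dos = (const dos_hdr_t *)base;
    if (dos->e_magic != DOS_SIGNATURE) return 0;
    const nt_hdr_t *nt = (const nt_hdr_t *)(base + dos->e_lfanew);
    if (nt->Signature != NT_SIGNATURE) return 0;
    const section_hdr_t *sec = (const section_hdr_t *)
        ((const uint8_t *)nt + sizeof *nt + nt->SizeOfOptionalHeader);
    for (unsigned i = 0; i < nt->NumberOfSections; i++)
        if (strncmp(sec[i].Name, name, 8) == 0) {
            *start = base + sec[i].VirtualAddress;   /* mapped image: base + RVA */
            *len   = sec[i].VirtualSize;
            return 1;
        }
    return 0;
}

/* (2) Masked signature scan. mask 'x' = byte must match, '?' = wildcard
 * (use '?' for immediates/displacements that change between builds). */
const uint8_t *find_signature(const uint8_t *start, size_t len,
                              const uint8_t *pat, const char *mask) {
    size_t n = strlen(mask);
    if (n == 0 || len < n) return NULL;
    for (size_t i = 0; i + n <= len; i++) {
        size_t j = 0;
        while (j < n && (mask[j] == '?' || start[i + j] == pat[j])) j++;
        if (j == n) return start + i;
    }
    return NULL;
}

/* Resolve a hook target by signature in the host's .text. Returns its RVA
 * (add the live base before patching), or 0 if absent or ambiguous. */
uint32_t locate_hook_rva(const uint8_t *base, const uint8_t *pat, const char *mask) {
    const uint8_t *text; size_t len;
    if (!find_section(base, ".text", &text, &len)) return 0;
    const uint8_t *hit = find_signature(text, len, pat, mask);
    if (!hit) return 0;
    size_t off = (size_t)(hit - text) + 1;   /* a second hit = signature too short */
    if (find_signature(text + off, len - off, pat, mask)) return 0;
    return (uint32_t)(hit - base);
}

/* Constructed signature: push ebp; mov ebp,esp; sub esp,?; push ebx; push esi */
const uint8_t SIG_PROLOGUE[]      = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x00, 0x53, 0x56 };
const char    SIG_PROLOGUE_MASK[] = "xxxxx?xx";

/* Constructed mock image (not a real OllyDbg): DOS header, NT headers with no
 * optional header, one .text section holding the prologue at RVA 0x210. */
static uint8_t g_image[0x400];
const uint8_t *build_test_image(void) {
    static const uint8_t code[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40, 0x53, 0x56 };
    memset(g_image, 0, sizeof g_image);
    dos_hdr_t *dos = (dos_hdr_t *)g_image;
    dos->e_magic = DOS_SIGNATURE;  dos->e_lfanew = 0x80;
    nt_hdr_t *nt = (nt_hdr_t *)(g_image + 0x80);
    nt->Signature = NT_SIGNATURE;  nt->NumberOfSections = 1;  nt->SizeOfOptionalHeader = 0;
    section_hdr_t *sec = (section_hdr_t *)(g_image + 0x80 + sizeof *nt);
    memcpy(sec->Name, ".text\0\0\0", 8);
    sec->VirtualAddress = 0x200;   sec->VirtualSize = 0x100;
    memcpy(g_image + 0x210, code, sizeof code);
    return g_image;   /* in a real plugin: (const uint8_t *)GetModuleHandle(NULL) */
}
```

The ambiguity check in `locate_hook_rva` is the caveat a hook writer wants: a signature that matches twice silently patches the wrong routine after a rebuild, so it is better to refuse and fall back to the debugger's own engine. To exercise the RVA path against a real host the way this thread does, rebase the debugger with editbin (`editbin /REBASE:BASE=0x1000000 OLLYDBG.EXE`), which only works if the .reloc section was not stripped, then confirm the plugin still resolves every hook and that loaddll still debugs a DLL.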
dELTA
Posts: 4209
Joined: Mon Oct 30, 2000 7:00 am
Location: Ring -1

Post by dELTA »

Thanks for the update. :yay:
skippyVonDrake

Post by skippyVonDrake »

BeatriX, I'm using FullDisasm_OllyDbg_v1.63 and noticed the following while editing in Olly.
On the code below I selected the middle 2 lines and edited them.
0040100C 90 nop
0040100D 31DB xor ebx, ebx
0040100F 90 nop
00401010 9C pushfd
I replaced the 3 bytes with: 0F AE F9
And the result disassembled to:
0040100C 90 nop
0040100D 0FAE sfenceecx, edi ; Unknown command
00401010 9C pushfd
It looks right, except that I no longer see the new byte at 0040100F (F9).
If I select the lines again to edit them, it is visible within the edit box.
Is this some display bug?
BTW thanks for plugin. It is much needed by me. :)