
Plugin OllyDbg : FullDisasm

BeatriX
Junior Member
Posts: 25
Joined: Tue Aug 08, 2006 3:32 pm

Post by BeatriX »

0040100D 0FAE sfence ecx, edi ; Unknown command

First of all, we shouldn't see the "ecx, edi" arguments because there is no argument for this instruction. So, this is a small bug, I am going to fix it quickly :)

For the byte F9 located at 40100D, it is "normal" that you don't see it in the disassembly window because it is the mod/rm of "sfence". FullDisasm, for the moment, just displays instructions and doesn't modify the 2nd column. In fact, we should see this:

0040100D 0FAEF9 sfence
00401010 9C pushfd

I am going to improve that point, I must admit it could be a source of confusion.
Thanks for the report :)
BeatriX
Junior Member
Posts: 25
Joined: Tue Aug 08, 2006 3:32 pm

Post by BeatriX »

It's me again. Here are the plugins with the improvements announced in the previous post.

FullDisasm 1.70 for OllyDbg 1.10 :

http://reverseengineering.free.fr/tools ... llyDbg.zip

FullDisasm 1.71 for ImmDbg 1.xx :

http://reverseengineering.free.fr/tools ... ImmDbg.zip
JMI
Senior Member
Posts: 5329
Joined: Wed Apr 25, 2001 2:00 pm

Post by JMI »

And our continuing appreciation for your ongoing efforts and for sharing them with our members. :yay:

Regards,
JMI
skippyVonDrake

Post by skippyVonDrake »

Works great! Thanks for the speedy update, Beatrix. :D
BeatriX
Junior Member
Posts: 25
Joined: Tue Aug 08, 2006 3:32 pm

Post by BeatriX »

FullDisasm 2.0 is released. This version is able to decode undocumented instructions called 'aliases' by Christian Ludloff (usually used by malicious code).
For fun, you can also display instructions with the GNU Assembler syntax (AT&T).

FullDisasm 2.0 :

http://beatrix2004.free.fr/FullDisasm/F ... ImmDbg.zip
http://beatrix2004.free.fr/FullDisasm/F ... llyDbg.zip

JMI
Senior Member
Posts: 5329
Joined: Wed Apr 25, 2001 2:00 pm

Post by JMI »

And thanks again for sharing with our community.

:yay:

Regards,
JMI
BeatriX
Junior Member
Posts: 25
Joined: Tue Aug 08, 2006 3:32 pm

Post by BeatriX »

Gloups... there was a small bug in the OllyDbg plugin (something stupid!) (thanks to our Russian friends for the remark on cracklab.ru :) ). It is OK now.
RaMMicHaeL
Junior Member
Posts: 10
Joined: Wed Jan 14, 2009 2:11 pm

Post by RaMMicHaeL »

Great plugin, thanks!

I found a bug, though.
It crashes on a DEP-enabled system.
That's because the second call of VirtualProtect does not work - the last parameter cannot be zero.
BeatriX
Junior Member
Posts: 25
Joined: Tue Aug 08, 2006 3:32 pm

Post by BeatriX »

Thanks for the encouragement and the bugfix. Is it working with this version?

http://beatrix2004.free.fr/FullDisasm/FullDisasm.zip
RaMMicHaeL
Junior Member
Posts: 10
Joined: Wed Jan 14, 2009 2:11 pm

Post by RaMMicHaeL »

Yes, you fixed it.

A feature request:
Fix the cursor position.
For example, look at the following commands:


00401050 > $ 51             push ecx
00401051   . F3:            movq xmm0 , qword ptr [eax]
00401055   . 8B40 08        mov eax , dword ptr [eax+08h]
OllyDbg sees that as the following:


00401050 > $ 51             PUSH ECX
00401051   . F3:            PREFIX REP:                              ;  Superfluous prefix
00401052   . 0F7E00         MOVD DWORD PTR [EAX],MM0
00401055   . 8B40 08        MOV EAX,DWORD PTR [EAX+8]
And when you click on mov eax , dword ptr [eax+08h], movq xmm0 , qword ptr [eax] is selected.
Perhaps you could do that by modifying the opcodes table (I guess OllyDbg has one) of OllyDbg.

Thanks :)

+ I've just noticed the bytes 0F7E00 disappear. Another thing for you to fix ;)
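The two listings above disagree on where instructions begin: FullDisasm consumes F3 0F 7E as one MOVQ at 00401051, while OllyDbg 1.10 decodes F3 as a separate prefix line and 0F 7E 00 as a MOVD at 00401052. The same kind of mismatch is behind the earlier sfence report, where the ModR/M byte F9 belongs to the instruction but was missing from the bytes column. The C program below is an added example (not FullDisasm's or OllyDbg's code) that decodes the handful of opcodes mentioned in this thread, builds the instruction-start table for a block under each of the two decoding rules, and resolves a cursor address to its owning instruction, which is exactly the lookup that goes wrong when the plugin's lines and the debugger's table disagree. The sample bytes are the ones from the bug report; the mnemonic strings and the `merge_prefix` switch are this example's own simplification.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Size of a ModR/M operand (ModR/M byte + optional SIB + displacement) in 32-bit mode.
   Returns 0 when the buffer is too short to hold it. */
static size_t modrm_size(const uint8_t *p, size_t n)
{
    if (n < 1) return 0;
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    size_t len = 1;
    if (mod != 3 && rm == 4) {                        /* SIB byte follows */
        if (n < 2) return 0;
        len += 1;
        if (mod == 0 && (p[1] & 7) == 5) len += 4;    /* base=101 with mod=0 means disp32 */
    } else if (mod == 0 && rm == 5) {
        len += 4;                                     /* plain [disp32] */
    }
    if (mod == 1) len += 1;                           /* disp8 */
    else if (mod == 2) len += 4;                      /* disp32 */
    return len <= n ? len : 0;
}

/* Decode one instruction from the opcode subset the thread mentions; returns its length.
   merge_prefix=1: F3 0F 7E /r is one MOVQ (the FullDisasm listing).
   merge_prefix=0: F3 is a stand-alone prefix line and 0F 7E /r is MOVD (the OllyDbg listing). */
static size_t decode_one(const uint8_t *p, size_t n, int merge_prefix, const char **mnem)
{
    size_t op;
    if (n == 0) return 0;
    switch (p[0]) {
    case 0x51: *mnem = "push ecx"; return 1;
    case 0x9C: *mnem = "pushfd";   return 1;
    case 0x8B:                                        /* mov r32, r/m32 */
        if ((op = modrm_size(p + 1, n - 1)) == 0) return 0;
        *mnem = "mov r32, r/m32"; return 1 + op;
    case 0xF3:
        if (merge_prefix && n >= 3 && p[1] == 0x0F && p[2] == 0x7E) {
            if ((op = modrm_size(p + 3, n - 3)) == 0) return 0;
            *mnem = "movq xmm, xmm/m64"; return 3 + op;
        }
        *mnem = "prefix rep"; return 1;
    case 0x0F:
        if (n >= 3 && p[1] == 0xAE && (p[2] >> 6) == 3 && ((p[2] >> 3) & 7) == 7) {
            *mnem = "sfence"; return 3;               /* 0F AE F8..FF: the ModR/M byte is part of it */
        }
        if (n >= 2 && p[1] == 0x7E) {
            if ((op = modrm_size(p + 2, n - 2)) == 0) return 0;
            *mnem = "movd r/m32, mm"; return 2 + op;
        }
        /* fall through */
    default:
        *mnem = "db ?"; return 1;                     /* unknown opcode: consume one byte */
    }
}

/* Address of every instruction start in a block, in order; returns how many were found. */
static size_t instruction_starts(uint32_t base, const uint8_t *code, size_t n, int merge_prefix,
                                 uint32_t *starts, size_t max_starts)
{
    size_t off = 0, count = 0;
    const char *mnem = "";
    while (off < n && count < max_starts) {
        size_t len = decode_one(code + off, n - off, merge_prefix, &mnem);
        if (len == 0) break;                          /* truncated instruction at block end */
        starts[count++] = base + (uint32_t)off;
        off += len;
    }
    return count;
}

/* The instruction a cursor address falls in: the greatest start that is <= addr. */
static uint32_t owning_instruction(const uint32_t *starts, size_t count, uint32_t addr)
{
    uint32_t best = starts[0];
    for (size_t i = 0; i < count; i++)
        if (starts[i] <= addr) best = starts[i];
    return best;
}

/* Constructed sample: the bytes from the bug report, push ecx / movq xmm0,[eax] / mov eax,[eax+8]. */
static const uint8_t kSample[] = {0x51, 0xF3, 0x0F, 0x7E, 0x00, 0x8B, 0x40, 0x08};
#define SAMPLE_BASE 0x00401050u

static size_t sample_count(int merge_prefix)
{
    uint32_t s[8];
    return instruction_starts(SAMPLE_BASE, kSample, sizeof kSample, merge_prefix, s, 8);
}

static uint32_t sample_owner(int merge_prefix, uint32_t addr)
{
    uint32_t s[8];
    size_t c = instruction_starts(SAMPLE_BASE, kSample, sizeof kSample, merge_prefix, s, 8);
    return owning_instruction(s, c, addr);
}

/* The sfence case from the first post: 0F AE F9 must be one 3-byte instruction, then 9C. */
static size_t sfence_sample_len(void)
{
    static const uint8_t bytes[] = {0x0F, 0xAE, 0xF9, 0x9C};
    const char *mnem = "";
    return decode_one(bytes, sizeof bytes, 1, &mnem);
}

int main(void)
{
    for (int merge = 1; merge >= 0; merge--) {
        const char *mnem = "";
        printf("%s view:\n", merge ? "FullDisasm" : "OllyDbg");
        for (size_t off = 0, len; off < sizeof kSample; off += len) {
            len = decode_one(kSample + off, sizeof kSample - off, merge, &mnem);
            printf("  %08X ", SAMPLE_BASE + (unsigned)off);
            for (size_t i = 0; i < len; i++) printf("%02X", kSample[off + i]);   /* full bytes column */
            printf("%*s%s\n", (int)(12 - 2 * len), "", mnem);
        }
    }
    return 0;
}
```

Run as is, it prints three lines for the FullDisasm view and four for the OllyDbg view of the same eight bytes. Because the second table has an extra entry at 00401052, any click that is resolved through one table and highlighted through the other lands one line off, which is the symptom reported above; a plugin that draws its own lines has to either feed the debugger its lengths or do the cursor lookup itself against its own table.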
BeatriX
Junior Member
Posts: 25
Joined: Tue Aug 08, 2006 3:32 pm

Post by BeatriX »

OK OK :) You are right, the "cursor position bug" is quite annoying, but I must admit I have known about it for a long time and... was just waiting for someone to complain about it :) So, I think I have fixed these two bugs (only for OllyDbg for the moment):

http://beatrix2004.free.fr/FullDisasm/F ... llyDbg.zip

Tell me if it is OK for you.
RaMMicHaeL
Junior Member
Posts: 10
Joined: Wed Jan 14, 2009 2:11 pm

Post by RaMMicHaeL »

It crashes on _Readmemory

Parameters:


CPU Stack
Address   Value      ASCII Comments
0012A79C  \0046138B    ; RETURN from OLLYDBG.004A3530 to OLLYDBG._Readmemory+7F
0012A7A0  /041F81F5    ; Arg1 = FullDisasm.41F81F5
0012A7A4  |00CC2D18    ; Arg2 = 0CC2D18
0012A7A8  |0000D000    ; Arg3 = 0D000
Error:
Access violation when writing to [041FD000] - Shift+Run/Step to pass exception to the program
BeatriX
Junior Member
Posts: 25
Joined: Tue Aug 08, 2006 3:32 pm

Post by BeatriX »

Hu... what is the target you debug with OllyDbg? I had never seen such block sizes (0D000h)! I think it is OK now:

http://beatrix2004.free.fr/FullDisasm/F ... llyDbg.zip
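The crash report above (a write faulting at 041FD000 while _Readmemory fills a buffer at 41F81F5 with a 0D000h-byte block) has the shape of a fixed-size plugin buffer receiving a block larger than it was sized for, which matches the reply that such block sizes had never been seen. The C program below is an added example, not FullDisasm's code: it models the debuggee with a constructed array, replaces OllyDbg's Readmemory with a stand-in named fake_Readmemory (same buffer/address/size argument order, mode flag dropped), and shows the unchecked pattern beside a chunked reader that never asks the debugger for more bytes than the buffer holds. The buffer capacity, the mapped range and the block contents are constructed values; the addresses and size come from the stack dump in the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the debuggee: TARGET_SIZE bytes "mapped" at kTargetBase. */
#define TARGET_SIZE 0x10000u
static const uint32_t kTargetBase = 0x00CC0000u;
static uint8_t target_memory[TARGET_SIZE];

static void init_target(void)
{
    for (uint32_t i = 0; i < TARGET_SIZE; i++) target_memory[i] = (uint8_t)i;
}

/* Stand-in for OllyDbg's Readmemory(buf, addr, size, mode). Assumed behaviour for this example:
   copies the requested range into buf and returns size, or 0 if any byte of it is unmapped. */
static uint32_t fake_Readmemory(void *buf, uint32_t addr, uint32_t size)
{
    if (addr < kTargetBase) return 0;
    uint32_t off = addr - kTargetBase;
    if (off > TARGET_SIZE || size > TARGET_SIZE - off) return 0;
    memcpy(buf, target_memory + off, size);
    return size;
}

/* The plugin-side buffer with a fixed capacity: constructed, much smaller than the 0D000h block. */
#define PLUGIN_BUF_CAP 0x1000u
static uint8_t plugin_buf[PLUGIN_BUF_CAP];

/* Unchecked pattern (the shape of the crash): the caller's block size is passed straight through,
   so a block of 0xD000 bytes writes 0xC000 bytes past plugin_buf. Kept for comparison; never called. */
static uint32_t read_block_unchecked(uint32_t addr, uint32_t size)
{
    return fake_Readmemory(plugin_buf, addr, size);   /* no comparison against PLUGIN_BUF_CAP */
}

typedef void (*chunk_fn)(uint32_t addr, const uint8_t *bytes, uint32_t len, void *ctx);

/* Hardened pattern: a block of any size is walked in chunks no larger than the buffer.
   Returns the number of bytes handed to fn; stops at the first chunk the debugger cannot read. */
static uint32_t read_block_chunked(uint32_t addr, uint32_t size, chunk_fn fn, void *ctx)
{
    uint32_t done = 0;
    while (done < size) {
        uint32_t want = size - done;
        if (want > PLUGIN_BUF_CAP) want = PLUGIN_BUF_CAP;   /* the only line the bug was missing */
        uint32_t got = fake_Readmemory(plugin_buf, addr + done, want);
        if (got == 0) break;                                /* unreadable page: do not invent bytes */
        fn(addr + done, plugin_buf, got, ctx);
        done += got;
    }
    return done;
}

/* Consumer used for the demonstration: sums the bytes and counts the chunks it was given. */
struct sum_ctx { uint64_t sum; uint32_t chunks; };
static void sum_chunk(uint32_t addr, const uint8_t *b, uint32_t len, void *ctx)
{
    struct sum_ctx *c = ctx;
    (void)addr;
    for (uint32_t i = 0; i < len; i++) c->sum += b[i];
    c->chunks++;
}

/* Checksum of a block read through the chunked path; 0 if the block could not be read in full. */
static uint64_t block_checksum(uint32_t addr, uint32_t size)
{
    struct sum_ctx c = {0, 0};
    init_target();
    return read_block_chunked(addr, size, sum_chunk, &c) == size ? c.sum : 0;
}

/* Number of buffer-sized chunks the chunked path needed for a block. */
static uint32_t block_chunks(uint32_t addr, uint32_t size)
{
    struct sum_ctx c = {0, 0};
    init_target();
    read_block_chunked(addr, size, sum_chunk, &c);
    return c.chunks;
}

int main(void)
{
    (void)read_block_unchecked;   /* referenced only so the unchecked variant stays visible */
    uint32_t addr = 0x00CC2D18u, size = 0xD000u;   /* Arg2 and Arg3 from the stack dump */
    printf("block %08X+%X: checksum %llu in %u chunks of at most %X bytes\n", addr, size,
           (unsigned long long)block_checksum(addr, size), block_chunks(addr, size), PLUGIN_BUF_CAP);
    return 0;
}
```

The chunk loop is the whole fix: the destination capacity, not the caller's block size, bounds every copy, and a failed read stops the walk instead of leaving the buffer half-filled with stale bytes that the disassembler would then happily decode.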
RaMMicHaeL
Junior Member
Posts: 10
Joined: Wed Jan 14, 2009 2:11 pm

Post by RaMMicHaeL »

Now it works :yay:.

And the cursor position works correctly, but only if the target is not analyzed.
Otherwise OllyDbg treats the unknown commands as data, and the bug persists.
RaMMicHaeL
Junior Member
Posts: 10
Joined: Wed Jan 14, 2009 2:11 pm

Post by RaMMicHaeL »

OK, seems like there's a serious problem with the latest version you've posted.
Analysis of code takes forever - OllyDbg just hangs.

I don't think it behaved like this with the previous version, but I cannot check it, as you replaced the previous version with the latest one.

Cheers.