Plugin OllyDbg : FullDisasm

BeatriX · Post by **BeatriX** » Tue Nov 13, 2007 10:52 am

0040100D 0FAE sfenceecx, edi ; Unknown command

First of all, we shouldn't see the "ecx, edi" arguments because there is no argument for this instruction. So, this is a small bug, I am going to fix it quickly

For the byte F9 located at 40100D, it is "normal" that you don't see it in the disassembly window because it is the mod/rm of "sfence". FullDisasm, for the moment, just display instructions and doesn't modify the 2nd column. In fact, we should see that :

0040100D 0FAEF9 sfence
00401010 9C pushfd

I am going to improve that point, I must admit it could be a source of confusion.
Thanks for the report

BeatriX · Post by **BeatriX** » Wed Nov 14, 2007 4:52 pm

it's me again. Here are the plugins with the improvements announced in the previous post.

FullDisasm 1.70 for OllyDbg 1.10 :

http://reverseengineering.free.fr/tools ... llyDbg.zip

FullDisasm 1.71 for ImmDbg 1.xx :

http://reverseengineering.free.fr/tools ... ImmDbg.zip

Post by **JMI** » Wed Nov 14, 2007 6:02 pm

And our continuing appreciation for your ongoing efforts and for sharing them with our members.

Regards,

skippyVonDrake · Post by **skippyVonDrake** » Thu Nov 15, 2007 9:14 am

Works great! Thanks for the speedy update, Beatrix.

BeatriX · Post by **BeatriX** » Wed Feb 11, 2009 3:51 pm

FullDisasm 2.0 is released. This version is able to decode undocumented instructions called 'aliases' by Christian Ludloff. (usually used by malicious codes).
For fun, you can also display instructions with the GNU Assembler syntax (AT&T).

FullDisasm 2.0 :

http://beatrix2004.free.fr/FullDisasm/F ... ImmDbg.zip
http://beatrix2004.free.fr/FullDisasm/F ... llyDbg.zip

Post by **JMI** » Wed Feb 11, 2009 4:11 pm

And thanks again for sharing with our community.

Regards,

BeatriX · Post by **BeatriX** » Thu Feb 12, 2009 11:51 am

gloups...there was a small bug in the OllyDbg plugin (something stupid!). (thanks to our russian friends for the remark on cracklab.ru

). It is ok now.

RaMMicHaeL · Post by **RaMMicHaeL** » Sun Apr 19, 2009 11:56 am

Great plugin, thanks!

I found a bug, though.
It crashes on a DEP-enabled system.
That's because the second call of VirtualProtect does not work - the last parameter cannot be zero.

BeatriX · Post by **BeatriX** » Mon Apr 20, 2009 3:35 pm

thanks for encouragements and the bugfix. Is it working with this version ?

http://beatrix2004.free.fr/FullDisasm/FullDisasm.zip

RaMMicHaeL · Post by **RaMMicHaeL** » Tue Apr 21, 2009 11:48 am

Yes, you fixed it.

A feature request:
Fix the cursor position.
For example, look at the following commands:

Code: Select all

00401050 > $ 51             push ecx
00401051   . F3:            movq xmm0 , qword ptr [eax]
00401055   . 8B40 08        mov eax , dword ptr [eax+08h]

OllyDbg sees that as the following:

Code: Select all

00401050 > $ 51             PUSH ECX
00401051   . F3:            PREFIX REP:                              ;  Superfluous prefix
00401052   . 0F7E00         MOVD DWORD PTR [EAX],MM0
00401055   . 8B40 08        MOV EAX,DWORD PTR [EAX+8]

And when you click on mov eax , dword ptr [eax+08h], movq xmm0 , qword ptr [eax] is selected.
Perhaps you could do that by modifying the opcodes table (I guess OllyDbg has one) of OllyDbg.

Thanks

+ I've just noticed the bytes 0F7E00 disappear. Another thing for you to fix

BeatriX · Post by **BeatriX** » Wed Apr 22, 2009 8:17 am

ok ok

you are right, the "cursor position bug" is quite annoying but I must admit I have seen it since a long time and...just waiting someone complain about that

So, I think I have fixed these two bugs (only for OllyDbg for the moment) :

http://beatrix2004.free.fr/FullDisasm/F ... llyDbg.zip

tell me if it is ok for you.

RaMMicHaeL · Post by **RaMMicHaeL** » Wed Apr 22, 2009 11:45 am

It crashes on _Readmemory

Parameters:

Code: Select all

CPU Stack
Address   Value      ASCII Comments
0012A79C  \0046138B    ; RETURN from OLLYDBG.004A3530 to OLLYDBG._Readmemory+7F
0012A7A0  /041F81F5    ; Arg1 = FullDisasm.41F81F5
0012A7A4  |00CC2D18    ; Arg2 = 0CC2D18
0012A7A8  |0000D000    ; Arg3 = 0D000

Error:

Access violation when writing to [041FD000] - Shift+Run/Step to pass exception to the program

BeatriX · Post by **BeatriX** » Wed Apr 22, 2009 3:49 pm

hu..what is the target you debug with OllyDbg ? I had never seen such block sizes (0D000h) ! I think it is ok now :

http://beatrix2004.free.fr/FullDisasm/F ... llyDbg.zip

RaMMicHaeL · Post by **RaMMicHaeL** » Thu Apr 23, 2009 2:59 am

Now it works

.

And the cursor position works correctly, but only if the target is not analyzed.
Otherwise OllyDbg treats the unknown commands as data, and the bug persists.

RaMMicHaeL · Post by **RaMMicHaeL** » Fri May 22, 2009 2:30 pm

OK, seems like there's a serious problem with the latest version you've posted.
Analysis of code takes forever - OllyDbg just hangs.

I don't think it behaved like this with the previous version, but I cannot check it, as you replaced the previous version with the latest one.

Cheers.