A forum for reverse engineering, OS internals and malware analysis 

#21089 by Xylitol
Sun Oct 06, 2013 8:11 am
Here is my colour and highlighting scheme for olly v2.
Code:
[Colour schemes]
Scheme name[*]=Instructions-Status-Dump Xyl
Foreground_1[*]=*,FFFFFF,0,C0C0C0,800000,*,*,FFFFFF,800000,C0C0C0,*,*,*,*,*,*
Foreground_2[*]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[*]=C0C0C0,C0C0C0,C0C0C0,*,FFFFFF,*,*,*,*,808080,*,*,*,*,*,*
Background_2[*]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[*]=0
Modified commands[*]=0
Scheme name[*]=Registers-Stack Xyl
Foreground_1[*]=C0C0C0,FFFF,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Foreground_2[*]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[*]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_2[*]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[*]=0
Modified commands[*]=0

[Highlighting schemes]
Scheme name[*]=Code Highlight Xyl
Foreground_1[*]=*,*,*,*,*,*,*,*,*,*,*,*,0,0,FF,0
Foreground_2[*]=0,0,0,*,800000,0,*,*,0,*,*,0,0,0,0,*
Background_1[*]=*,*,*,*,*,*,*,*,*,*,*,*,*,FFFF,FFFF,*
Background_2[*]=FFFF00,FF00,*,FF,*,*,*,*,*,*,*,*,*,*,*,*
Operands[*]=1
Modified commands[*]=1
Preview (yeah it looks like olly 1.0 arrangement... you know... old habits):
[Image: preview screenshot]

Or the whole configuration:
Code:
[Settings]
Check DLL versions=0
GUI language=0
Topmost window=0
Show main menu items that don't apply=0
Show popup items that don't apply=0
Show toolbar=1
Use system colours in toolbar=0
Status in toolbar=1
Flash duration=1
Autoupdate interval=4
Mode of main window=0
Restore windows=7423
Bring OllyDbg to top on pause=1
Restore window positions=1
Restore width of columns=0
Restore sorting criterium=1
Highlight sorted column=1
Right click selects=1
Index of default font=1
Index of default UNICODE font=3
Index of default colours=0
Code highlighting=0
Horizontal scroll=0
Snow-free drawing=1
Append arguments=1
Allow diacritical symbols=1
Decode pascal strings=1
Use IsTextUnicode=0
String decoding=2
File graph mode=1
Put ASCII text to clipboard=0
Monitor internal memory allocation=0
Dialog font mode=0
Font in dialogs=0
Align dialogs=1
Global search=1
Aligned search=0
Search accuracy=0
Ignore case=0
Search direction=1
Floating search with margin=0
Allow extra commands in sequence=1
Allow jumps into the sequence=0
Keep size of hex edit selection=1
List sorting mode=0
Modify FPU tag=0
MMX display mode=0
Show tooltips in dialog windows=1
X options coordinate=1062
Y options coordinate=462
Last selected options pane=7
Last edited font in options=0
Last edited scheme in options=6
Last edited colour index in options=9
Last edited highlighting in options=7
Last edited highlighting index in options=13
Warnmode when not administrator=1
Warnmode for packed code in Analyzer=0
Warnmode when INT3 breakpoint is corrupt=0
Warnmode when breakpoint set on non-command=0
Warnmode when EIP set on non-command=0
Warnmode when clipboard size too large=0
Warnmode when all threads are suspended=0
Warnmode when thread is changed=0
Warnmode when process is still running=6
Warnmode when active when closing OllyDbg=6
Warnmode when unable to close process=0
Warnmode when executable differs from udd=0
Warnmode when INT3 in udd has different cmd=0
Warnmode when fixups are modified=0
Warnmode when IAT is copied back to exe=0
Warnmode when IAT is autocopied back to exe=0
Warnmode when copy of executable file changed=0
Warnmode when memory breakpoint on stack=0
Warnmode when modified debug registers=0
Warnmode when launching loaddll=0
Warnmode when EIP inside the patch=0
Only ASCII printable in dump=0
Code page for ASCII dumps=1252
Code page for multibyte dumps=65001
Underline fixups=1
Show jump direction=1
Show jump path=1
Show grayed path if jump is not taken=1
Fill rest of command with NOPs=1
Action on letter key in Disassembler=1
Wide characters in UNICODE dumps=1
Disable GDI scripting support=0
Automatically backup user code=0
Visible lines when scrolling disasm=1
IDEAL disassembling mode=0
Disassemble in lowercase=0
Separate arguments with TAB=0
Extra space between arguments=0
Show default segments=1
Always show memory size=1
NEAR jump modifiers=0
Alternative forms of conditional commands=1
Use short form of string commands=0
Use RET instead of RETN=0
SSE size decoding mode=0
Jump hint decoding mode=0
Size sensitive mnemonics=1
Top of FPU stack=1
Show symbolic addresses=1
Show local module names=0
Demangle symbolic names=0
Show call arguments=0
Type of break command=0
Use hardware breakpoints for stepping=1
Hide unimportant handles=1
Show original handle names=0
Permanent breakpoints on system code=0
First pause=2
Pause on attach=1
Pause on Loaddll=1
Assume flat selectors=0
Ignore access violations in KERNEL32=1
Ignore INT3 in MSCORWKS=1
Ignore INT3=0
Ignore TRAP=0
Ignore access violations=0
Ignore division by 0=0
Ignore illegal instructions=0
Ignore all FPU exceptions=0
Ignore all service exceptions=0
Ignore custom exception ranges=1
Call UnhandledExceptionFilter=0
Report ignored exceptions to log=1
Autoreturn=0
Use DebugBreakProcess=0
Use ExitProcess=1
Warn when frequent breaks=1
Allow command emulation=0
Debug child processes=0
Animation delay index=0
Stop on new DLL=0
Stop on DLL unload=0
Stop only on selected modules=0
Stop on debug string=0
Stop on new thread=0
Stop on thread end=0
Enable use of debugging data=1
Use dbghelp to walk stack=0
Use Microsoft Symbol Server=0
Hide missing source files=1
Hide internal compiler names=1
Skip leading spaces from source=1
Hide Call DLL window on call=0
Pause after call to DLL is finished=1
Allow .NET debugging=0
Scan registry for GUIDs on starup=0
Run trace protocolling options=0
Run trace buffer size index=2
Trace over system DLLs=1
Trace over string commands=1
Save traced commands=0
Save accessed memory to trace=0
Save FPU registers to trace=0
Synchronize CPU and Run trace=1
Set breakpoints on callbacks in hit trace=0
Hit trace mode for indirect jumps=0
Stop hit trace if not command=0
Hit trace outside the code section=2
Keep hit trace between sessions=0
Show symbolic names in protocol range list=0
Allow automatic SFX extraction=0
SFX extraction mode=0
Use real SFX entry from previous run=1
Ignore SFX exceptions=1
Use predictions in search=1
References include indirect jumps=1
Add origin to search results=0
Default resource language=9
Gray inactive windows=1
Gray register names=0
Center FOLLOWed command=1
Decode registers for any IP=1
Hide current registers warning=0
Remove code hilite on register hilite=1
Automatically select register type=0
Enable SSE registers=0
Label display mode=0
Highlight symbolic labels=0
Log buffer size index=2
Tabulate columns in log file=0
Append data to existing log file=0
Auto analysis=1
No predicted registers in system DLLs=0
Fuzzy analysis=1
Report problems during analysis=0
Decode tricks=1
Mark tricks=0
Search for library functions=1
Decode ifs as switches=0
Mark only important operands=0
Functions preserve registers=0
Ignore braces in udd path=1
Guess number of arguments=1
Guess arguments from mangled names=1
Guess meaning of guessed arguments=1
Show uncertain arguments=1
Rename value dependent arguments=0
Show predicted values=1
Show ARG and LOCAL in disassembly=1
Use symbolic names for ARG and LOCAL=1
Show ARG and LOCAL in comments=1
Show loops=1
Accept far calls and returns=0
Accept direct segment modifications=0
Accept privileged commands=0
Accept I/O commands=0
Accept NOPs=1
Accept shifts out of range=0
Accept superfluous prefixes=0
Accept default prefixes=1
Accept valid LOCK prefixes=1
Accept unaligned stack operations=1
Accept suspicious ESP operations=0
Accept non-standard command forms=1
Accept access to nonexisting memory=0
Accept interrupt commands=0
Block external WM_CLOSE=1
Activate speech=0
Translate commands and registers=1
Skip leading zeros in hex numbers=1
[OllyDbg]
Placement=123,100,1001,686,0
[INT3 breakpoints]
Placement=258,200,744,175,1
Appearance=1,6,1,0,0
Columns=54,54,72,240,1536
Sort=0
[History]
Log file=log.txt
Trace save file=trace.txt
Data directory=udd
Standard library directory=udl
Plugin directory=plugins
API help file=
Alternative initialization file=ollydbg.ini
Last viewed file=
Last keyboard shortcuts file=shortcuts.ini
Last object or library file=
Last image library file=
Debug data directory[0]=
Debug data directory[1]=
Debug data directory[2]=
Previous JIT=
Executable[0]=
Arguments[0]=
Current dir[0]=
Executable[1]=
Arguments[1]=
Current dir[1]=
Executable[2]=
Arguments[2]=
Current dir[2]=
Executable[3]=
Arguments[3]=
Current dir[3]=
Executable[4]=
Arguments[4]=
Current dir[4]=
Executable[5]=
Arguments[5]=
Current dir[5]=

[CPU]
Placement=22,22,392,315,3
Offset[0]=37
Offset[1]=-6
Offset[2]=0
Offset[3]=-33
[CPU Disasm]
Appearance=1,6,0,0,7
Columns=54,102,240,1536
[CPU Info]
Appearance=1,6,0,0,0
[CPU registers]
Appearance=1,7,1,0,0
Local=0,66816
[CPU Dump]
Appearance=1,6,1,0,0
Columns=54,288,102
Local=00011001
[CPU Stack]
Appearance=1,7,1,0,0
Columns=54,60,1536
Local=00090104
[Dialog placement]
Select range of exception codes=502,249
Assemble=533,108
[Search]
Placement=132,132,392,243,1
[Search tab]
Appearance=1,6,1,0,0
Columns=
Sort=0
[Run trace data]
Placement=135,257,918,175,1
Appearance=1,6,1,0,7
Columns=54,48,54,54,240,144,1536
Sort=0
[Call stack]
Placement=22,22,624,175,1
Appearance=1,6,1,0,0
Columns=54,54,270,168,54
Sort=0
[Hardware breakpoints]
Placement=0,0,828,175,1
Appearance=1,6,1,0,0
Columns=30,54,54,54,72,240,1536
Sort=0
[Memory breakpoints]
Placement=176,176,588,175,1
Appearance=1,6,1,0,0
Columns=54,54,54,30,72,1536
Sort=0
[Threads]
Placement=110,110,708,175,1
Appearance=1,6,1,0,0
Columns=36,54,108,108,54,54,54,72,72,72
Sort=0
[Windows]
Placement=88,88,792,175,1
Appearance=1,6,1,0,0
Columns=78,192,54,54,54,48,54,54,54,54,72
Sort=0
[Memory]
Placement=66,66,858,175,1
Appearance=1,6,1,0,0
Columns=54,54,96,60,144,30,48,48,1536
Sort=0
[Log data]
Placement=44,44,378,175,1
Appearance=1,6,1,0,0
Columns=54,1536
Sort=0
[Modules]
Placement=22,22,990,175,1
Appearance=1,6,1,0,0
Columns=54,54,54,96,72,96,240,1536
Sort=0
[ODbgScript]
Restore Script window=0
Restore Script Log=0
[Filedump]
Placement=242,242,468,175,1
Appearance=1,6,1,0,0
[Ignored exceptions]
Range[0]=0 ffffffff
[Colour schemes]
Scheme name[0]=Black on white
Foreground_1[0]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Foreground_2[0]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[0]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_2[0]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[0]=0
Modified commands[0]=0
Scheme name[1]=Yellow on blue
Foreground_1[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Foreground_2[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_2[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[1]=0
Modified commands[1]=0
Scheme name[2]=Marine
Foreground_1[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Foreground_2[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_2[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[2]=0
Modified commands[2]=0
Scheme name[3]=Mostly black
Foreground_1[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Foreground_2[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_2[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[3]=0
Modified commands[3]=0
Scheme name[4]=Scheme 4
Foreground_1[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Foreground_2[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_2[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[4]=0
Modified commands[4]=0
Scheme name[5]=Scheme 5
Foreground_1[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Foreground_2[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_2[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[5]=0
Modified commands[5]=0
Scheme name[6]=Instructions-Status-Dump Xyl
Foreground_1[6]=*,FFFFFF,0,C0C0C0,800000,*,*,FFFFFF,800000,C0C0C0,*,*,*,*,*,*
Foreground_2[6]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[6]=C0C0C0,C0C0C0,C0C0C0,*,FFFFFF,*,*,*,*,808080,*,*,*,*,*,*
Background_2[6]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[6]=0
Modified commands[6]=0
Scheme name[7]=Registers-Stack Xyl
Foreground_1[7]=C0C0C0,FFFF,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Foreground_2[7]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[7]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_2[7]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[7]=0
Modified commands[7]=0
[Highlighting schemes]
Scheme name[1]=Christmas tree
Foreground_1[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Foreground_2[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_2[1]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[1]=1
Modified commands[1]=1
Scheme name[2]=Jumps and calls
Foreground_1[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Foreground_2[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_2[2]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[2]=0
Modified commands[2]=0
Scheme name[3]=Memory access
Foreground_1[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Foreground_2[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_2[3]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[3]=1
Modified commands[3]=1
Scheme name[4]=Hilite 4
Foreground_1[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Foreground_2[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_2[4]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[4]=0
Modified commands[4]=0
Scheme name[5]=Hilite 5
Foreground_1[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Foreground_2[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_2[5]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[5]=0
Modified commands[5]=0
Scheme name[6]=Hilite 6
Foreground_1[6]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Foreground_2[6]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_1[6]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Background_2[6]=*,*,*,*,*,*,*,*,*,*,*,*,*,*,*,*
Operands[6]=0
Modified commands[6]=0
Scheme name[7]=Code Highlight Xyl
Foreground_1[7]=*,*,*,*,*,*,*,*,*,*,*,*,0,0,FF,0
Foreground_2[7]=0,0,0,*,800000,0,*,*,0,*,*,0,0,0,0,*
Background_1[7]=*,*,*,*,*,*,*,*,*,*,*,*,*,FFFF,FFFF,*
Background_2[7]=FFFF00,FF00,*,FF,*,*,*,*,*,*,*,*,*,*,*,*
Operands[7]=1
Modified commands[7]=1
[Fonts]
Font name[0]=OEM fixed font
Font data[0]=0,0,0,0,0,0,0,0,0,0,0,10
Face name[0]=
Font name[1]=Terminal 6
Font data[1]=9,6,700,0,0,0,255,0,1,1,0,0
Face name[1]=Terminal
Font name[2]=System fixed font
Font data[2]=0,0,0,0,0,0,0,0,0,0,0,16
Face name[2]=
Font name[3]=Courier (UNICODE)
Font data[3]=14,0,400,0,0,0,1,2,5,-2,0,0
Face name[3]=Courier New
Font name[4]=Lucida (UNICODE)
Font data[4]=10,6,400,0,0,0,1,2,5,0,0,0
Face name[4]=Lucida Console
Font name[5]=Font 5
Font data[5]=9,6,700,0,0,0,255,0,1,1,0,0
Face name[5]=Terminal
Font name[6]=Font 6
Font data[6]=0,0,0,0,0,0,0,0,0,0,0,16
Face name[6]=
Font name[7]=Font 7
Font data[7]=14,0,400,0,0,0,1,2,5,-2,0,0
Face name[7]=Courier New
#21090 by xp5evr
Sun Oct 06, 2013 10:07 am
OllyDbg 2.01 has some kind of bug not present in earlier versions that makes it hang when pausing execution of certain software. Specifically, I have only noticed this so far for the PlayStation 2 emulation program pcsx2. I have not investigated a lot, but the OllyDbg window stops responding when telling it to pause the debugged application, then remains in that state. However, I also noticed that if I try to kill the debugged process in Task Manager or simply do the following in code:
Code:
#include <windows.h>

/* Wrapper added so the posted fragment compiles (the function name and
   the return convention are illustrative): terminate the debuggee by PID.
   Returns 0 on success, 1 if the process could not be opened or killed. */
int KillDebuggee(DWORD dwProcessId)
{
	HANDLE hProc;
	if(NULL == (hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId)))
	{
		return 1;
	}
	if(FALSE == TerminateProcess(hProc, 0))
	{
		CloseHandle(hProc);
		return 1;
	}
	CloseHandle(hProc);
	return 0;
}
then OllyDbg leaves the not-responding state and can be interacted with again. I have not looked at the pcsx2 source code, but I know that a lot of effort has been spent to optimize it and that it thus probably makes use of techniques rare elsewhere, especially in other types of software, and also uses a lot of exception handling.

Just a heads-up: maybe others will find the same problem in malware, maybe not.