OllyDbg 2.01

Help on 77 pages. Please read it first - most of the new features are described there

Multilanguage GUI (experimental, as yet no translation files - please make them yourself)

Support for AVX instructions (as yet no AVX2, and the high 16 bytes of YMM registers are not displayed)

Call stack window (similar to the version 1.10)

Handles window (similar to the version 1.10)

SEH and VEH chains. To decode addresses of VEH handlers, OllyDbg hacks NTDLL.RtlAddVectoredExceptionHandler(), therefore the process must be started from OllyDbg

Multibyte character dumps

.udl image libraries, replace scan of object files from v1.10

Search for integers and floats in dump

Search for procedures (entry points)

Limited support for NTFS streams

Drive dump

Software breakpoints that use INT1, HLT, CLI, STI or INSB instead of INT3

Multiple watches in one line, support for repeat count

Dump of arrays of structures

Micro-analysers

Accelerated search

Assembling of immediate data statements (DB xx etc.)

Highlighting in run trace

Up to 2 ordinals per address

Limited support for Win95 via Microsoft Layer for UNICODE

More tricky code sequences

Show free memory, or was it the previous version?

Multiple bugfixes

traceapi.dll

problem

GlobalAlloc()

KERNEL32.UnhandledExceptionFilter()

NTDLL.KiUserExceptionDispatcher()

NTDLL.ZwContinue()

NTDLL.NtQueryInformationProcess()

NTDLL.ZwContinue()

ZwContinue()

NtQueryInformationProcess()

notadebugger.exe

ollydbg.exe

GetProcAddress()

ollydbg.exe

notadebugger.exe

August 30, 2012 - major update for plugin authors. Bookmark plugin, OllyDbg

__cdecl

__stdcall

_Disasm@32

_Disasm

Disasm

OllyBugs

If you need some API function or family that is not yet documented, drop me a mail and I'll try to describe it ASAP.

August 18, 2012 - OllyDbg 2.01 beta 2. OllyDbg (already updated), Bookmarks plugin, test application, preliminary plugin API

MOV SS,anything

PUSHF

JE

JZ

Update:

No, I haven't removed all bugs at the first try. I have kept some information about menu items directly in the menu, using dwItemData in MENUITEMINFO. It seems that Windows also uses this item! Now I have moved pointers to data to another location.

fully documented

You may already start writing your plugins. If you need some API function or family that is not yet documented, drop me a mail and I'll try to describe it ASAP.

Start thread - starts a new thread that increments a counter every 100 milliseconds;
Suspend last - suspends the last created thread. There is no corresponding "Resume" button, use OllyDbg;
New process - starts a new instance of itself;
New suspended - starts a new instance of itself in the suspended state;
FatalExit() - calls FatalExit(), what else?
Current Dir - displays the current directory;
Load ws2_32 - loads ws2_32.dll (must be present on all systems);
Unload ws2_32 - unloads ws2_32.dll;
Set filter - calls SetUnhandledExceptionFilter(). The handler only displays the error. Note: it won't work on stack overflow;
Set VEH - calls AddVectoredExceptionHandler(), same note as above;
Read [00000000] - attempts to read memory at address zero;
0 : 0 - integer division by zero;
INT3 - executes INT3;
INT ff - executes INT FF;
JMP 123456 - jumps to (most probably) non-existing memory;
Stack overflow - calls a function that recursively calls itself;
1.0 : 0.0 - floating-point division by zero. Note where this exception is reported!
Set Trap - sets bit T (single-step trap);
POP SS/PUSHF - executes POP SS, PUSHF, POP EAX and displays the contents of EAX (especially bit T);
MOV SS/PUSHF - executes MOV AX,SS; MOV SS,AX; PUSHF; POP EAX and displays the contents of EAX (especially bit T);
INT 2D - executes INT 2D, which has special meaning under Windows;
String A - calls OutputDebugStringA() (ASCII version);
String W - calls OutputDebugStringW() (UNICODE version);
ZwAlloc(0) - allocates a memory block at address 00000000. Try Read [00000000] afterwards and be astonished!

plugin.h

bookmark.c

April 11, 2011 - OllyDbg 2.01 alpha 3. Here it is!

Debugging | Use HW breakpoints for stepping

DWORD=="text"

Appearance | ASCII code page

February 20, 2011 - OllyDbg 2.01 alpha 2. Here it is!

this version is compatible with Windows 7

February 08, 2011 - Thank you for your help!

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

Diagnostic-Code: smtp; 550-5.7.1 {mx051} The recipient does not accept mails from 't-online.de' over foreign mailservers 550 5.7.1 ( http://portal.gmx.net/serverrules ) (in reply to RCPT TO command)

February 06, 2011 - A desperate call for help!

"a logical extension of ICorDebugProcess Interface"

- Given ICorDebugProcess, how can I call ICorDebugProcess2 methods in Borland?

- Given running .NET application, is there a way to get correspondence between CIL code and compiled native code directly, without ICorDebug xxx ?

ollydbg@t-online.de

November 20, 2010 - OllyDbg 2.01 intermediate alpha. Here it is.

dbghelp.dll

dbghelp

AND IT IS STILL NOT FIT FOR WINDOWS 64!!!

Last update: June 04, 2010 - final release (corrected).

Tittan

Jack

prn

William

PUSH AH

mailnew2ster

Ange

Eric, deepzero

karmany

John

Aaron

Ivar

Rinze

ESP

NCR

numax

locklose

edemko

LOOPZ

LOOPNZ

Without your help, OllyDbg 2.0 would not exist. Thank you very much!

Last update: December 03, 2009

Please read it carefully before complaining:

1. OllyDbg 2.0 is rewritten from scratch.

2. No, plugins are not yet implemented.

3. Yes, they will be implemented again - presumably in v2.02.

odbg200j

odbg200h

December 3, 2009

The last beta, with rudimentary help (and I hope to improve it in the release). The only really new feature (commented out in the second beta) is debugging of child processes. Other modifications are evolutionary: a much more stable (and tricky) debugging engine, more known functions, more or less consistent support for UNICODE and UTF-8 in dialogs and comments, many bugfixes.

Please check this version thoroughly and don't forget to report all errors, including grammatical. The release will follow soon!

March 28, 2009

The second beta. I've planned that it will come with the more or less complete help file. Unfortunately, I had no time to write it. Therefore there will be also the third beta release... soon.

There are many - over 20 - bugfixes in beta 2, some of them really critical. As promised, there are no significant changes, with two exceptions. The recognition of UNICODE strings is vastly improved; they are no longer limited to the ASCII subset (option "Use IsTextUnicode()"). Also I recognize strings in the UTF-8 format. By the way, if you have some small sample program with free source that uses UTF-8 strings, please send it to me (together with a screenshot of the displayed strings) so that I will be able to test OllyDbg.

The second new feature is in the run trace. The new option "Pause when EIP points to modified command" helps, for example, to find the real entry point of SFX-ed code. Just don't forget to create a backup first (or use another new option, "Auto backup user code")!

December 23, 2008

The first beta release. "Beta" means that there will be no significant changes till the final v2.00. Now it supports memory and hardware breakpoints. They are fully conditional, and the number of memory breakpoints is unlimited. Fast command emulation takes memory breakpoints into account. In fact, run trace may be much faster than the full-speed run if the number of false access violations is high. Active hardware breakpoints turn emulation off, but this may change in the future.

SSE registers are fully supported. OllyDbg understands all command set extensions up to SSE4. AMD's SSE5 is not supported, but as far as I know, there are no SSE5-capable processors yet.

Help on command covers all FPU commands. Help on some registers and bits is also available.

Autoupdate of dump windows may also be useful.

August 21, 2008

Big update. Powerful run trace, profiling, analysis, many small improvements and multiple bugfixes. Support for AT&T syntax is experimental and limited to disassembler. If you find any errors, please let me know!

May 24, 2008

Internal emulation of simple commands (Options|Run trace|Allow fast command emulation) has made run and hit trace 15 (fifteen!) times faster. On my Athlon 4000+, standard run trace executes 35000 commands per second. With emulation on, OllyDbg traces 500000 commands! For simple programs, this may be close to real-time execution - in step-by-step mode, with full logging of every command.

Emulation covers only a small subset of 80x86 commands - moves, PUSH/POP, arithmetical and boolean operations, comparisons, shifts, jumps, calls, returns and LEAs. No multiplications, prefixes, loops or string operations, no FPU or MMX; still, OllyDbg passes less than two percent of commands to the application.

Frequently one uses run trace together with a run trace condition, like: "stop trace when EAX==0x123456". Up to now, the interpreter parsed the conditional expression on each step. However, this was too slow for the accelerated trace. Now I compile expressions to simple pseudocode and use a very quick interpreter to evaluate the condition. As a result, the above comparison is processed in only 130 nanoseconds. Not bad!
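As an added illustration of the compile-once, evaluate-per-step idea (this is not OllyDbg's code and not its actual pseudocode format), the following Python turns a condition such as "EAX==0x123456 && [ESP]!=0" into a small postfix program once, then runs that program against a register snapshot and a memory reader on every traced step. The operator set, the register names, and the sample register and memory contents are constructed assumptions; all arithmetic is 32-bit unsigned, as in the debuggee.

```python
"""Compile a run-trace condition once, evaluate it cheaply on every step.
Added example; not OllyDbg's own compiler or its internal pseudocode."""
import re

# Tokens: hex or decimal constants, register names, two-char and one-char operators.
TOKEN = re.compile(r"\s*(0x[0-9A-Fa-f]+|\d+|[A-Za-z]+|==|!=|<=|>=|&&|\|\||[-+&|<>()\[\]])")
REGISTERS = {"EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI", "EIP"}
PREC = {"||": 1, "&&": 2, "|": 3, "&": 4, "==": 5, "!=": 5, "<": 5, ">": 5,
        "<=": 5, ">=": 5, "+": 6, "-": 6}
MASK = 0xFFFFFFFF


def tokenize(text):
    pos, out = 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError("bad character at offset %d" % pos)
        out.append(m.group(1))
        pos = m.end()
    return out


def _expect(tokens, tok):
    if not tokens or tokens.pop(0) != tok:
        raise ValueError("expected %r" % tok)


def _parse_atom(tokens):
    if not tokens:
        raise ValueError("unexpected end of expression")
    tok = tokens.pop(0)
    if tok == "(":
        code = _parse_expr(tokens)
        _expect(tokens, ")")
        return code
    if tok == "[":                       # [addr] reads a DWORD from debuggee memory
        code = _parse_expr(tokens)
        _expect(tokens, "]")
        return code + [("mem",)]
    if tok.upper() in REGISTERS:
        return [("reg", tok.upper())]
    if re.fullmatch(r"0x[0-9A-Fa-f]+|\d+", tok):
        value = int(tok, 16) if tok.lower().startswith("0x") else int(tok)
        return [("const", value)]
    raise ValueError("unknown operand %r" % tok)


def _parse_expr(tokens, min_prec=1):
    """Precedence climbing; emits postfix pseudocode as a list of tuples."""
    code = _parse_atom(tokens)
    while tokens and tokens[0] in PREC and PREC[tokens[0]] >= min_prec:
        op = tokens.pop(0)
        code += _parse_expr(tokens, PREC[op] + 1)   # left-associative
        code.append(("op", op))
    return code


def compile_condition(text):
    tokens = tokenize(text.strip())
    code = _parse_expr(tokens)
    if tokens:
        raise ValueError("trailing tokens %r" % tokens)
    return code


OPS = {
    "+": lambda a, b: (a + b) & MASK, "-": lambda a, b: (a - b) & MASK,
    "&": lambda a, b: a & b, "|": lambda a, b: a | b,
    "==": lambda a, b: int(a == b), "!=": lambda a, b: int(a != b),
    "<": lambda a, b: int(a < b), ">": lambda a, b: int(a > b),
    "<=": lambda a, b: int(a <= b), ">=": lambda a, b: int(a >= b),
    "&&": lambda a, b: int(bool(a) and bool(b)),
    "||": lambda a, b: int(bool(a) or bool(b)),
}


def evaluate(code, regs, read_dword):
    """Run the compiled pseudocode against one register snapshot; a stack machine."""
    stack = []
    for instr in code:
        kind = instr[0]
        if kind == "const":
            stack.append(instr[1] & MASK)
        elif kind == "reg":
            stack.append(regs[instr[1]] & MASK)
        elif kind == "mem":
            stack.append(read_dword(stack.pop()) & MASK)
        else:
            b, a = stack.pop(), stack.pop()
            stack.append(OPS[instr[1]](a, b))
    return stack[-1] != 0


# Constructed sample state standing in for the debuggee at one traced step.
SAMPLE_REGS = {"EAX": 0x123456, "ECX": 0, "EDX": 0, "EBX": 0, "ESP": 0x0012FF80,
               "EBP": 0x0012FF98, "ESI": 0, "EDI": 0, "EIP": 0x00401000}
SAMPLE_MEMORY = {0x0012FF80: 0x00401234, 0x0012FF84: 0}   # address -> DWORD value


def sample_read_dword(addr):
    return SAMPLE_MEMORY.get(addr, 0)      # unmapped memory reads as zero here


def check(text, regs=SAMPLE_REGS, read_dword=sample_read_dword):
    return evaluate(compile_condition(text), regs, read_dword)


if __name__ == "__main__":
    print(compile_condition("EAX==0x123456 && [ESP]!=0"))
    print(check("EAX==0x123456 && [ESP]!=0"))
```

In a real tracer the pseudocode would be compiled once when the condition is set and only evaluate() would run per step; both sides of && and || are always evaluated here, which is acceptable for a side-effect-free condition.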

Oh yes, and command help now includes the string commands, too.

May 8, 2008

Improved and bug-fixed debugging engine. Help on all 8086 commands, except for string manipulations.

April 19, 2008

Pre-alpha 5: hit trace! Maybe you have tried to use hit trace in version 1.10, only to discover that it doesn't work with non-trivial programs. Hit trace in version 2 is different: instead of replacing all recognized commands with INT3, I set breakpoints dynamically on all non-processed branches. It seems that 20-30 thousand breakpoints are not a problem for the new debugger. Also in this release: just-in-time debugging, command line, several bugfixes. Help on command is ready for all non-SSE/non-FPU commands up to LEA.

March 11, 2008

Pre-alpha 4: name lists, search for text strings, floating-point constants and intermodular calls, run trace conditions, syntax highlighting (but default colours are not yet set), pause on thread, names of the arguments on the stack etc. The analysis of large modules is much faster now.

December 25, 2007

Pre-alpha 3: many different features like attaching to running process, detaching, run trace (as yet without fast stepping), real-time stack analysis, recognition of TLS callbacks, guarded memory, intermodular calls etc. Look at the comment column in the list of calls - you will enjoy it!

October 20, 2007

Removed 5 bugs; strongly improved functionality of existing windows; reduced number of false switches

October 09, 2007

First buggy pre-alpha code

October 11, 2007 - First bug reports

Thank you!

And - thank you again! Please keep it this way!

October 09, 2007 - Pre-alpha version

download this

errorlog.txt

July 08, 2007 - UDD files

June 03, 2007 - Development continues

#include <windows.h>

/* Minimal Win32 hello-world sample; MessageBox() takes four arguments */
int main()
{
    MessageBox(NULL, "I'm a little, little code in a big, big world... Hello, world!",
               "Hello, world", MB_OK);
    return 0;
}

hOwner

Text

Caption

Type

May 18, 2007 - Happy birthday, Version 2?

precompiled table of known functions as resource;

recognition of functions that play with return address on the stack (like allocation of huge local data) - important, because a lot of sensible analysis depends on it;

comment operands of assembler commands - currently it's just a stub without intellect;

save data to .udd file;

on-line analysis of stack data;

copy modifications to executable file;

April 17, 2007 - Command search.

XOR EAX,EAX

MOV EAX,[EBX]

sixteen

8B03 - the simplest form
8B43 00 - form without SIB with 1-byte zero displacement
8B83 00000000 - form without SIB with 4-byte displacement
8B0423 - form with SIB byte without scaled index
8B0463 - same
8B04A3 - same
8B04E3 - same
8B4423 00 - SIB byte, 1-byte displacement, no index
8B4463 00 - same
8B44A3 00 - same
8B44E3 00 - same
8B8423 00000000 - SIB byte, 4-byte displacement, no index
8B8463 00000000 - same
8B84A3 00000000 - same
8B84E3 00000000 - same
8B041D 00000000 - SIB byte, 4-byte displacement, scale 1, no base
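The sixteen forms above can be produced and, more usefully, recognised mechanically. The following Python is an added example, not OllyDbg's search code: it builds every encoding of MOV EAX,[EBX] from the ModRM/SIB rules, decodes any MOV r32,[mem] back into a canonical (base, index, scale, displacement) form, and scans a constructed code buffer for all forms of the command. A byte-pattern signature written for one encoding would miss the others, which is the practical reason a command search has to work on decoded operands rather than raw bytes. The sample buffer is constructed for the demonstration.

```python
"""Enumerate every encoding of MOV EAX,[EBX] (32-bit mode) and recognise them.
Added example; not OllyDbg's own search implementation."""

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
OPCODE_MOV_R32_RM32 = 0x8B                  # 8B /r: MOV r32, r/m32
EAX, EBX, SIB_FOLLOWS, NO_INDEX, NO_BASE = 0, 3, 4, 4, 5


def encodings_of_mov_eax_ebx():
    """All 16 byte strings a disassembler shows as MOV EAX,[EBX]."""
    op, reg = OPCODE_MOV_R32_RM32, EAX
    forms = [
        bytes([op, (0 << 6) | (reg << 3) | EBX]),                # 8B03
        bytes([op, (1 << 6) | (reg << 3) | EBX, 0x00]),          # 8B43 00
        bytes([op, (2 << 6) | (reg << 3) | EBX]) + b"\0" * 4,    # 8B83 00000000
    ]
    # rm=100 adds a SIB byte; index=100 means "no index", so all four scales are equal.
    for mod, disp in ((0, b""), (1, b"\0"), (2, b"\0" * 4)):
        modrm = (mod << 6) | (reg << 3) | SIB_FOLLOWS
        for scale in range(4):
            sib = (scale << 6) | (NO_INDEX << 3) | EBX
            forms.append(bytes([op, modrm, sib]) + disp)
    # mod=00 with SIB base=101 means "no base, disp32 follows": [EBX*1+00000000].
    sib = (0 << 6) | (EBX << 3) | NO_BASE
    forms.append(bytes([op, (0 << 6) | (reg << 3) | SIB_FOLLOWS, sib]) + b"\0" * 4)
    return forms


def decode_mov_r32_mem(data, pos=0):
    """Decode one MOV r32,[mem] at data[pos]. Returns (length, reg, (base, index,
    scale, disp)) in canonical form, or None if the bytes are not such a command."""
    if pos + 2 > len(data) or data[pos] != OPCODE_MOV_R32_RM32:
        return None
    modrm = data[pos + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        return None                         # register operand, not memory
    p = pos + 2
    base, index, scale = REG32[rm], None, 1
    if rm == SIB_FOLLOWS:
        if p >= len(data):
            return None
        sib = data[p]
        p += 1
        scale = 1 << (sib >> 6)
        idx, bse = (sib >> 3) & 7, sib & 7
        index = None if idx == NO_INDEX else REG32[idx]
        if bse == NO_BASE and mod == 0:
            base, mod = None, 2             # no base register; disp32 follows
        else:
            base = REG32[bse]
    elif rm == 5 and mod == 0:
        base, mod = None, 2                 # plain [disp32]
    size = {0: 0, 1: 1, 2: 4}[mod]
    if p + size > len(data):
        return None
    disp = int.from_bytes(data[p:p + size], "little", signed=True) if size else 0
    p += size
    # Canonical form: a scale without an index is meaningless, and [REG*1] is a base.
    if index is None:
        scale = 1
    elif base is None and scale == 1:
        base, index = index, None
    return p - pos, REG32[reg], (base, index, scale, disp)


def find_command(code, reg="EAX", mem=("EBX", None, 1, 0)):
    """Offsets in `code` where any encoding of MOV reg,[mem] starts (linear scan)."""
    hits = []
    for pos in range(len(code)):
        dec = decode_mov_r32_mem(code, pos)
        if dec and dec[1] == reg and dec[2] == mem:
            hits.append(pos)
    return hits


# Constructed buffer: three different encodings of MOV EAX,[EBX] among NOPs, plus
# a MOV EAX,[EBX+8] (8B 43 08) that must not match.
SAMPLE_CODE = (b"\x90" + b"\x8B\x03" + b"\x90" + b"\x8B\x04\xA3" + b"\x90"
               + b"\x8B\x43\x08" + b"\x90" + b"\x8B\x04\x1D\x00\x00\x00\x00")

if __name__ == "__main__":
    for form in encodings_of_mov_eax_ebx():
        print(form.hex(), decode_mov_r32_mem(form))
    print(find_command(SAMPLE_CODE))
```

The scanner deliberately tries every byte offset, as a raw search would; a real debugger would walk decoded commands instead, but the point stands either way: equivalence has to be decided on the canonical operand, not on the bytes.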

R8 - any 8-bit register

R16 - any 16-bit register

R32 - any 32-bit register

REG - any general register (size is not important, assumed R32 in address)

RA,RB - semi-defined 32-bit registers

SEG - any segment register

FPUREG - any floating-point register

MMXREG - any MMX register

SSEREG - any SSE register

CRREG - any CR register

DRREG - any DR register

CONST - any constant

ANY - any operand or memory address (size is not important)

MOV ANY,ANY

MOV

MOV [ANY],ANY

try

catch

MOV [FS:ANY],ANY

XOR RA,RA

XOR XA,XB

XOR

JMP [R32*4+CONST]

LEA RA,[RA*5]

[RA*4+RA]

this

February 24, 2007 - Progress.

November 12, 2006 - Analyser.
