What's new in OllyDbg
Version 2.0
Hopefully I will have more time now for version 2.0. Currently I'm working on the analyzer. Global prediction of the contents of registers and stack is practically finished. This was a very hard piece, and initially veeery slow, but today I've found a way to accelerate it by a factor of 100+. Next I plan to implement known functions. The debugging engine will follow.
Of course, OllyDbg 2.0 will work on all existing versions of 32-bit
Windows: 95, 98, ME, NT4, 2000 and XP. I don't know whether it will
make sense to play with Server 2003 at all, and Longhorn is not yet
ready.
Several weeks ago I asked for help in the form of different Windows versions that I'm going to use for debugging purposes. Honestly, I hadn't hoped for so many offers:
- Windows 98 and/or 98 SE
- Windows ME (Tony, this was a nice gift!)
- Windows 2000 home and/or professional (thank you, Rudy! No such thing as a home edition?)
- Windows XP home and/or professional (thank you, Peter!)
- Windows Server 2003 (many thanks, Casey!)
And my very special thanks to Reinhard - his post completed my collection! So please send me no more Windows, now I have them all :)
Modified PDK from Alex Clarke. He wrote:
Oleh,
Firstly congratulations and thanks for OllyDbg - it's incredibly good. I've been playing with the SDK using C++ for a plugin. I've made a few modifications that make the SDK header work better when using it in C++ code in (at least) a couple of newer C++ compilers (namely Borland C++ Builder v1 and Visual Studio .NET). They also remove various errors/warnings and the need for unsigned characters (when compiling .cpp's) or forcing byte packing (any source file). Finally I've got IntelliSense working with the SDK (the code hints in VisC).
Here's how the edits work:
Firstly, forcing compilation with 'chars unsigned as default' (when used from a .cpp file) is not as much of a problem when using the SDK from genuine C++ (i.e. when compiling a file with a .cpp extension). The ANSI standard prohibits implicit casting between signed char *, unsigned char * and char *. Since you've explicitly declared all the necessarily unsigned char params/returns, Visual C++ .NET causes an error if this is attempted regardless of the compiler switch setting. Borland C++ Builder (v1 - using the older ANSI rules) warns about mixing types, but I'm pretty sure later versions will kick them out. I appreciate that there is a problem with sign extension when using the implied conversions, but this doesn't appear as if it will be a problem in your API.
You don't need to compile with 'byte packing' anymore (when using plugin.h from either a .c or .cpp) - pushing/popping the packing for definitions for the necessary structures and 'envelopes' should be sufficient (the bookmark plugin is fine from both compilers).
I've noticed that you return an enum in the Getstatus API. I've had a number of problems with sending enums out of C++Builder, the reason being that they are treated as bytes rather than longs if only small values are defined for the type. I don't think that returning them will be any problem, but you may get problems with Builder if they are passed into the routines. As a cautionary measure I have added the #pragmas to declare your enums as longs (I'm guessing the Borland C++ compiler supports this but don't know for sure). It should allow safe enumeration of several of the sets of defines if desired.
IntelliSense didn't work. This is because it makes globally declared type info available, but not global function prototypes unless they are in a namespace or the code body is declared in the project somewhere. I've put a namespace 'ODBG' around (just) the function declarations, and a 'using namespace ODBG' command to make it behave exactly as before when the functions are not called in the global scope, but if you stick ODBG:: in front of a function call you'll get a hint. Also I've tidied up the extern "C"'s (should make older versions of IntelliSense / newer versions of Builder give more readable hints).
Afterthought: Thrown in a header #ifdef block to stop cyclic includes too.
Find attached the modified header, the import lib produced for Builder and the def file/import lib for VC7. The libs may work in different versions of the respective compilers. VS.NET didn't like the VC50 one, but Builder seemed to be fine with the Borland one (sending mine for the sake of completion).
Hope that's useful.
AL :)
Alex Clarke
Thank you, Clarke! And here is the ZIP file. Note, however, that I haven't checked it - as always, use at your own risk!
Version 1.10 - final
Some errors were reported for v1.10, but they all seem to originate in plugins. So now I declare it the final release. Project OllyDbg 1.xx is closed. Now I will be able to continue my work on v2.0. When will it be ready? Honestly, I don't know. Currently I'm working on a couple of not so ambitious private projects (not related to debugging), so progress will not be too fast. Hopefully I'll finish it before the 80x86 architecture in general and Windows in particular become obsolete :))
I have also updated the Plugin Development Kit. You may download the current version here.
From time to time, but not too frequently, I will inform you here about the progress. My first major goal is strongly improved analysis with much better prediction of registers. Next I will try to accelerate run trace, which seems to be a very powerful method of debugging, by executing or emulating simple commands in the context of the debugger. Also I have some vague plans for a built-in compilable scripting language... So don't feel sad, the future will be bright anyway!..
Oleh Yuschuk, a.k.a.
Olly
June 11, 2004
Version 1.10 - preliminary release
I have corrected a nasty crash on right click. File odbg110.zip also includes updated help and version 1.10 of the command-line plugin. If you report no critical errors, this version will be declared final in a week.
The command-line plugin now allows you to modify memory and registers, like:
SET EAX=0
CL=[BYTE 410000]
SET [461234]=ESI+1
To issue commands from a conditional logging breakpoint, precede them with a point: .EAX=0. The plugin's source, together with the new plugin API, will be uploaded in a week, too.
Version 1.10c - third (final) beta
This is the last beta. There will be no more new features. For about two weeks I will update the documentation and wait for your bug reports. If nothing unforeseen happens, I will make the final release, close this project and resume my work on v2.0.
New features:
- Now you can set analysis hints to force decoding of some byte sequences. To set a hint, select a piece of code or data and from the pop-up menu choose Analysis|Treat selection as, then your selection. Selections in singular form set the hint only on the first byte, in plural - repeatedly on the whole selection. Proposed by Eric Simmons and others. First I answered that this feature would be too significant for v1.10; now, after considering all possibilities, I've found a more or less safe way to do this. Please check!
- If a debugged DLL has an entry point, OllyDbg makes the first pause on this entry point, then in LOADDLL.EXE. Proposed by Richard Ginzburg.
- Disassembler will display, on your request, RET instead of RETN. Proposed by Ib Larsen.
- Run Trace window now supports syntax highlighting. Proposed by X Shadow.
- If a command uses an immediate constant that points to a valid command in code, Disassembler adds the menu item "Follow immediate constant". Proposed by KolAn and Paul Guerra.
- New copy-to-clipboard options: whole Information pane, line of Run trace window. Proposed by sett07.
- Option to mark a DLL as system or non-system. Important for run trace, where you may request to trace over calls to system DLLs.
- If a doubleword in Stack points to the stack, press Enter to follow it. Proposed by CoDe_Inject.
- Maximal length of the argument string is changed from 1024 to 4096 characters. Requested by BlackArT.
- New CPU option: now you can specify the number of lines visible after the current command during stepping and tracing. Proposed by Phong Tran and others.
- ODBG_Pausedex(reasonex,extmode,registers,debugevent) extends the functionality of ODBG_Paused(reason,registers). Many requests. Extended flags in reasonex proposed by Richard.
- Listmemory() is now exported. Requested by lixg00.
There are many more requests in my list, but, unfortunately, they will not appear in the final release. Usually this is due to their complexity, which may adversely influence the reliability of v1.10. I have transferred all such requests to the list of wishes for version 2.0. Sorry.
Removed bugs:
- Registers menu option "Copy all registers to clipboard" now copies EAX, too. Reported by many contributors.
- In code with non-standard alignment of sections, analysis and displayed code were desynchronized, so a click on some line selected a different line. Reported by comrade.
- Menu "Follow in Dump" now displays more intuitive items if one of the operands is an implicit stack location (like in PUSH). Reported by Jacob Benoit.
- OllyDbg now correctly disassembles VxDCall and VxDJump used by Win95 drivers. However, it assembles both to the same code. In the almost improbable case that anybody will use this pseudocommand, the user must correctly set bit 0x00008000 to distinguish between call and jump. Reported by Jacob Benoit.
- OllyDbg compiled REP STOS FWORD [EDI] and similar nonsense to REP STOS DWORD [EDI]. Reported by Paul Guerra.
- OllyDbg now adds "Open with OllyDbg" to Explorer's menu for DLLs. Reported by Truong Quoc Ngan.
- Names window sometimes lost its contents after new modules were loaded. Reported by William Whistler.
If your bug is not here, this means that I was unable to reproduce it. In this case, please send me the detailed, step-by-step sequence of actions. Don't forget to mention the version of your OS!
Version 1.10b - second beta
There is a big, useful new feature: OllyDbg now can debug standalone DLLs. Just drop a DLL into OllyDbg and see what happens. A brief walkthrough is available here. Also new is the SEH chain window. Other changes:
- A very useful option to remove analysis from selection (shortcut: Backspace);
- Attach window is resizeable (and even maximizable);
- New stack commands: push doubleword and pop doubleword;
- Option to copy all registers to clipboard.
Removed bugs:
- Assembler supports the simplified form of IMUL: IMUL reg,const. This command is disassembled as IMUL reg,reg,const. One cannot search for IMUL using an imprecise register (IMUL R32,CONST - use IMUL R32,R32,CONST instead). Reported by Alexandr Yakubtchik.
- Disassembler used address size instead of operand size to decode the size of the immediate offset (JMP FAR ssss:oooooooo). Reported by Karel;
- Tabs in source text in Disassembler comments and info pane were displayed as small rectangles. Now they are expanded to at most 8 spaces. Reported by Karel;
- ARPL was decoded with 32-bit operands (correct decoding is ARPL r/m16,r16). Reported by Karel;
- OllyDbg now should work correctly in multi-monitor configurations, but I am unable to verify this. Please check! Reported by Roel Verdult;
- 2-byte INT 3 (CD 03) was processed incorrectly. Reported by roticv.
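The two disassembler corner cases from these bug lists, the VxDCall/VxDJump pseudocommand with its 0x00008000 bit (1.10c) and the 2-byte INT 3 (CD 03, above), as an added C example that is not OllyDbg's code: it decodes the INT-family encodings, shows why a debugger stepping over an INT 3 must advance by the real instruction length, and why the assembler cannot tell VxDCall from VxDJump unless that bit is set. It assumes the usual Win95 layout of the dword after INT 20h (service number in the low word, device ID in the high word); the type and function names are the example's own.

```c
/* Added example, not OllyDbg's code: decoding the INT-family byte sequences
 * discussed on this page. CC is the 1-byte INT3 a debugger plants; CD 03 is
 * the 2-byte INT 3 and must be stepped over as two bytes; CD 20 followed by a
 * dword is the Win95 VxDCall/VxDJump pseudocommand, where bit 0x00008000 of
 * the dword selects the jump form. Assumed layout of that dword: service
 * number in the low word, device ID in the high word. Names are invented. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { K_INVALID = 0, K_INT3_1BYTE, K_INT_IMM8, K_VXDCALL, K_VXDJUMP } insn_kind;
typedef struct {
    insn_kind kind;
    size_t    len;      /* bytes the instruction occupies */
    uint8_t   vector;   /* interrupt vector (3 for both INT3 encodings) */
    uint16_t  device;   /* VxD device ID, VxDCall/VxDJump only */
    uint16_t  service;  /* VxD service number with bit 15 stripped */
} insn;

#define VXD_JUMP_BIT 0x00008000u

/* Decode one instruction at buf; returns bytes consumed, 0 if not an INT form. */
size_t decode_int(const uint8_t *buf, size_t len, insn *out) {
    memset(out, 0, sizeof *out);
    if (len >= 1 && buf[0] == 0xCC) {          /* INT3, 1 byte */
        out->kind = K_INT3_1BYTE; out->vector = 3; out->len = 1;
        return 1;
    }
    if (len < 2 || buf[0] != 0xCD) return 0;   /* only CC / CD xx handled here */
    out->vector = buf[1];
    if (buf[1] == 0x20 && len >= 6) {          /* INT 20h + dword: VxD service */
        uint32_t id = (uint32_t)buf[2] | (uint32_t)buf[3] << 8 |
                      (uint32_t)buf[4] << 16 | (uint32_t)buf[5] << 24;
        out->kind    = (id & VXD_JUMP_BIT) ? K_VXDJUMP : K_VXDCALL;
        out->service = (uint16_t)(id & 0x7FFFu);
        out->device  = (uint16_t)(id >> 16);
        out->len     = 6;
        return 6;
    }
    out->kind = K_INT_IMM8;                    /* CD imm8, including CD 03 */
    out->len  = 2;
    return 2;
}

/* Assemble VxDCall (jump == 0) or VxDJump (jump != 0). Both are CD 20 <dword>;
 * without bit 15 set correctly the bytes cannot be told apart, which is the
 * assembler caveat given in the 1.10c bug list. */
size_t encode_vxd(uint8_t out[6], uint16_t device, uint16_t service, int jump) {
    uint32_t id = ((uint32_t)device << 16) | (service & 0x7FFFu) | (jump ? VXD_JUMP_BIT : 0);
    out[0] = 0xCD; out[1] = 0x20;
    for (int i = 0; i < 4; i++) out[2 + i] = (uint8_t)(id >> (8 * i));
    return 6;
}
```

A decoder that only looks at the vector would report both CC and CD 03 as "INT 3" and resume one byte past a CD 03, landing in the middle of the next instruction; the returned length is what a step-over must use. A CD 20 with fewer than six bytes available falls back to a plain 2-byte INT 20h.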
That's all, enjoy and don't forget to report bugs! Unfortunately I'm very busy now and cannot answer your emails instantly, sorry. But, sooner or later, I'll read them all :)
Version 1.10 - first beta
The list of improvements and corrected bugs is already long, significantly longer than I expected. I haven't finished yet with old wishes and bug reports, and every day several new ones arrive. So I decided to post a preliminary, raw beta in the hope that your feedback will help to improve the quality of the final code. Remember, v1.10 is the last planned - afterwards I'll concentrate on OllyDbg 2!
What's new here:
- On break, conditional logging breakpoints can pass several text commands to plugins, see description of ODBG_Plugincmd() below.
- New Security option: "Save user data outside any module to main .udd file". Allows to keep breakpoints and comments that belong to no particular module. CAVEAT: data is saved relative to the main program and will be corrupted if external code or the main executable are relocated (this is possible, at least in theory). Proposed by Francis Crick;
- Trace condition (Ctrl+T) includes an option to pause trace after the specified number of commands is executed (more exactly, added to run trace). Counter restarts automatically. Proposed by Marcus Matten;
- Conditional logging breakpoints support a pass counter. For example, if you set the pass counter to 100, OllyDbg will skip the first 100 occurrences of the breakpoint and pause on the 101st. Note that the pass counter is not restartable and is not saved to the .udd file. Proposed by many contributors. CAVEAT: I have extended structure t_bpoint to fit the counter; any plugin that accesses it directly will fail! (AFAIK, there are as yet no plugins that directly access t_bpoint).
- Possibility to switch to a different module directly from Disassembler (View|Module 'xxx'). Proposed by Christian Martin;
- New shortcut: Ctrl+gray * (asterisk) for "set new origin here";
- Run Trace window optionally displays and logs to file the modified flags (C, P, A, Z, S, T, D, O only), controlled by Trace option "Show flags". Proposed by Marcus Matten;
- Small improvement: if there is no break selected in the conditional breakpoint window, button "OK" remains disabled until any selection is made;
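The t_bpoint caveat above and the byte-packing note in Alex Clarke's letter on the PDK (in the version 2.0 news) are the same problem seen from two sides: a plugin and the debugger must agree on structure layout byte for byte. The following C example is added here and is not code from OllyDbg or its PDK. t_bp_packed and t_bp_natural are hypothetical stand-ins with invented fields, not the real t_bpoint, and uint32_t stands in for OllyDbg's 32-bit ulong. It shows what a plugin compiled without the packing pragmas reads from a record the debugger wrote.

```c
/* Added example, not code from OllyDbg or its Plugin Development Kit. It
 * shows why a plugin must see exactly the structure layout the debugger
 * uses: plugin.h wraps its structures in #pragma pack(push,1)/pack(pop) so
 * the plugin's view matches the byte-packed debugger side, and when a
 * structure grows (t_bpoint gained a pass counter in 1.10) every plugin that
 * reads it directly must be rebuilt. t_bp_packed and t_bp_natural are
 * hypothetical stand-ins with invented fields, not the real t_bpoint;
 * uint32_t stands in for OllyDbg's 32-bit ulong. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#pragma pack(push, 1)          /* as plugin.h does around its structures */
typedef struct {
    uint32_t addr;             /* offset 0 */
    uint8_t  type;             /* offset 4 */
    uint32_t passcount;        /* offset 5: no padding under byte packing */
} t_bp_packed;                 /* sizeof == 9 */
#pragma pack(pop)

typedef struct {               /* same fields, compiler's default alignment */
    uint32_t addr;             /* offset 0 */
    uint8_t  type;             /* offset 4, followed by 3 bytes of padding */
    uint32_t passcount;        /* offset 8 */
} t_bp_natural;                /* sizeof == 12 */

/* Store one record the way the byte-packed debugger side lays it out. */
static size_t write_record(uint8_t *out, uint32_t addr, uint8_t type, uint32_t passcount) {
    t_bp_packed rec = { addr, type, passcount };
    memcpy(out, &rec, sizeof rec);
    return sizeof rec;
}

/* Reader built with the same packing: sees the field the writer stored. */
uint32_t passcount_packed(const uint8_t *buf) {
    t_bp_packed rec;
    memcpy(&rec, buf, sizeof rec);
    return rec.passcount;
}

/* Reader built without byte packing: takes passcount from offset 8, which in
 * the packed array already lies inside the next record's addr field. */
uint32_t passcount_natural(const uint8_t *buf) {
    t_bp_natural rec;
    memcpy(&rec, buf, sizeof rec);
    return rec.passcount;
}

/* Two constructed records back to back, as a breakpoint table would hold them. */
const uint8_t *demo_buffer(void) {
    static uint8_t buf[32];
    size_t n = write_record(buf, 0x00401000u, 3, 100);   /* pass counter 100 */
    write_record(buf + n, 0x00402000u, 3, 7);
    return buf;
}
```

The mismatched reader returns 0x40200000 rather than 100: bytes 8..11 of the packed array are the tail of the first record's counter plus the start of the second record's address, and nothing fails loudly. A structure that grows, as t_bpoint did in 1.10, misreads in the same silent way for every plugin built against the old header, which is why such a change is flagged as a caveat.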
New plugin functions:
- Callback function ODBG_Paused(int reason,t_reg *registers). Called each time the debugged application is paused;
- Callback function ODBG_Plugincmd(int reason,t_reg *registers,char *cmd). Called when the application is paused on a conditional breakpoint and this breakpoint contains commands to be passed to plugins, separately for each command. I've modified the command-line plugin so that it accepts all commands that begin with a point (.), for example: .BP 410024; .G
- If parameter mode in the call to Browsefilename() is ORed with 0x80, it opens the Save File dialog instead of Open File;
- Function Settracecount(ulong count), called after Settracecondition(), sets the number of commands to execute before run trace is paused;
- Function Settracepauseoncommands(char *cmdset), called after Settracecondition(), specifies the set of commands to pause at;
- Functions Getbreakpointtypecount(ulong addr,ulong *passcount) and Setbreakpointext(ulong addr,ulong type,char cmd,ulong passcount) support pass count in conditional breakpoints.
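An added C example, not the source of OllyDbg or its command-line plugin, covering the assignment syntax introduced for the plugin in the 1.10 preliminary release (SET EAX=0, CL=[BYTE 410000], SET [461234]=ESI+1) together with the ODBG_Plugincmd dispatch rule above: of the ';'-separated commands in a conditional breakpoint, only those beginning with a point are handed to plugins, one call per command. The debuggee's registers and memory are a constructed stand-in; numbers are hex as in OllyDbg; treating an unsized [addr] as DWORD is an assumption, and BP, G and other non-assignment commands are left unimplemented.

```c
/* Added example, not the source of OllyDbg or its command-line plugin: an
 * interpreter for the plugin's assignment syntax (SET EAX=0, CL=[BYTE 410000],
 * SET [461234]=ESI+1) plus the breakpoint dispatch rule, under which only the
 * ';'-separated commands prefixed with a point reach the plugin, one call each.
 * Registers/memory are a constructed stand-in; numbers are hex as in OllyDbg;
 * an unsized [addr] is taken as DWORD (assumption). BP, G etc. are not handled. */
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum { R_EAX, R_ECX, R_EDX, R_EBX, R_ESP, R_EBP, R_ESI, R_EDI, NREGS };
typedef struct { uint32_t r[NREGS]; } regs_t;
typedef struct { const char *p; regs_t *rg; int err; } parser;
#define MEM_BASE 0x00400000u                  /* constructed 512 KB image */
#define MEM_SIZE 0x00080000u
static uint8_t mem[MEM_SIZE];
static int mem_ok(uint32_t a, int n) { return a >= MEM_BASE && a - MEM_BASE + n <= MEM_SIZE; }
uint32_t mem_read(uint32_t a, int n) {        /* little-endian, n = 1, 2 or 4 */
    uint32_t v = 0;
    for (int i = n - 1; i >= 0; i--) v = (v << 8) | mem[a - MEM_BASE + i];
    return v;
}
static void mem_write(uint32_t a, int n, uint32_t v) { for (int i = 0; i < n; i++) mem[a - MEM_BASE + i] = (uint8_t)(v >> (8 * i)); }
static void skipws(parser *ps) { while (isspace((unsigned char)*ps->p)) ps->p++; }
static size_t ident(const char *p, char *id, size_t cap) {   /* upper-cased alnum run; 0 if none or too long */
    size_t n = 0;
    for (; isalnum((unsigned char)p[n]) && n + 1 < cap; n++) id[n] = (char)toupper((unsigned char)p[n]);
    id[n] = 0;
    return isalnum((unsigned char)p[n]) ? 0 : n;
}
static int reg_lookup(const char *id, int *size) {           /* index into regs_t.r, or -1 */
    static const char *r32[] = { "EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI" };
    static const char *r8[] = { "AL", "CL", "DL", "BL" };      /* low bytes of EAX..EBX */
    for (int i = 0; i < 8; i++) if (!strcmp(id, r32[i])) { *size = 4; return i; }
    for (int i = 0; i < 4; i++) if (!strcmp(id, r8[i])) { *size = 1; return i; }
    return -1;
}
static uint32_t get_reg(const regs_t *rg, int i, int size) { return size == 4 ? rg->r[i] : rg->r[i] & 0xFFu; }
static void set_reg(regs_t *rg, int i, int size, uint32_t v) { rg->r[i] = size == 4 ? v : (rg->r[i] & ~0xFFu) | (v & 0xFFu); }
static uint32_t parse_expr(parser *ps);
/* "[" [BYTE|WORD|DWORD] expr "]" -> operand size and address; nothing is accessed yet. */
static int parse_memref(parser *ps, int *size, uint32_t *addr) {
    static const char *kw[] = { "BYTE", "WORD", "DWORD" }; char id[16];
    if (*ps->p != '[') { ps->err = 1; return 0; }
    ps->p++; skipws(ps); *size = 4;
    size_t n = ident(ps->p, id, sizeof id);
    for (int i = 0; n && i < 3; i++) if (!strcmp(id, kw[i])) { *size = 1 << i; ps->p += n; }
    *addr = parse_expr(ps); skipws(ps);
    if (ps->err || *ps->p != ']' || !mem_ok(*addr, *size)) { ps->err = 1; return 0; }
    ps->p++; return 1;
}
/* term: memory reference, register, or hex constant (register names win over hex). */
static uint32_t parse_term(parser *ps) {
    char id[16], *end; int size = 0, ri; uint32_t a = 0; skipws(ps);
    if (*ps->p == '[') return parse_memref(ps, &size, &a) ? mem_read(a, size) : 0;
    size_t n = ident(ps->p, id, sizeof id);
    if (!n) { ps->err = 1; return 0; }
    if ((ri = reg_lookup(id, &size)) >= 0) { ps->p += n; return get_reg(ps->rg, ri, size); }
    unsigned long v = strtoul(ps->p, &end, 16);
    if (end != ps->p + n) { ps->err = 1; return 0; }   /* neither register nor hex */
    ps->p = end; return (uint32_t)v;
}
static uint32_t parse_expr(parser *ps) {              /* term (('+'|'-') term)* */
    uint32_t v = parse_term(ps);
    for (skipws(ps); !ps->err && (*ps->p == '+' || *ps->p == '-'); skipws(ps))
        v += (*ps->p++ == '+') ? parse_term(ps) : 0u - parse_term(ps);
    return v;
}
/* One plugin command: [.] [SET] (reg | [size addr]) = expr. Returns 1 if applied, 0 if rejected. */
static int exec_cmd(const char *cmd, regs_t *rg) {
    parser ps = { cmd, rg, 0 };
    char id[16]; int size = 4, ri = -1; uint32_t addr = 0; size_t n;
    if (*ps.p == '.') ps.p++;
    skipws(&ps);
    if (ident(ps.p, id, sizeof id) == 3 && !strcmp(id, "SET")) ps.p += 3;
    skipws(&ps);
    if (*ps.p == '[') { if (!parse_memref(&ps, &size, &addr)) return 0; }
    else if (!(n = ident(ps.p, id, sizeof id)) || (ri = reg_lookup(id, &size)) < 0) return 0;
    else ps.p += n;
    skipws(&ps); if (*ps.p++ != '=') return 0;
    uint32_t v = parse_expr(&ps); skipws(&ps);
    if (ps.err || *ps.p) return 0;                     /* parse error or trailing junk: nothing written */
    if (ri >= 0) set_reg(rg, ri, size, v); else mem_write(addr, size, v);
    return 1;
}
/* Breakpoint command text: ';'-split; only '.'-prefixed entries go to the plugin, one call each. */
int run_bp_commands(const char *text, regs_t *rg) {
    char buf[256]; int done = 0;
    strncpy(buf, text, sizeof buf - 1); buf[sizeof buf - 1] = 0;
    for (char *tok = strtok(buf, ";"); tok; tok = strtok(NULL, ";")) {
        while (isspace((unsigned char)*tok)) tok++;
        if (*tok == '.') done += exec_cmd(tok, rg);
    }
    return done;
}
static regs_t demo_regs;                               /* constructed debuggee state */
uint32_t demo_reg(int i) { return demo_regs.r[i]; }
int demo_run(void) {                                   /* the commands quoted on this page */
    memset(&demo_regs, 0, sizeof demo_regs);
    demo_regs.r[R_EAX] = 0xDEADBEEFu; demo_regs.r[R_ECX] = 0x11223344u; demo_regs.r[R_ESI] = 0x1000u;
    mem[0x410000u - MEM_BASE] = 0x7F;
    return run_bp_commands(".SET EAX=0; .CL=[BYTE 410000]; .SET [461234]=ESI+1; .BP 410024", &demo_regs);
}
```

Register names take precedence over hex digits when a token could be either, so EAX is a register while EC parses as a constant, and a command that fails to parse is rejected as a whole before anything is written, so a typo in one command cannot apply a partial write. Memory accesses are bounds-checked against the constructed image; in the real plugin that role falls to the debugger's own memory reading and writing.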
And, of course, removed (hopefully) bugs:
- Column "Handle" is removed from Threads window. This column falsely displayed the handle assigned to the thread in OllyDbg. Such handles are meaningless in the context of the debugged application;
- Analysis crashed on large modules due to overflow of the jump-tracing table. Reported by sonkite;
- Non-standard modules (with size not aligned on 4096 bytes) lost all user-supplied information, like breakpoints or comments;
- On attempt to step over a call to ExitThread() or ExitProcess(), OllyDbg attempted to set an INT3 breakpoint on the next command, which in some cases was data. Reported by Udi Shitrit;
- Request to flush gathered run trace data to file wrote invalid commands. Additional tests necessary. Reported by Shinichy Yousho and later by homunculus;
- OllyDbg hadn't checked that the .udd directory specified in the .ini file really exists. Reported by Phong Tran;
- After binary edit, Disassembler hadn't updated the selection, so that it was possible that some command was only partially selected. Reported by shanytc;
- OllyDbg crashed when it received a command line in the form "a.exe %.622496x" or similar. First reported by Shimnobiton, later by wire;
- Dump windows underlined fixups outside the dumped memory area. Reported by Jacob Benoit;
- Hex edit window behaved unpredictably when the user moved from one presentation to another and some characters were incomplete. Reported by Jacob Benoit;
- FSAVE/FRSTOR and FLDENV/FSTENV displayed invalid operand size when used with prefix 66. Reported by Alexandr Yakubtchik;
- Analyser hung (forever or for several minutes) if a function with an insufficient number of arguments was placed close to the beginning of the memory block. Reported by Jacob Benoit;
- Cosmetic: "Save file" window called GetOpenFileName() instead of GetSaveFileName(). In the case of OllyDbg both calls give identical results, except that the first marks the confirmation button as "Open" and the second as "Save". Reported by Hunter;
- ESP was not logged to the file opened in Run trace, even if the corresponding option was set. Reported by Chromix;
- Given the (invalid) command MOV QWORD [1234],0 (or many others between a memory location and a constant), Assembler bravely compiled it to code with an 8-byte immediate constant! Bug reported by Eric Simmons;
- When opening an executable with a quoted argument line (a.exe "ab" "cd") for the second time, OllyDbg removed the outer quotes (a.exe ab" "cd). This was not my fault, honestly, but a misfeature of GetPrivateProfileString()! Reported by Rudy Penteado.
OllyDbg 1.09d
Download v1.09d now
Version 1.09d removes a very annoying bug: crash while copying data to clipboard. I have received more than a dozen bug reports! To everybody who pointed me to this problem: thank you very much again!
Other bugfixes:
- ModRM register operand in SSE instructions like ADDSS XMM0,XMM1 was falsely marked as memory at zero address. Analyzer treated such commands as invalid and interpreted valid SSE code as data. Bug reported by Jussi Kivilinna.
- Patch window now updates on each modification of memory. Problem reported by Maurizio Scarano.
- OllyDbg improperly decoded the size of pseudooperand CX/ECX in commands like JCXZ/JECXZ, REP MOVSB or LOOPW/LOOPD. Bug reported by Karel.
Hey, what about v2.0?..
Version 2.0 slowly moves forward - too slowly, because I'm still very busy at work and sometimes fall asleep before midnight! As you see, I have really no time :) Speaking seriously, OllyDbg2 code is already 900 K large and large parts of it, like GUI, disassembler, dump and thread manager, are functional.
OllyDbg 1.09c
OllyDbg 1.09c is a bugfix release that removes most of the bugs reported since version 1.09b was released. Other modifications are limited to the few listed below. As always, you are invited to send your opinions, comments and found bugs to Ollydbg@t-online.de:
- When stepping or animating, Disassembler window attempts to leave 1 or 2 completely visible lines below the current command;
- Run trace saves the 16 high-order bits of the flag register;
- New global shortcut Ctrl+P opens Patches window;
- OllyDbg exports two new functions: int Attachtoactiveprocess(int newprocessid) and HWND Createpatchwindow(void).
Bugfixes:
- PEXTRW swapped MMX and general-purpose registers. Bug reported by Valery CLAUDEPIERRE;
- Some error messages were covered by the main window when it was set always-on-top. Reported by Phong Tran;
- OllyDbg recognized some absolutely correct PE files as bad due to unhappy section placement. Reported by Phong Tran;
- LOCK was allowed with commands that didn't write to memory. Reported by Alexandr Yakubtchik;
- Assembler reported invalid mnemonics on the IN command, because the scanner mixed the mnemonic with operator IN. Reported by Alexandr Yakubtchik;
- Added support for non-standard short PE Optional Header. Bug reported by masquer;
- When paused on a hardware breakpoint, OllyDbg was unable to step over some commands if automatic hardware breakpoints were allowed. Reported by Phong Tran;
- Too long program arguments (longer than 256 bytes) caused OllyDbg to crash due to buffer overflow. First reported by mmmmmKay, confirmed by Isaac and wire;
- Command LEA with 16-bit addressing was reporting 'Superfluous prefix' because it was marked as not accessing memory. Reported by Karel;
- NEAR/FAR modifiers were highlighted with random colours. Reported by Jacob Benoit;
- Problems converting Japanese UNICODE text to multibyte (not checked because I don't know Japanese). Reported by DokoDon;
- Commands SETZ, SETO... with unused Reg field of the ModRegRM byte not equal to 0 were not recognized. Now OllyDbg warns if option "Non-standard command forms" is not active. Reported by Alexandr Yakubtchik;
- OllyDbg assembled and disassembled invalid command MOV CS,R16 without warnings. Reported by Alexandr Yakubtchik;
- If you pressed Alt+F2 (or X on toolbar) but then decided not to close the debugged process, OllyDbg nevertheless removed all process data, making debugging impossible. Reported by bundy;
- If the size of executable code was shorter than the size of the section, or the size of the module shorter than 1 memory block, analysis disappeared when scrolling code. Reported by TBD.
OllyDbg 1.09b
Usually I upload intermediate releases without help. This time the help file is partially updated.
Quick bugfixes in 1.09b:
- Due to invalid processing of WM_WINDOWPOSCHANGED in support for the "always on top" option, OllyDbg 1.09a was unable to restore maximized MDI windows;
- OllyDbg 1.09a was unable to load plugins from a different directory.
New features:
- Patch manager is perhaps the most important new feature. OllyDbg remembers all patches applied to the debugged application in previous debugging sessions. From the Patch window, you can quickly apply patches or restore original code;
- With one command, you can copy all patches in a module to the executable file;
- One MDI window may be declared as "always on top". Attention, in order to support this feature, plugins must pass WM_WINDOWPOSCHANGED to Tablefunction();
- You can specify directories where OllyDbg saves .udd files and searches for plugins;
- If the selected command is a jump destination, OllyDbg can display the "jump from" path;
- On NT-based systems, Handles window displays the list of handles owned by the debugged application;
- If the command that you type in the Assembler dialog contains a comment, it will be automatically added to the command;
- You can switch between debugging options and appearance without closing the options dialog;
Improved analysis:
- "Search for all intermodular calls" includes predicted calls;
- Option to trace registers in the whole procedure. The previous analyzer predicted registers only within linear pieces of code (without jumps from outside);
- Option that tells Analyzer that unknown functions preserve registers EBX, ESI and EDI. If this is not true, contents of registers may be predicted incorrectly, so use this option with care.
Bugfixes:
- In call tree, OllyDbg temporarily forgot calls predicted in the previous debugging session with register tracing;
- Sometimes OllyDbg created a new .udd file (xxx_1, xxx_2 etc.) after each debugging session;
What was new in version 1.09:
- Additionally to MASM and IDEAL disassembling modes, version 1.09 also supports HLA syntax (High Level Assembly, developed by Randall Hyde). HLA is public domain software, you can download it together with documentation and sources from http://webster.cs.ucr.edu;
- Analyzer knows that there is no return from calls to kernel32.ExitThread() and kernel32.ExitProcess() and interprets them as the end of the procedure;
- If several executable modules have the same short 8-byte name, OllyDbg renames them to xxx_1, xxx_2 etc;
- To avoid mixing of .udd files in cases when the main file and a DLL have the same name, or if the program uses DLLs with the same name that reside in different directories, OllyDbg adds _1, _2 etc. to the names of .udd files. This feature is active if option "Security|Ignore path and extension" is unchecked;
- Option to synchronize CPU with source;
- OllyDbg supports relative paths to source files in Borland's debugging information generated by BCC5.5;
- Debugging engine now can step into unknown commands, like SSE2 (new Security option);
- Option to lock stack (i.e. stack window doesn't scroll when stepping);
- Register window displays debug registers DR0..3, 6, 7. Debug registers are not saved to run trace and you can't modify them. Caveat for plugin writers: size of structure t_reg is changed!
- From the dump of an executable file, you can jump to its memory image in Disassembler or CPU Dump;
- OllyDbg recognizes the "real" (undocumented) SAL instruction but, in accordance with Intel's documentation, assembles it to SHL. Both instructions have the same effect;
- New undocumented opcode: ICEBP (INT1);
- Search for address and binary string in stack;
- Option to save width of columns to .ini file;
- Additionally to jumps, CPU info pane, list of known jumps and corresponding menus display local (intramodular) calls to the selected instruction;
- If you browse cases, jumps or calls to a location in a dialog, Disassembler jumps to the corresponding commands as you change selection. On Cancel, the old selection is restored.
Bugfixes:
- If you close the debugged program (Alt+F2), OllyDbg now correctly closes all associated handles. Open handles made recompilation of the executable file impossible;
- When the file name contained spaces, under some circumstances symbols after the space were interpreted as parameters in the command line. This explains, for example, the great mystery of disappearing patches;
- OllyDbg correctly attaches to an active process from Task Manager. Caveat: format of the JIT record in the registry is changed (added quotes around the file name), so the new version will not recognize the old JIT declaration;
- Short (no-operand) forms of INS and OUTS are now recognized as I/O commands;
- Corrected invalid decoding and assembling of SSE instructions MOVHLPS and MOVLPS. Intel made it hard: MOVHLPS is a register-register and MOVLPS is a register-memory form of the same command, and they behave differently...
- Sometimes OllyDbg crashed on "Execute till return". Here I forgot to check for a possible NULL pointer;
- Even when the main module resides in the system directory, it is now considered user code;
- Several cosmetic improvements.
OllyDbg 2
Having my Christmas vacation, I decided to add one more feature to OllyDbg. One hour later, I understood that an elegant solution is not possible without global modifications of existing data structures... and suddenly I found myself creating a new project and writing the first lines of a new debugger, OllyDbg 2.
So now it is clear: there will be a second version. At first glance, it will look very familiar: same windows, similar commands, no colourful buttons or annoying assistants... Internally, however, I will change almost everything.
Debugging engine and disassembler will be redesigned from scratch. New OllyDbg will support SSE2. Analyzer will recognize inlined functions (like strcpy) and predict contents of registers in the whole procedure, decode standard structures and log return values of API functions, recognize loop variables and SE handlers. Run trace will be significantly accelerated; I plan to reach tracing speed up to 250000 commands per second. Source debugging will be improved. Bad news: existing plugins will not be compatible. New OllyDbg will be even more memory-hungry than its predecessor.
I will continue development of the old OllyDbg till version 1.10. Apart from bugfixes, there will be only two significant new features: HLA support and an option to read map files. If necessary, I will release bugfixes even after version 2.00 is released. (However, don't expect it before summer).
Why 1.08b
Two days after I uploaded 1.08, a nasty new bug was reported: Assembler was unable to compile PUSH const. This error was a result of another last-minute bugfix. Version 1.08a corrected this frequently used command.
Next day, another red alert came: run trace saved invalid values of registers EAX and ECX. Due to the importance of run trace in program analysis, I was forced to replace 1.08a with 1.08b. Another small correction removes a possible GPF in the heap window. Sorry...
What's new since 1.06
Since the last "stable" release 1.06, I've added lots of new features and corrected many errors. The full list of all changes is too long to place here; I'll briefly describe only the most important of them.
Perhaps the most important new feature in OllyDbg 1.08 is its ability to read debugging information in numerous Microsoft formats, including CodeView, COFF, PDB and SYM, as implemented in dbghelp.dll. This redistributable file is included in the .zip archive.
Command-line plugin implements a command line in OllyDbg. Its source code is available under GPL.
Analysis was strongly improved. It recognizes loops and switches, attempts to suggest the meaning of separate switch cases, recognizes SE handlers and automatically extends functions with a variable number of arguments. Sequences similar to ADD ESP,-4; FSTP [DWORD SS:EBP] are recognized as floating point pushes. With some restrictions, analysis recognizes RETs misused as JMPs. Using analysis data, the information pane in the CPU window (placed directly under Disassembler) shows the list of all jumps to the current location. From the pop-up menu, you can quickly locate each jump. And, as a useful extra, you can analyze all modules at once.
New command "Search for|All intermodular calls" walks through the code and locates all calls with the final destination outside the current module, for example, all API calls, even those loaded with GetProcAddress(). I was frequently asked questions like "How could I set a breakpoint on all calls to MessageBoxA?" Now it is very easy, just a few mouse clicks...
Call stack backtraces the chain of calls and displays arguments of known or suggested functions on the stack, even if functions use non-standard prologs and epilogs. For every analyzed procedure, call tree shows which functions call it and which functions it calls.
List of windows displays basic window information (class and window function, parent, styles) and allows to set breakpoints on a class, a single window or on selected messages or message groups.
Heap list displays all memory blocks allocated by the debugged application on the heap. Unfortunately, this feature is not available on NT-based systems (NT, 2000, XP).
CPU Dump supports a history of previously displayed locations. You may walk this history using the same shortcuts as in Disassembler ('-' and '+').
Syntax highlighting facilitates the readability of Assembler code. You can highlight different types of commands, such as FPU/MMX/SSE, jumps and conditional jumps, pushes and pops, calls, returns, privileged, bad and filling commands. Optional highlighting of operands recognizes general, FPU/SSE and segment/system registers, memory operands on the stack (i.e. accessed via ESP or EBP) and in ordinary memory, or constants that are valid memory addresses and all other constants.
Execution till user code (shortcut: Alt+F9) allows to return back to the debugged application from the system code. A DLL is considered system if it resides in the system directory.
Assembler supports AMD-specific instructions SYSCALL and SYSRET, undocumented command FFREEP STn and alias mnemonics JNAE, JAE and SAL.
Expressions allow for several thousand symbolic constants, like WM_PAINT or O_RDONLY. New arithmetical operation 'IN' in expressions allows for easy specification of ranges.
And, of course, multiple bugfixes.
Bugs found during beta tests
This debugging session was the most successful in the history of OllyDbg. I was literally flooded with your bug reports. To emphasize the high quality of bug hunting, I'll just mention that almost half of the found bugs already existed in version 1.06:
FoRrEsT GuMp: OllyDbg is unable to locate and/or process debugging information generated by MASM 7 - clarified, dbghelp.dll supplied with WinXP is not 100% backward-compatible (?)
Jacob Benoit: Shift+BkSpc pressed several times in hex editor puts it into locked state - corrected
Jacob Benoit: "Warn if not an administrator" - corrected
Alexandr Yakubtchik: Message "Process xxxx is active... Do you really want to terminate..?" is very annoying - corrected, new security option allows to close process without confirmation
Olly: When copying contents of the whole log window to clipboard, lines appeared in the inverse order - corrected
Udi Shitrit: OllyDbg is unable to find debug info for loaded DLLs - corrected (I hope)
Killy: If OllyDbg stops at entry to SFX extractor, there is no way to restore breakpoints and analysis later - postponed to 1.09
savage: On startup, CPU columns have invalid width when non-default fonts are restored from .ini file - corrected
savage: Color of border around CPU windows is not restored from .ini - corrected
Ben: Removing OllyDbg from Explorer menu doesn't work - corrected
M.A.Estro: OllyDbg crashes when one attempts to customize highlighting - oh no, yet another buffer overrun! corrected
Olly: Stack allows for "Go to" even if there is no program to debug - corrected
Olly: Button "Restore defaults" in Code highlighting was placed outside the visible area - corrected
Udi Shitrit: Problems with analysis when using CODEVIEW debug info - corrected... I hope
Ricardo Narvaja: "Find references to|Selected command" and "Search for|All referenced text strings" don't show results - clarified
Che Ming: OllyDbg is unable to read .sym files - corrected
Greg Hoglund: during startup OllyDbg should enable the debug privileges - done
Julien de Sainte Marie: if the main window is set as "Always on Top", error msgbox is displayed under the window - processing
Olly: When program is running, source window displays EIP marker in random position - corrected
Olly: Names window displays number of arguments for all labels within the function - corrected
Jeffrey Riaboy: Pressing Alt key doesn't move focus to the main OllyDbg menu - corrected
Alexandr Yakubtchik: Program linked with /ALIGN:0x200 crashes OllyDbg - corrected!
X05: Problems with DebugBreak on Win2000 SP3 - corrected, but there are problems with Win95: I can't distinguish between system breakpoint and call to DebugBreak
Udi Shitrit: Problems locating debugging information - corrected
Robin Keir: Invalid decoding of arguments for function socket() - corrected
Ben: Any dropdown combobox under XP suspends corresponding dialog until user clicks several times around - unable to reproduce
Rudy Penteado: OllyDbg irreproducibly loses track for the code analysis (possibly because it uses old analysis data) - clarified
DiamondCS: When new application is loaded, Name windows disappear but corresponding menu items remain in Windows menu - corrected
DiamondCS: Some newly opened windows don't appear in Windows menu - I think this error was induced by the previous one
Alex Koegel: Short and long hex dumps should not truncate leading zeros because many utilities expect them while cut'n'pasting - I agree, corrected
Ben: When clicking on analyzed self-modifying code, OllyDbg selects wrong line(s) - OllyDbg silently assumes that executable code doesn't change. The only reliable solution would be to keep a copy of the executable code at the moment of analysis. As a workaround, repeat or remove analysis. Sorry...
Ricardo Narvaja: OllyDbg is unable to step over F2:3410 (REPNE XOR AL,10) - Although this command is in theory invalid, most (if not all) processors ignore REP/REPNE, corrected
Olly: When CPU window is minimized and OllyDbg terminates, in the next session CPU pane limits are messed up - corrected
Sungazer: When highlighted disassembly is copied to clipboard or file, text is unreadable - corrected
Ricardo Narvaja: Memory breakpoint on stack doesn't work - Uh-oh, two bugs at once. First, OllyDbg didn't check implicit memory operands of PUSH/POPs; second, Win95 removes a memory breakpoint set in the stack - corrected
tOXIKO: When command is a jump destination but not a jump itself, "Find references to" proposes to search for references to a jump destination - corrected
DiamondCS: OllyDbg doesn't redraw Modules window when application gets closed from the main menu (Debug|Close) - corrected