What's new in OllyDbg

Version 2.0

Hopefully I will have more time now for version 2.0. Currently I'm working on the analyzer. Global prediction of the contents of registers and stack is practically finished. This was a very hard piece, and initially veeery slow, but today I've found a way to accelerate it by a factor of 100+. Next I plan to implement known functions. The debugging engine will follow.

Of course, OllyDbg 2.0 will work on all existing versions of 32-bit Windows: 95, 98, ME, NT4, 2000 and XP. I don't know whether it will make sense to play with Server 2003 at all, and Longhorn is not yet ready.

Several weeks ago I asked for help in the form of different Windows versions that I'm going to use for debugging purposes. Honestly, I hadn't hoped for so many offers:
And my very special thanks to Reinhard - his post completed my collection! So please send me no more Windows; now I have them all :)


Modified PDK from Alex Clarke. He wrote:

Oleh,
 
Firstly congratulations and thanks for OllyDbg - it's incredibly good. I've been playing with the SDK using C++ for a plugin. I've made a few modifications that make the SDK header work better when using it in C++ code in (at least) a couple of newer C++ compilers (namely Borland C++ builder v1 and Visual Studio.net). They also remove various errors/warnings and the need for unsigned characters (when compiling .cpp's) or forcing byte packing (any source file). Finally I've got intellisense working with the SDK (the code hints in VisC).
 
Here's how the edits work:
 
Firstly, forcing compilation with 'chars unsigned as default' (when used from a .cpp file) is not as much of a problem when using the SDK from genuine C++ (i.e. when compiling a file with a .cpp extension). The ANSI standard prohibits implicit casting between signed char *, unsigned char * and char *. Since you've explicitly declared all the necessarily unsigned char params/returns, Visual C++.net causes an error if this is attempted regardless of the compiler switch setting. Borland C++ builder (v1 - using the older ANSI rules) warns about mixing types, but I'm pretty sure later versions will kick them out. I appreciate that there is a problem with sign extension when using the implied conversions, but this doesn't appear as if it will be a problem in your API.
 
You don't need to compile with 'byte packing' anymore (when using plugin.h from either a .c or .cpp) - pushing/popping the packing for definitions for the necessary structures and 'envelopes' should be sufficient (the bookmark plugin is fine from both compilers).
 
I've noticed that you return an enum in the Getstatus API. I've had a number of problems with sending enums out of C++Builder, the reason being that they are treated as bytes rather than longs if only small values are defined for the type. I don't think that returning them will be any problem, but you may get problems with Builder if they are passed into the routines. As a cautionary measure I have added the #pragmas to declare your enums as longs (I'm guessing the Borland C++ compiler supports this but don't know for sure). It should allow safe enumeration of several of the sets of defines if desired.
 
Intellisense didn't work. This is because it makes globally declared type info available, but not global function prototypes unless they are in a namespace or the code body is declared in the project somewhere. I've put a namespace 'ODBG' around (just) the function declarations, and a 'using namespace ODBG' command to make it behave exactly as before when the functions are not called in the global scope, but if you stick ODBG:: in front of a function call you'll get a hint. Also I've tidied up the extern "C"'s (should make older versions of Intellisense / newer versions of Builder give more readable hints).
 
Afterthought: I've thrown in a header #ifdef block to stop cyclic includes too.
 
Find attached the modified header, the import lib produced for builder and the def file/import lib for vc7. The libs may work in different versions of the respective compilers. VS.net didn't like the VC50 one, but builder seemed to be fine with the borland one (sending mine for the sake of completion).
 
Hope that's useful.
 
AL :)
 
Alex Clarke

Thank you, Clarke! And here is the ZIP file. Note, however, that I haven't checked it - as always, use at your own risk!
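As an added illustration (not part of Alex Clarke's header or of the OllyDbg PDK), the skeleton below applies the changes he describes to a hypothetical record type: an include guard, push/pop packing around the struct instead of a global byte-packing compiler switch, and the C prototypes wrapped in an ODBG namespace inside extern "C". All type and function names are invented; the size and offset helpers show why the packing matters for structures that cross the OllyDbg/plugin boundary.

```cpp
// Added example, not the real plugin.h: every name below is hypothetical.
#include <cstddef>
#include <cstdint>

#ifndef ODBG_PLUGIN_EXAMPLE_H   // include guard, stops cyclic includes
#define ODBG_PLUGIN_EXAMPLE_H

// Records handed to or from the debugger must have exactly the byte layout
// the debugger was compiled with, so pack them locally instead of relying
// on a project-wide "byte packing" switch.
#pragma pack(push, 1)
struct t_example_packed {       // hypothetical record, not a PDK type
  uint8_t  type;
  uint32_t addr;
  uint16_t size;
};
#pragma pack(pop)

// Same fields under the compiler's default alignment, for comparison only:
// this is the layout a plugin would get if it forgot the pack pragma.
struct t_example_default {
  uint8_t  type;
  uint32_t addr;
  uint16_t size;
};

// Namespace makes the prototypes visible to IDE hinting via ODBG::, while
// extern "C" keeps the unmangled names that an import library exports.
namespace ODBG {
extern "C" {
  int Example_Getstatus(const t_example_packed *rec);   // hypothetical
}
}
using namespace ODBG;   // unqualified calls behave exactly as before

#endif // ODBG_PLUGIN_EXAMPLE_H

// Stand-in body for what would normally be exported by the debugger.
int ODBG::Example_Getstatus(const t_example_packed *rec) {
  return rec ? static_cast<int>(rec->type) : -1;
}

// Layout probes: packed record is 7 bytes with addr at offset 1; the
// default-aligned copy of the same fields is 12 bytes with addr at offset 4.
size_t packed_size()         { return sizeof(t_example_packed); }
size_t default_size()        { return sizeof(t_example_default); }
size_t packed_addr_offset()  { return offsetof(t_example_packed, addr); }
size_t default_addr_offset() { return offsetof(t_example_default, addr); }
```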

Version 1.10 - final

Some errors were reported for v1.10, but they all seem to originate in plugins. So now I declare it the final release. Project OllyDbg 1.xx is closed. Now I will be able to continue my work on v2.0. When will it be ready? Honestly, I don't know. Currently I'm working on a couple of not so ambitious private projects (not related to debugging), so progress will not be too fast. Hopefully I'll finish it before the 80x86 architecture in general and Windows in particular get obsolete :))

I have also updated the Plugin Development Kit. You may download the current version here.

From time to time, but not too frequently, I will inform you here about the progress. My first major goal is strongly improved analysis with much better prediction of registers. Next I will try to accelerate run trace, which seems to be a very powerful method of debugging, by executing or emulating simple commands in the context of the debugger. Also I have some vague plans for a built-in compilable scripting language... So don't feel sad, the future will be bright anyway!..

Oleh Yuschuk, a.k.a. Olly
June 11, 2004


Version 1.10 - preliminary release

I have corrected a nasty crash on right click. File odbg110.zip also includes updated help and version 1.10 of the command line plugin. If you report no critical errors, this version will be declared final in a week.

The command-line plugin now allows you to modify memory and registers, like:

SET EAX=0
CL=[BYTE 410000]
SET [461234]=ESI+1

To issue commands from a conditional logging breakpoint, precede them with a dot: .EAX=0. The plugin's source, together with the new plugin API, will be uploaded in a week, too.


Version 1.10c - third (final) beta

This is the last beta. There will be no more new features. For about two weeks I will update the documentation and wait for your bug reports. If nothing unforeseen happens, I will make the final release, close this project and resume my work on v2.0.

New features:

There are many more requests in my list, but, unfortunately, they will not appear in the final release. Usually this is due to their complexity, which may adversely influence the reliability of v1.10. I have transferred all such requests to the list of wishes for version 2.0. Sorry.

Removed bugs:

If your bug is not here, this means that I was unable to reproduce it. In this case, please send me a detailed, step-by-step sequence of actions. Don't forget to mention the version of your OS!


Version 1.10b - second beta

There is a big, useful new feature: OllyDbg can now debug standalone DLLs. Just drop a DLL into OllyDbg and see what happens. A brief walkthrough is available here. Also new is an SEH chain window. Other changes:

Removed bugs:

That's all, enjoy and don't forget to report bugs! Unfortunately I'm very busy now and cannot answer your emails instantly, sorry. But, sooner or later, I'll read them all :)



Version 1.10 - first beta

The list of improvements and corrected bugs is already long, significantly longer than I expected. I haven't finished yet with old wishes and bug reports, and every day several new ones come in. So I decided to post a preliminary, raw beta in the hope that your feedback will help to improve the quality of the final code. Remember, v1.10 is the last planned - afterwards I'll concentrate on OllyDbg 2!

What's new here:

New plugin functions:

And, of course, removed (hopefully) bugs:


OllyDbg 1.09d

Download v1.09d now

Version 1.09d removes a very annoying bug: crash while copying data to clipboard. I have received more than a dozen bug reports! To everybody who pointed me to this problem: thank you very much again!

Other bugfixes:

Hey, what about v2.0?..

Version 2.0 slowly moves forward - too slowly, because I'm still very busy at work and sometimes fall asleep before midnight! As you see, I have really no time :) Speaking seriously, the OllyDbg2 code is already 900 K large and large parts of it, like the GUI, disassembler, dump and thread manager, are functional.
 


OllyDbg 1.09c

OllyDbg 1.09c is a bugfix release that removes most of the bugs reported since version 1.09b was released. Other modifications are limited to the few listed below. As always, you are invited to send your opinions, comments and any bugs you find to Ollydbg@t-online.de:

Bugfixes:



OllyDbg 1.09b

Usually I upload intermediate releases without help. This time the help file is partially updated.

Quick bugfixes in 1.09b:

New features:

Improved analysis:

Bugfixes:

What was new in version 1.09:

Bugfixes:




OllyDbg 2

During my Christmas vacation, I decided to add one more feature to OllyDbg. One hour later, I understood that an elegant solution is not possible without global modifications of the existing data structures... and suddenly I found myself creating a new project and writing the first lines of a new debugger, OllyDbg 2.

So now it is clear: there will be a second version. At first glance, it will look very familiar: same windows, similar commands, no colourful buttons or annoying assistants... Internally, however, I will change almost everything.

The debugging engine and disassembler will be redesigned from scratch. The new OllyDbg will support SSE2. The analyzer will recognize inlined functions (like strcpy) and predict the contents of registers in the whole procedure, decode standard structures and log return values of API functions, recognize loop variables and SE handlers. Run trace will be significantly accelerated; I plan to reach a tracing speed of up to 250000 commands per second. Source debugging will be improved. Bad news: existing plugins will not be compatible. The new OllyDbg will be even more memory-hungry than its predecessor.

I will continue development of the old OllyDbg till version 1.10. Apart from bugfixes, there will be only two significant new features: HLA support and an option to read map files. If necessary, I will release bugfixes even after version 2.00 is released. (However, don't expect it before summer).



Why 1.08b

Two days after I uploaded 1.08, a nasty new bug was reported: the Assembler was unable to compile PUSH const. This error was a result of another last-minute bugfix. Version 1.08a corrected this frequently used command.

The next day, another red alert came: run trace saved invalid values of registers EAX and ECX. Due to the importance of run trace in program analysis, I was forced to replace 1.08a with 1.08b. Another small correction removes a possible GPF in the heap window. Sorry...
 

What's new since 1.06

Since the last "stable" release 1.06, I've added lots of new features and corrected many errors. The full list of all changes is too long to place here; I'll briefly describe only the most important of them.

Perhaps the most important new feature in OllyDbg 1.08 is its ability to read debugging information in numerous Microsoft formats, including CodeView, COFF, PDB and SYM, as implemented in dbghelp.dll. This redistributable file is included in the .zip archive.

The command-line plugin implements a command line in OllyDbg. Its source code is available under the GPL.

Analysis was strongly improved. It recognizes loops and switches, attempts to suggest the meaning of separate switch cases, recognizes SE handlers and automatically extends functions with a variable number of arguments. Sequences similar to ADD ESP,-4; FSTP [DWORD SS:EBP] are recognized as floating point pushes. With some restrictions, analysis recognizes RETs misused as JMPs. Using analysis data, the information pane in the CPU window (placed directly under the Disassembler) shows a list of all jumps to the current location. From the pop-up menu, you can quickly locate each jump. And, as a useful extra, you can analyze all modules at once.

The new command "Search for|All intermodular calls" walks through the code and locates all calls with a final destination outside the current module, for example, all API calls, even those loaded with GetProcAddress(). I was frequently asked questions like "How could I set a breakpoint on all calls to MessageBoxA?" Now it is very easy, just a few mouse clicks...

Call stack backtraces the chain of calls and displays the arguments of known or suggested functions on the stack, even if functions use non-standard prologs and epilogs. For every analyzed procedure, the call tree shows which functions call it and which functions it calls.

List of windows displays basic window information (class and window function, parent, styles) and allows you to set breakpoints on a class, a single window, or on selected messages or message groups.

Heap list displays all memory blocks allocated by the debugged application on the heap. Unfortunately, this feature is not available on NT-based systems (NT, 2000, XP).

CPU Dump supports a history of previously displayed locations. You may walk this history using the same shortcuts as in the Disassembler ('-' and '+').

Syntax highlighting facilitates the readability of Assembler code. You can highlight different types of commands, such as FPU/MMX/SSE, jumps and conditional jumps, pushes and pops, calls, returns, privileged, bad and filling commands. Optional highlighting of operands recognizes general, FPU/SSE and segment/system registers, memory operands on the stack (i.e. accessed via ESP or EBP) and in ordinary memory, or constants that are valid memory addresses and all other constants.

Execution till user code (shortcut: Alt+F9) allows you to return to the debugged application from system code. A DLL is considered system if it resides in the system directory.

Assembler supports AMD-specific instructions SYSCALL and SYSRET, undocumented command FFREEP STn and alias mnemonics JNAE, JAE and SAL.

Expressions allow for several thousand symbolic constants, like WM_PAINT or O_RDONLY. The new arithmetical operation 'IN' in expressions allows for easy specification of ranges.

And, of course, multiple bugfixes.



Bugs found during beta tests

This debugging session was the most successful in the history of OllyDbg. I was literally flooded with your bug reports. To emphasize the high quality of bug hunting, I'll just mention that almost half of the found bugs existed already in version 1.06:

FoRrEsT GuMp: OllyDbg is unable to locate and/or process debugging information generated by MASM 7 - clarified, dbghelp.dll supplied with WinXP is not 100% backward-compatible (?)
Jacob Benoit: Shift+BkSpc pressed several times in hex editor puts it into locked state - corrected
Jacob Benoit: "Warn if not an administrator" - corrected
Alexandr Yakubtchik: Message "Process xxxx is active... Do you really want to terminate..?" is very annoying - corrected, a new security option allows closing the process without confirmation
Olly: When copying contents of the whole log window to clipboard, lines appeared in the inverse order - corrected
Udi Shitrit: OllyDbg is unable to find debug info for loaded DLLs - corrected (I hope)
Killy: If OllyDbg stops at entry to SFX extractor, there is no way to restore breakpoints and analysis later - postponed to 1.09
savage: On startup, CPU columns have invalid width when non-default fonts are restored from .ini file - corrected
savage: Color of border around CPU windows is not restored from .ini - corrected
Ben: Removing OllyDbg from Explorer menu doesn't work - corrected
M.A.Estro: OllyDbg crashes when one attempts to customize highlighting - oh no, yet another buffer overrun! corrected
Olly: Stack allows for "Go to" even if there is no program to debug - corrected
Olly: Button "Restore defaults" in Code highlighting was placed outside the visible area - corrected
Udi Shitrit: Problems with analysis when using CODEVIEW debug info - corrected... i hope
Ricardo Narvaja: "Find references to|Selected command" and "Search for|All referenced text strings" don't show results - clarified
Che Ming: OllyDbg is unable to read .sym files - corrected
Greg Hoglund: during startup OllyDbg should enable the debug privileges - done
Julien de Sainte Marie: if the main window is set as "Always on Top", error msgbox is displayed under the window - processing
Olly: When program is running, source window displays EIP marker in random position - corrected
Olly: Names window displays number of arguments for all labels within the function - corrected
Jeffrey Riaboy: Pressing Alt key doesn't move focus to the main OllyDbg menu - corrected
Alexandr Yakubtchik: Program linked with /ALIGN:0x200 crashes OllyDbg - corrected!
X05: Problems with DebugBreak on Win2000 SP3 - corrected, but there are problems with Win95: I can't distinguish between system breakpoint and call to DebugBreak
Udi Shitrit: Problems locating debugging information - corrected
Robin Keir: Invalid decoding of arguments for function socket() - corrected
Ben: Any dropdown combobox under XP suspends corresponding dialog until user clicks several times around - unable to reproduce
Rudy Penteado: OllyDbg irreproducibly loses track for the code analysis (possibly because it uses old analysis data) - clarified
DiamondCS: When new application is loaded, Name windows disappear but corresponding menu items remain in Windows menu - corrected
DiamondCS: Some newly opened windows don't appear in Windows menu - I think this error was induced by the previous one
Alex Koegel: Short and long hex dumps should not truncate leading zeros because many utilities expect them when cutting and pasting - I agree, corrected
Ben: When clicking on analyzed self-modifying code, OllyDbg selects wrong line(s) - OllyDbg silently assumes that executable code doesn't change. The only reliable solution would be to keep the copy of executable code at the moment of analysis. As a workaround, repeat or remove analysis. Sorry...
Ricardo Narvaja: OllyDbg is unable to step over F2:3410 (REPNE XOR AL,10) - Although this command is in theory invalid, most (if not all) processors ignore REP/REPNE, corrected
Olly: When CPU window is minimized and OllyDbg terminates, in the next session CPU pane limits are messed up - corrected
Sungazer: When highlighted disassembly is copied to clipboard or file, text is unreadable - corrected
Ricardo Narvaja: Memory breakpoint on stack doesn't work - Uh-oh, two bugs at once. First, OllyDbg didn't check implicit memory operands of PUSH/POPs; second, Win95 removes memory breakpoints set in the stack - corrected
tOXIKO: When command is a jump destination but not a jump itself, "Find references to" proposes to search for references to a jump destination - corrected
DiamondCS: OllyDbg doesn't redraw Modules window when application gets closed from the main menu (Debug|Close) - corrected