Archive for January 12, 2010

AnalyzeThis+ 0.24

Posted: January 12, 2010 in RE Tools

Author SMK

I made some improvements to AnalyzeThis, mainly to analyze a memory section which originally reports “this section is not associated with any module”.

Sometimes (especially when dealing with packers) you may need to run OllyDbg’s code analysis function, only to find it is not available because EIP is currently outside the code segment as defined by the PE header. AnalyzeThis! is an OllyDbg plugin that lets OllyDbg’s analysis function operate outside the marked code segment, by telling OllyDbg that the current segment *is* the code segment.

Caveats: OllyDbg can only store one analysis table, so analyzing a new segment removes any analysis that has already been done.
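To make the condition the plugin works around concrete, here is an added example (not part of the plugin or this post) that parses a constructed PE32 image and reports whether a given EIP lies inside the code segment the PE header declares (BaseOfCode..BaseOfCode+SizeOfCode) and whether its section carries the CNT_CODE flag. That OllyDbg bases its “code segment” on exactly these header fields is an assumption here; the sample image, section names and addresses are constructed.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020  # section Characteristics flag: contains executable code

def build_pe():
    """Constructed minimal PE32 image: .text is the declared code segment, UPX1 is a
    data-flagged section where a packer would unpack and run code (sample, not a real file)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # 2 sections, PE32
    # Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData, EntryPoint,
    # BaseOfCode, BaseOfData, ImageBase; the rest of the optional header is zero-padded
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x1000, 0, 0, 0x6000, 0x1000, 0x6000, 0x400000)
    opt += b"\0" * (0xE0 - len(opt))
    def sec(name, va, size, flags):  # Name, VirtualSize, VirtualAddress, SizeOfRawData, ...
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, 0, 0, 0, 0, 0, flags)
    sections = sec(b".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | 0x60000000)
    sections += sec(b"UPX1", 0x6000, 0x2000, 0xC0000040)  # initialized data, no CNT_CODE
    return dos + b"PE\0\0" + file_hdr + opt + sections

def locate_rva(pe, rva):
    """Return (section name, inside BaseOfCode..+SizeOfCode, section has CNT_CODE)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                        # IMAGE_OPTIONAL_HEADER
    size_of_code = struct.unpack_from("<I", pe, opt + 4)[0]
    base_of_code = struct.unpack_from("<I", pe, opt + 20)[0]
    in_code_seg = base_of_code <= rva < base_of_code + size_of_code
    table = opt + opt_size                                     # first IMAGE_SECTION_HEADER
    for i in range(nsec):
        name, vsize, va, *_, flags = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        if va <= rva < va + vsize:
            return name.rstrip(b"\0").decode(), in_code_seg, bool(flags & IMAGE_SCN_CNT_CODE)
    return None, in_code_seg, False

def analysis_needs_override(pe, eip, image_base=0x400000):
    """True when EIP is mapped by the image but lies outside the PE-declared code segment:
    the case where the analyser refuses and a plugin must re-mark the current segment as code."""
    name, in_code_seg, _ = locate_rva(pe, eip - image_base)
    return name is not None and not in_code_seg

if __name__ == "__main__":
    img = build_pe()
    for eip in (0x401010, 0x406100):
        print(hex(eip), locate_rva(img, eip - 0x400000), analysis_needs_override(img, eip))
```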

Source code has not been included; not because I don’t want to release it at this time, but because I can’t find it offhand. If you really need it, email me and I’ll look harder for it.

Download here:
http://tuts4you.com/request.php?2848

Regards

OllyTiper 1.2

Posted: January 12, 2010 in RE Tools

Author : Ryokou

OllyTiper is a plugin for OllyDbg v1.10 that improves OllyDbg’s operation. Most of its features come from KanXue’s article “Adding useful shortcut keys to OllyDbg’s operating functions”; thanks to KanXue, heXer and other friends who offered practical suggestions. Most of the notes below are likewise copied, with appropriate changes, from that KanXue article, for which the author is grateful.

1. Disassembly Window
(1) View data
push A480033 // press Shift on this line and the data window displays the data at A480033
mov eax, 401000 // press Shift on this line and the data window displays the data at 401000
mov eax, [401000] // press Shift on this line and the data window displays the data at 401000
mov [ebp-4], esp // press Shift on this line and the data window displays the value of ebp-4 (note: EIP must point to the current line)
mov eax, [esp+10] // press Shift on this line and the data window displays the value of esp+10 (note: EIP must point to the current line)
JNZ 401000 // press Shift on this line and the data window displays the data at 401000

(2) Copy the current address
00401092 68 00000080 PUSH 80000000 // select this line and press Ctrl+X to copy the address “00401092” to the clipboard.

(3) Calculate size: hold down Ctrl while selecting data and dragging the mouse, and the size of the selected data is calculated.
———————————————
2. Data Window
(1) Fast positioning
00406000 00 10 40 00 00 00 00 00 00 00 00 00 CA 2E 40 00
^
Move the cursor to the first byte (00) of the dword “00 10 40 00” and double-click: the disassembly window displays 00406000. Press Shift instead and the disassembly window displays 401000.

(2) Calculate size: in the data window, hold down the left mouse button and drag to select data; the prompt shows the start address, end address and size of the selected data.
———————————————
3. Stack Window
0012FF44 00401D8A // double-click and the disassembly window displays the contents of address 00401D8A; or press Shift and the data window displays the contents of address 00401D8A
0012FF48 00000000

Download here:
http://www.mediafire.com/download.php?mmim1yzymoz

Regards