Archive for August, 2011

Author : by deepzero, 2011


Private exe Protector (PEP) is a lower end intermediate PE file protection and licensing solution. The price, 200$, is quiet high, which might be one of the reasons this protector is rarely being used.  I chose it here because there is little to no documentation available on version 3.x. From the PEP
Private exe Protector (PEP) is a professional licensing, anti-tampering and software examination system. PEP works with traditional methods, such as file compression, code fragment encryption, metamorphic loading, protection from debugging and file tampering , and features new innovative techniques, including data protection with stolen resources technique and partial code execution on a virtual machine. Licensing functions can be automatically integrated into the protected program, which allows the end user to quickly and securly manage all licences issued with the built in licence manager. All in all, it is the ideal solution for software developers.

Tools used
OllyDebug 1.10, LordPe, ImpRec, CFF Explorer, PiD, ResHacker, HexEdit (all freeware).
OllyDebug plugins: ollyadvanced, MultiMate assembler, odbgscript, IDAficator,AnalyzeThis!

Download tutorial here :


As you see, this version already supports plugins. New plugin interface is similar to the old (v1.10) but is not backwards compatible. It includes more than 350 API functions, 60 or so variables and many enumerations and structures that all need to be documented. This will take a while, therefore I decided to make a preliminary release. It includes plugin header file (plugin.h) and commented bookmarks source code (bookmark.c). Writing your own plugins without the documentation is a pure masochism, but at least you will be able to analyse the structure of the interface and  send me your comments, wishes and suggestions.

This is the last alpha release. After plugin documentation is ready, I will call it 2.01 beta 1. Then I will start to write OllyDbg help and finally make the full 2.01 release. Till then, I plan no major changes.

Other new features in this version:

– Patch manager, similar to 1.10
– Shortcut editor, supports weird things like Ctrl+Win+$ etc. Now you can customize and share your shortcuts. I haven’t tested it on Win7, please report any found bugs and incompatibilities!
– Instant .udd file loading. In the previous versions I’ve postponed analysis, respectivcely reading of the .udd file till the moment when all external links are resolved. But sometimes it took plenty of time, module started execution and was unable to break on the breakpoints placed in the DLL initialization routine
– Automatic search for the SFX entry point, very raw and works only with several packers. Should be significantly more reliable than 1.10. If you tried it on some SFX and OllyDbg was unable to find real entry, please send me, if possible, the link or executable for analysis!
– “Go to” dialog lists of matching names in all modules
– Logging breakpoints can protocol multiple expressions. Here is an example: I ask OllyDbg to protocol the contents of EAX, EBX and 4 memory doublewords starting at address ESP. Expressions must be separated by commas, repeat count has form SIZE*N, N=1..32:

Breakpoint with multiple expressions to protocol

This is what you will see in the log when breakpoint is hit:

Multiple expressions protocolled

Many not-so-important new features:

– Thread names (MS_VC_EXCEPTION)
– UNICODE box characters clipboard mode
– Multiline debugging strings (of large size)
– On debug string, OllyDbg attempts to find call to OutputDebugString()
– INT3 breakpoints set on the first byte of edited memory area are retained
– Decoding of User Shared Data block
– Addressing relative to module base
– If plugin crashes, OllyDbg will report its name
– etc, etc.

I have received many bug reports. Some of them are solved, some are not. There is a very nasty bug that I was unable to reproduce: OllyDbg crashes with memory access violation inside the GlobalAlloc()?!! Either OllyDbg unintentionally taints internal data structures used by memory manager, or some virus scanner overreacts, or this is a bug of Windows itself? If you have any clue, please let me know.

That’s all for now. I will make a short vacations, a week or so, and in order to keep my sanity will not check for new emails. Please have some patience!

Download here:

Bookmark Plugin :