Archive for the ‘RE Tools’ Category

OllyDbg v2

Posted: May 13, 2016 in OllyDBG v2
Tags: ,

I wan to share my OllyDbg v2 (shared by Vic) that i used for my RCE hobby :).

m4n0w4r

Download here:

https://goo.gl/HonQG0

Regards,

m4n0w4r

Advertisements

PeStudio 8.01

Posted: January 21, 2014 in PeStudio 8.01
Tags:

PeStudio is a free tool performing the static investigation of any Windows executable binary. A file being analyzed with PeStudio is never launched. Therefore you can evaluate unknown executable and even malware with no risk. PeStudio runs on any Windows Platform and is fully portable, no installation is required. PeStudio does not change the system or leaves anything behind.Among very famous security tools, PeStudio has proudly obtained Rank 4 on the Best 2013 Security Tools.

Indicators

PeStudio shows Indicators as a human-friendly result of the analyzed image. Indicators are grouped into categories according to their severity. Indicators show the potential and the anomalies of the application being analyzed. The classifications are based on XML files provided with PeStudio. By editing the XML file, one can customize the Indicators shown and their severity. Among the indicators, PeStudio shows when an image is compressed using UPX or MPRESS. PeStudio helps you to define the trustworthiness of the application being analyzed.

Virus Detection

PeStudio can query Antivirus engines hosted by Virustotal for the file being analyzed. This feature only sends the MD5 of the file being analyzed. This feature can be switched ON or OFF using an XML file included with PeStudio. PeStudio helps you to determine how suspicious the file being analyzed is.

And more…

Download here:

http://www.winitor.com/tools/PeStudio801.zip

Regards,

[Leaked]Hiew v8.40

Posted: January 5, 2014 in [Leaked]Hiew v8.40
Tags:

Features of release VIII:

  • view and edit files of any length in text, hex, and decode modes
  • x86-64 disassembler & assembler (AVX instructions include)
  • physical & logical drive view & edit
  • support for NE, LE, LX, PE/PE32+ and little-endian ELF/ELF64 executable formats
  • support for Netware Loadable Modules like NLM, DSK, LAN,…
  • following direct call/jmp instructions in any executable file with one touch
  • pattern search in disassembler
  • built-in simple 64bit decrypt/crypt system
  • built-in powerful 64bit calculator
  • block operations: read, write, fill, copy, move, insert, delete, crypt
  • multifile search and replace
  • keyboard macros
  • unicode support
  • Hiew Extrenal Module (HEM) support
  • ArmV6 disassembler

Regards,

OllyDbg 2.01

Posted: September 30, 2013 in OllyDbg 2.01
Tags:

September 27, 2013 – version 2.01

New version with many new features, among them:

  • Help on 77 pages. Please read it first – most of new features are described there
  • Multilanguage GUI (experimental, as yet no translation files – please do it by yourself)
  • Support for AVS instuctions (as yet no AVS2 and high 16 bytes of YMM registers are not displayed)
  • Call stack window (similar to the version 1.10)
  • Handles window (similar to the version 1.10)
  • SEH and VEH chains. To decode addresses of VEH handlers, OllyDbg hacks NTDLL.RtlAddVectoredExceptionHandler(), therefore process must be started from the OllyDbg
  • Multibyte character dumps
  • .udl image libraries, replace scan of object files from v1.10
  • Search for integers and floats in dump
  • Search for procedures (entry points)
  • Limited support for NTFS streams
  • Drive dump
  • Software breakpoints that use INT1, HLT, CLI, STI or INSB instead of INT3
  • Multiple watches in one line, support for repeat count
  • Dump of arrays of structures
  • Micro-analysers
  • Accelerated search
  • Assembling of immediate data statements (DB xx etc.)
  • Highlighting in run trace
  • Up to 2 ordinals per address
  • Limited support for Win95 via Microsoft Layer for UNICODE
  • More tricky code sequences
  • Show free memory, or was it the previous version?
  • Multiple bugfixes

Plugins compiled for OllyDbg 2.01 beta are 100% compatible with v2.01. PDK will be updated… soon…

Preliminary version of Disassembler 2.01 is almost ready. That is, the sources are more or less final but documentation and ready-to-use DLLs are still missing. I release Disasm 2.01 under GPL v3. Commercial licenses are also possible.

Download: http://www.ollydbg.de/odbg201.zip


Author : Deathway (Lo*eXeTools*rd)

This tool will help conversion VirtualOpcodes -> Assembly Instruction restoring the original code of your virtualized Application, the basic engine
was from CodeUnvirtualizer, my other tool

[Features]
– Supports WinLicense/Themida/CodeVirtualizer Cisc Machines
– Supports almost all common opcodes
– Supports CHECK_MACRO_PROTECTION
– Supppots MultiBranch Tech

[Use]
– Right-click on the jump leading to the Virtual Machine Area and press Unvirtualize (If machine isn’t found you have to click again, after checking that the full machine was correctly deofuscated)

[v1.5]
– Fixed Unvirtualize with Jump on CISC machines
– Fixed some errors when handling signed constants on RISC
– Fixed an issue when processing MOVS instrution on CISC machine
– Fixed some inversion data when processing COMM, REGX, REGX (like XOR EDI,ESI was decoded as XOR ESI,EDI)
– Fixed a problem when handling AH CH DH BH registers on COMM2 instructions
– Added MOVSX – MOVZX – XCHG – IMUL – MUL – DIV – IDIV – PUSHFD – POPFD instructions on RISC
– Added CALL [ESP+IMMC] on Cisc Machine
– Added support of dump files on RISC machines
– OreansAssember_Risc.cfg updated
– DLL Support on CISC and RISC machines

There is a fix regarding Risc machines, if you unvirtualized the opcodes, there is a high chance that you obtain the inversed form of this opcodes COMM REGX,REGX (like XOR EDI,ESI was decoded as XOR ESI,EDI). This errrors is fixed on the latest version

DLL support is now avaible, however Risc machines must be initialized first (not a problem, since risc machines are always encrypted).

On both machines, it’s recommended the devirtualization once the eip reach the oep.

Thanks Deathway for sharing his plugin.

Download here:

http://www.mediafire.com/download.php?o627wzdrv35fbzw

Stud_PE 2.6.0.6

Posted: March 3, 2012 in Stud_PE 2.6.0.6
Tags:

Stud_PE The Portable Executables Viewer/Editor (32/64 bit PE files)
view/edit PE basic Header information (DOS also):
  -header structures to hexeditor;
view/edit Section Table:
  – add new section;
view/edit Directory Table:
  -Import/Export Table viewer;
  -Import adder;
  -Resource viewer/editor (save/replace ico/cur/bmp);
Pe Scanner (PEiD sig database):
  -400 packers/protectors/compilers;
Task viewer/dumper/killer;
PEHeader/Binary file compare;
RVA to RAW to RVA;
Drag’nDrop shell menu integration;
Basic HexEditor;

Process regions’ dumper/viewer/editor;

2.6.0.6 – 27 feb 2012
-switched the project from vc6 to VC8; just for your information about 60 Errors and 600 warnings after project conversion; take care, those secure crt fixups drived me crazy, errors may have slept through:); if so, please report and I’ll try to fix them;
– unfortunatelly VC8 breaks the w95 compatibility (shlwapi.dll appears at imports due to mfc AddToRecentFileList which links that dll, not known to w95 os; aslo IsDebuggerPresent not present in w95 but linked by vc8 …and who knows which other functins);
-fixed a gpf reported on program exit;
…more inside nfo.txt

Download here:

http://www.cgsoftlabs.ro/zip/Stud_PE.zip

Regards


As you see, this version already supports plugins. New plugin interface is similar to the old (v1.10) but is not backwards compatible. It includes more than 350 API functions, 60 or so variables and many enumerations and structures that all need to be documented. This will take a while, therefore I decided to make a preliminary release. It includes plugin header file (plugin.h) and commented bookmarks source code (bookmark.c). Writing your own plugins without the documentation is a pure masochism, but at least you will be able to analyse the structure of the interface and  send me your comments, wishes and suggestions.

This is the last alpha release. After plugin documentation is ready, I will call it 2.01 beta 1. Then I will start to write OllyDbg help and finally make the full 2.01 release. Till then, I plan no major changes.

Other new features in this version:

– Patch manager, similar to 1.10
– Shortcut editor, supports weird things like Ctrl+Win+$ etc. Now you can customize and share your shortcuts. I haven’t tested it on Win7, please report any found bugs and incompatibilities!
– Instant .udd file loading. In the previous versions I’ve postponed analysis, respectivcely reading of the .udd file till the moment when all external links are resolved. But sometimes it took plenty of time, module started execution and was unable to break on the breakpoints placed in the DLL initialization routine
– Automatic search for the SFX entry point, very raw and works only with several packers. Should be significantly more reliable than 1.10. If you tried it on some SFX and OllyDbg was unable to find real entry, please send me, if possible, the link or executable for analysis!
– “Go to” dialog lists of matching names in all modules
– Logging breakpoints can protocol multiple expressions. Here is an example: I ask OllyDbg to protocol the contents of EAX, EBX and 4 memory doublewords starting at address ESP. Expressions must be separated by commas, repeat count has form SIZE*N, N=1..32:

Breakpoint with multiple expressions to protocol

This is what you will see in the log when breakpoint is hit:

Multiple expressions protocolled

Many not-so-important new features:

– Thread names (MS_VC_EXCEPTION)
– UNICODE box characters clipboard mode
– Multiline debugging strings (of large size)
– On debug string, OllyDbg attempts to find call to OutputDebugString()
– INT3 breakpoints set on the first byte of edited memory area are retained
– Decoding of User Shared Data block
– Addressing relative to module base
– If plugin crashes, OllyDbg will report its name
– etc, etc.

I have received many bug reports. Some of them are solved, some are not. There is a very nasty bug that I was unable to reproduce: OllyDbg crashes with memory access violation inside the GlobalAlloc()?!! Either OllyDbg unintentionally taints internal data structures used by memory manager, or some virus scanner overreacts, or this is a bug of Windows itself? If you have any clue, please let me know.

That’s all for now. I will make a short vacations, a week or so, and in order to keep my sanity will not check for new emails. Please have some patience!

Download here: http://ollydbg.de/odbg201d.zip

Bookmark Plugin : http://ollydbg.de/plug201d.zip

Regards