I wan to share my OllyDbg v2 (shared by Vic) that i used for my RCE hobby :).
Download here:
Regards,
m4n0w4r
Archive for the ‘RE Tools’ Category
PeStudio is a free tool performing the static investigation of any Windows executable binary. A file being analyzed with PeStudio is never launched. Therefore you can evaluate unknown executable and even malware with no risk. PeStudio runs on any Windows Platform and is fully portable, no installation is required. PeStudio does not change the system or leaves anything behind.Among very famous security tools, PeStudio has proudly obtained Rank 4 on the Best 2013 Security Tools.
Indicators
PeStudio shows Indicators as a human-friendly result of the analyzed image. Indicators are grouped into categories according to their severity. Indicators show the potential and the anomalies of the application being analyzed. The classifications are based on XML files provided with PeStudio. By editing the XML file, one can customize the Indicators shown and their severity. Among the indicators, PeStudio shows when an image is compressed using UPX or MPRESS. PeStudio helps you to define the trustworthiness of the application being analyzed.
Virus Detection
PeStudio can query Antivirus engines hosted by Virustotal for the file being analyzed. This feature only sends the MD5 of the file being analyzed. This feature can be switched ON or OFF using an XML file included with PeStudio. PeStudio helps you to determine how suspicious the file being analyzed is.
And more…
Download here:
http://www.winitor.com/tools/PeStudio801.zip
Regards,
Features of release VIII:
- view and edit files of any length in text, hex, and decode modes
- x86-64 disassembler & assembler (AVX instructions include)
- physical & logical drive view & edit
- support for NE, LE, LX, PE/PE32+ and little-endian ELF/ELF64 executable formats
- support for Netware Loadable Modules like NLM, DSK, LAN,…
- following direct call/jmp instructions in any executable file with one touch
- pattern search in disassembler
- built-in simple 64bit decrypt/crypt system
- built-in powerful 64bit calculator
- block operations: read, write, fill, copy, move, insert, delete, crypt
- multifile search and replace
- keyboard macros
- unicode support
- Hiew Extrenal Module (HEM) support
- ArmV6 disassembler
Regards,
September 27, 2013 – version 2.01
New version with many new features, among them:
- Help on 77 pages. Please read it first – most of new features are described there
- Multilanguage GUI (experimental, as yet no translation files – please do it by yourself)
- Support for AVS instuctions (as yet no AVS2 and high 16 bytes of YMM registers are not displayed)
- Call stack window (similar to the version 1.10)
- Handles window (similar to the version 1.10)
- SEH and VEH chains. To decode addresses of VEH handlers, OllyDbg hacks NTDLL.RtlAddVectoredExceptionHandler(), therefore process must be started from the OllyDbg
- Multibyte character dumps
- .udl image libraries, replace scan of object files from v1.10
- Search for integers and floats in dump
- Search for procedures (entry points)
- Limited support for NTFS streams
- Drive dump
- Software breakpoints that use INT1, HLT, CLI, STI or INSB instead of INT3
- Multiple watches in one line, support for repeat count
- Dump of arrays of structures
- Micro-analysers
- Accelerated search
- Assembling of immediate data statements (DB xx etc.)
- Highlighting in run trace
- Up to 2 ordinals per address
- Limited support for Win95 via Microsoft Layer for UNICODE
- More tricky code sequences
- Show free memory, or was it the previous version?
- Multiple bugfixes
Plugins compiled for OllyDbg 2.01 beta are 100% compatible with v2.01. PDK will be updated… soon…
Preliminary version of Disassembler 2.01 is almost ready. That is, the sources are more or less final but documentation and ready-to-use DLLs are still missing. I release Disasm 2.01 under GPL v3. Commercial licenses are also possible.
Download: http://www.ollydbg.de/odbg201.zip
Oreans UnVirtualizer ODBG Plug-in (WL/TMD/CV)
Posted: March 10, 2012 in Oreans UnVirtualizer ODBG Plug-inTags: Oreans UnVirtualizer ODBG Plug-in
Author : Deathway (Lo*eXeTools*rd)
This tool will help conversion VirtualOpcodes -> Assembly Instruction restoring the original code of your virtualized Application, the basic engine
was from CodeUnvirtualizer, my other tool
[Features]
– Supports WinLicense/Themida/CodeVirtualizer Cisc Machines
– Supports almost all common opcodes
– Supports CHECK_MACRO_PROTECTION
– Supppots MultiBranch Tech
[Use]
– Right-click on the jump leading to the Virtual Machine Area and press Unvirtualize (If machine isn’t found you have to click again, after checking that the full machine was correctly deofuscated)
[v1.5]
– Fixed Unvirtualize with Jump on CISC machines
– Fixed some errors when handling signed constants on RISC
– Fixed an issue when processing MOVS instrution on CISC machine
– Fixed some inversion data when processing COMM, REGX, REGX (like XOR EDI,ESI was decoded as XOR ESI,EDI)
– Fixed a problem when handling AH CH DH BH registers on COMM2 instructions
– Added MOVSX – MOVZX – XCHG – IMUL – MUL – DIV – IDIV – PUSHFD – POPFD instructions on RISC
– Added CALL [ESP+IMMC] on Cisc Machine
– Added support of dump files on RISC machines
– OreansAssember_Risc.cfg updated
– DLL Support on CISC and RISC machines
There is a fix regarding Risc machines, if you unvirtualized the opcodes, there is a high chance that you obtain the inversed form of this opcodes COMM REGX,REGX (like XOR EDI,ESI was decoded as XOR ESI,EDI). This errrors is fixed on the latest version
DLL support is now avaible, however Risc machines must be initialized first (not a problem, since risc machines are always encrypted).
On both machines, it’s recommended the devirtualization once the eip reach the oep.
Thanks Deathway for sharing his plugin.
Download here:
0day in {REA_TEAM} 