hopkinmckensie521h

Ollydbg Patch Plugin



If you don't have the plugin's source code or cannot rebuild it yourself, it is possible to try to patch the plugin DLL so that Olly will load it. This is tricky because you need to patch the version number the plugin reports, and probably the callbacks in the DLL that belong to the plugin API. The procedure is described in a screencast.







This plugin makes your copy of OllyDbg portable, which means that you can copy the OllyDbg folder to another location without having to fix the absolute paths in ollydbg.ini manually. OllyDbg v1.10 and OllyDbg v2 are supported.


While creating mods for Sid Meier's Pirates!, I found it very frustrating to try to make substantial changes to the game's executable using IDA Pro because the built-in assembler is very limited and can only assemble one instruction at a time, and if you make a mistake you may have to type the whole program again from scratch! Furthermore, the free hex editors for Windows tend to be buggy, and typing machine code into a hex editor is error-prone. So I created a basic assembly IDE to help me write mods and patch executables, called ExePatch. I didn't expect to release it, but I thought it might be helpful for others.


How could you make OllyDbg avoid the traps set by the malware? You could change the control flow of the program by patching the jumps. Alternatively, you could manually modify the values of the fields that the program is checking within the PEB. Since checking the PEB is a common anti-debugging technique, some helpful programmers have created plugins that allow OllyDbg to "fool" anti-debugging malware. The PhantOm plugin is one of them.


Install the PhantOm plugin from _plugins/download/download.php?view.1276. Unzip the downloaded file and copy the DLL into the same directory as the OllyDbg executable. Restart OllyDbg and activate the plugin by going to: Plugins -> PhantOm -> Options -> Hide from PEB. Put breakpoints on the CALLs to sub_4010000. PhantOm was designed to work on Windows XP. Some of the locations of the fields it patches have changed in later versions of Windows, so on Windows 2008 PhantOm may protect against only some of the PEB anti-debugging tricks. Which of the following was PhantOm capable of avoiding?


Patch the conditional jump(s) that lead the program to CALL sub_4010000 during the first three checks on the PEB. Also put a breakpoint on the first instruction of sub_4010000 to monitor when it is called. Once you have activated PhantOm and patched the conditional jump(s), restart and run the program through the debugger (you may need to open the Patch window to re-apply the patches to the conditional jumps after the restart). You will find that you are not able to avoid calling sub_4010000 by managing those three initial PEB reads. Explain why.


How would you patch the program so that the TLSCallback_0 function does not call exit? In order to perform the patch you need at least to be able to open Lab16-02.exe without running through the TLSCallback_0 function first. To do this, go to Options -> Debugging options -> Events and set "Make first pause at" to "System breakpoint", so that OllyDbg stops before the TLS callbacks run.


Patches: PEB.IsDebugged, PEB.NtGlobalFlag, PEB.HeapFlag, NtQueryInformationProcess, NtSetInformationThread, FindWindowA, FindWindowW, FindWindowExA, FindWindowExW, EnumWindows, Process32NextW, OutputDebugString, NtQueryObject, GetTickCount, NtOpenProcess, BlockInput, NtClose, GetStartupInfo, NtQuerySystemInformation, NtYieldExecution, GetForegroundWindow, EnumDesktopWindows, GetWindowThreadProcessId. Future: custom patches/hooks.
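The three PEB reads discussed above (IsDebugged, NtGlobalFlag and the heap flags) and what "Hide from PEB" does to them can be simulated without a debugger. The following is an added example, not code from PhantOm or from the lab: it keeps a fake 32-bit PEB and a fake default heap in two byte buffers, populates them the way the loader does for a process started under a debugger, runs the malware-style checks, and then clears the fields the way a hiding plugin would. The _HEAP.Flags/ForceFlags offsets are the documented x86 ones for Windows XP (0x0C/0x10) and for Vista/Server 2008 and later (0x40/0x44); everything else (buffer sizes, function names) is an assumption made for the demonstration. Running it shows why a plugin written against the XP layout leaves the heap-flag check alive on a newer Windows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: fake 32-bit PEB and _HEAP images in plain byte buffers. */

#define PEB_BEING_DEBUGGED  0x02   /* PEB.BeingDebugged (1 byte) */
#define PEB_NT_GLOBAL_FLAG  0x68   /* PEB.NtGlobalFlag on x86 */

/* NtGlobalFlag bits the loader sets when the process is created under a debugger */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40u
#define NTGLOBALFLAG_DEBUG_BITS (FLG_HEAP_ENABLE_TAIL_CHECK | \
                                 FLG_HEAP_ENABLE_FREE_CHECK | \
                                 FLG_HEAP_VALIDATE_PARAMETERS)

/* _HEAP.Flags / _HEAP.ForceFlags bits that betray a debugger */
#define HEAP_GROWABLE                    0x00000002u
#define HEAP_TAIL_CHECKING_ENABLED       0x00000020u
#define HEAP_FREE_CHECKING_ENABLED       0x00000040u
#define HEAP_VALIDATE_PARAMETERS_ENABLED 0x40000000u
#define HEAP_DEBUG_BITS (HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | \
                         HEAP_VALIDATE_PARAMETERS_ENABLED)

/* Where Flags and ForceFlags live inside _HEAP moved between XP and Vista+ (x86). */
struct heap_layout { uint32_t flags_off, force_flags_off; };
static const struct heap_layout HEAP_LAYOUT_XP    = { 0x0C, 0x10 };
static const struct heap_layout HEAP_LAYOUT_VISTA = { 0x40, 0x44 };

enum { CHK_BEING_DEBUGGED = 1, CHK_NT_GLOBAL_FLAG = 2, CHK_HEAP_FLAGS = 4 };

static uint32_t rd32(const uint8_t *p, uint32_t off) { uint32_t v; memcpy(&v, p + off, 4); return v; }
static void     wr32(uint8_t *p, uint32_t off, uint32_t v) { memcpy(p + off, &v, 4); }

/* The three checks as the malware performs them; returns a bitmask of those that fire.
 * `heap` stands in for the block that PEB.ProcessHeap points to. */
int peb_checks(const uint8_t *peb, const uint8_t *heap, const struct heap_layout *os)
{
    int hits = 0;
    if (peb[PEB_BEING_DEBUGGED])                                 hits |= CHK_BEING_DEBUGGED;
    if (rd32(peb, PEB_NT_GLOBAL_FLAG) & NTGLOBALFLAG_DEBUG_BITS) hits |= CHK_NT_GLOBAL_FLAG;
    if ((rd32(heap, os->flags_off) & HEAP_DEBUG_BITS) ||
        rd32(heap, os->force_flags_off) != 0)                    hits |= CHK_HEAP_FLAGS;
    return hits;
}

/* Populate the fake structures the way a debugger-created process looks. */
void make_debugged(uint8_t *peb, uint8_t *heap, const struct heap_layout *os)
{
    peb[PEB_BEING_DEBUGGED] = 1;
    wr32(peb, PEB_NT_GLOBAL_FLAG, NTGLOBALFLAG_DEBUG_BITS);         /* 0x70 */
    wr32(heap, os->flags_off, HEAP_GROWABLE | HEAP_DEBUG_BITS);     /* 0x40000062 */
    wr32(heap, os->force_flags_off, HEAP_DEBUG_BITS);               /* 0x40000060 */
}

/* What a "Hide from PEB" option does: clear the tell-tale fields in the debuggee.
 * It can only clear the fields at the offsets it was written for (`plugin`). */
void hide_from_peb(uint8_t *peb, uint8_t *heap, const struct heap_layout *plugin)
{
    peb[PEB_BEING_DEBUGGED] = 0;
    wr32(peb, PEB_NT_GLOBAL_FLAG, rd32(peb, PEB_NT_GLOBAL_FLAG) & ~NTGLOBALFLAG_DEBUG_BITS);
    wr32(heap, plugin->flags_off, rd32(heap, plugin->flags_off) & ~HEAP_DEBUG_BITS);
    wr32(heap, plugin->force_flags_off, 0);
}

/* Checks still firing after a plugin written for layout `plugin` hides a process
 * whose heap really uses layout `os`. */
int remaining_after_hide(const struct heap_layout *os, const struct heap_layout *plugin)
{
    uint8_t peb[0x100] = {0}, heap[0x100] = {0};
    make_debugged(peb, heap, os);
    hide_from_peb(peb, heap, plugin);
    return peb_checks(peb, heap, os);
}

int main(void)
{
    printf("XP process, XP-era plugin:     remaining checks = %d\n",
           remaining_after_hide(&HEAP_LAYOUT_XP, &HEAP_LAYOUT_XP));
    printf("Vista+ process, XP-era plugin: remaining checks = %d (heap flags)\n",
           remaining_after_hide(&HEAP_LAYOUT_VISTA, &HEAP_LAYOUT_XP));
    return 0;
}
```

The first case reports 0 (all three checks defeated); the second reports 4, the heap-flag check, because the plugin zeroed bytes at 0x0C/0x10 while the real Flags/ForceFlags sit at 0x40/0x44. That is the same mismatch the lab warns about for Windows 2008, and it is also why a breakpoint on the called routine, rather than trust in the plugin, is the reliable way to see whether a check still fires.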


To use, copy the plugin to OllyDbg's plugin directory and, once you have loaded or attached OllyDbg to the module you want to debug, use the plugin's menu to find possible references to resources within that module.


OllyDump is a plugin (.dll) which dumps the active process to an executable file (PE). Now, press F8 until the program takes the jump and reaches the address 00401000. Once there, we will use OllyDump to dump the unpacked code. Go to Plugins -> OllyDump -> Dump debugged process. We will be presented with the screen shown below in Fig-5. As we can see, the Entry Point field initially holds the entry point of the packed executable (the unpacking stub); OllyDump replaces it with the current EIP, the original entry point we just stepped to, so that the dumped file starts executing the unpacked code directly. Note that this only fixes the header's entry point; rebuilding the import table of the dump is a separate step.
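The header change described above is a single field: IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint. The following is an added example, not OllyDump's code, that locates that field in a PE image held in memory (DOS header -> e_lfanew -> "PE\0\0" -> COFF header -> optional header) and rewrites it with the RVA of the original entry point. The image it operates on is a constructed minimal header (MZ stub, PE signature at 0x40, PE32 optional header), not a real sample; the image base 0x400000, packed entry point RVA 0x5000 and OEP 0x401000 are assumptions chosen to match the address in the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: rewrite AddressOfEntryPoint in an in-memory PE image. */

#define DOS_E_LFANEW       0x3Cu         /* IMAGE_DOS_HEADER.e_lfanew */
#define PE_SIGNATURE       0x00004550u   /* "PE\0\0" */
#define COFF_HEADER_SIZE   20u           /* sizeof(IMAGE_FILE_HEADER) */
#define OPT_ADDRESS_OF_EP  0x10u         /* offset inside the optional header (PE32 and PE32+) */
#define FAKE_IMAGE_SIZE    0x200

static uint32_t rd32(const uint8_t *p, size_t off) { uint32_t v; memcpy(&v, p + off, 4); return v; }
static void     wr32(uint8_t *p, size_t off, uint32_t v) { memcpy(p + off, &v, 4); }

/* File offset of AddressOfEntryPoint, or -1 if the headers do not parse. */
long entry_point_offset(const uint8_t *img, size_t len)
{
    if (len < DOS_E_LFANEW + 4 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img, DOS_E_LFANEW);
    uint64_t ep = (uint64_t)pe + 4 + COFF_HEADER_SIZE + OPT_ADDRESS_OF_EP;
    if ((uint64_t)pe + 4 > len || ep + 4 > len) return -1;     /* header runs past the buffer */
    if (rd32(img, pe) != PE_SIGNATURE) return -1;
    return (long)ep;
}

uint32_t get_entry_point(const uint8_t *img, size_t len)
{
    long off = entry_point_offset(img, len);
    return off < 0 ? 0 : rd32(img, (size_t)off);
}

/* Rewrite the entry point RVA; 0 on success, -1 on malformed headers. */
int set_entry_point(uint8_t *img, size_t len, uint32_t oep_rva)
{
    long off = entry_point_offset(img, len);
    if (off < 0) return -1;
    wr32(img, (size_t)off, oep_rva);
    return 0;
}

/* Constructed stand-in for a packed dump (not a real binary): only the fields
 * this example reads are filled in. Optional header starts at 0x40 + 4 + 20 = 0x58. */
void build_fake_image(uint8_t *img, uint32_t packed_ep_rva)
{
    memset(img, 0, FAKE_IMAGE_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img, DOS_E_LFANEW, 0x40);
    wr32(img, 0x40, PE_SIGNATURE);
    img[0x58] = 0x0B; img[0x59] = 0x01;                  /* Magic = PE32 */
    wr32(img, 0x58 + OPT_ADDRESS_OF_EP, packed_ep_rva);  /* AddressOfEntryPoint at 0x68 */
}

/* The workflow from the text: having stepped to the OEP (a virtual address),
 * convert it to an RVA and point the header at it. Returns the new header value. */
uint32_t dump_and_fix(uint32_t image_base, uint32_t packed_ep_rva, uint32_t oep_va)
{
    uint8_t img[FAKE_IMAGE_SIZE];
    build_fake_image(img, packed_ep_rva);
    if (set_entry_point(img, sizeof img, oep_va - image_base) != 0) return 0;
    return get_entry_point(img, sizeof img);
}

int main(void)
{
    /* Image base 0x400000 and OEP 00401000 as in the text: new RVA should be 0x1000 */
    printf("new AddressOfEntryPoint = 0x%X\n", dump_and_fix(0x400000, 0x5000, 0x401000));
    return 0;
}
```

The same offset arithmetic applies to PE32+ images, since AddressOfEntryPoint sits at the same place in both optional header formats. On a real dump the section headers also have to be adjusted (raw sizes and offsets set to the virtual ones) and the imports rebuilt, which this example does not attempt.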


In this module, we'll elaborate on a scenario where dynamic analysis is failing. We'll demonstrate how to reverse engineer a piece of malware code and patch it so that it can go through the dynamic analysis process.

