7 posts tagged 'OllyDbg'

  1. 2009.05.23 Debugging by CEOinIRVINE
  2. 2009.01.28 Debugger by CEOinIRVINE
  3. 2009.01.27 Ollydbg Nonameo Bookmarks Plugins by CEOinIRVINE
  4. 2008.12.25 Ollydbg Tutorial Beginners by CEOinIRVINE
  5. 2008.12.25 Hit Tracing by using ollydbg by CEOinIRVINE
  6. 2008.12.22 Reverse Engineering (BASIC) by CEOinIRVINE
  7. 2008.11.23 Manually Unpacking a Morphine-Packed DLL with OllyDbg by CEOinIRVINE 1

Debugging

Hacking 2009. 5. 23. 10:59

Debugging

Title: Gflags
Description: Allows you to enable system-wide heap and object checks for an application.
URL: http://technet2.microsoft.com/WindowsServer/en/Library/6a183942-57b1-45e0-8b4c-c546aa1b8c471033.mspx
Chapter: 8

Title: IDA Pro
Description: A disassembler and debugger, plus several additional features useful for figuring out how an application works when you don't have the source code.
URL: http://www.datarescue.com/idabase
Chapter: 17

Title: Microsoft Debugging Tools for Windows
Description: Several debugging tools for the Windows operating system.
URL: http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
Chapter: 17

Title: Microsoft Visual Studio
Description: Microsoft's premium application debugger; provides a rich set of UI and automatable debugging features.
Chapter: 8, 9

Title: NTSD
Description: System and application debugger. Comes installed in the Windows operating system: ntsd.exe.
Chapter: 8

Title: OllyDbg
Description: A 32-bit debugger for the Windows operating system.
URL: http://www.ollydbg.de

Other posts in the 'Hacking' category

Lolhackerstic.dll (godmode)  (0) 2009.06.09
How to Hack a Yahoo Mail Password  (0) 2009.05.26
Basic 80x86 Architecture  (0) 2009.05.23
Game Cheat 101  (0) 2009.05.09
fantasy baseball  (0) 2009.04.24
Posted by CEOinIRVINE

Debugger

Hacking 2009. 1. 28. 07:41

OllyDbg - BoomBox

http://rapidshare.com/files/25394210/request.php_3

OllyDbg - Chinese
http://rapidshare.com/files/25394358/request.php_554

OllyDbg - CiM’s
http://rapidshare.com/files/25394505/request.php_1206

OllyDbg - Diablo’s

http://rapidshare.com/files/25395171/request.php_2

http://letitbit.net/download/6bb575376676/d2k2.ollydbg.public2008-updated.rar.html ==new==

OllyDbg - ExeCryptor
http://rapidshare.com/files/25395311/request.php_553

OllyDbg - Hacnho’s
http://rapidshare.com/files/25395639/request.php_4

OllyDbg - OllyICE

http://rapidshare.com/files/25395646/request.php_5

ollyice 2007.9.21

http://rapidshare.com/files/60720683/OlyICE2007.9.21.rar

bigice 5
http://rapidshare.com/files/26791856/bigice5.zip

ollyice 2008.1.1

OllyICE v1.10

http://rapidshare.com/files/132790837/odbg110_OllyICE_v1.10_update.rar

OllyICE TheMida MOD. By EvOlUtIoN==new==
http://letitbit.net/download/90b2a3913809/OllyICE-TheMida-By-EvOlUtIoN.rar.html
http://rapidshare.com/files/138149196/OllyICE_TheMida_By_EvOlUtIoN.rar

OllyDbg - Shadow
http://rapidshare.com/files/25395640/request.php_6

OllyDbg - Unmodified!
http://rapidshare.com/files/25395641/request.php_1

OllyDbg-flyODBG

http://rapidshare.com/files/26789936/flyjnop790.zip

ollydbg - ricardo nar.

http://rapidshare.com/files/26791858/ricarcdon.zip

OllyDbg_SLV edition
http://rapidshare.com/files/26791862/slv.zip

OllyDbg -Arabic
http://rapidshare.com/files/26791864/ice1_3.zip

Ollydbg - xp
http://rapidshare.com/files/26771160/ollydbg_110_xp.rar

Ollydbg - greenstyle

http://rapidshare.com/files/26436069/ollydbg_Green_Style_20by_20jnop790.rar

OllyDbg - armadillo
http://rapidshare.com/files/34817803/odbg_204_20armadillo_20with_20tools.zip

OllyDbg - xp+ dct
http://rapidshare.com/files/34821367/ODbg_20xp_20DCT.zip

OllyDbg - ADO
http://rapidshare.com/files/34821368/ODbgADO.zip

OllyDbg - SND
http://rapidshare.com/files/34821374/ODbgSnD.zip

OllyDbg -D2K2
http://rapidshare.com/files/34821377/ODbgD2k2.zip

OllyDbg - DeFixed

http://rapidshare.com/files/39044055/DeFixed_Edition.rar

OllyDbg - DeFixed v2 (foff)

http://rapidshare.com/files/60718378/DeFixed_Edition_v2.rar

OllyDbg - ExeCryptor

http://rapidshare.com/files/39851301/exec.olly.zip

olly bronco (mod. for execryptor )

http://rapidshare.com/files/66345462/OllyDbg_v1.10_Bronco.rar

olly YPOGEiOS DOX DiViSiON

http://rapidshare.com/files/66345700/YGS-DOX_OllyDBG.v1.10.Mod-YPOGEiOS.rar

OllyDbg’ - Snd version all plugins and olly patched :

http://rapidshare.com/files/44123914/0_1_1_YDbg_Beta_Full.7z

the 0dbg for Themida/WinLicense V1.9.3.0

http://rapidshare.com/files/50611549/The0DBG.exe

HanOlly

http://rapidshare.com/files/64369450/odbg110__HanOlly_edition_for_themida_1.9.rar

ollydbg modified for themida 1.9.5

http://rapidshare.com/files/65716863/O_ll_y_Dbg_modify_for_themida1.9.5.EXE

ollydbg modified for themida and execryptor

http://letitbit.net/download/d35cd7115999/RAMODBG.rar.html

OllyDbg Sabre Gold

DarkOlly

http://rapidshare.com/files/137296680/DarkOlly.7z

OllyDbg 1.10 - kamal

http://letitbit.net/download/9e844d493204/OllyDbg-1.10-by-kamal.rar.html

OllyDbg v1.10 LifeODBG v1.4

http://letitbit.net/download/686a95302760/OllyDbg-v1.10-LifeODBG-v1.4.rar.html

OllyDBG The_Best_version==new==

http://rapidshare.com/files/142544485/OllyDBG_The_Best_version.rar

http://letitbit.net/download/ffb745506367/OllyDBG-The-Best-version.rar.html

ollydbg moded by DeRoX  ==new==19 nov 2008

http://letitbit.net/download/9cde79762956/odbg110-Olly-DRX-Lite.rar.html

OllyDbg 2

OllyDbg 2 2a 20 oct 2007

http://rapidshare.com/files/64369705/ollydbg_2a-_20_oct07.exe

OllyDbg v2.00 Alpha 4

http://letitbit.net/download/a51bdc740372/OllyDbg-v2.00-Alpha-4.zip.html

OllyDbg v2.00 Alpha Sabre-Gold==new==

http://letitbit.net/download/357163436792/OllyDbg-v2.00-Alpha-Sabre-Gold.rar.html

oLLYdbg 2.00 g==new==

http://letitbit.net/download/0768f7669997/odbg200g.zip.html

ollydbg1.1 BY INREv team==new==

http://letitbit.net/download/fc3c1941207/ollydbg1.1-beta2-INRev.rar.html

http://letitbit.net/download/6faed3180832/odbg1.10-beta1–INRev.rar.html

All patches for OllyDbg 1.x:

http://rapidshare.com/files/35977772/OLLYDBG_1.10_all_patches_.rar

Note: after downloading, rename the file to *.rar or *.zip. These are third-party modified builds hosted on file-sharing sites, so treat them as untrusted binaries: verify what you can and run them only inside an isolated VM.

=================

Debugging Tools for Windows

dbg X86

http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx

=================

SoftIce

98

http://rapidshare.com/files/50615930/Sic_v4.2.7_RC1_9x__IceExt_v0.7.part1.rar

http://rapidshare.com/files/50615933/Sic_v4.2.7_RC1_9x__IceExt_v0.7.part2.rar

http://rapidshare.com/files/50615934/SoftICE_20v4.3.2.2485.rar

xp

http://rapidshare.com/files/50615935/SoftIce_20v4.2.7_20RC1_20XP.exe

=================

Syser Debugger

Syser Debugger 1.92

http://rapidshare.com/files/42710603/download.php

Syser Debugger 1.93

http://rapidshare.com/files/48708302/download.php

Syser DebuggeR 1.97.1900.1016

http://rapidshare.com/files/119028937/Sys.Debug.v1.97.1900.1016.zip

Syser.Debugger.v1.97.1900.1038

http://rapidshare.com/files/131394971/Syser.Debugger.v1.97.1900.1038.zip

Syser Debugger 1.99.1900.1095 ==new==

http://letitbit.net/download/2f637f902443/SYSKERNDEBUG.1.99.1900.1095.rar.html

=================

Immunity Debugger

ImmunityDebugger v 1.0


http://debugger.immunityinc.com/download/ImmunityDebugger_setup.exe

or

http://rapidshare.com/files/47096385/ImmunityDebugger_setup.exe

ImmunityDebugger v 1.5 FULL (SCRIPT+PLUGIN)

part 1 & 2:

http://rapidshare.com/files/138160039/ImDbg.v1.5.7z.001

http://rapidshare.com/files/138158243/ImDbg.v1.5.7z.002

Password: http://reversengineering.wordpress.com/debuggers/

ImmunityDebugger 1.73 RemoveAD KuNgBiM ==new 19 nov 2008 added== hot

http://rapidshare.com/files/165317164/ImmunityDebugger_1.73_RemoveAD_KuNgBiM.7z.002
http://rapidshare.com/files/165319412/ImmunityDebugger_1.73_RemoveAD_KuNgBiM.7z.001

=================

IDA Pro

IDA Pro Advanced v5.1.0.899

http://letitbit.net/download/555d66375926/IDAProAdvancedv5.1.0.899.rar.html

Fix

http://letitbit.net/download/3df899307180/IDAProAdvancedv5.1.0.899Fix.rar.html

DataRescue IDA Pro Advanced v5.1.0.899  + SDK + FiX

http://letitbit.net/download/077cd4773868/DataRescue.IDA.Pro.Advanced.v5.1.0.899.rar.html

IDA PRO 5.1 SDK

http://letitbit.net/download/a91b81999543/IDA-5.1-SDK.part02.rar.html

http://letitbit.net/download/e5e2e4967183/IDA-5.1-SDK.part01.rar.html
Datarescue ida pro advanced  v5.1 windows patch

LAN patch
Key blacklist patch
Russian IDA data file read patch

http://letitbit.net/download/9a8fec832094/datarescue.ida.pro.advanced.v5.1.windows-patch.rar.html

IDA Pro v5.20 Advanced Full MegaPack

by cracklab

http://letitbit.net/download/b96428300403/download.php-action-get-n-MjE1.html

after download rename it to “IDA Pro v5.20 Advanced Full MegaPack.rar”

IDA Pro 5.2 addons

idsutil5.20

Flair5.10

http://letitbit.net/download/f09e75790522/IdaPro5.2-addons.rar.html

DataRescue IDA Pro Advanced v5.2 SDK

http://letitbit.net/download/85acc3208403/idapro52sdk.part02.rar.html

http://letitbit.net/download/307d35980633/idapro52sdk.part01.rar.html

=================

Zeta Debugger

Zeta Debugger v1.4

http://letitbit.net/download/b06dd5445683/Zeta.Debugger.v1.4-full.zip.html

Zeta Debugger v1.5==new==

http://letitbit.net/download/e0881a39387/zd1.5-setup.zip.html

=================

Linux Debugger

EDB Linux Debugger 0.8.12

http://www.codef00.com/projects/debugger-0.8.12.tgz

0.9.1

http://www.codef00.com/projects/debugger-0.9.1.tgz

0.9.2 released 2008-07-29
http://www.codef00.com/projects.php#Debugger

0.9.4 2008-08-12==new==

http://www.codef00.com/projects/debugger-0.9.4.tgz

=================

java Debugger

JDebugTool Pro v4.1.1==new==

http://letitbit.net/download/baf0a2105543/JDebugTool-Pro-v4.1.1.rar.html

http://rapidshare.com/files/137998716/JDebugTool_Pro_v4.1.1.rar

Password: http://reversengineering.wordpress.com

=================

other debuggers

Obsidian - Non-intrusive Debugger + src ==new==

http://letitbit.net/download/e7fa3b610314/Obsidian–src.rar.html

VB Debugger [source code] + compiled with VB 6==new==

http://letitbit.net/download/f2e228167354/vb-debug-src.7z.html

MiniDBG with source==new==

http://letitbit.net/download/5731ca759728/debugger.rar.html


Ollydbg Tutorial Beginners

Hacking 2008. 12. 25. 05:55


Hit Tracing by using ollydbg

The DVLabs posting demonstrates how to dynamically analyze a 32-bit Windows binary in WinDbg using hit tracing. Hit tracing is the process of dynamically tracking execution flow in order to narrow your field of focus when reverse engineering a binary. This saves you from wasting time looking at uninteresting parts of the code.

While Cody Pierce focused on using WinDbg for hit tracing, we're going to show you how to use OllyDbg.

Implementing hit tracing in OllyDbg is rather straightforward.

  • Set an INT3 breakpoint on every instruction within the region of interest.
  • When an instruction carrying a breakpoint executes, OllyDbg removes that breakpoint and marks the instruction as a hit, so each instruction costs at most one exception.

Because each INT3 overwrites the first byte of an instruction, this depends on OllyDbg's analysis having found the instruction boundaries correctly; on code that has not been unpacked yet, or that modifies itself, the 0xCC bytes can land inside operands or data.

When dynamically reverse engineering a binary, one problem with logging every executed region is that much of the code that collects hits is code we do not care about, such as GUI event handling. We'll call this UNINTERESTING CODE. The code we do want to focus on is INTERESTING CODE.

To solve the problem of highlighting only INTERESTING CODE we'll use a plugin that Moti wrote for OllyDbg "back in the day," called "OllySnake." This plugin overlays the built-in OllyDbg hit trace feature to filter out UNINTERESTING CODE.

So, how does the plugin work?

As an example, let's say that we want to narrow our focus to the notepad.exe code that handles the "About" command.

  • First, we instruct OllyDbg to trace all events that occur when we execute notepad.exe (including the "uninteresting events," such as GUI events like mouse movements, etc.).
  • Next, we save the hit trace snapshot.
  • Now that we have a snapshot of the UNINTERESTING CODE, we click on the "About" menu item to trigger and log the INTERESTING CODE.
  • Finally, we save a hit trace snapshot that includes both the UNINTERESTING CODE and the INTERESTING CODE.

Can you guess what we do next? We diff the two snapshots to find just the INTERESTING CODE!
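The bookkeeping behind those four steps, written out as an added example (not code from the original post, OllyDbg, or the OllySnake plugin): one-shot INT3 breakpoints that fire once per instruction, two snapshots of the hit set, a set difference to isolate the INTERESTING CODE, and a final pass that merges the surviving addresses into contiguous byte ranges using instruction lengths. The region at 0x401000 and its message loop / "About" handler layout are constructed for the demo and are not notepad.exe's.

```python
from dataclasses import dataclass, field


@dataclass
class HitTracer:
    """Models OllyDbg's hit-trace bookkeeping: a one-shot INT3 on every
    instruction of the region of interest. The first time an instruction
    executes, its breakpoint is removed and the address is recorded."""
    armed: set = field(default_factory=set)   # addresses still patched with 0xCC
    hits: set = field(default_factory=set)    # addresses executed at least once

    def arm(self, insn_addrs):
        """Set a one-shot breakpoint on each instruction start address."""
        self.armed.update(insn_addrs)

    def execute(self, addr) -> bool:
        """Simulate the CPU reaching addr; True when a breakpoint fired."""
        if addr in self.armed:
            self.armed.discard(addr)      # original byte restored, hit logged
            self.hits.add(addr)
            return True
        return False                      # already traced: runs at full speed

    def snapshot(self) -> frozenset:
        """Freeze the current hit set (what a saved hit-trace snapshot holds)."""
        return frozenset(self.hits)


def diff_snapshots(before: frozenset, after: frozenset) -> list:
    """Addresses hit only after the action of interest: the INTERESTING CODE."""
    return sorted(after - before)


def coalesce(addrs, insn_len: dict) -> list:
    """Merge hit addresses into contiguous [start, end) byte ranges so the
    result reads like basic blocks rather than a flat list of addresses."""
    ranges = []
    for a in sorted(addrs):
        if ranges and ranges[-1][1] == a:
            ranges[-1][1] = a + insn_len[a]
        else:
            ranges.append([a, a + insn_len[a]])
    return [tuple(r) for r in ranges]


# Constructed stand-in for a disassembled region (address -> instruction
# length); the addresses and layout are hypothetical, not notepad.exe's.
INSNS = {
    0x401000: 5, 0x401005: 2, 0x401007: 6,   # message loop (uninteresting)
    0x40100D: 3, 0x401010: 2,                # WM_COMMAND dispatch, then a jump
    0x401012: 6,                             # another command handler, never hit
    0x401018: 5, 0x40101D: 1,                # "About" handler
}
MESSAGE_LOOP = [0x401000, 0x401005, 0x401007]
ABOUT_PATH = MESSAGE_LOOP + [0x40100D, 0x401010, 0x401018, 0x40101D]


def trace_about_command():
    """Replays the four-step procedure from the text and returns
    (breakpoints fired during the baseline, interesting addresses, ranges)."""
    tracer = HitTracer()
    tracer.arm(INSNS)
    # 1. let the program idle: the message loop spins, GUI events only
    fired = sum(tracer.execute(a) for _ in range(3) for a in MESSAGE_LOOP)
    # 2. save the UNINTERESTING CODE snapshot
    baseline = tracer.snapshot()
    # 3. click "About": the loop runs again, then the handler executes
    for a in ABOUT_PATH:
        tracer.execute(a)
    # 4. save the second snapshot and diff it against the first
    interesting = diff_snapshots(baseline, tracer.snapshot())
    return fired, interesting, coalesce(interesting, INSNS)


if __name__ == "__main__":
    fired, interesting, ranges = trace_about_command()
    print("baseline breakpoints fired:", fired)
    print("interesting:", [hex(a) for a in interesting])
    print("ranges:", [(hex(s), hex(e)) for s, e in ranges])
```

Although the message loop executes three times in the baseline, only three breakpoints fire, which is what makes per-instruction INT3 tracing affordable; the diff then drops the loop entirely and the coalesced ranges show that 0x401012 was skipped by the jump.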




Reverse Engineering (BASIC)

Hacking 2008. 12. 22. 15:59
1. Download PEiD (packer identifier).
2. Unpack the DLL.
3. Use your favorite debugger (such as OllyDbg).
4. Analysis~~~

6A 52           PUSH 52                                          ; key = 0x52 = 'R'
2E:FF15 1C92    CALL DWORD PTR CS:[<&USER32.GetAsyncKeyState>]   ; GetAsyncKeyState(0x52)

Meaning: the code polls whether the user is pressing the 'R' key :)  (For letters and digits the virtual-key code is the uppercase ASCII value, so 0x52 is VK 'R'; GetAsyncKeyState returns a nonzero value while the key is down.)
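The same analysis done statically, as an added example that is not part of the original post: scan a chunk of 32-bit code for `PUSH imm` immediately followed by `CALL DWORD PTR [iat_slot]` (with or without the `2E:` CS override seen in the listing), resolve the slot through an import-table map, and name the virtual key when the call target is GetAsyncKeyState. The code bytes, the base address 0x401000 and the IAT slots 0x0040201C / 0x00402020 are constructed for the demo. A linear byte scan can misalign on instruction boundaries in real code, so treat hits as candidates to confirm in the debugger.

```python
import struct

# Virtual-key names for the non-printable codes most often polled by game
# cheats and keyloggers; letters, digits and F-keys are derived below.
VK_NAMES = {
    0x08: "VK_BACK", 0x09: "VK_TAB", 0x0D: "VK_RETURN", 0x10: "VK_SHIFT",
    0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x1B: "VK_ESCAPE", 0x20: "VK_SPACE",
    0x2D: "VK_INSERT", 0x2E: "VK_DELETE",
}


def vk_name(vk: int) -> str:
    """Human-readable name for a Windows virtual-key code."""
    if 0x30 <= vk <= 0x39 or 0x41 <= vk <= 0x5A:
        return f"'{chr(vk)}'"            # digits and letters use their ASCII value
    if 0x70 <= vk <= 0x87:
        return f"VK_F{vk - 0x6F}"        # VK_F1 = 0x70 ... VK_F24 = 0x87
    return VK_NAMES.get(vk, f"VK_{vk:02X}")


def find_key_polls(code: bytes, base: int, iat: dict) -> list:
    """Find PUSH imm ; [CS:] CALL DWORD PTR [slot] pairs whose slot resolves
    to GetAsyncKeyState. Returns (address, vk, name) tuples."""
    found = []
    i = 0
    while i < len(code):
        push_len = 0
        if code[i] == 0x6A and i + 2 <= len(code):            # PUSH imm8
            vk, push_len = code[i + 1], 2
        elif code[i] == 0x68 and i + 5 <= len(code):          # PUSH imm32
            vk, push_len = struct.unpack_from("<I", code, i + 1)[0], 5
        if push_len:
            j = i + push_len
            if j < len(code) and code[j] == 0x2E:             # CS: prefix
                j += 1
            if code[j:j + 2] == b"\xFF\x15" and j + 6 <= len(code):
                slot = struct.unpack_from("<I", code, j + 2)[0]
                if iat.get(slot, "").endswith("GetAsyncKeyState"):
                    found.append((base + i, vk, vk_name(vk)))
                    i = j + 6
                    continue
        i += 1
    return found


# Constructed sample: a hotkey check like the one in the listing, plus a
# second poll for F1 and a GetKeyState call that must not be reported.
IAT = {0x0040201C: "USER32.GetAsyncKeyState", 0x00402020: "USER32.GetKeyState"}
CODE = bytes.fromhex(
    "6A52"             # PUSH 52                      ('R')
    "2EFF151C204000"   # CALL DWORD PTR CS:[0040201C] -> GetAsyncKeyState
    "6685C0"           # TEST AX,AX
    "7405"             # JE SHORT
    "6A70"             # PUSH 70                      (VK_F1)
    "FF151C204000"     # CALL DWORD PTR [0040201C]    -> GetAsyncKeyState
    "6A11"             # PUSH 11                      (VK_CONTROL)
    "FF1520204000"     # CALL DWORD PTR [00402020]    -> GetKeyState (ignored)
    "C3"               # RET
)


def analyse_sample() -> list:
    """Runs the scanner over the constructed bytes at base 0x401000."""
    return find_key_polls(CODE, 0x401000, IAT)


if __name__ == "__main__":
    for addr, vk, name in analyse_sample():
        print(f"{addr:08X}: GetAsyncKeyState({vk:#04x}) -> {name}")
```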




Manually Unpacking a Morphine-Packed DLL with OllyDbg

Tools Required: OllyDbg, Stud_PE, UltraEdit or any suitable hexeditor
Skill Level: Beginner

Unpacking executables in OllyDbg is usually pretty straightforward, but sometimes we come across a DLL that is packed, which changes how we approach the problem. Because OllyDbg analyzes DLLs through its loaddll.exe wrapper, the DLL's initialization code (DllMain) runs when the wrapper calls LoadLibrary, before we reach our startup breakpoint, giving the code a chance to perform debugger detection or other nasty tricks before we can stop it.

This tutorial gives a step-by-step illustrated guide to unpacking a Morphine-packed DLL using OllyDbg. In this case, our target is a piece of malware identified by Kaspersky Anti-Virus as "Trojan-Proxy.Win32.Agent.jz". RDG packer detector tells us that it is packed by Morphine 2.7.

RDG Packer Detector

If we load the file as-is, OllyDbg will detect that it is a DLL file, and prompt us to use LOADDLL.EXE to analyze it.

LOADDLL.EXE

This is not what we want, so we close this dialog. Before we load the sample into Olly, we make a small change so that Olly treats our target as a standalone executable instead of a DLL. Using Stud_PE, locate the "Characteristics" field of the PE file header. The bit we want to clear is IMAGE_FILE_DLL (0x2000), which lives in the high byte of that 16-bit field; in this sample that byte sits at file offset 0x117. Change its value from 0x21 to 0x01: this clears IMAGE_FILE_DLL and leaves IMAGE_FILE_32BIT_MACHINE (0x0100) set. Save the file, and it can now be loaded into OllyDbg as if it were an EXE.

Stud_PE Characteristics (DLL)

Stud_PE Characteristics (EXE)

Now when we load the file into Olly, we are taken to the ModuleEntryPoint, and can begin our unpacking.

OllyDbg at ModuleEntryPoint

When a morphine-packed DLL runs, it will unpack the original file and then copy it to memory allocated by VirtualAlloc. All we need to do in order to dump the original file is to interrupt this process and dump the memory before it is loaded and executed. We can do this by finding the VirtualAlloc function (use CTRL-G to go to a memory location by address or by exported name) and setting a breakpoint on it.

Locate VirtualAlloc

Some packers use anti-debugging tricks or check the first few bytes of imported functions to ensure that no software breakpoints are set on them. In this case there are no such tricks, so we can simply set our breakpoint at the start of the VirtualAlloc subroutine and run the code by pressing F9. (If a packer did check the API prologue, a hardware breakpoint, which changes no bytes in memory, is the usual alternative.)

Breakpoint at VirtualAlloc

Once we come to the breakpoint, the original code is unpacked and ready to be copied. We can locate the code in memory by going to the OllyDbg memory map window and right-clicking on the first section after the PE header, and selecting "Dump". This opens a window with our dump in "Disassemble" mode. Right-click on the window and choose "Hex->Hex/ASCII (16 Bytes)" and you'll see the hexdump as shown below.

Hexdump of memory

Scroll through the output and find the PE header, starting with the familiar bytes "MZ" followed by the usual "This program must run under Win32" verbiage (the DOS stub message of this sample; Microsoft-linked binaries say "This program cannot be run in DOS mode" instead). If this is present, our unpack worked, and we can dump the memory by right-clicking on the dump window and selecting "Backup->Save data to file".

Save memory dump to file

At this point all we need to do with the memory dump is delete the bytes preceding our PE header, and truncate the file at the proper length. I usually use Linux for my low-level file manipulation, but since I know most of you reading this tutorial are working on Windows, I'll show the process using the UltraEdit-32 hex editor.

First, open the memory dump file in UltraEdit and locate the MZ bytes indicating the start of the PE header. Note the offset into the file, in this case, 0x4969 hex, in decimal, 18793.

UltraEdit viewing PE header

Go to the start of the file, select the first byte, right-click and choose Edit->Hex Insert/Delete or hit CTRL-D. In the dialog that pops up, choose "Delete" and enter the number of bytes to delete up to the PE header start.

Delete prefix bytes

Now all we have to do is truncate the file at the correct location. (It won't hurt anything in terms of functionality if you skip this step; the file will just be larger than it needs to be.) Save the file in UltraEdit, then open the saved file in Stud_PE. Look at the "Sections" tab, and note the RawSize and RawOffset fields of the last section of the file. Add them together, and that gives the overall raw size of the original file, assuming the last section header is also the one placed highest in the file, which is the normal case. Here that is 0x25800 + 0x3800, which equals 0x29000.

Finding the original file length in Stud_PE

Go back to UltraEdit, and select the byte at offset 0x29000. Hit CTRL-D to bring up the delete bytes dialog again, and now enter a sufficient number of bytes to truncate the rest of the file.

Truncating the file in UltraEdit

We now have a copy of the original DLL as it was before being packed by Morphine. We can verify its integrity by loading it into Stud_PE and checking that all of the components of the file have sane values and that the import table actually shows imports from various system DLLs, which would not have been visible in its packed state. The export table should now also show any functions exported by the DLL.

Unpacked!
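The three file-surgery steps above (clearing the DLL bit, cutting the bytes before the "MZ" header, truncating at the raw image size) as an added example in Python, not code from the original tutorial or from Stud_PE. Rather than hard-coding offset 0x117, it follows e_lfanew from the DOS header, so it works for any PE layout; the raw size is taken as the highest PointerToRawData + SizeOfRawData over all sections rather than only the last one. The minimal two-section DLL it operates on, and the 0x4969 bytes of padding in front of it, are constructed for the demo and stand in for the Morphine dump.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000


def pe_header_offset(data: bytes, mz_off: int = 0) -> int:
    """Offset of 'PE\\0\\0' for the image whose 'MZ' is at mz_off, or -1 if
    the bytes there are not a plausible PE image (e_lfanew lives at MZ+0x3C)."""
    if data[mz_off:mz_off + 2] != b"MZ" or len(data) < mz_off + 0x40:
        return -1
    e_lfanew = struct.unpack_from("<I", data, mz_off + 0x3C)[0]
    pe = mz_off + e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return -1
    return pe


def get_characteristics(data: bytes) -> int:
    """IMAGE_FILE_HEADER.Characteristics sits 0x16 bytes after 'PE\\0\\0'
    (with e_lfanew = 0x100 its high byte is file offset 0x117)."""
    pe = pe_header_offset(data)
    if pe < 0:
        raise ValueError("not a PE image")
    return struct.unpack_from("<H", data, pe + 0x16)[0]


def clear_dll_flag(data: bytes) -> bytes:
    """Copy with IMAGE_FILE_DLL cleared so OllyDbg loads the file directly
    instead of through loaddll.exe (the 0x21 -> 0x01 edit in the text)."""
    chars = get_characteristics(data)
    pe = pe_header_offset(data)
    out = bytearray(data)
    struct.pack_into("<H", out, pe + 0x16, chars & ~IMAGE_FILE_DLL)
    return bytes(out)


def raw_image_size(data: bytes, pe: int) -> int:
    """On-disk size of the image: the end of the section with the highest
    PointerToRawData + SizeOfRawData (the text uses the last section)."""
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 0x14)[0]
    sec_tbl = pe + 4 + 20 + opt_size            # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_pe_from_dump(dump: bytes) -> bytes:
    """Find the unpacked image inside a memory dump: skip the bytes before
    the first 'MZ' that really heads a PE, then cut at the raw size."""
    pos = dump.find(b"MZ")
    while pos != -1:
        pe = pe_header_offset(dump, pos)
        if pe >= 0:
            return dump[pos:pos + raw_image_size(dump, pe)]
        pos = dump.find(b"MZ", pos + 1)          # stray "MZ" bytes: keep looking
    raise ValueError("no PE image found in dump")


def build_sample_dll() -> bytes:
    """Constructed minimal 32-bit DLL image (two sections, 0x800 bytes);
    a stand-in for the unpacked payload, not a real file."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, chars)
    opt_hdr = bytearray(0xE0)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)    # PE32 magic
    sections = b""
    for name, rva, raw_ptr, raw_size in ((b".text", 0x1000, 0x400, 0x200),
                                         (b".rdata", 0x2000, 0x600, 0x200)):
        sections += struct.pack("<8sIIIIIIHHI", name, raw_size, rva,
                                raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
    image = bytearray(0x800)
    hdr = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_hdr) + sections
    image[:len(hdr)] = hdr
    image[0x400:0x600] = b"\xC3" * 0x200          # .text: RET padding
    image[0x600:0x800] = b"A" * 0x200             # .rdata filler
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_dll()
    dump = b"\x90" * 0x4969 + sample + b"\x00" * 0x3000   # constructed dump
    carved = carve_pe_from_dump(dump)
    print(f"characteristics {get_characteristics(carved):#06x} -> "
          f"{get_characteristics(clear_dll_flag(carved)):#06x}, "
          f"carved {len(carved):#x} bytes")
```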
