Announcing Immunity Debugger v1.0

After almost a year of intensive development and internal use, we are
pleased to announce the public release of Immunity Debugger v1.0.

When we started developing Immunity Debugger our main objective was to
combine the best of the commandline based and GUI based debugger worlds.
The commandline because most of us come from a UNIX background, and it
just ends up being more efficient than clicking your way around. The GUI
because we understand that we are visual beings that often can
grasp more from a single look at a graphical layout than from two days
of x/x-ing memory pages.

The third feature we required was full flexible access to the debugging API,
the graphing engine, and the GUI API. Because having to Re-Compile
plugins is lame, we decided to make everything accessible from Python.
So we put everything together and developed something we feel very
comfortable using.

This means we ended up with a fully flexible and extendible Win32
debugger that has all of it's features, both debugging and graphical,
easily accessible from it's Python scripting engine.

And best of all, it's available for free. That's right, Immunity
Debugger is released for free, including free monthly updates.

Here's some cool features:

o The Python API ("Immlib/Lib reference" for full documentation)
o A full Python based graphing library
o Full debugger and GUI API access
o A flurry of cool example scripts such as:

- !heap A fully working heap dumping script (try the -d option!)
- !searchheap Searching the heap
- !hippie Trampoline hooks on RtlAllocateheap/RtlFreeHeap
- !modptr Dynamic search for function pointers in pages
- !findantidep Find address to bypass software DEP

o Writing your own scripts for your specific tasks is easy

Interested? Give Immunity Debugger a spin and download it from:
http://www.immunitysec.com/products-immdbg.shtml

For feedback or bug reports please contact support@immunityinc.com.

Happy debugging!

Thanks,
Team Immunity

PS: Yes, we will be implementing an interactive Python shell too.

"Immunity". And no mention of any antiē facilities.
One word, the forced indentation of code, thread over.

Is this yet another Olly clone?

Very good. Might come in handy one day for scripting Did you make your own disasm engine or...?

The GUI is 99,99% the same as Olly. Maybe the author take the disasm engine from Olly, cuz when you use ImmDBG to analyze Themida 1.9.1.0, it crashes exactly like Olly's famous instruction analysis bug (http://www.woodmann.com/forum/showthread.php?t=10134). Havent digged in further yet.

It seems like a Olly+Python debugger. It might be very useful in scripting and finding/writting exploits (as ImmunityInc stated)

As you guys easily guess, we license some of Ollydbg's Module and we put a some effort into our Python API for easy scripting.
We did fix some bugs, but apparently we miss the one that Thug4Lif3 mention, I will report it to the team and get it fixed for next release.

Thanks
Nico

Copied from another forum:

As I said on the other forum, that is not true, let me forward the information:
-------------------
NO, THERE IS NO BACKDOOR AT ALL IN IMMUNITY DEBUGGER. We don't get any
system information or "debugging sessions" (???) or anything else
weird like that.

Immunity Debugger does make an HTTP connection to Immunity to look for updates
much the way Firefox or any other modern software updates.

Again, NO, we don't do any data mining.

In any case, thanks for the free advertisement "goudatr0n".

If you are still afraid, here is the list of md5 hashes:
437152d25787a1a06597f387d8f4811f ImmunityDebugger_setup.exe

00ff5ccf4b35fa9117bef2f23e108f61 Bookmark.dll
20152f8682a9b103ae3e41e1075048a4 Cmdline.dll
1aa2be74e77da0370986222efd794edd debugger.pyd
88d1df93fdb89dfbf5f9dd9b617ef28e ImmunityDebugger.exe
10acf61aa4046b1fc8c8e434fbd291d6 ImmunityDebugger.ini
c739f6a204665c05ee75f9b8a4f10d2f LICENSE.txt
89d432e3e47cb9546bf4d9a91f6fda79 loaddll.exe
7d5221499f25014169d555ea428e6053 uninstall.exe
f102ee2438bf9bdf1e6e84627d927909 updater.exe

Cheers,
Nico
--------------

You can check it yourself if you want, but there is no such a thing as a backdoor, we don't log any 'debugging' information from our clients.

Nico

Well, explain these strings found around 000FA400 or so:

- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" (base64 encoding array, for those less knowledgeable in this...)
- "POST http://auth.immunityinc.com/ImmunityDebugger/ID_auth.py HTTP/1.1"
- "Referer: http://auth.immunityinc.com/immauth.html" (doesn't exist, how curious)
- "dbgid="
- "&integritycheck=0"
- "POST http://auth.immunityinc.com/ImmunityDebugger/ID_reg.py HTTP/1.1"
- "Referer: http://auth.immunityinc.com/auth.html" (also doesn't exist)
- "POST /ImmunityDebugger/ID_getads.py HTTP/1.1" (WTF?)
- "&version=%d%d%d%d %s%s%d%s%s%s&lic=%s%s"
- "http://debugger.immunityinc.com/ID_adref.py?referer=%s" (WTFx2)
- some sort of advertisement in several languages

File properties:

ImmunityDebugger.exe 1501184 bytes
MD5: 88d1df93fdb89dfbf5f9dd9b617ef28e
SHA1: dcbc68b22f152fccbf21b2b500c41682f0715c11
SHA256: f5e61159c3348dfb2b033780a0e488519513b762adcb8f9e46532710ccd8f32e

I don't care why you're doing it, any program that phones home is unacceptable.

Stop looking for a conspirancy here.
It's simple, the bussiness model of the software is "Ads" based, basically company hire ads to offer job to professional using a debugger (It's a way to give an extra-service to user and to companies), it's not harmful in any sense.
You can easily check that out, by clicking on any of the ads on the top right of the debugger.
On the other side, we sent the version of the product to the update server to check for new version and to inform the client about it. Yo, check your firefox, your itunes, your java extensions, etc, etc, they all do the same.
And if you still paranoid, it's simple. Sniff it and you will see.

Cheers
Nico
Immunity, Inc

In other words, adware? Major DO NOT WANT.

You basically took OllyDbg and added some crap to it.
I use none of those.

...and I'll let the other users here make up their own minds on what to think of this:


Thread over.

Howdy,

I have the highest regards for LLXX. I respect LLXX's opinion greatly.

There are not many people I have higher respect of BUT, If the Nico I know (We have met) were to voice his opinion on this I would be very happy.

Woodmann

Immunity Debugger is olly with python, that's all it is same bugs

nothing more nothing less and python addition is a bit sloppy too
i ve seen a few included .pys crashing and taking down immdbg along with it (simply not expected from a buffer overflow detecting,fuzzing,exploiting,advisoring team of so called experts who sell canvas kinda things for lots and lots of $$$$$$$ )

if this was a professional work that makes the makers swell with pride in releasing a top class product then i doubt it

for example if you read the help file a bit closely you would see it was given to a third class funky dude sweating out in sweatshops for peanuts like a monkey with an explicit order to find ollydbg and replace it with immdbg



and to echo the sentiments of many ive heard and talked with this phoning home and advertising in incomprehensible languages is simply undesireable and unwanted

sure addition of python is cool ( a few .pys have popped up here and there so there is a potential )the integration of graphing is cool giving it out free is cool (this graphing hasnt gone into rigourous testing simply try graphing without an exe doesnt handle the exception gracefully)

also there are a few glitches try hitting f4 while its actual hot key is alt+f3 (if you are mucking around a malware this kind of things are simply unacceptable )

hope the team of authors are reading this and would possibly try to eliminate and improve upon

I doubt this "nicolas.waisman" is the same as the Nico you know. (I know that one (http://www.woodmann.com/forum/member.php?u=11754) you're talking about.)

Woodmann, perhaps you're thinking about Nico Brulez.
Nico Waisman, I personally don't have any problems with adware or auto-updating, however, since many people do, you may want to include an option to disable auto-update-checking (perhaps present the user with this option the first time they run your program).

That's why I make sure that my firewall monitors/blocks both incoming and outgoing connection attempts. Nothing on my system phones home or anywhere but what I allow.

As for Immunity, I d/l'd it, but didn't see any notices clearly stating that the developer's business model is based upon ads-based revenue generation.

At it's most innocuous, careless. At it's worst, intentionally hiding something that would naturally turn us off.

Hey Woodmann; i think you were talking about me, since we met at Recon

IMO, this debugger should have been tested a bit more before release, in order to fix the bugs that were mentionned before.
Also, none of the bugs that i know of in Ollydbg, were fixed. (that fpu instruction bug, the first ctrl+g showing incorrect address, "disassemble" menu not always available etc).
This is sad, since they do debug a lot to find exploits, i am sure they have met some bugs and have fixed them. (which they apparently did, but the most basic ones are still present).

Would be cool if they had released a changelog to see what was fixed, and if it would affect us in anyway.

I haven't seen much changes beside cosmetics and the python integration (which is a nice idea, but this isn't enough for people to switch to it as i hardly use python anyway).

Imo, they should have kept the olly plugin "straight" compatibility, rather than changing the name to Immunity stuff.
It really looks like they changed all strings to Immunity.. The help file is a funny example.

Regarding the ADware Feature, i am sure some people have already patched it. I didn't because i don't need the debugger.. I'll use Olly until This one brings something really new.

hehe talking about funny help file here is a lol sentance



all those links are were dead for ages now

Looks like they really did just rename the thing blindly...

I always hate to see people so excited about their releases only to get gunned down, but you always know whose fault it is.
You really need to be open about everything your software is doing, and you should really make it more of your own thing rather than replacing a bunch of strings.

You really can’t hide things from the people in this field and anything you don’t reveal upfront just comes off as a sneeky trick.

I am sure you will learn from this lesson for your 2.0 release.

Better luck next time.


L. Spiro

Hey,

Who need Python, when we have ollyperl.dll

vecna

@ancev/vecna:

IMHO, Both Python and Perl are scripts, has similar approaches .. but I think Python is better supported in RE nowaday. There're IDAPython, PaiMei Framework, etc. and recently Sulley Fuzzing Framework. Now its ImmDBG with intergrated Python. Hookin APIs with ImmDbg via Python ImmLib is somehow comfortable in watchin the execution follow of the debugged program.

Python or Perl, its up to the user to choose which language is more familiar with him

And btw, are you Vecna from 29A? 29A guys always had the coolest idea for viruses I have ever seen :P

Just a little OT...
Something to read.
https://www.openrce.org/articles/full_view/29

Well I post this in a private list, for the users have little care when use, i don't know if this post is true or not, i post in crackslatinos only for personal care, most people say is a crap notice, but other donīt like the idea the a debugger sending info to a company who works in security and make money with this.(if you are looking a vulnerability zero day, i donīt think is a good idea, use a debugger who send info to this company)

But really i donīt know if this is true or not, i think is not true, but donīt use perhaps, hehehee.

Ricardo Narvaja