
View Full Version : [POLL] what features do you want in OllyDbg 2.0


TBD
January 7th, 2003, 01:58
this thread will contain features that users want implemented in OD 2.0

so ppl, let your imagination go wild (but reasonable, as no system debugger a la SoftICE, to make coffee, ...).

for example i want:
- a user customizable interface
- start Analyzer from anywhere in the code (for "weird" packed programs)

Anonymous
January 7th, 2003, 03:05
Signatures would be nice. As in, you could present Ollydbg a piece of ASM code with wildcards for the arguments/addresses that get changed/relocated/etc each time the program is loaded, and Ollydbg will search the program and mark these sections with user definable text.

Anonymous
January 7th, 2003, 05:04
Possibility to change the path to the source files would be great. At the moment the source files have to be located at their original place at compile time.

Anonymous
January 7th, 2003, 08:21
Ability to disassemble DLLs directly, without requiring a host EXE! Also ability to disassemble without debugging, which would allow OllyDbg to disassemble ntoskrnl.exe, and more

Anonymous
January 7th, 2003, 08:27
Less errors!!!!!

TBD
January 7th, 2003, 09:27
Anonymous - "Less errors!!!!!" doesnt help at all ... please specify what errors

Anonymous
January 7th, 2003, 09:38
I've noticed Ollydbg 1.8b doesn't seem to disassemble some opcodes produced by Borland C++ builder 5, and they obviously are not data as I can single step through them.

TBD: I'll try and get a distributable EXE so you can see it in action, or at least a screenshot of Ollydbg's screen where it happens.

Anonymous
January 7th, 2003, 09:45
one of the trends in software these days is to add skins and other bloated stuff. my main wish for ollydbg is for it to remain lean and efficient.

Anonymous
January 7th, 2003, 09:46
in case my last post wasnt clear - please do *not* add skin support to ollydbg.

Anonymous
January 7th, 2003, 09:49
I agree - OllyDbg's current GUI/structure is perfect for a debugger/disassembler. I hope it doesn't change, but rather just gets added to (if it aint broke, dont fix it!)

Anonymous
January 7th, 2003, 14:22
From what I understood the version 1.09 should be ready at the end of January.
First, can you list all the new functionality of this version?
Why are you talking about version 2 and not version 1.10?
I am sure that there is in OllyDbg creator's mind a very nice list of new features, why not propose this list first, then wait for our feedback?

Anonymous
January 7th, 2003, 22:47
create a dir for plugins

TBD
January 8th, 2003, 02:16
> Why are you talking about version 2 and not version 1.10?
because i have information that 1.10 will be the last version of
1.xx series and only bug fixes, no added features

[SPOILER]
Olly already started working on OllyDbg 2.0 ... so that's why i
started this poll. PLEASE DO NOT bug Olly about 2.0 version,
post your requests here !
[end spoiler]

ps. a lot of Anonymous posts ... why are you so lazy to login ?

Anonymous
January 8th, 2003, 02:19
what would be nice is the ability to explicitly save a "project" file containing the bpx's and comments for a file you are debugging, and then reload it at any time on a separate executable. (maybe this could be written as a plugin?) this would be very useful when commenting and setting bpx's on an executable that dynamically unpacks itself at runtime, as it would let us comment and set bpx's after unpacking, and reload these on the next run after the app unpacks. while we are asking for the moon: if ollydbg could automatically load and save these based on the initial self-unpacking warning that olly already gives, that would be heaven.

Anonymous
January 8th, 2003, 06:20
Select a procedure enter some value of eax,ebx, .... and have a quick watch of possible result at the end of the procedure

Anonymous
January 8th, 2003, 08:22
I already specified them...

Anonymous
January 8th, 2003, 09:04
show the symbols of masm32

Anonymous
January 8th, 2003, 09:12
and showing the source code will be helpful

Ricardo Narvaja
January 8th, 2003, 14:38
For me:

1) in the offset window, jump to the same sentence in disassemble window (CPU)
2) The size of the windows isn't predictable it changes and put in every size, the option in appearance RESTORE SIZE etc etc don't function.
3) The option of disassemble only of dlls
4) BPXS in dlls don't erase in RESTART
5) EXECUTE SAL instruction
6) Run in more packed programs (PELOCK, etc)
7) trace into options (MORE SLOW - MORE QUICK - VERY SLOW) and in the very slow case, this options trace for use in very short portions of the code tracing and storing ALL sentences in ALL sections, DLLS etc.
8) Option for jmp to other section stops OLLY (for packers)
9) Option for Breakpoint in memory access only read, only execute and only write.

Ricardo Narvaja

Anonymous
January 8th, 2003, 14:59
Would be useful if the logger view when you are setting log breakpoints that if Olly thinks the value in a register written to the logger points to a string, to log that string to the file too, and not just the address of it. Also, if the data is short (say, under 20 bytes) add optional possibility of dumping that too, or a portion of it if it's too much data.

This would make the logs far more useful, as having a file full of pointers all pointing to the same data that has been overwritten afterwards is kinda pointless.

Anonymous
January 8th, 2003, 20:27
seems not able to debug pelock!!

TBD
January 8th, 2003, 22:50
> show the symbols of masm32
> and showing the source code will be helpful


already available see here ("http://www.rohanpall.com/ollydbg/?action=vthread&forum=1&topic=40")

Wayne
January 9th, 2003, 01:50
Add a "Search for text" capability to the right-click menu in Resource Strings

Wayne
January 9th, 2003, 05:41
In the Breakpoints window, a Delete All would be very handy, I had about 200 or more breakpoints set and its taking a while to delete them using the delete key on my keyboard 8)

Wayne
January 9th, 2003, 05:45
Also, in Resources Strings, you can double-click on a string and it'll take you to that string in the CPU/code window (which is excellent!), but that only seems to work if its from the EXE - it doesnt seem to work if the Resources Strings are from a DLL - itd be excellent if it could do that also

Anonymous
January 9th, 2003, 09:35
Compilation programs name, version ,....
Packed programs name, version,....
Ini file to add new unpacker
Set macro record scenario
ex: run--> bp messagebox --> d eax --> if eax == xxx --> bp API --> ....
Converter hex-->dec-->ascii on right click or Ctrl right click or ...
More option in watch ex:
all address in a procedure
watch expression
when the value of .. is true
when the value of .. change
....

Anonymous
January 9th, 2003, 09:41
MSDN API help on Ctrl+...

Anonymous
January 9th, 2003, 09:46
A function like view tree but more graphical where we can navigate through one procedure to sub-procedure and vice versa

Guybrush
January 9th, 2003, 09:49
-An option in de mdi child windows to make it ontop of others, maybe a checkstate in the systemmenu of all the child windows.

it's annoying because i always like the CPU window maximized. and if i for example open a log window, it will minimize the main window...

-make it look for plugins in the directory ./plugins instead of the current dir

-maybe an option to customize the right click menu of the CPU window and maybe others, it has TOO MUCH options, i usually spent most of the time clicking and searching in the menus.
Wouldnt it be alot easier if you can just add the ones you almost use everytime and put the other ones in a submenu's like advanced, dump, other or something.

Anonymous
January 9th, 2003, 11:27
View resources of executable files (*.exe, *.dll, ...) and display
like Borland Resource Workshop , eXeScope, Resource Hacker

What I would like the most is when you open a dialog box, the possibility to select a button, whole form or ... and put a breakpoint onclick, on load on mouse up down,.....

Or select a button and display all api called after the click.

helloword
January 9th, 2003, 12:04
Shortcuts maintenance

Anonymous
January 9th, 2003, 12:35
Wizard builder for conditional search, breakpoint,....

Anonymous
January 10th, 2003, 04:49
The powerful ATTACK function. If you can attack everything at anytime, OllyDbg can work like TRW 2000 and softice. That means you can not be troubled by the anti-debug examination.

TBD
January 10th, 2003, 05:25
ATTACK? could you expand on this subject a bit ... some examples would be nice

Anonymous
January 10th, 2003, 06:20
Sorry it is ATTACH, not attack.

Anonymous
January 10th, 2003, 12:39
"Attach to process" can be disabled very easily however for certain applications, and once it is disabled, Ollydbg can't do anything to get it disabled unless you terminate it and restart it at OEP.

So really I don't see how it can be improved ? Ollydbg needs to be attached to the process to find any information about it, so "attach when EIP between these ranges" and the like are out, if that's what you're thinking of.

Anonymous
January 10th, 2003, 16:36
The talk is what features do you want in OllyDbg 2.0, you see.

_Servil_
January 10th, 2003, 17:11
1. more power to survive some compressed applications' trick (invalid opcodes, SEH, clearing debug registers, int 2Eh...).

2. feature to load/save analysis info to preserve labels etc. on program change (not offsets only replace some code)

3. when i debug MASM32 application with debug info present and change the code sometimes the changed part isn't disassembled, even if I reanalyze the code (respective udd file must be deleted).

4. if i trace with F8 thru a call it sometimes loses the control of the debugger (setting bpt on next opcode and performing run execute immediately). caused by recursive calling?

5. Set Real SFX entry here... either doesn't work or I don't know how to use it. Tried on some packed programs, even easy (UPX), and it never started at the opcode I assigned new OEP (always NEP).

6. Other wishez I forgot to meant ;=)

_Servil_
January 10th, 2003, 17:14
7. resource strings dereferencer? (the way w32dasm does)

To authors: keep up the work olly has bugs but it's the best debugger working on my XP at this time.

_Servil_
January 10th, 2003, 17:17
8. and yes, /tracex <loeip> <hieip>

Ricardo Narvaja
January 11th, 2003, 12:51
the possibility of MODIFY EIP in registers

Ricardo

luucorp
January 11th, 2003, 22:51
OD 1.08b has error with API: FreeLibraryA while free 1 .dll but program doesn't finish.

--.od 2.0 will fix it

lylu
January 12th, 2003, 00:40
1.AutoSave when making analysis.
2.Replace [local.1] with user defined string as [lpstr]
3.Support hiding procedure.
4.Recognize user defined function with it's arguments.

Ricardo Narvaja
January 12th, 2003, 02:40
The possibility of modifying EIP in the register window, is this possible?

Ricardo

Anonymous
January 12th, 2003, 08:29



in CPU window, Ctrl-G, enter new EIP. On the line with new selection right-click, Set new origin here, done...

Ricardo Narvaja
January 14th, 2003, 00:27
Tracex low eip high eip exists.

In SET CONDITION in EIP IS IN RANGE put in the first box the low eip and in the other box the HIGH EIP and check the box, goto DEBUG -TRACE INTO and OLLY trace and stops when EIP>low and EIP<high.

Ricardo

Anonymous
January 14th, 2003, 13:11
the possibility of inserting some extra lines of code in specific locations.

like the amazing tool: TOPO


Microman

_Servil_
January 15th, 2003, 12:13
9. Context menu item "Copy selected line(s)" in run trace

Anonymous
January 16th, 2003, 14:51
Ability to dump memory from range X - Y to file.

Squidge
January 16th, 2003, 15:01
You can dump memory in a variety of file formats already with 1.08 - what format do you actually want ?

Anonymous
January 16th, 2003, 17:02
I want to select exact starting address and length, then just dump as binary.

Squidge
January 17th, 2003, 05:29
see what you mean. if this is to dump a packed program, try OllyDump, otherwise select "backup -> save to file" and trim the file produced with ultraedit or similar

Anonymous
January 17th, 2003, 06:42
I would like to see a "Search for ASCII" in the cPU window.

Anonymous
January 20th, 2003, 01:44
What is ollydump?

helloword
January 22nd, 2003, 12:48
More options in resources
Dialog: Details, Dump, structure, the form,…
Bitmap: Details, Dump, image
…..
also possibility to add breakpoint

TBD
January 22nd, 2003, 23:04
helloword: breakpoint when accessing the resources ?

OllyDump is a plugin, you could find it on ODF (hint: use the forum search)

"Search for ASCII" - use binary search (CTRL+B) or Search for/All referenced text strings

ффффф
January 23rd, 2003, 19:33
ффффффф

F7
January 23rd, 2003, 19:44
Oopss Sorry

1. Jump to code address in stack segment...
Simple
xxxxx: aaaaaa retn to kernel32 aaaaaaaa
Double click on addr goes here in code window
Double click on jmp xxxxx goes to this addr.... Esc return back...aka IDA
Breakpoints sometimes not saving
Bookmarks shortkeys move to Ctrl+Shift+NUM
Settings to shortkeys....
Very slow but HIGH quality analys....
Button clear all *.udd and temp files
Nice Breakpoints on condition... EAX and ECX > 40000 and Addr =55555
Simple ANTI RIng 3 debug codes... and option to turn this feature....
In win 2000 sp3 after program loaded OllyDbg sees exception....And program could not be debugged
Small lagss ((

Forgive me my mistakes....and my bad ENG...

WRT:F

TBD
January 23rd, 2003, 22:41
ффффф or F7 ... "Button clear all *.udd and temp files" it is possible with gigapede's cleanupex plugin

blabberer
January 26th, 2003, 08:53
hi tbd tx for responding to my heap post
well i have made 3 posts so far two anon and one with oh me anon

the first post concerned with copy to exe file and it seems there are no solutions to it if possible that could be taken up

now as to new feature a search AND REPLACE facility would be great if possible

say i got a garbage structure in the application i find its signature
now i ctrl+ b with the bytes and ctrl+l shows it is being repeated 25 times in the application
replacing each occurances by a jmp is tedious suppose it is 50 bytes all i have to do now is like this

ctrl + b (my bytes) ok <----- it points to the bytes
select
ctrl + e (my replace bytes) ok
select all you changed exactly(this is also a problem some times what you changed is in the middle of opcode no alt+u like ida is possible)
right click
binary copy
ctrl +l<----- points to next place
select arbitrarily some bytes (must be more than required otherwise the next operation will paste only some bytes)
binary paste
ctrl +l
boooh (you might say why dont you use hiew or hexwork or blah blah but you know better)

F7
January 26th, 2003, 20:30
No in plugin sux....in app )
ФФФ - Power Speak RU?

blabberer
January 28th, 2003, 01:33
oops it seems something has been done before have to see the cmdline
havent used it yet
Posted: Nov 21, 2002 22:36:58
Quote

Cvx: yes it is possible, check cmdline plugin by Olly for more information

TBD
January 28th, 2003, 02:02
> the first post concerned with copy to exe file and it seems there are
> no solutions to it if possible that could be taken up

could you post the link of your previous post or repost the question again
in bugs area ?

blabberer
January 28th, 2003, 03:00
hi tbd

here is the link to the query
http://www.rohanpall.com/ollydbg/?action=vthread&forum=1&topic=100
one more way to do it is copy to exefile in diffname and reload the file that has diffname

but i came back here again today second time was to query about the cmdline plugin search and replace facility i dont see any thing that remotely resembles some thing like search and replace in that plugin
A---> at,a,asm,ac
B---> bp,bpx,bpd,bc,brk
C---> calc,c.cpu,close,cs
D---> d,dump,da,db,dc,dd,du,dasm,dw
E---> exit
F---> follow,fr
G---> g,ge
H---> hr,hw,he,hd,help,h
I,J,K,N,U,V,X,Y,Z---> no valid command exists
L---> l,log
M---> mr,mw,md,mod,mem
O---> orig,opt,open
P---> pause
Q---> Quit
R---> run,rst
S---> stk,stop,s,si,so,sn,sob
T---> t,ti,to,tc,toc,tr,tu
W---> watch,w


what did you mean by check cmdline plug in for more info

TBD
January 29th, 2003, 05:26
oh me anon:there is no way to do search&replace now. but you are free to implement in a plugin

i found no problem with multiple assembling(assemble copy to exefile, save, another assemble, copy to exefile, save different name). i think this is good way to do patching.

blabberer
January 29th, 2003, 06:27
i am free to implement it in a plugin well thats a positive answer i was looking for a toy and you suggest me to make one :-{}
-(\_/)
(0'.'0)
{ }
("_("

well here is a weird bear

by the way i never said i had any problems with saving in a different name

i wanted to save it in the same name

just plain save and continue without reloading from the same place

just like using notepad scribble save ,delete save,

rescribble save,delete all save look at the blank page and draw a teddy bear

and save that is what it is not doing

anyway thanks for reply

TBD
January 29th, 2003, 07:46
oh me anon: not possible. sorry.

Sungazer
January 31st, 2003, 02:42
Maybe it's mentioned before, but i think it would be cool, if Ollydbg would be able to dereference Resource Strings and show them in the assembly window like W32dasms "Possibly String reference to...".

Show possible dialog references like W32dasm does and be able to jump to possible location of these dialogs in the assembly listing.

and last i'd like to be able to store those udd and bak files in a separate directory, because the main directory gets crowded very fast

PS. Ollydbg really rockz

_Servil_
February 2nd, 2003, 08:37
feature request:

- consideration of recursive calls handling on step_over,
- consideration of recursive calls handling on trace_over,
- highlighting trace log lines of function body on the same level of nesting?

Anonymous
February 2nd, 2003, 20:42
In the "BREAKPOINTS" window, it would be very nice if you could select more than one breakpoint to delete\enable\disable. For example shift+select and ctrl+select to add\remove selections. Also in the breakpoints window, in the right click popup menu an option to "add comment" to any of the breakpoints for visual reference.

Another thing that i think would be an awesome feature in olly would be a window, perhaps called "patches". Then you could add patch bytes to a PATCHES window just like you do with breakpoints. Then in this PATCHES window you would be able to enable\disable the modified code "patches". If you don't understand what i mean please post and i will try to elaborate more

Thats all i can think of now, other than that GREAT APP

Peace,
Mikelo2k

Anonymous
February 6th, 2003, 23:31
my feature suggestions for the next major release:

- include this ("http://www.rohanpall.com/ollydbg/?action=vthread&forum=1&topic=40") in the help file ;-)
- tree view of procs for small/medium programs
- network debugging for using a monitor attached to another computer for
i.e. fullscreen apps or just extending workspace across computers
- option to lock the current EIP highlight bar in the center
(text scrolls instead of bar)

And finally: Keep up the excellent work. OllyDbg gets continuously better.

fxcb

TBD
February 7th, 2003, 06:59
Olly:
"Yeah, I read it periodically. Most of ideas are just small improvements.
What I need is global changes, like: display all handles owned by process (this idea is so good, I'll definitely add it to 1.10)"

so ppl, let your mind get wild and think of MAJOR changes that you want it implemented in OD 2.0

anyway, thanks for ideas. together we can make an *excellent* tool !

Sungazer
February 12th, 2003, 01:00
P-Code debugging would be nice...
But i don't know if it's not a bit exaggerated, because i don't really know how
OD internal works. Maybe it's just about extending some opcode tables and recognition procedures, and maybe it would mean to rewrite large parts of the program.

Another nice addon would be the possibility to save all patched bytes to an Executable, not just the ones which are selected, because sometimes the patch locations are far away from another.

Anonymous
February 12th, 2003, 03:29
fix the bug where you reload a file and for some reason (the file is not packed) it says "some breakpoints are outside..." and then disables all your breakpoints.

Anonymous
February 19th, 2003, 15:53
Accelerator for "Search for - All referenced text strings" and "Search for text" inside this, could be useful.

Anonymous
February 20th, 2003, 00:11
Selection printing in all windows, especially in disassembly

Better analysis like mfc ordinals

Intelligent disasm searching, like search for procs that call mfc or sys, for procs that have case sequence, all I/O, disk read/writes etc.

Dialog always on top settings for watches, bp and other windows

Context menu or hot tip on registers to investigate pointed data

A stable 2.0 release ASAP

thanks

Anonymous
February 24th, 2003, 09:14
New little tricks :

Backing up a snapshot of a process at a time to be able to reload later the snapshot and continuing the debugging ...

o-o-o

helloword
February 28th, 2003, 04:32
It will be nice to have some features like the DeDe software by DaFixer.
And also the way that it organises the info by
Classes Info
Units Info
Forms
Procedures

In the Procedures you have the Class Name column and by clicking one Class Name the system display all Events or Controls related to this class.
And by clicking in the event the system land you directly to entry point of the procedure that call the event of the class.
This can save you a lot of time.

In Ollydbg we have the Memory Map and possibility to dump the resources of the module.
In Ollydbg we can also set-up on the dump a breakpoint on memory access.

In my opinion, Ollydbg should from the resources add some options to extract the class, the events of the class and the most important to make the relationship between the event and the code procedure of the program.

Anonymous
February 28th, 2003, 08:07
why not just run dede and export the output to ollydbg ?

helloword
March 1st, 2003, 06:08
Add in the trace feature an option that logs only the API that have been called by the procedure or branch

squire
March 1st, 2003, 09:05
when can we expect 2.0 ?

Anonymous
March 2nd, 2003, 14:58
Remember Winscope? I think OllyDbg2 should have different levels. One such level, macroscopic in nature, should just give a trace of all the APIs and functions executed up to a point. Then if a more detailed analysis is needed one could zero in on a more detailed listing.

tno
March 3rd, 2003, 12:54
First large praise to the programmers of ollydbg, it has some feature, which makes some more understandable.

Here my suggestions:

1. a freely configurable window layout, with several, over shortcuts switchable screens. In principle, the implied functionality of the plugins StayOnTop and HideCaption, additionally with the extension to make scroll main window left/right and down/up over shortcuts.

2. It should be able to switch between different, before stored window layouts.

3. more than one dump window, which remains keeping constant in the layout. So far the additionally opened dump windows are not longer opened automatically after a restart of the program.

4. The width of the columns in the CPU window should be stored and loaded with the program start again. It could store into the configuration of the window layout.

5. A search for all contents in the cpu window, as if it would be a text, like wdasm32.

thx+cu
tno

Anonymous
March 3rd, 2003, 19:47
idea: Olly using LoadLibrary to scan .dlls

Anonymous
March 4th, 2003, 05:33
It is nice to have lastbreakfromip where it shows last ip before break

Darus
March 4th, 2003, 13:42
Yop everybody, for the future release of olly i would like to have .lng files to traduce the soft, it's possible ?

fr
March 5th, 2003, 11:38
the binary search feature is extremely useful. what would be amazing would be ability to use wildcards in the search.

[thEpOpE]
March 5th, 2003, 17:13
Please... Search in binary is very useful... but search&replace in a block of memory would be much better

Anonymous
March 6th, 2003, 06:54
fr:

Binary string (Ctrl+B) - displays dialog allowing to specify search pattern. Maximal size of search pattern is 256 bytes. You can exclude some bytes or nibbles from the comparison. For example, if you specify pattern 12 ?? ?6 78, it will match both 12 34 56 78 and 12 00 06 78, but not 12 34 55 78. You can also ignore case of ASCII/UNICODE characters.

HEX control allows you to exclude single nibbles or bytes from the comparison. Type question mark (?) in HEX control to mark nibbles as masked. If you paste to the HEX control, OllyDbg scans text on clipboard and extracts hexadecimal digits (0..9, A..F, a..f) and question marks (?), ignoring all other symbols. Additionally, you can make search case-insensitive.

Sometimes you may need to locate some piece of code in the different version of debugged program. If code contains no relocations, you can select it, make binary copy to clipboard, open another version and paste the contents of clipboard to the HEX control of search window. Another option (binary copy with masked fixups) replaces fixups with question marks, creating search patterns that are insensitive to the load address.
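
The masked search and the "binary copy with masked fixups" idea quoted above, as an added example that is not part of the original post and not OllyDbg's own code. Function names are illustrative, the fixup width is assumed to be 32 bits, and the sample bytes are constructed.

```python
# Added example: nibble-masked byte-pattern search as described in the post above.
# Function names and the sample bytes are illustrative, not OllyDbg internals.

MAX_PATTERN_BYTES = 256  # maximum pattern size quoted in the post
NIBBLE_CHARS = set("0123456789abcdefABCDEF?")


def parse_pattern(text):
    """Parse text such as '12 ?? ?6 78' into a list of (value, mask) pairs.

    Mirrors the described paste behaviour: hex digits and '?' are kept,
    every other character is ignored.
    """
    nibbles = [c for c in text if c in NIBBLE_CHARS]
    if not nibbles or len(nibbles) % 2:
        raise ValueError("pattern needs a non-zero, even number of nibbles")
    if len(nibbles) // 2 > MAX_PATTERN_BYTES:
        raise ValueError("pattern longer than %d bytes" % MAX_PATTERN_BYTES)
    pattern = []
    for hi, lo in zip(nibbles[0::2], nibbles[1::2]):
        value = mask = 0
        for shift, nib in ((4, hi), (0, lo)):
            if nib != "?":  # a masked nibble stays 0 in both value and mask
                value |= int(nib, 16) << shift
                mask |= 0xF << shift
        pattern.append((value, mask))
    return pattern


def find_all(data, text):
    """Return every offset in data where the masked pattern matches."""
    pattern = parse_pattern(text)
    hits = []
    for off in range(len(data) - len(pattern) + 1):
        if all((data[off + i] & mask) == value
               for i, (value, mask) in enumerate(pattern)):
            hits.append(off)
    return hits


def mask_fixups(code, fixup_offsets, width=4):
    """Build a pattern string from code, replacing each fixup with '??' bytes.

    fixup_offsets lists where relocated addresses start inside the selection
    (assumed 32-bit, hence width=4), imitating a copy with masked fixups.
    """
    masked = set()
    for start in fixup_offsets:
        if start < 0 or start + width > len(code):
            raise ValueError("fixup at %d runs past the selection" % start)
        masked.update(range(start, start + width))
    return " ".join("??" if i in masked else "%02X" % b
                    for i, b in enumerate(code))


# Constructed sample: "push 1 / push dword ptr ds:[403017]" and the same two
# instructions as they would appear in a copy loaded at another base address,
# surrounded by unrelated bytes.
ORIGINAL = bytes.fromhex("6A01 FF35 17304000")
RELOCATED = bytes.fromhex("9090 6A01 FF35 17300010 C3")

if __name__ == "__main__":
    for sample in ("12345678", "12000678", "12345578"):
        print(sample, find_all(bytes.fromhex(sample), "12 ?? ?6 78"))
    pattern_text = mask_fixups(ORIGINAL, [4])
    print(pattern_text, "->", find_all(RELOCATED, pattern_text))
```

Searching the relocated copy for the unmasked original bytes finds nothing, which is the case the masked-fixup copy exists for.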

blabberer
March 6th, 2003, 07:05
oops forgot to sign sorry

Anonymous
March 12th, 2003, 05:06
Hi,
it would be nice if ollydbg could show the last eip before break point.
Regards.

Anonymous
March 12th, 2003, 08:08
A good feature will be a detach from the debuggee app.

helloword
March 16th, 2003, 08:42
Possibility to patch the file in another way

ex: the API ShowWindow:
00401796 push 1 ; /ShowState = SW_SHOWNORMAL
00401798 push dword ptr ds:[403017] ; |hWnd = NULL
0040179E call <jmp.&USER32.ShowWindow> ; \ShowWindow

By double clicking on ShowState, Ollydbg should display the list of ShowState of this API means:
SW_HIDE
SW_MAXIMIZE
SW_MINIMIZE
SW_RESTORE
SW_SHOW
SW_SHOWDEFAULT
SW_SHOWMAXIMIZED
SW_SHOWNORMAL
....

and if we select another ShowState ex: SW_HIDE, then Ollydbg modifies automatically
push 1
by
push 0

Anonymous
March 18th, 2003, 16:46
We should have an additional tracer but this time more API oriented then asm.

This tracer should display info on Functions called, API call , thread , window and dialog messages , object , event and procedure add to that possible income and return value

SmartCheck is an excellent example.

Ollydbg does an excellent relationship job between the asm and API but can improve the relationship between asm and dialog messages , object , event ,...

Anonymous
March 25th, 2003, 05:29
Showing Masm32's symbols (and source).

Adding support for the great x86-64 platform. Pb is : which OS should one choose.

blabberer
March 28th, 2003, 00:44
004012F9 Main MOV DX, WORD PTR DS:[EBX] ; EDX=77ED0009
004012FC Main MOVZX EDX, DX ; EDX=00000009
*** blah blah *******
004012F6 Main JNZ Breakpoint at oRdiNarY.004012F8
004012F8 Main POPAD ; ECX=B133C53E, 004012F9 Main MOV DX, WORD PTR DS:[EBX] ; EDX=77ED000A
this is a short clip of runtrace log
that popad and loop is executed 823 times

as you can see in profile below

Profile of oRdiNarY
Count Address First command Comment
14752. 004012F4 OR CL, CL
13929. 004012DE MOV EBX, DWORD PTR SS:[EBP-4]
824. 00401373 CMP DWORD PTR DS:[4031D3], 0
823. 004012C8 MOV EAX, DWORD PTR DS:[ESI]
823. 004012F8 POPAD
823. 00401367 DEC DWORD PTR DS:[4031D3]
822. 0040132D CMP ECX, DWORD PTR DS:[4030A4]
821. 0040134B CMP ECX, DWORD PTR DS:[4030A8]

and i am interested only in the value of ecx register in popad

as these commands show
004012EE |. 895D FC ||MOV DWORD PTR SS:[EBP-4], EBX ; KERNEL32.77ED77B2
******
0040130C |. 8B4D FC |MOV ECX, DWORD PTR SS:[EBP-4]
0040130F |. 3B0D 9C304000 |CMP ECX, DWORD PTR DS:[40309C]

now option to log specifically something like this to rtrace.txt would be useful in analysing situation

some thing like log ecx when command is popad at 4012f8 or similar

i hope i am clear if not do ask

blabberer
March 28th, 2003, 00:54
hi tbd
really do you read this post and convey those mutterings to oleh ;}
i hope so ;}}

Anonymous
March 29th, 2003, 13:13
oh me anon olly checks this thread. also i found a bug that will be fixed in 1.09c sometime in the future (regarding bad PE header)

keep the ideas coming guys.

TBD

ps. i forgot the password

Anonymous
March 29th, 2003, 17:18
i think this may have been posted before, but i still get the occasional : "some breakpoints were outside..." and then olly disables all breakpoints when the app restarts. its not a big deal, since we can view break point window and re-enable them, but its an inconvenience and seems to happen at unpredictable times (note this is not a packed app).

blabberer
March 30th, 2003, 07:30
ooh tx for reply tbd,;}}} no answers by you in this page (page no 4) so thought let me bait a question

apart from logging there is no way to copy a selection in rtrace and rtrace log required to be enabled before run tracing else if you rtrace and then want to save something it wont be possible hope this can also be by passed (just like adding copy to clipboard in stack which seems to be pretty useful)

and then ms excel type auto filter if possible in rtrace will be an added advantage so in the above situation i apply auto filter and select popad which shows all popads one below one ( profile does it but shows only one instruction

and marking and using + or minus to navigate makes it possible for me to view all the popads still making it kind of spreadsheet will be making it more convenient
( i got this idea when i exported the rtrace.txt as rtrace.csv to excel and
used auto filter (success % 75 % file not loaded completely)

and tbd you can put your nick in box and post even if you dont remember password
hahahahaha isnt kind of teaching the teacher ;}}}}}}

Anonymous
April 2nd, 2003, 12:29
the ability to directly load a dll for simple dissasembly would be nice, without having to attach to a specific application.

Anonymous
April 3rd, 2003, 15:51
Possible Reference to String Resources "BLABLA"
Exist already

but not
Possible Reference to Menu Resources MenuID_xxx: "BLABLA"
Possible Reference to Dialog DialogID_xxx, CONTROLE_ID: yyy "BLABLA"
and all other resources

those features exist in W32Dasm

Anonymous
April 23rd, 2003, 04:31
Trw2000-like interface option with pmodule option would be great!!

Anonymous
April 25th, 2003, 04:11
Would be nice with "Copy code only"

blabberer
May 5th, 2003, 03:15
well hiding one of the default columns by clicking or something else would be great for copying disassembly and comments now we have to drag the columns and hide them and copy

ENLIL58
May 5th, 2003, 04:24
How about saving/loading comments/labels and un-losable comments. My one and only annoyance with OD is that after spending days debugging a prog, adding a mountain of useful comment and label so that it is easier to understand how the prog works and then you go and alter the prog - 'PUFF' - OD now interprets the prog as being new and re-analyses it and you LOSE ALL THOSE NICE COMMENTS AND LABELS - this is well out of order. OD should have some option for it to scan the prog and identify where the comments should now be offset to !!

This would be great and would save a few heartattacks, and the smashing of a computer or 2 ))

Anonymous
July 16th, 2003, 11:03
i don't know if this is crazy, but could be possible to make olly to run in a virtual machine (i heard something like that for java) so if something goes wrong you don't have to restart the pc, because the problem is not in your computer is in a process that can be finished without affecting the session.

Teerayoot
July 16th, 2003, 22:35
no more bugs!

Teerayoot
July 17th, 2003, 00:00
Thread analyser .

Anonymous
July 17th, 2003, 05:30
to do a virtual machine would mean writing a complete processor emulator, which would be a complete nightmare. plus someone would always find a way to detect your emulator by using undocumented opcodes/options and see if the result is different on your emulator and the real cpu.

emulators/virtual machines do exist however, but only for dos - check out "TR".

Anonymous
July 17th, 2003, 05:31
be able to break into any running app like softice

silver
July 19th, 2003, 15:14
file analyzer-compression, compilers

comrade
July 20th, 2003, 18:46
Multiple data dump windows please. I know you can use +/- to switch between locations, but still it would be nice to watch two or more sets of data at once.

Anonymous
July 25th, 2003, 13:50
It would be interesting to have debugger with some kind of simple script language.
IDA has script language support, something similar in debugger would be very useful to automate different complex tasks.

Anonymous
July 29th, 2003, 10:35
"SAVE POINT": save data (registers, stack and ......) in harddisk, so we can begin from the save point by loading data from harddisk in the next time and also we can go back without restarting

Anonymous
July 30th, 2003, 00:46
Ability to break on one place when some event occurred in another place. Something like break on 402000h when ecx==2h on the 401FF00h. Remember ecx value on 401FF00h and if we break on 402000h check ecx and continue if FALSE.
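
The request above amounts to a breakpoint with memory: one stop samples a register and never pauses, a later stop pauses only if the remembered value matches. The C sketch below is an added example, not part of any post in this thread and not OllyDbg code; the addresses, the trace and every name in it are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ADDR_WATCH 0x00401F00u  /* constructed: where ECX is sampled */
#define ADDR_BREAK 0x00402000u  /* constructed: where a pause may happen */

struct event { uint32_t eip, ecx; };        /* one breakpoint stop */
struct latch { int armed; uint32_t ecx; };  /* ECX remembered from ADDR_WATCH */

/* Returns 1 if the debugger should pause at this stop, 0 to resume silently. */
int on_stop(struct latch *l, const struct event *e, uint32_t want) {
    if (e->eip == ADDR_WATCH) {   /* sampling stop: remember ECX, never pause */
        l->armed = 1;
        l->ecx = e->ecx;
        return 0;
    }
    if (e->eip == ADDR_BREAK) {
        int hit = l->armed && l->ecx == want;  /* test the remembered value */
        l->armed = 0;             /* design choice: one sample arms one check */
        return hit;
    }
    return 0;
}

/* Replays a trace and returns the index of the first pause, or -1. */
int first_pause(const struct event *t, int n, uint32_t want) {
    struct latch l = {0, 0};
    for (int i = 0; i < n; i++)
        if (on_stop(&l, &t[i], want)) return i;
    return -1;
}

/* Constructed trace covering the edge cases. */
static const struct event TRACE[] = {
    {ADDR_BREAK, 2},                   /* never sampled: must not pause    */
    {ADDR_WATCH, 1}, {ADDR_BREAK, 2},  /* live ECX is 2, remembered is 1   */
    {ADDR_WATCH, 2}, {ADDR_WATCH, 3}, {ADDR_BREAK, 0}, /* latest sample wins */
    {ADDR_WATCH, 2}, {ADDR_BREAK, 9},  /* remembered 2: pause (index 7)    */
};

int main(void) {
    printf("first pause at trace index %d\n", first_pause(TRACE, 8, 2));
    return 0;
}
```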

Anonymous
August 1st, 2003, 17:40
My most important wish is a user interface that is customizable as close to softice as possible (my permanent typos are starting to wear my nerves thin ;-)).

Anonymous
August 1st, 2003, 19:58
Anonymous - Posted: Mar 25, 2003 05:29:20

Adding support for the great x86-64 platform. Pb is : which OS should one choose.


WindowsXP 64 seems to be a good choice...


Teerayoot - Posted: Jul 16, 2003 23:35:57

no more bugs!


What about no more moron so you can leave now?

Anonymous
September 14th, 2003, 19:07
The ability to run a code analysis on *any* code in the disassembler
window, not just code marked as being in the executable segment.

Anonymous
September 15th, 2003, 05:03
flirt technology, ala IDA

Anonymous
September 25th, 2003, 09:05
I'm new to debugging, so please forgive any newbie misunderstandings. I'd like to add that Olly is a really superb tool and full of power even for new users - thanks to all involved.

1. Stepping / trace ranges. I debug programs which have frequent calls to external modules (mfc700, ntdll, etc), yet I'm hardly ever interested in stepping through external functions. When I'm stepping through long lists of instructions with F7, I often fall into another module and have to bring myself out with Ctrl-F9 etc. What I want is a feature that behaves like 'step into' *but only for specified modules* (e.g. 'never step into ntdll'). This differs from 'step over' because I need to 'step into' a function within the current module (or other specified modules).

2. An easier way to switch between loaded modules. The only way I've found is to open up the 'modules' window (Alt-E) and double-click a module name.

3. A simple, one-click method of committing changes to the file being debugged.

4. Maybe this is too basic for the average user, but an ASM instruction reference for newbies would be a really useful resource; something along the lines of right-clicking or hovering over an instruction name will bring up a small explanation of its function and any parameters it can take.

helloword
September 26th, 2003, 09:02
Possibility to translate piece of asm to programming language code.
For example
If we identify a portion of asm as being an if condition in Visual Basic for example.
Olly should change this asm

mov eax,..
mov edx,...
cmp eax, edx
jne 023213

to

If eax > edx then jne 023213

Anonymous
September 26th, 2003, 09:07
mov eax,..
mov edx,...
add eax, 50
inc edx
cmp eax, edx
jne 023213

to

eax = eax + 50
edx = edx + 1
If eax > edx then jne 023213

Anonymous
October 3rd, 2003, 11:22
a wizard to generate function descriptions in common.arg

Anonymous
October 6th, 2003, 14:56
DrCOM Monitor http://www.ddevel.com/

Object name/clsid.
The object reference count.
The time of creation.
The objects interface name/iid.
The reference count.
The memory address of the object.
Automation supporting ( in which case the objects methods may be invoked ).
Object creation type e.g. singleton or not

spongebob
November 2nd, 2003, 12:56
I would really like a Memory Searcher!

You search for a value in memory, and then you can filter your search results by saying 'value has changed' or 'value has increased', and you will eventually get the location of your value. Then have another search that finds the pointer to the value you just found.

It's annoying to have to use an extra program to do this, that's why I think it would be great if it was integrated into Olly.
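
The search described in this post is a narrowing scan followed by a pointer scan. The C sketch below is an added example, not part of the thread and not OllyDbg code; the 64-byte "memory", the base address and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define MEM_SIZE 64          /* constructed toy snapshot of process memory */
#define BASE     0x00400000u /* assumed virtual address of offset 0 */
enum filter { F_CHANGED, F_INCREASED };

static uint32_t rd32(const uint8_t *m, size_t off) {
    uint32_t v;
    memcpy(&v, m + off, sizeof v);   /* alignment-safe read, host byte order */
    return v;
}

/* First pass: record every 4-byte-aligned offset that holds `value`. */
size_t scan_first(const uint8_t *m, uint32_t value, size_t *hits) {
    size_t n = 0;
    for (size_t off = 0; off + 4 <= MEM_SIZE; off += 4)
        if (rd32(m, off) == value) hits[n++] = off;
    return n;
}

/* Next pass: keep only candidates that satisfy the filter between snapshots. */
size_t scan_next(const uint8_t *old, const uint8_t *cur, enum filter f,
                 size_t *hits, size_t n) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t a = rd32(old, hits[i]), b = rd32(cur, hits[i]);
        if (f == F_CHANGED ? a != b : b > a) hits[kept++] = hits[i];
    }
    return kept;
}

/* Pointer search: offset of a dword storing the address of `target_off`, or -1. */
long find_pointer(const uint8_t *m, size_t target_off) {
    size_t hits[MEM_SIZE / 4];
    return scan_first(m, BASE + (uint32_t)target_off, hits) ? (long)hits[0] : -1;
}

/* Constructed demo: 100 sits at offsets 8, 20 and 40; only offset 20 rises to 101. */
long demo(void) {
    uint8_t before[MEM_SIZE] = {0}, after[MEM_SIZE];
    uint32_t v = 100, p = BASE + 20;
    size_t hits[MEM_SIZE / 4];
    memcpy(before + 8, &v, 4); memcpy(before + 20, &v, 4); memcpy(before + 40, &v, 4);
    memcpy(before + 52, &p, 4);                /* a pointer to the real variable */
    memcpy(after, before, MEM_SIZE);
    v = 101; memcpy(after + 20, &v, 4);
    size_t n = scan_first(before, 100, hits);  /* three candidates */
    n = scan_next(before, after, F_INCREASED, hits, n);
    return n == 1 ? find_pointer(after, hits[0]) : -1;
}
```

`demo()` narrows three candidates to the one at offset 20 and then finds the pointer to it at offset 52.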

bboitano
November 4th, 2003, 10:39
A comprehensive manual for us Newbies would be good

Epsylon3
December 27th, 2003, 16:27
TreeView of Hierarchy of calls in Run trace !

comrade
December 28th, 2003, 22:53
TreeView of Hierarchy of calls in Run trace !

Not just for Run Trace, perhaps while manually debugging and stepping as well
It's very easy to get lost in complex code.

Lord_Looser
February 26th, 2004, 11:35
disassembling running processes without debugging it

prejker
April 22nd, 2004, 06:57
It would be nice to have a function to allocate user defined amount of space in the debugged app where u can inject your code. (sth like ADump or DumpFX)
It would be also nice to have a function to copy data from a file to a
user defined memory address because 'binary edit' has got a limited editbox and sometimes i must paste data 3 times.

thx and keep up the good work with olly its superb

Ziyi
April 28th, 2004, 08:49
-Toggle-switch on child window
-Can customize the child window opacity
-A window dock bar
-Supply language file for localization
-.chm support

j_petrucci
April 28th, 2004, 15:08
Hey TBD, did you remember to send all our suggestions to Olly? ;p

bye

TBD
April 28th, 2004, 23:10
j_petrucci: Olly is checking this thread periodically and he will try to add the features as he can.

after he finishes the documentation for 1.10c and plugin architecture he will go back to 2.x development. till then - use 1.10c

seven757
May 7th, 2004, 20:20
ring 0, with sysinternal's DLL, like windbg

ShadowDark
May 11th, 2004, 12:31
some of Crypt APIs and other interpretations... of ADVAPI32.dll...
bytes...

P.S.: only commentary of parameters...

Lord_Looser
May 13th, 2004, 07:15
demangle symbolic names similar to MS C++ Name Undecorator/Dependency Walker x86’s undecorated function names.
example:
?set_terminate@@YAP6AXXZP6AXXZ@Z --> void (*set_terminate(void (*)(void)))(void)

focht
May 13th, 2004, 11:36
demangle symbolic names similar to MS C++ Name Undecorator/Dependency Walker x86’s undecorated function names.


Hi,

it already does that stuff... it exports that kind of functionality (to be used in plugins) too:


extc int cdecl Demanglename(char *name,int type,char *undecorated);


Example where ollydbg uses image/dbg helper API to undecorate stuff:


Call stack of main thread

Address Stack Procedure / arguments Called from Frame
0012C974 00462A13 IMAGEHLP.UnDecorateSymbolName OLLYDBG._Demanglename+101 0012C9B4
0012C9B8 0046348A OLLYDBG._Demanglename OLLYDBG._Quickinsertname+1D1 0012C9B4
0012C9BC 0012D03C Arg1 = 0012D03C ASCII "MSVCP71.??0?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA
0012C9C0 00000033 Arg2 = 00000033
0012C9C4 0012C9D4 Arg3 = 0012C9D4 ASCII "MSVCP71.std::basic_istringstream<char,std::char_traits<char>,std::allocator<char>
0012CBD8 0045C6AC OLLYDBG._Quickinsertname OLLYDBG.0045C6A7 0012CBD4
0012CBDC 00459210 Arg1 = 00459210
0012CBE0 00000033 Arg2 = 00000033
0012CBE4 0012D03C Arg3 = 0012D03C ASCII "MSVCP71.??0?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QA
0012D2C8 0045E833 OLLYDBG.0045B434 OLLYDBG.0045E82E 0012D2C4
0012D2CC 01FE0000 Arg1 = 01FE0000
0012DA8C 0042EDE5 OLLYDBG.0045E3B4 OLLYDBG.0042EDE0
0012F5AC 00438B03 ? OLLYDBG.0042E1E0 OLLYDBG.00438AFE
0012F5B0 0012FF34 Arg1 = 0012FF34
0012FF8C 004ABAF3 OLLYDBG.00434F0C OLLYDBG.004ABAF0 0012FF88
0012FF90 00400000 Arg1 = 00400000 ASCII "MZP"
0012FF94 00000000 Arg2 = 00000000
0012FF98 00551F0F Arg3 = 00551F0F
0012FF9C 0000000A Arg4 = 0000000A


Maybe you have an old version of debug helper library or ollydbg is not setup correctly...

Regards,

A. Focht

Lord_Looser
May 13th, 2004, 16:48
Thanks for your detailed reply.

But OllyDbg is cutting away functions’ return value type and parameters. It returns just [scope::]name.
basic_istringstream is only a template and all type statements between ‘<’ and ‘>’ are no function parameters.
compare to undname 0x1000 ....

The complete demangled function name – better say function prototype (?) – should be ...
"public: ?? ?? std::basic_istringstream<char,struct std::char_traits<char>,class std::allocator<char> >::basic_istringstream<char,struct std::char_traits<char>,class std::allocator<char> >( ?? ) throw( ?? )"


compare this function pointer with no scope (using namespace std)
mangled: ?set_terminate@@YAP6AXXZP6AXXZ@Z
OllyDbg: set_terminate
undname: void (*set_terminate(void (*)(void)))(void)

---------

C:\>undname.exe /show_flags
Usage: undname [flags] fname [fname...]
or: undname [flags] file

where flags are the following OR'd together:

0x0001 Remove leading underscores from Microsoft extended keywords
0x0002 Disable expansion of Microsoft extended keywords
0x0004 Disable expansion of return type for primary declaration
0x0008 Disable expansion of the declaration model
0x0010 Disable expansion of the declaration language specifier
0x0060 Disable all modifiers on the 'this' type
0x0080 Disable expansion of access specifiers for members
0x0100 Disable expansion of 'throw-signatures' for functions and pointers to functions
0x0200 Disable expansion of 'static' or 'virtual'ness of members
0x0400 Disable expansion of Microsoft model for UDT returns
0x0800 Undecorate 32-bit decorated names
0x1000 Crack only the name for primary declaration; return just [scope::]name. Does expand template params
0x2000 Input is just a type encoding; compose an abstract declarator
0x8000 Disable enum/class/struct/union prefix
0x20000 Disable expansion of __ptr64 keyword

focht
May 13th, 2004, 23:34
Hi again,

yes the flags given by ollydbg to the image helper API are preset in that way (cutting the interesting info for some ppl away).

Maybe there can be some configuration option added to control this behaviour..

While comparing this behaviour to VS.NET 2003 debugger (my primary choice for _any_ source level stuff) i noticed ollydbg doesn't walk the callstack to its top... (only a limited set of stack frames are displayed)

As i stated some times before ... i think the way, symbolic debugging is handled by ollydbg needs some rework..

Regards

Goudaman
May 16th, 2004, 14:00
I may be dense and this might already be there but, can you add a way of automatically logging function return values? What i do now is use the search thing to find all the "mov EAX, R32 \n RET"s and "mov EAX, CONST \n RET"s and put conditional log breakpoints on them to log the value of EAX , which is really tedious. Also can you make the "Watch" window auto find string addresses like the Registers pane? Great job though! It already kicks WinDbg's ass for normal user mode applications. Also about focht's post: Why wouldn't you just use the debugger that came with your high-level language? Isn't the whole point of OllyDbg to debug stuff where you dont have the source or that is coded in asm?

prejker
July 16th, 2004, 01:05
it would be nice to have an option to ignore breakpoints that we set for certain addresses. for ex. you set a breakpoint on GetWindowTextA and the app that you are debugging calls this api in a loop in some threads - that makes it hard to find what you are looking for so if there could be an option to exclude some addresses from the breakpoint it would be much easier to find what you are looking for.

blabberer
July 18th, 2004, 02:15
prejker may be what you are looking for is already implemented
have you tried going to break points window and disabling the specific break point if not try it and see
well but a hot key would be fine though to disable and enable it again