It would be _so, so good_ if OllyDbg (or a plugin) could detect code sequences and comment them accordingly (and then it'd be easy to make a public library for known code sequences). For example, this is the start of a UPX-packed exe (nothing unfamiliar ...
<pre>00406A90 > &#036; 60 PUSHAD
00406A91 . BE B0604000 MOV ESI, 004060B0
00406A96 . 8DBE 50AFFFFF LEA EDI, DWORD PTR [ESI+FFFFAF50]
00406A9C . 57 PUSH EDI
00406A9D . 83CD FF OR EBP, FFFFFFFF
00406AA0 . EB 10 JMP SHORT 00406AB2
00406AA2 90 NOP
00406AA3 90 NOP
00406AA4 90 NOP</pre>
Obviously a few of those bytes change (addresses etc) so a bitmask would also be required, but that's the only 'hurdle', if you could call it that. It could then automatically add comments that have been associated to that byte sequence.

I would be willing to pay for such a plugin to be made, but I think its the sort of plugin that everyone would benefit most from if it was free and available to everyone, so then a public database of code sequences can be built... almost like snort the IDS, how it analyses network traffic for known byte sequences

Anyway, just an idea ... if anyone wants to turn it into a reality I for one would be very grateful!

Good idea!http://www.polarhome.com:793/~teerayoot/html/icon/icon14.gif

Indeed, that would be very cool.

MrSmith

Try using PEiD. it could be helpful

Thanks en0n, but PEiD is only useful for detecting packer/compiler etc, it can't be used to detect little code snippets scattered throughout programs (like anti-debug tricks, etc)

We can make MAP files and use MapConv
-koncool