GODUP - Godfather+ Olly Debugger Universal Plug-in
xxxxx
July 25th, 2004, 17:19
Hi TBD, here it is finally
GODUP - Godfather+ Olly Debugger Universal Plug-in
ver. 1.0
This plug-in consists of 5 handy tools:
1. Map loader
2. Resource viewer
3. Process info
4. IDA signature loader
5. Notepad
1. Map loader - use it for loading map files produced by a compiler or by
IDA. You can use it to load label names and/or comments from a .map file.
There is no checking whether the map file matches the currently debugged process.
2. Resource viewer - use it for looking at your resources ;-) This is
probably the only viewer which works through direct memory access, which means that you
can even look at the resources of compressed (protected) executables.
NOTE: Still in experimental phase.
3. Process info - gives you basic information about the process and tries to
recognize the compiler and protection mechanism. Process info uses the signature file
signs.txt from PE Tools v1.5 (NEOx, .Cryorb). Feel free to add your own
signatures and share them with us.
4. IDA signature loader - probably the most wanted add-on for Olly debugger -
now you can use IDA signatures without IDA ;-) Just look at process info, find
your compiler, and select and apply the matching IDA signature. It's not a problem if
you apply the wrong one; you can apply another one as well. The only thing you must do is set
the proper path to the IDA signatures, and you need the sigdump.exe file from the IDA resource
kit.
5. Notepad - simple but smart notepad which loads your notes per process
automatically every time.
You can find the file at: http://www.exetools.com/forum/showthread.php?t=4691
godfather+
PS. Delphi plugin framework - coming soon
TBD
July 26th, 2004, 03:11
thanks godfather+!
[edit] Stuph page updated !
TBD
July 26th, 2004, 03:12
btw, we have one PDK for Delphi, by TQN. Did you check it?
mango
July 26th, 2004, 11:47
Very nice and very useful plugin. Thanks for sharing
Necr0Potenc3
July 26th, 2004, 12:14
Great plugin.
nice job dude
xxxxx
July 26th, 2004, 13:58
@TBD
I checked it today and can only say that TQN did a good job
- super clean conversion and also some stuff which I didn't know how to convert (this union thing (I solved it as a common structure of the same length) and some of the exotic function declarations)
- I will compile a new version of GODUP with this TQN conversion
There is one error - but not from TQN - from Borland:
C++ Builder has a CONTEXT structure DIFFERENT from Delphi's, so please correct the t_thread record like this:
t_thread = packed record                       // Information about active threads
  threadid: ULONG;                             // Thread identifier
  dummy: ULONG;                                // Always 1
  ltype: ULONG;                                // Service information, TY_xxx
  thread: THandle;                             // Thread handle
  datablock: ULONG;                            // Per-thread data block
  entry: ULONG;                                // Thread entry point
  stacktop: ULONG;                             // Working variable of Listmemory()
  stackbottom: ULONG;                          // Working variable of Listmemory()
  context: CONTEXT;                            // Actual context of the thread
  ExtendedRegisters: array[0..511] of byte;    // Delphi CONTEXT is missing these 512 bytes!!!
  reg: t_reg;                                  // Actual contents of registers
  regvalid: Integer;                           // Whether reg is valid
  oldreg: t_reg;                               // Previous contents of registers
  oldregvalid: Integer;                        // Whether oldreg is valid
  suspendcount: Integer;                       // Suspension count (may be negative)
  usertime: LongInt;                           // Time in user mode, 1/10th ms, or -1
  systime: LongInt;                            // Time in system mode, 1/10th ms, or -1
  reserved: array[0..15] of ULONG;             // Reserved for future compatibility
end;
@mango, Necr0Potenc3 - Thx
@ALL I hope that this will bring us a lot of nice plugins written in Delphi
gf+
TQN
July 26th, 2004, 20:42
xxxxx! (Wow, a strange name)
You have done an excellent job. I can only say: Thank you!
It is great with IDA Signature load. I will play with it.
And I will revise the PDK for Delphi with the CONTEXT problem.
Regards !
TQN
TQN
July 26th, 2004, 22:35
Hi xxxxx !
You are right. The CONTEXT record declared in Windows.pas (and .dcu) of Delphi 6 and 7 is incorrect. It is missing the ExtendedRegisters field.
I have some ideas about the GODUP plugin:
- All controls in all forms of the GODUP plugin will be placed and resized incorrectly when the user resizes the form. You can correct it with the Anchors property.
- The grid in the Signature list does not have the full-row-select property. I found that it is hard to view.
- When I view resources of a Delphi app packed with PECompact, an Integer Overflow exception is raised. You can turn it off with {$O-}.
- The default directory of the text file in Notepad could be the path of the exe, not the plugin directory.
Best regards !
TQN
xxxxx
July 30th, 2004, 02:26
@TQN
xxxxx is my 'forum' name which I use for forum access only ;-)
I am repairing GODUP and applying your ideas. Hope I will finish today.
I see also your signatures for D6 and D7 - they work excellently with GODUP :-))))))
I need only one small correction - please, when you build a signature, set the PE flag so GODUP can load them automatically; by default I load only PE file signatures.
godfather+
TQN
July 30th, 2004, 02:53
Thanks godfather+ for trying my signature.
But I think we have some mismatch with the PE flag here. Below is my output when building and dumping the D6/D7 signature:
----
IDA signature file dumper by Ilfak Guilfanov. Version 1.19
Signature : Delphi 7 RTL, 4455 modules
Features : compressed
Processor id : 0 Intel 80x86
OS types : 0002 WIN
App types : 017F CONSOLE GRAPHICS EXE DLL DRV SINGLE-THREADED MULTI-THREADED 32BIT
File types : 00010C00 COFF PE AR
-----
The output of sigmake.exe -hf is:
-----
00000004L Binary File
00000008L MS DOS Driver
00000010L New Executable (NE)
00000020L Intel Hex Object File
00000040L MOS Technology Hex Object File
00000080L LiExecutable (LX)
00000100L LiExecutable (LE)
00000200L Netware Loadable Module (NLM)
00000400L Common Object File Format (COFF)
00000800L Portable Executable (PE)
00001000L Object Module Format (OMF)
00002000L S-record format
00004000L ZIP archive
00008000L OMF library
00010000L ar library
00020000L User-written loader
00040000L Executable and Linkable Format (ELF)
00080000L Watcom DOS32 Extender (W32RUN)
00100000L Linux a.out (AOUT)
00200000L PalmPilot program file
00400000L MS DOS EXE File
00800000L MS DOS COM File
01000000L AIX ar library
------
And the sigmake.txt says about flags:
-f... file format types the signature may be applied to.
Combination of bits. When in doubt, set a bit.
(list of bits can be displayed by -hf switch)
00000001 MS DOS EXE File
00000002 MS DOS COM File
00000004 Binary File
00000008 MS DOS Driver
00000010 New Executable (NE)
00000020 Intel Hex Object File
00000040 MOS Technology Hex Object File
00000080 Linear Executable (LX)
00000100 Linear Executable (LE)
00000200 Netware Loadable Module (NLM)
00000400 Common Object File Format (COFF)
00000800 Portable Executable (PE)
00001000 Used-defined format
00002000 Object Module Format (OMF)
00004000 S-record format
00008000 ZIP archive
When I built the D6/7 signature, I detected the mismatch between sigmake.txt and sigmake.exe.
Regards
TQN
xxxxx
July 30th, 2004, 04:51
Sorry, sorry, sorry - my mistake.
I forgot to mask bytes to find out if the PE flag is set
(I just checked if it is a PE file with file.type = $800 and not
(file.type and $800) = $800).
In the new version of GODUP it's fixed.
Thanks for pinpointing the error.
gf+
xxxxx
July 31st, 2004, 16:01
Hi, the new version is out:
ver. 1.1 2004-08-01
add: Resource viewer can show DIB resources
add: Resource saving
add: Signature loader selector - selecting full row in grid for better visibility
add: Settings panel
add: Possibility to decide where your notepad files will go
add: Notepad files have a name built from short process name + _dbg.txt
fix: Incorrect PE flag reading for signature files (thx TQN)
fix: Correct position of components on form after resize
fix: Support for executable packers which expand resources in memory outside the
resource section defined in the PE header (PeCompact)
fix: Some minor fixes
From this release I use TQN's version of the converted plugin.h
(mine is not so perfectly converted).
Look on exetools for it until TBD updates it here.
godfather+
mango
August 7th, 2004, 06:54
Hi,
has the Olly plugin site been updated with the new version of GODUP yet? I can't download off exetools :/
xxxxx
August 8th, 2004, 16:36
ver. 1.2 2004-08-09
add: Resource viewer can show Delphi and Borland C++ Builder forms
add: Resource viewer can show dialogs
add: Resource viewer can show version infos
fix: Problem with executing dumpsig.exe if the full path has a space in it
fix: Memory leak when showing bitmap resources
Experimental - Resource viewer - automatic breakpoint search on static
events from Delphi or BCB form - works ONLY for DELPHI and BCB
@mango - sent to TBD, hope that he will put it here soon
TBD
August 8th, 2004, 23:53
Stuph page updated. thanks gf+ !
xxxxx
August 9th, 2004, 02:37
Wow, that was fast. ;-)
BlackRose
August 9th, 2004, 06:36
Hello,
that's a really great plugin!
But I found a small mistake in the IDA sig. loader: when analyzing a program which uses the Miracl library, some names are not decoded the same way as when using the same signature in IDA. For example the Miracl function named "_mirvar" is decoded as "_ecurve_add".
Do you know about this?
xxxxx
August 9th, 2004, 06:46
The plug-in in this version can recognize 85%-90% of functions from IDA signature
files. I am still missing the logic which the guys from Datarescue use when a procedure or
function has the same first 32 bytes. (Then you must use checksums for the rest of the
procedure etc... pretty complicated without proper documentation)
And now I use only the first entry from the pattern file - so that's why you get wrong recognition.
Actually I need help with these pattern files. I tried to make a binary reader for .sig files - but in the end it was too complicated to do that. I spent some weeks before I succeeded in reading the header (names) from the sig files correctly.
Now I use dumpsig.exe and process the textual file which it creates.
You can examine these files if you execute:
dumpsig.exe signature.sig signature.txt
Any suggestions are welcome.
gf+
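As an added example (not GODUP's own code, and not written by gf+ or TQN), here is a small Python parser for the header of a dumpsig.exe text dump, with the equality check that caused the PE-flag bug described above beside the bit-mask test that fixed it. The header text is the one TQN pasted earlier in the thread and the bit values come from the sigmake.exe -hf listing; only the three bits that appear in that header are tabulated.

```python
import re

# Subset of the file-type bits from the 'sigmake.exe -hf' listing in this
# thread (only the bits needed for the sample header below).
FILE_TYPE_BITS = {
    0x00000400: "COFF",
    0x00000800: "PE",
    0x00010000: "AR",
}

# Constructed sample: the dumpsig.exe header TQN pasted for the Delphi 7 RTL.
SAMPLE_DUMP = """IDA signature file dumper by Ilfak Guilfanov. Version 1.19
Signature : Delphi 7 RTL, 4455 modules
Features : compressed
Processor id : 0 Intel 80x86
OS types : 0002 WIN
App types : 017F CONSOLE GRAPHICS EXE DLL DRV SINGLE-THREADED MULTI-THREADED 32BIT
File types : 00010C00 COFF PE AR
"""


def parse_header(text):
    """Map each 'Key : value' header line of a dumpsig text dump to a dict."""
    header = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$", line)
        if m:
            header[m.group(1)] = m.group(2).strip()
    return header


def file_type_mask(header):
    """The hex bit field is the first token of the 'File types' line."""
    return int(header["File types"].split()[0], 16)


def is_pe_buggy(mask):
    """GODUP 1.0's test as gf+ described it: equality with $800, which fails
    as soon as any other file-type bit (COFF, AR, ...) is also set."""
    return mask == 0x800


def is_pe_fixed(mask):
    """Corrected test from GODUP 1.1: mask out everything but the PE bit."""
    return (mask & 0x800) == 0x800


def decode_file_types(mask):
    """Names of the known file-type bits set in the mask, lowest bit first."""
    return [name for bit, name in sorted(FILE_TYPE_BITS.items()) if mask & bit]
```

With TQN's header the mask is 0x00010C00, so the equality test reports "not PE" while the masked test correctly reports PE.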
wsx
August 13th, 2004, 07:12
Help,
who knows where to find the Delphi 6 signature file?
kittmaster
August 15th, 2004, 18:08
Can you create a local link? I signed up at exetools almost 2 weeks ago and STILL don't have membership yet......
Chris
wrecked
August 29th, 2004, 06:13
I have the following problems, please solve:
1. Can't get any resources of a Delphi prog; I had tried analysis 1, 2, 3 and Delphi versions 5, 6 and 7 but can't get any resources
2. Any Delphi prog scanned for signature shows Delphi version 3.0, please advise
Bob
September 2nd, 2004, 07:02
The signs.txt was ripped from PEiD, that was in NeoX PE-Tools and now GodUp.. Delphi 3 comes up because it is before 6/7 in the list and PEiD uses internal checking to determine the version.
As for no resources.. have you tried any other res viewing programs? PE-Explorer, Res-Hacker etc? It's probably packed with something..
xxxxx
September 6th, 2004, 07:51
@wrecked
FIRST load and START the program, then try to start the analysis again. It should work. If not, please send me a link to the program so I will try to fix the problem.
gf+
Alex Globa
September 10th, 2004, 07:44
Please anybody send me a version 1.2 of this plugin.
I don't have access to exetools/forum attachements.
fkma@mmtools.ru
wrecked
October 3rd, 2004, 09:19
@xxxxx
It looks like I am making a mistake; I am doing the following:
1. Load the application to be debugged (e.g. a Delphi 2.0 app)
Analysis is made by Olly itself
2. Step a single instruction
3. Go to Plugins > GODUP Plugin > Process Analyse
The result is as below:
Analyses of program show possible match to: Borland Delphi v3.0
Additional possible match: Borland Delphi
4. Go to Plugins > GODUP Plugin > Resource Analyse
It finds no resources (list/memo boxes are empty)
Please tell me where I am going wrong. I have tried with other Delphi progs too but found no resources (even my own compiled progs in Delphi 2.0, 5.0, 6.0, 7.0).
xxxxx
October 4th, 2004, 01:31
@Alex Globa
go to the Stuph part of the forum
@wrecked
Please click on the "read resources" button ;-)
so you can
- reread resources also after attaching to a program
- if the program is packed/protected, you can first start the program, then read the resources after they are unpacked/unprotected in memory
Tip 1 - always look at which module is loaded in the CPU window - resource analysis will be done on this module
Tip 2 - If the program is not protected/packed you can read resources immediately after load - you don't need to run the analysis. For protected/packed ones you should first run the program, then try to read the resources
(you can choose a different module from which you want to read resources - from the menu View - Executable modules or ALT+E)
gf+
wrecked
October 4th, 2004, 19:17
@xxxxx
Ok,
I tried to locate the "read resources" button but where is it :-(
as I see no such button on GODUP PLUGIN > Resource Analyse
however, GODUP PLUGIN > Process Analyse has a button captioned "Get Process Info"
xxxxx
October 5th, 2004, 04:32
@wrecked
Hmmmm... strange.... it should be on a small panel directly above the status line in the lower right corner. On this panel there should be a save button too.
Try to maximise the window and then check again, and please check which version of GODUP you have.
It looks like some Delphi problem with panels and anchors....
Do you have some settings in Windows like large fonts for example, and which version of Windows do you use?
@all who use GODUP
does anyone have a similar or the same problem?
thx gf+
ViGaN
October 12th, 2004, 13:37
With resolution 800x600 I have the same problem, but setting it to 1024x768 it doesn't appear.... The plugin works fine...
I have definitively fixed the problem in this way:
1) unpacked the plugin with "c:\upx.exe -d godup.dll"
2) replaced the text "poDefault" with 0x00 at offset 000DC044 (TForm.Position: poDefault --> poDesigned)
Now the problem is resolved; the plugin works with any resolution
ViGaN
wrecked
October 17th, 2004, 09:24
I will try as ViGaN mentioned, yet the buttons were maximised using SPY and the plugin is working nicely.
Request xxxxx to adjust this in a future release.
Thanks ViGaN
nonebox
December 1st, 2004, 12:05
Unfortunately, the Stuph page is not accessible, and I have problems downloading from exetools.
Can anybody share the latest plugin at an alternative location?
Thanks
dmownz
December 29th, 2004, 17:01
Anyone know an alternate link for this site? The one in Stuph appears to be broken...