OllyDbg Changelog

What's new in OllyDbg 2.01

Oct 1, 2013
  • Multi language GUI (experimental, as yet no translation files - please do it by yourself)
  • Support for AVX instructions (as yet no AVX2 and high 16 bytes of YMM registers are not displayed)
  • Call stack window (similar to the version 1.10)
  • Handles window (similar to the version 1.10)
  • SEH and VEH chains. To decode addresses of VEH handlers, OllyDbg hacks NTDLL.RtlAddVectoredExceptionHandler(), therefore process must be started from the OllyDbg
  • Multibyte character dumps
  • udl image libraries, replace scan of object files from v1.10
  • Search for integers and floats in dump
  • Search for procedures (entry points)
  • Limited support for NTFS streams
  • Drive dump
  • Software breakpoints that use INT1, HLT, CLI, STI or INSB instead of INT3
  • Multiple watches in one line, support for repeat count
  • Dump of arrays of structures
  • Micro-analyzers
  • Accelerated search
  • Assembling of immediate data statements (DB xx etc.)
  • Highlighting in run trace
  • Up to 2 ordinals per address
  • Limited support for Win95 via Microsoft Layer for UNICODE
  • More tricky code sequences
  • Show free memory
  • Multiple bug fixes

New in OllyDbg 2.01 Beta 2 Update 4 (Nov 19, 2012)

  • This is a major update of the plugin interface. Now plugins can actively influence the debugging process. They may set temporary breakpoints (Plugintempbreakpoint()) and receive notifications if breakpoint is hit (ODBG2_Plugintempbreakpoint()). If they receive exception notification, ODBG2_Pluginexception() may request to pause application or step over this exception. ODBG2_Pluginnotify() is extended and can force different mode of execution than requested by user.
  • If necessary, plugin may create one or several options pages in a new Plugins options dialog, which is very similar to the Options. Pluginshowoptions() directly opens plugin-related options page.
  • There is a new sample plugin, traceapi.dll, that demonstrates new features. It uses one-time memory breakpoints to detect all calls from the user code to the Windows API and protocols the arguments and values returned by APIs. Sample code does not include the Visual Studio project for traceapi. This is despairing - to compile a plugin, I must change several options, like unsigned characters, byte alignment, DLL, UNICODE, import libraries (btw it looks like my VS accepts only absolute paths for implibs!) etc. - TWICE! - once for debug and second time for release configuration. As .vcproj includes GUIDs, I can't simply rename it. Instead, I must recreate new project FROM THE SCRATCH! (yes, all capitals text is a net equivalent of shouting). There is something called "property sheets", but I have found no possibility to save existing options to the property sheet. So if you have a solution to this problem MS feature, please let me know.
  • Plugin documentation is still far away from finished but is strongly updated.
  • OllyDbg itself got several bugfixes and minor improvements.

New in OllyDbg 2.01 Beta 2 Update 3 (Oct 8, 2012)

  • Many bugfixes and several improvements. Plugin interface is still under development.
  • Got rid of a very nasty crash. Maybe half of such crashes happened within the GlobalAlloc(), the remaining were almost unpredictable.
  • Debugging engine is now more stable, especially if one steps into the exception handlers. There is a new debugging option, "Set permanent breakpoints on system calls". When active, it requests OllyDbg to set breakpoints on KERNEL32.UnhandledExceptionFilter(), NTDLL.KiUserExceptionDispatcher(), NTDLL.ZwContinue() and NTDLL.NtQueryInformationProcess(). For example, if CPU is in the exception handler and you set hardware breakpoint, it won't hit!
  • NTDLL.ZwContinue() restores original contents of registers and modifications get lost. Therefore OllyDbg sets temporary INT3 break on ZwContinue() and applies changes to the copy of the context in memory. But sometimes it simply doesn't know that temporary breakpoint is necessary. If process is being debugged, Windows don't call the unhandled exception filter. Instead, it notifies debugger. To pass exception to the filter, OllyDbg intercepts NtQueryInformationProcess(). If handler asks OS whether process is debugged, OllyDbg reports "no". And so on. Well, if this new option is so advantageous, why not to make it default? Because some viruses check for INT3 breakpoints on these APIs.
  • Sometimes it's necessary to rename OllyDbg, for example if you investigate a brainless virus that scans process names and hopes to avoid the debugger. You rename OllyDbg to, say, notadebugger.exe and all plugins are missing?! They are statically linked to the DLL named ollydbg.exe. Of course, GetProcAddress() would help, but this turns programming into a nightmare. Therefore when OllyDbg loads plugins, it applies a dirty trick which lets Windows think that the main module is named ollydbg.exe and not notadebugger.exe. This trick works under Windows XP, but I am not sure whether Vista/Win7 use the same internal data structures. Please check.
  • Hit trace can be saved between the sessions. If code is self-modifiable, use this option with care. When OllyDbg restores hit trace, it sets INT3 breakpoint on every marked command. This may lead to crash of the debugged application.
  • Due to the invalid handling of prefixes 66, F2 and F3, command search was unable to find SSE commands. This bug is corrected.
  • Currently I am working on the plugin interface. Plugins will be allowed to set temporary breakpoints and process exceptions. This requires significant changes in the debugging engine and may take another couple of weeks.

New in OllyDbg 2.01 Beta 2 (Aug 18, 2012)

  • Minor improvements (like correct reaction on MOV SS,anything; PUSHF or disassembling of JE vs. JZ etc. depending on the preceding comparison).
  • Removed the nasty crashes that happened on some computers while invoking menu, or pressing ALT, or on similar harmless actions.
  • Plugin interface is slightly extended. Plugin API includes more than 500 functions, structures and variables.

New in OllyDbg 2.01 Alpha 4 (Aug 4, 2011)

  • New plugin interface is similar to the old (v1.10) but is not backwards compatible. It includes more than 350 API functions, 60 or so variables and many enumerations and structures that all need to be documented. This will take a while, therefore I decided to make a preliminary release. It includes plugin header file (plugin.h) and commented bookmarks source code (bookmark.c). Writing your own plugins without the documentation is a pure masochism, but at least you will be able to analyse the structure of the interface and send me your comments, wishes and suggestions.
  • Patch manager, similar to 1.10
  • Shortcut editor, supports weird things like Ctrl+Win+$ etc. Now you can customize and share your shortcuts. I haven't tested it on Win7, please report any found bugs and incompatibilities!
  • Instant .udd file loading. In the previous versions I've postponed analysis, respectively reading of the .udd file, till the moment when all external links are resolved. But sometimes it took plenty of time, module started execution and was unable to break on the breakpoints placed in the DLL initialization routine.
  • Automatic search for the SFX entry point, very raw and works only with several packers. Should be significantly more reliable than 1.10. If you tried it on some SFX and OllyDbg was unable to find real entry, please send me, if possible, the link or executable for analysis!
  • "Go to" dialog lists of matching names in all modules
  • Logging breakpoints can protocol multiple expressions. Here is an example: I ask OllyDbg to protocol the contents of EAX, EBX and 4 memory doublewords starting at address ESP. Expressions must be separated by commas, repeat count has form SIZE*N, N=1..32.
  • Thread names (MS_VC_EXCEPTION)
  • UNICODE box characters clipboard mode
  • Multiline debugging strings (of large size)
  • On debug string, OllyDbg attempts to find call to OutputDebugString()
  • INT3 breakpoints set on the first byte of edited memory area are retained
  • Decoding of User Shared Data block
  • Addressing relative to module base
  • If plugin crashes, OllyDbg will report its name

New in OllyDbg 2.01 Alpha (Nov 26, 2010)

  • Ported to UNICODE. Multilanguage support for ASCII apps in modern Windows is practically non-existing, and I got tired bypassing all such incompatibilities. This step means that version 2 will not work on Windows 95 and 98.
  • Source debugging is here again, a bit incomplete. It supports only Microsoft compilers via dbghelp.dll. New is support for symbol server, stack walking using dbghelp and names of procedure parameters.
  • Debugging of standalone DLLs, in my opinion significantly better than before. It even measures call duration with sub-microsecond resolution (good for profiling) and saves contents of dumps between sessions!
  • Many small improvements, like pause only on selected module(s), breakpoints on all intermodular calls, automatic closing of dump windows on different process, bugfixes, and more.

New in OllyDbg 2.00 (Jun 18, 2010)

  • Full support for SSE instructions, including SSE3 and SSE4. SSE registers are accessed directly, without code injection;
  • Execution of commands in the context of debugger, allowing run trace speed - with conditions and protocolling! - of up to 1,000,000 commands per second;
  • Unlimited number of memory breakpoints;
  • Conditional memory and hardware breakpoints;
  • Reliable, analysis-independent hit trace;
  • Analyser that recognizes the number (and sometimes the meaning) of the arguments of unknown functions;
  • Detaching from debugged process;
  • Debugging of child processes;
  • Built-in help for integer and FPU commands;
  • Option to pause on TLS callback;
  • Option to pass unprocessed exceptions to the unhandled exception filter.