Hopefully I will have more time now for version 2.0. Currently I'm working on analyzer. Global prediction of the contents of registers and stack is practically finished. This was a very hard piece, and initially veeery slow, but today I've found the way to accelerate it by the factor 100+. Next I plan to implement known functions. Debugging engine will follow.
Of course, OllyDbg 2.0 will work on all existing versions of 32-bit Windows: 95, 98, ME, NT4, 2000 and XP. I don't know whether it will make sense to play with Server 2003 at all, and Longhorn is not yet ready.
Several weeks ago I've asked for help in the form of different Windows versions that I'm going to use for debugging purposes. Honestly, I haven't hoped for so many offers:
- Windows 98 and/or 98 SE
- Windows ME (Tony, this was a nice gift!)
- Windows 2000 home and/or professional (thank you, Rudy! No such thing as a home edition?)
- Windows XP home
- Windows Server 2003
(many thanks, Casey!)
Modified PDK from Alex Clarke. He wrote:
Thank you, Clarke! And here is the ZIP file. Note, however, that I haven't checked it - as always, use at your own risk!
Version 1.10 - final
Some errors reported for v1.10, but they all seem to originate in plugins. So now I declare it final release. Project OllyDbg 1.xx is closed. Now I will be able to continue my work on v2.0. When will it be ready? Honestly, I don't know. Currently I'm working on a couple of not so ambitious private projects (not related to debugging), so progress will be not too fast. Hopefully I'll finish it before 80x86 architecture in general and Windows in particular get obsolete :))
I have also updated the Plugin Development Kit. You may download the actual version here.
From time to time, but not too frequently, I will inform you here on the progress. My first major goal is strongly improved analysis with much better prediction of registers. Next I will try to accelerate run trace, which seems to be a very powerful method of debugging, by executing or emulating simple commands in the context of Debugger. Also I have some vague plans for a built-in compilable scripting language... So don't feel sad, the future will be bright anyway!..
Oleh Yuschuk, a.k.a.
June 11, 2004
Version 1.10 - preliminary release
corrected nasty crash on right click. File odbg110.zip includes also updated help and version 1.10 of command line plugin. If you report no critical errors, this version will be declared final in a
plugin now allows you to modify memory and registers, like:
issue commands from conditional logging breakpoint, precede them with a point: .EAX=0. Plugin's source, together with the new plugin API, will be uploaded in a week,
Version 1.10c - third (final) beta
This is the last beta. There will be no more new features. For about
two weeks I will update the documentation and wait for your bug
reports. If nothing unforeseen will happen, I will make final release,
close this project and renew my work on v2.0.
- Now you can set analysis hints to force decoding of some byte sequences. To set hint, select piece of code or data and from the pop-up menu choose Analysis|Treat selection as, then your selection. Selections in singular form set hint only on the first byte, in plural - repeatedly on the whole selection. Proposed by Eric Simmons and others. First I answered that this feature would be too significant for v1.10; now, after considering all possibilities, I've found more or less safe way to do this. Please check!
- If debugged DLL has entry point, OllyDbg makes first pause on this entry point, then in LOADDLL.EXE. Proposed by Richard Ginzburg.
- Disassembler will display, on your request, RET instead of RETN. Proposed by Ib Larsen.
- Run Trace window now supports syntax highlighting. Proposed by X Shadow.
- If command uses immediate constant that points to valid command in code, Disassembler adds menu item "Follow immediate constant". Proposed by KolAn and Paul Guerra.
- New copy-to-clipboard options: whole Information pane, line of Run trace window. Proposed by sett07.
- Option to mark DLL as system or non-system. Important for Run trace where you may request to trace over calls to system DLLs.
- If doubleword in Stack points to stack, press Enter to follow it. Proposed by CoDe_Inject.
- Maximal length of argument string is changed from 1024 to 4096 characters. Requested by BlackArT.
- New CPU option: now you can specify the number of lines visible after current command during stepping and tracing. Proposed by Phong Tran and others.
- ODBG_Pausedex(reasonex,extmode,registers,debugevent) extends functionality of ODBG_Paused(reason,registers). Many requests. Extended flags in reasonex proposed by Richard.
- Listmemory() is now exported. Requested by lixg00.
There are many more requests in my list, but, unfortunately, they will not appear in the final release. Usually this is due to their complexity that may adversely influence the reliability of v1.10. I have transferred all such requests to the list of wishes for version
- Registers menu option "Copy all registers to clipboard" now copies EAX, too. Reported by many contributors.
- In code with non-standard alignment of sections, analysis and displayed code were desynchronized, so click on some line selected different line. Reported by comrade.
- Menu "Follow in Dump" now displays more intuitive items if one of operands is implicit stack location (like in PUSH). Reported by Jacob Benoit.
- OllyDbg now correctly disassembles VxDCall and VxDJump used by Win95 drivers. However, it assembles them to the same code. In almost improbable case that anybody will use this pseudocommand, user must correctly set bit 0x00008000 to distinguish between call and jump. Reported by Jacob Benoit.
- OllyDbg compiled REP STOS FWORD [EDI] and similar nonsense to REP STOS DWORD [EDI]. Reported by Paul Guerra.
- OllyDbg now adds "Open with OllyDbg" to Explorer's menu in DLLs. Reported by Truong Quoc Ngan.
- Names window sometimes lost its contents after new modules were loaded. Reported by William Whistler.
If your bug is not here, this means that I was unable to reproduce
it. In this case, please send me the detailed, step-by-step, sequence
of actions. Don't forget to mention the version of your OS!
Version 1.10b - second beta
There is a big useful new feature: OllyDbg now can debug standalone DLLs. Just drop DLL into OllyDbg and see what happens. A brief walkthrough is available here. Also new is a SEH chain window. Other changes:
- A very useful option to remove analysis from selection (shortcut: Backspace);
- Attach window is resizeable (and even maximizable);
- New stack commands: push doubleword and pop doubleword;
- Option to copy all registers to clipboard.
- Assembler supports simplified form of IMUL: IMUL reg,const. This command is disassembled as IMUL reg,reg,const. One cannot search for IMUL using imprecise register (IMUL R32,CONST - use IMUL R32,R32,CONST instead). Reported by Alexandr Yakubtchik.
- Disassembler used address size instead of operand size to decode size of immediate offset (JMP FAR ssss:oooooooo). Reported by Karel;
- Tabs in source text in Disassembler comments and info pane were displayed as small rectangles. Now they are extended to at most 8 spaces. Reported by Karel;
- ARPL was decoded with 32-bit size of operands (correct decoding is ARPL r/m16,r16). Reported by Karel;
- OllyDbg now should correctly work in multi-monitor configurations, but I am unable to verify this. Please check! Reported by Roel Verdult;
- 2-byte INT 3 (CD 03) was processed incorrectly. Reported by roticv.
The list of improvements and corrected bugs is already long, significantly longer than I've expected. I haven't finished yet with old wishes and bug reports, and every day I get several new ones. So I decided to post preliminary, raw beta in the hope that your feedback will help to improve the quality of final code. Remember, v1.10 is the last planned - afterwards I'll concentrate on OllyDbg 2!
Version 1.10 - first beta
What's new here:
- On break, conditional logging breakpoints can pass several text commands to plugins, see description of ODBG_Plugincmd() below.
- New Security option: "Save user data outside any module to main .udd file". Allows to keep breakpoints and comments that belong to no particular module. CAVEAT: data is saved relative to main program and will be corrupted if external code or main executable are reallocated (this is possible, at least in theory). Proposed by Francis Crick;
- Trace condition (Ctrl+T) includes option to pause trace after specified number of commands is executed (more exactly, added to run trace). Counter restarts automatically. Proposed by Marcus Matten;
- Conditional logging breakpoints support pass counter. For example, if you set pass counter to 100, OllyDbg will skip first 100 occurrences of breakpoint and pause on 101st. Note that pass counter is not restartable and is not saved to .udd file. Proposed by many contributors. CAVEAT: I have extended structure t_bpoint to fit counter, any plugin that accesses it directly will fail! (AFAIK, there are as yet no plugins that directly access t_bpoint).
- Possibility to reswitch to different module directly from Disassembler (View|Module 'xxx'). Proposed by Christian Martin;
- New shortcut: Ctrl+gray * (asterisk) for "set new origin here";
- Run Trace window optionally displays and logs to file modified flags (C, P, A, Z, S, T, D, O only), controlled by Trace option "Show flags". Proposed by Marcus Matten;
- Small improvement: if there is no break selected in conditional breakpoint window, button "OK" remains disabled until any selection is made;
New plugin functions:
- Callback function ODBG_Paused(int reason,t_reg *registers). Called each time when debugged application is paused;
- Callback function ODBG_Plugincmd(int reason,t_reg *registers,char *cmd). Called when application is paused on conditional breakpoint and this breakpoint contains commands to be passed to plugins, separately for each command. I've modified command-line plugin so that it accepts all commands that begin with point (.), for example: .BP 410024; .G
- If parameter mode in call to Browsefilename() is ORed with 0x80, it opens Save File dialog instead of Open File;
- Function Settracecount(ulong count), called after Settracecondition(), sets number of commands to execute before run trace is paused;
- Function Settracepauseoncommands(char *cmdset), called after Settracecondition(), specifies set of commands to pause at;
- Functions Getbreakpointtypecount(ulong addr,ulong *passcount) and Setbreakpointext(ulong addr,ulong type,char cmd,ulong passcount) support pass count in conditional breakpoints.
And, of course, removed (hopefully)
- Column "Handle" is removed from Threads window. This column falsely displayed handle assigned to thread in OllyDbg. Such handles are meaningless in the context of debugged application;
- Analysis crashed on large modules due to overflow of jump-tracing table. Reported by sonkite;
- Non-standard modules (with size not aligned on 4096 bytes) lost all user-supplied information, like breakpoints or comments;
- On attempt to step over call to ExitThread() or ExitProcess(), OllyDbg attempted to set INT3 breakpoint on next command which in some cases was data. Reported by
- Request to flush gathered run trace data to file wrote invalid commands. Additional tests necessary. Reported by Shinichy Yousho and later by homunculus;
- OllyDbg didn't check that .udd directory specified in .ini file really exists. Reported by Phong Tran;
- After binary edit, Disassembler didn't update selection, so that it was possible that some command is only partially selected. Reported by shanytc;
- OllyDbg crashed when it received command line in form "a.exe %.622496x" or similar. First reported by Shimnobiton, later by wire;
- Dump windows underlined fixups outside the dumped memory area. Reported by Jacob Benoit;
- Hex edit window behaved unpredictably when user moved from one presentation to another and some characters were incomplete. Reported by Jacob Benoit;
- FSAVE/FRSTOR and FLDENV/FSTENV displayed invalid operand size when used with prefix 66. Reported by Alexandr Yakubtchik;
- Analyser hanged (forever or for several minutes) if function with insufficient number of arguments was placed close to the beginning of the memory block. Reported by Jacob Benoit;
- Cosmetical: "Save file" window called GetOpenFileName() instead of GetSaveFileName(). In case of OllyDbg both calls give identical results, except that first marks confirmation button as "Open" and second - "Save". Reported by Hunter;
- ESP was not logged to file opened in Run trace, even if corresponding option was set. Reported by Chromix;
- Given (invalid) command MOV QWORD ,0 (or many others between memory location and constant), Assembler bravely compiled it to code with 8-byte immediate constant! Bug reported by Eric Simmons;
- When opening executable with quoted argument line (a.exe "ab" "cd") for the second time, OllyDbg removed outer quotes (a.exe ab" "cd). This was not my fault, honestly, but a misfeature of GetPrivateProfileString()! Reported by Rudy Penteado.
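The quote-stripping behaviour in the last item can be reproduced and guarded against as follows. This is an added example, not OllyDbg code and not necessarily the fix that was applied: `ini_read_model` is an assumed portable model of the documented rule that GetPrivateProfileString() discards one enclosing pair of quotation marks, and `ini_protect` and `survives_roundtrip` are hypothetical helper names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model (an assumption, not the Windows implementation) of how
   GetPrivateProfileString() returns a stored value: one enclosing pair of
   matching ' or " marks is discarded before the caller sees the string. */
size_t ini_read_model(const char *stored, char *out, size_t outsz)
{
    size_t n = strlen(stored);
    if (outsz == 0) return 0;
    if (n >= 2 && (stored[0] == '"' || stored[0] == '\'') && stored[n - 1] == stored[0]) {
        stored++;                      /* drop the opening mark */
        n -= 2;                        /* and the closing one */
    }
    if (n >= outsz) n = outsz - 1;     /* truncate to fit, always terminate */
    memcpy(out, stored, n);
    out[n] = '\0';
    return n;
}

/* Defensive encoding before writing: always add one sacrificial pair of
   double quotes, so the pair removed on read is never part of the data. */
int ini_protect(const char *value, char *out, size_t outsz)
{
    size_t n = strlen(value);
    if (outsz < 3 || n > outsz - 3) return -1;   /* no room for quotes + NUL */
    out[0] = '"';
    memcpy(out + 1, value, n);
    out[n + 1] = '"';
    out[n + 2] = '\0';
    return 0;
}

/* Save and reload an argument line through the model.
   Returns 1 if the line comes back byte-for-byte identical, else 0. */
int survives_roundtrip(const char *args, int protect)
{
    char stored[4100], loaded[4100];
    if (protect) {
        if (ini_protect(args, stored, sizeof stored) != 0) return 0;
    } else {
        if (strlen(args) >= sizeof stored) return 0;
        strcpy(stored, args);
    }
    ini_read_model(stored, loaded, sizeof loaded);
    return strcmp(loaded, args) == 0;
}

int main(void)
{
    const char *args = "\"ab\" \"cd\"";          /* constructed sample from the text */
    char back[64];
    ini_read_model(args, back, sizeof back);
    printf("stored raw : %s -> read back: %s\n", args, back);
    printf("raw round trip ok: %d, protected round trip ok: %d\n",
           survives_roundtrip(args, 0), survives_roundtrip(args, 1));
    return 0;
}
```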
Version 1.09d removes very annoying bug: crash while copying data to clipboard. I have received more than a dozen bug reports! To everybody who pointed me to this problem: thank you very much again!
- ModRM register operand in SSE instructions like ADDSS XMM0,XMM1 was falsely marked as memory at zero address. Analyzer treated such commands as invalid and interpreted valid SSE code as data. Bug reported by Jussi Kivilinna.
- Patch window now updates on each modification of memory. Problem reported by Maurizio Scarano.
- OllyDbg improperly decoded size of pseudooperand CX/ECX in commands like JCXZ/JECXZ, REP MOVSB or LOOPW/LOOPD. Bug reported by Karel.
Version 2.0 slowly moves forward - too slowly because I'm still very busy on my work and sometimes fall asleep before midnight! As you see, I have really no time :) Speaking seriously, OllyDbg2 code is 900 K large and large parts of it, like GUI, disassembler, dump and manager are functional.
OllyDbg 1.09c is a bugfix that removes most of bugs reported since version 1.09b was released. Other modifications are limited to the few listed below. As always, you are invited to send your opinions, comments and found bugs to [email protected]:
- When stepping or animating, Disassembler window attempts to leave 1 or 2 completely visible strings below current command;
- Run trace saves 16 high-order bits of flag register;
- New global shortcut Ctrl+P opens Patches window;
- OllyDbg exports two new functions: int Attachtoactiveprocess(int newprocessid) and HWND Createpatchwindow(void).
- PEXTRW swapped MMX and general-purpose registers. Bug reported by Valery CLAUDEPIERRE;
- Some error messages were covered by main window when this was set always-on-top. Reported by Phong Tran;
- OllyDbg recognized some absolutely correct PE files as bad due to unhappy section placement. Reported by Phong Tran;
- LOCK was allowed with commands that didn't write to memory. Reported by Alexandr Yakubtchik;
- Assembler reported invalid mnemonics on IN command, because scanner mixed mnemonics with operator IN. Reported by Alexandr Yakubtchik;
- Added support for non-standard short PE Optional Header. Bug reported by masquer;
- When paused on hardware breakpoint, OllyDbg was unable to step over some commands if automatical hardware breakpoints were allowed. Reported by Phong Tran;
- Too long program arguments (longer than 256 bytes) caused OllyDbg to crash due to buffer overflow. First reported by mmmmmKay, confirmed by Isaac and wire;
- Command LEA with 16-bit addressing was reporting 'Superfluous prefix' because it was marked as not accessing memory. Reported by Karel;
- NEAR/FAR modifiers were highlighted with random colours. Reported by Jacob Benoit;
- Problems converting Japanese UNICODE text to multibyte (not checked because I don’t know Japanese). Reported by DokoDon;
- Commands SETZ, SETO... with unused Reg field of ModRegRM byte not equal to 0 were not recognized. Now OllyDbg warns if option "Non-standard command forms" is not active. Reported by Alexandr Yakubtchik;
- OllyDbg assembled and disassembled invalid command MOV CS,R16 without warnings. Reported by Alexandr Yakubtchik;
- If you pressed Alt+F2 (or X on toolbar) but then decided not to close debugged process, OllyDbg nevertheless removed all process data, making debugging impossible. Reported by bundy;
- If size of executable code was shorter than size of section or size of module shorter than 1 memory block, analysis disappeared when scrolling code. Reported by TBD.
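The short PE Optional Header item in the list above comes down to where a loader or debugger looks for the section table. The following is an added example, not OllyDbg code: a bounds-checked lookup that trusts the COFF field SizeOfOptionalHeader instead of a fixed 224-byte PE32 header, next to the fragile shortcut. The function names and the 512-byte sample image are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { PE_OK = 0, PE_TRUNCATED = -1, PE_BAD_SIGNATURE = -2 };
enum { COFF_SIZE = 20, SECTION_SIZE = 40, FULL_OPT32 = 224 };

/* Little-endian accessors that make no alignment assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* True if [off, off+len) fits in a buffer of `size` bytes; cannot wrap around. */
static int in_bounds(size_t size, size_t off, size_t len)
{
    return off <= size && len <= size - off;
}

/* Locate the section table using the header's own SizeOfOptionalHeader. */
int pe_section_table(const uint8_t *buf, size_t size, size_t *table_off, unsigned *nsect)
{
    if (size < 0x40) return PE_TRUNCATED;
    if (buf[0] != 'M' || buf[1] != 'Z') return PE_BAD_SIGNATURE;

    size_t pe = rd32(buf + 0x3C);                      /* e_lfanew */
    if (!in_bounds(size, pe, 4 + COFF_SIZE)) return PE_TRUNCATED;
    if (memcmp(buf + pe, "PE\0\0", 4) != 0) return PE_BAD_SIGNATURE;

    const uint8_t *coff = buf + pe + 4;
    unsigned n = rd16(coff + 2);                       /* NumberOfSections */
    size_t opt_size = rd16(coff + 16);                 /* SizeOfOptionalHeader */
    size_t opt_off = pe + 4 + COFF_SIZE;
    if (!in_bounds(size, opt_off, opt_size)) return PE_TRUNCATED;

    size_t tab = opt_off + opt_size;                   /* table follows the header */
    if (!in_bounds(size, tab, (size_t)n * SECTION_SIZE)) return PE_TRUNCATED;
    *table_off = tab;
    *nsect = n;
    return PE_OK;
}

/* The fragile shortcut: assume every PE32 optional header is 224 bytes. */
size_t naive_section_table(const uint8_t *buf)
{
    return (size_t)rd32(buf + 0x3C) + 4 + COFF_SIZE + FULL_OPT32;
}

/* Constructed sample: 512-byte header area, one section, chosen header size. */
void build_sample(uint8_t img[512], uint16_t opt_size)
{
    if (opt_size > FULL_OPT32) opt_size = FULL_OPT32;  /* keep sample inside 512 bytes */
    memset(img, 0, 512);
    img[0] = 'M'; img[1] = 'Z';
    img[0x3C] = 0x80;                                  /* e_lfanew = 0x80 */
    memcpy(img + 0x80, "PE\0\0", 4);
    wr16(img + 0x84, 0x014C);                          /* Machine = i386 */
    wr16(img + 0x86, 1);                               /* NumberOfSections */
    wr16(img + 0x94, opt_size);                        /* SizeOfOptionalHeader */
    wr16(img + 0x98, 0x010B);                          /* optional header magic: PE32 */
    memcpy(img + 0x98 + opt_size, ".text", 5);         /* name of first section */
}

int main(void)
{
    uint8_t img[512];
    size_t off = 0;
    unsigned n = 0;
    build_sample(img, 96);                             /* short header, no data directories */
    int rc = pe_section_table(img, sizeof img, &off, &n);
    printf("rc=%d table=0x%zx sections=%u name=%.8s\n", rc, off, n, (const char *)(img + off));
    printf("naive offset=0x%zx\n", naive_section_table(img));
    return 0;
}
```

With the 96-byte header the shortcut lands 128 bytes past the real table, and a SizeOfOptionalHeader that points outside the buffer is rejected instead of dereferenced.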
Usually I upload intermediate releases without help. This time help file is partially updated.
Quick bugfixes in 1.09b:
- Due to invalid processing of WM_WINDOWPOSCHANGED in support for "always on top" option, OllyDbg 1.09a was unable to restore maximized MDI windows;
- OllyDbg 1.09a was unable to load plugins from different directory.
- Patch manager is perhaps the most important new feature. OllyDbg remembers all patches applied to debugged application in previous debugging sessions. From the Patch window, you can quickly apply patches or restore original code;
- With one command, you can copy all patches in a module to executable file;
- One MDI window may be declared as "always on top". Attention, in order to support this feature, plugins must pass WM_WINDOWPOSCHANGED to Tablefunction();
- You can specify directories where OllyDbg saves .udd files and searches for plugins;
- If selected command is a jump destination, OllyDbg can display "jump from" path;
- On NT-based systems, Handles window displays list of handles owned by debugged application;
- If command that you type in Assembler dialog contains comment, it will be automatically added to the command;
- You can reswitch between debugging options and appearance without closing options dialog;
- "Search for all intermodular calls" includes predicted calls;
- Option to trace registers in the whole procedure. Previous analyzer predicted registers only within linear pieces of code (without jumps from outside);
- Option that tells Analyzer that unknown functions preserve registers EBX, ESI and EDI. If this is not true, contents of registers may be predicted incorrectly, so use this option with care.
- In call tree, OllyDbg temporarily forgot calls predicted in previous debugging session with register tracing;
- Sometimes OllyDbg created new .udd file (xxx_1, xxx_2 etc.) after each debugging session;
What was new in version 1.09:
- Additionally to MASM and IDEAL disassembling modes, version 1.09 supports also HLA syntax (High Level Assembly, developed by Randall Hyde). HLA is public domain software, you can download it together with documentation and sources from http://webster.cs.ucr.edu;
- Analyzer knows that there is no return from calls to kernel32.ExitThread() and kernel32.ExitProcess() and interprets them as end of procedure;
- If several executable modules have same short 8-byte name, OllyDbg renames them to xxx_1, xxx_2 etc;
- To avoid mixing of .udd files in cases when main file and DLL have same name, or if program uses DLLs with same name that reside in different directories, OllyDbg adds _1, _2 etc. to names of .udd files. This feature is active if option "Security|Ignore path and extention" is unchecked;
- Option to synchronize CPU with source;
- OllyDbg supports relative paths to source files in Borland's debugging information generated by BCC5.5;
- Debugging engine now can step into unknown commands, like SSE2 (new Security option);
- Option to lock stack (i.e. stack window doesn't scroll when stepping);
- Register window displays debug registers DR0..3,6,7. Debug registers are not saved to run trace and you can't modify them. Caveat plugin writers: size of structure t_reg is changed!
- From the dump of executable file, you can jump to its memory image in Disassembler or CPU Dump;
- OllyDbg recognizes "real" (undocumented) SAL instruction but, in accordance to Intel's documentation, assembles it to SHL. Both instructions have same effect;
- New undocumented opcode: ICEBP (INT1);
- Search for address and binary string in stack;
- Option to save width of columns to .ini file;
- Additionally to jumps, CPU info pane, list of known jumps and corresponding menus display local (intramodular) calls to selected instruction;
- If you browse cases, jumps or calls to location in dialog, Disassembler jumps to corresponding commands as you change selection. On Cancel, old selection is restored.
- If you close debugged program (Alt+F2), OllyDbg now correctly closes all associated handles. Open handles made recompilation of executable file impossible;
- When file name contained spaces, under some circumstances symbols after space were interpreted as parameters in command line. This explains, for example, the great mystery of disappearing patches;
- OllyDbg correctly attaches to active process from Task Manager. Caveat: format of JIT record in registry is changed (added quotes around file name), so new version will not recognize old JIT declaration;
- Short (no-operand) forms of INS and OUTS now recognized as I/O commands;
- Corrected invalid decoding and assembling of SSE instructions MOVHLPS and MOVLPS. Intel made it hard: MOVHLPS is a register-register and MOVLPS is a register-memory form of the same command, and they behave differently...
- Sometimes OllyDbg crashed on "Execute till return". Here I forgot to check for a possible NULL pointer;
- Even when main module resides in system directory, it is considered now user code;
- Several cosmetical improvements.
Having my Christmas vacations, I decided to add one more feature to OllyDbg. One hour later, I understood that elegant solution is not possible without global modifications of existing data structures... and suddenly I found myself creating new project and writing first lines of new debugger, OllyDbg 2.
So now it is clear: there will be the second version. At a first glance, it will look very familiar: same windows, similar commands, no colourful buttons or nerving assistants... Internally, however, I will change almost everything.
Debugging engine and disassembler will be redesigned from scratch. New OllyDbg will support SSE2. Analyzer will recognize inlined functions (like strcpy) and predict contents of registers in the whole procedure, decode standard structures and log return values of API functions, recognize loop variables and SE handlers. Run trace will be significantly accelerated, I plan to reach tracing speed up to 250000 commands per second. Source debugging will be improved. Bad news: existing plugins will be not compatible. New OllyDbg will be even more memory-hungry than its predecessor.
I will continue development of old OllyDbg till version 1.10. Apart from bugfixes, there will be only two significant new features: HLA support and option to read map files. If necessary, I will release bugfixes even after version 2.00 will be released. (However, don't expect it before summer).
Two days after I have uploaded 1.08, a nasty new bug was reported: Assembler was unable to compile PUSH const. This error was a result of another last-minute bugfix. Version 1.08a corrected this frequently used command.
Next day, another red alert came: run trace
invalid values of registers EAX and ECX. Due to importance of run trace in program analysis, I was forced to replace 1.08a with 1.08b. Another small correction removes possible GPF in heap
What's new since 1.06
Since the last "stable" release 1.06, I've added lots of new features and corrected many errors. Full list of all changes is too long to place it here, I'll briefly describe only the most important of them.
Perhaps the most important new feature in OllyDbg 1.08 is its ability to read debugging information in numerous Microsoft formats, including CodeView, COFF, PDB and SYM, as implemented in dbghelp.dll. This redistributable file is included into .zip archive.
Command-line plugin implements command line in OllyDbg. Its source code is available under GPL.
Analysis was strongly improved. It recognizes loops and switches, attempts to suggest the meaning of separate switch cases, recognizes SE handlers and automatically extends functions with variable number of arguments. Sequences similar to ADD ESP,-4; FSTP [DWORD SS:EBP] are recognized as floating point pushes. With some restrictions, analysis recognizes RETs misused as JMPs. Using analysis data, information pane in CPU window (placed directly under Disassembler) shows list of all jumps to the current location. From the pop-up menu, you can quickly locate each jump. And, as a useful extra, you can analyze all modules at once.
New command "Search for|All intermodular calls" walks through the code and locates all calls with the final destination outside the current module, for example, all API calls, even loaded with GetProcAddress(). I was frequently asked questions like "How could I set breakpoint on all calls to MessageBoxA?" Now it is very easy, just a few mouse clicks...
Call stack backtraces the chain of calls and displays arguments of known or suggested functions on the stack, even if functions use non-standard prologs and epilogs. For every analyzed procedure, call tree shows which functions call it and which functions it calls.
List of windows displays basic window information (class and window function, parent, styles) and allows to set breakpoints on class, single window or on selected messages or message groups.
Heap list displays all memory blocks allocated by debugged application on the heap. Unfortunately, this feature is not available on NT-based systems (NT, 2000, XP).
CPU Dump supports history of previous displayed locations. You may walk this history using same shortcuts as in Disassembler ('-' and '+').
Syntax highlighting facilitates the readability of Assembler code. You can highlight different types of commands, such as FPU/MMX/SSE, jumps and conditional jumps, pushes and pops, calls, returns, privileged, bad and filling commands. Optional highlighting of operands recognizes general, FPU/SSE and segment/system registers, memory operands on the stack (i.e. accessed via ESP or EBP) and in ordinary memory, or constants that are valid memory addresses and all other constants.
Execution till user code (shortcut: Alt+F9) allows to return back to debugged application from the system code. DLL is considered system if it resides in system directory.
Assembler supports AMD-specific instructions SYSCALL and SYSRET, undocumented command FFREEP STn and alias mnemonics JNAE, JAE and SAL.
Expressions allow for several thousands symbolic constants, like WM_PAINT or O_RDONLY. New arithmetical operation 'IN' in expressions allows for easy specification of ranges.
And, of course, multiple bugfixes.
Bugs found during beta tests
This debugging session was the most successful in the history of OllyDbg. I was literally overflooded with your bug reports. To emphasize the high quality of bug hunting, I'll just mention that almost half of found bugs existed already in version 1.06:
FoRrEsT GuMp: OllyDbg is unable to locate and/or process information generated by MASM 7 - clarified, dbghelp.dll supplied with WinXP is not 100% backward-compatible (?)
Jacob Benoit: Shift+BkSpc pressed several times in hex editor puts it into locked state - corrected
Jacob Benoit: "Warn if not an adminstrator" - corrected
Alexandr Yakubtchik: Message "Process xxxx is active... Do you really want to terminate..?" is very annoying - corrected, new security option allows to close process without confirmation
Olly: When copying contents of the whole log window to clipboard, lines appeared in the inverse order - corrected
Udi Shitrit: OllyDbg is unable to find debug info for loaded DLLs - corrected (I hope)
Killy: If OllyDbg stops at entry to SFX extractor, there is no way to restore breakpoints and analysis later - postponed to 1.09
savage: On startup, CPU columns have invalid width when non-default fonts are restored from .ini file - corrected
savage: Color of border around CPU windows is not restored from .ini - corrected
Ben: Removing OllyDbg from Explorer menu doesn't work - corrected
M.A.Estro: OllyDbg crashes when one attempts to customize highlighting - oh no, yet another buffer overrun! corrected
Olly: Stack allows for "Go to" even if there is no program to debug - corrected
Olly: Button "Restore defaults" in Code highlighting was placed outside the visible area - corrected
Udi Shitrit: Problems with analysis when using CODEVIEW debug info - corrected... I hope
Ricardo Narvaja: "Find references to|Selected command" and "Search for|All referenced text strings" don't show results - clarified
Che Ming: OllyDbg is unable to read .sym files - corrected
Greg Hoglund: during startup OllyDbg should enable the debug privileges - done
Julien de Sainte Marie: if the main window is set as "Always on Top", error msgbox is displayed under the window - processing
Olly: When program is running, source window displays EIP marker in random position - corrected
Olly: Names window displays number of arguments for all labels within the function - corrected
Jeffrey Riaboy: Pressing Alt key doesn't move focus to the main OllyDbg menu - corrected
Alexandr Yakubtchik: Program linked with /ALIGN:0x200 crashes OllyDbg - corrected!
X05: Problems with DebugBreak on Win2000 SP3 - corrected, but there are problems with Win95: I can't distinguish between system breakpoint and call to DebugBreak
Udi Shitrit: Problems locating debugging information - corrected
Robin Keir: Invalid decoding of arguments for function socket() - corrected
Ben: Any dropdown combobox under XP suspends corresponding dialog until user clicks several times around - unable to reproduce
Rudy Penteado: OllyDbg irreproducibly loses track for the code analysis (possibly because it uses old analysis data) - clarified
DiamondCS: When new application is loaded, Name windows disappear but corresponding menu items remain in Windows menu - corrected
DiamondCS: Some newly opened windows don't appear in Windows menu - I think, this error was induced by a previous one
Alex Koegel: Short and long hex dumps should not truncate leading zeros because many utilities expect them while cut'n'pasting - I agree, corrected
Ben: When clicking on analyzed self-modifying code, OllyDbg selects wrong line(s) - OllyDbg silently assumes that executable code doesn't change. The only reliable solution would be to keep the copy of executable code at the moment of analysis. As a workaround, repeat or remove analysis. Sorry...
Ricardo Narvaja: OllyDbg is unable to step over F2:3410 (REPNE XOR AL,10) - Although this command is in theory invalid, most (if not all) processors ignore REP/REPNE, corrected
Olly: When CPU window is minimized and OllyDbg terminates, in the next session CPU pane limits are messed up - corrected
Sungazer: When highlighted disassembly is copied to clipboard or file, text is unreadable - corrected
Ricardo Narvaja: Memory breakpoint on stack doesn't work - Uh-oh, two bugs at once. First, OllyDbg didn't check implicit memory operands of PUSH/POPs; second, Win95 removes memory breakpoint set in the stack - corrected
tOXIKO: When command is a jump destination but not a jump itself, "Find references to" proposes to search for references to a jump destination - corrected
DiamondCS: OllyDbg doesn't redraw Modules window when application gets closed from the main menu (Debug|Close) - corrected