What's new in OllyDbg

Version 2.0

Hopefully I will have more time now for version 2.0. Currently I'm working on analyzer. Global prediction of the contents of registers and stack is practically finished. This was a very hard piece, and initially veeery slow, but today I've found the way to accelerate it by the factor 100+. Next I plan to implement known functions. Debugging engine will follow.

Of course, OllyDbg 2.0 will work on all existing versions of 32-bit Windows: 95, 98, ME, NT4, 2000 and XP. I don't know whether it will make sense to play with Server 2003 at all, and Longhorn is not yet ready.

Several weeks ago I've asked for help in the form of different Windows versions that I'm going to use for debugging purposes. Honestly, I haven't hoped for so many offers:
  • Windows 98 and/or 98 SE
  • Windows ME (Tony, this was a nice gift!)
  • Windows 2000 home and/or professional (thank you, Rudy! No such thing as a home edition?)
  • Windows XP home and/or professional (thank you, Peter!)
  • Windows Server 2003 (many thanks, Casey!)
And my very special thanks to Reinhard - his post completed my collection! So please send me no more Windows, now I have them all :)


Modified PDK from Alex Clarke. He wrote:

Oleh,
 
Firstly congratulations and thanks for OllyDbg - it's incredibly good. I've been playing with the SDK using C++ for a plugin. I've made a few modifications that make the SDK header work better when using it in C++ code in (at least) a couple of newer C++ compilers (namely Borland C++ builder v1 and Visual Studio.net). They also remove various errors/warnings and the need for unsigned characters (when compiling .cpp's) or forcing byte packing (any source file). Finally I've got intellisense working with the SDK (the code hints in VisC).
 
Here's how the edits work:
 
Firstly, forcing compilation with 'chars unsigned as default' (when used from a .cpp file) is not as much of a problem when using the SDK from genuine C++ (i.e. when compiling a file with a .cpp extension). The ANSI standard prohibits implicit casting between signed char *, unsigned char * and char *. Since you've explicitly declared all the necessarily unsigned char params/returns, Visual C++.net causes an error if this is attempted regardless of the compiler switch setting. Borland C++ builder (v1 - using the older ANSI rules) warns about mixing types, but I'm pretty sure later versions will kick them out. I appreciate that there is a problem with sign extension when using the implied conversions, but this doesn't appear as if it will be a problem in your API.
 
You don't need to compile with 'byte packing' anymore (when using plugin.h from either a .c or .cpp) - pushing/popping the packing for definitions for the necessary structures and 'envelopes' should be sufficient (the bookmark plugin is fine from both compilers).
 
I've noticed that you return an enum in the Getstatus API. I've had a number of problems with sending enums out of C++Builder, the reason being that they are treated as bytes rather than longs if only small values are defined for the type. I don't think that returning them will be any problem, but you may get problems with builder if they are passed into the routines. As a cautionary measure I have added the #pragmas to declare your enums as longs (i'm guessing borland C++ compiler supports this but don't know for sure). It should allow safe enumeration of several of the sets of defines if desired.
 
Intellisense didn't work. This is because it makes globally declared type info available, but not global function prototypes unless they are in a namespace or the code body is declared in the project somewhere. I've put a namepace 'ODBG' around (just) the function declarations, and a 'using namespace ODBG' command to make it behave exactly as before when the functions are not called in the global scope, but if you stick ODBG:: in front of a function call you'll get a hint. Also I've tidied up the extern "C"'s (should make older versions of intelisense / newer versions of builder give more readable hints).
 
Afterthought: Thrown in a header #ifdef block to stop cyclic includes too.
 
Find attached the modified header, the import lib produced for builder and the def file/import lib for vc7. The libs may work in different versions of the respective compilers. VS.net didn't like the VC50 one, but builder seemed to be fine with the borland one (sending mine for the sake of completion).
 
Hope that's useful.
 
AL :)
 
Alex Clarke

Thank you, Clarke! And here is the ZIP file. Note, however, that I haven't checked it - as always, use at your own risk!

Version 1.10 - final

Some errors reported for v1.10, but they all seem to originate in plugins. So now I declare it final release. Project OllyDbg 1.xx is closed. Now I will be able to continue my work on v2.0. When will it be ready? Honestly, I don't know. Currently I'm working on a couple of not so ambitious private projects (not related to debugging), so progress will be not too fast. Hopefully I'll finish it before 80x86 architecture in general and Windows in particular get obsolete :))

I have also updated the Plugin Development Kit. You may download the actual version here.

From time to time, but not too frequently, I will inform you here on the progress. My first major goal is strongly improved analysis with much better prediction of registers. Next I will try to accelerate run trace, which seems to be a very powerful method of debugging, by executing or emulating simple commands in the context of Debugger. Also I have some vague plans for a built-in compileable scripting language... So don't feel you sad, the future will be bright anyway!..

Oleh Yuschuk, a.k.a. Olly
June 11, 2004


Version 1.10 - preliminary release

I have corrected nasty crash on right click. File odbg110.zip includes also updated help and version 1.10 of command line plugin. If you report no critical errors, this version will be declared final in a week.

Command-line plugin now allows you to modify memory and registers, like:

SET EAX=0
CL=[BYTE 410000]
SET [461234]=ESI+1

To issue commands from conditional logging breakpoint, precede them with a point: .EAX=0. Plugin's source, together with the new plugin API, will be uploaded in a week, too.


Version 1.10c - third (final) beta

This is the last beta. There will be no more new features. For about two weeks I will update the documentation and wait for your bug reports. If nothing unforeseen will happen, I will make final release, close this project and renew my work on v2.0.

New features:

  • Now you can set analysis hints to force decoding of some byte sequences. To set hint, select piece of code or data and from the pop-up menu choose Analysis|Treat selection as, then your selection. Selections in singular form set hint only on the first byte, in plural - repeatedly on the whole selection. Proposed by Eric Simmons and others. First I answered that this feature would be too significant for v1.10; now, after considering all possibilities, I've found more or less safe way to do this. Please check!
  • If debugged DLL has entry point, OllyDbg makes first pause on this entry point, then in LOADDLL.EXE. Proposed by Richard Ginzburg.
  • Disassembler will display, on your request, RET instead of RETN. Proposed by Ib Larsen.
  • Run Trace window now supports syntax highlighting. Proposed by X Shadow.
  • If command uses immediate constant that points to valid command in code, Disassembler adds menu item "Follow immediate constant". Proposed by KolAn and Paul Guerra.
  • New copy-to-clipboard options: whole Information pane, line of Run trace window. Proposed by sett07.
  • Option to mark DLL as system or non-system. Important for Run trace where you may request to trace over calls to system DLLs.
  • If doubleword in Stack points to stack, press Enter to follow it. Proposed by CoDe_Inject.
  • Maximal length of argument string is changed from 1024 to 4096 characters. Requested by BlackArT.
  • New CPU option: now you can specify the number of lines visible after current command during stepping and tracing. Proposed by Phong Tran and others.
  • ODBG_Pausedex(reasonex,extmode,registers,debugevent) extends functionality of ODBG_Paused(reason,registers). Many requests. Extended flags in reasonex proposed by Richard.
  • Listmemory() is now exported. Requested by lixg00.

There are many more requests in my list, but, unfortunately, they will not appear in the final release. Usually this is due to their complexity that may aversely influence the reliability of v1.10. I have transferred all such requests to the list of wishes for version 2.0. Sorry.

Removed bugs:

  • Registers menu option "Copy all registers to clipboard" now copies EAX, too. Reported by many contributors.
  • In code with non-standard alignment of sections, analysis and displayed code were desynchronized, so click on some line selected different line. Reported by comrade.
  • Menu "Follow in Dump" now displays more intuitive items if one of operands is implicit stack location (like in PUSH). Reported by Jacob Benoit.
  • OllyDbg now correctly disassembles VxDCall and VxDJump used by Win95 drivers. However, it assembles them to the same code. In almost improbable case that anybody will use this pseudocommand, user must correctly set bit 0x00008000 to distinguish between call and jump. Reported by Jacob Benoit.
  • OllyDbg compiled REP STOS FWORD [EDI] and similar nonsense to REP STOS DWORD [EDI]. Reported by Paul Guerra.
  • OllyDbg now adds "Open with OllyDbg" to Explorer's menu in DLLs. Reported by Truong Quoc Ngan.
  • Names window sometimes lost its contents after new modules were loaded. Reported by William Whistler.

If your bug is not here, this means that I was unable to reproduce it. In this case, please send me the detailed, step-by-step, sequence of actions. Don't forget to mention the version of your OS!


Vesrion 1.10b - second beta

There is a big useful new feature: OllyDbg now can debug standalone DLLs. Just drop DLL into OllyDbg and see what happens. A brief  walkthrough is available here. Also new is a SEH chain window. Other changes:

  • A very useful option to remove analysis from selection (shortcut: Backspace);
  • Attach window is resizeable (and even maximizable);
  • New stack commands: push doubleword and pop doubleword;
  • Option to copy all registers to clipboard.

Removed bugs:

  • Assembler supports simplified form of IMUL: IMUL reg,const. This command is disassembled as IMUL reg,reg,const. One cannot search for IMUL using imprecise register (IMUL R32,CONST - use IMUL R32,R32,CONST instead). Reported by Alexandr Yakubtchik.
  • Disassembler used address size instead of operand size to decode size of immediate offset (JMP FAR ssss:oooooooo). Reported by Karel;
  • Tabs in source text in Disassembler comments and info pane were displayed as small rectangles. Now they are extended to at most 8 spaces. Reported by Karel;
  • ARPL was decoded with 32-bit size of operands (correct decoding is ARPL r/m16,r16). Reported by Karel;
  • OllyDbg now should correctly work in multi-monitor configurations, but I am unable to verify this. Please check! Reported by Roel Verdult;
  • 2-byte INT 3 (CD 03) was processed incorrectly. Reported by roticv.
That's all, enjoy and don't forget to report bugs! Unfortunately I'm very busy now and cannot answer to you emails instantly, sorry. But, earlier or later, I'll read then all :)



Version 1.10 - first beta

The list of improvements and corrected bugs is already long, significantly longer than I've expected. I haven't finished yet with old wishes and bug reports, and every day become several new. So I decided to post preliminary, raw beta in the hope that your feedback will help to improve the quality of final code. Remember, v1.10 is the last planned - afterwards I'll concentrate on OllyDbg 2!

What's new here:

  • On break, conditional logging breakpoints can pass several text commands to plugins, see description of ODBG_Plugincmd() below.
  • New Security option: "Save user data outside any module to main .udd file". Allows to keep breakpoints and comments that belong to no particular module. CAVEAT: data is saved relative to main program and will be corrupted if external code or main executable are reallocated (this is possible, at least in theory). Proposed by Francis Crick;
  • Trace condition (Ctrl+T) includes option to pause trace after specified number of commands is executed (more exactly, added to run trace).Counter restarts automatically. Proposed by Marcus Matten;
  • Conditional logging breakpoints support pass counter. For example, if you set pass counter to 100, OllyDbg will skip first 100 occurences of breakpoint and pause on 101st. Note that pass counter is not restartable and is not saved to .udd file. Proposed by many contributors. CAVEAT: I have extended structure t_bpoint to fit counter, any plugin that accesses it directly will fail! (AFAIK, there are as yet no plugins that directly access t_bpoint).
  • Possibility to reswitch to different module directly from Disasembler (View|Module 'xxx'). Proposed by Christian Martin;
  • New shortcut: Ctrl+gray * (asterisk) for "set new origin here";
  • Run Trace window optionally displays and logs to file modified flags (C, P, A, Z, S, T, D, O only), controlled by Trace option "Show flags". Proposed by Marcus Matten;
  • Small improvement: if there is no break selected in conditional breakpoint window, button "OK" remains disabled until any selection is made;

New plugin functions:

  • Callback function ODBG_Paused(int reason,t_reg *registers). Called each time when debugged application is paused;
  • Callback function ODBG_Plugincmd(int reason,t_reg *registers,char *cmd). Called when application is paused on conditional breakpoint and this breakpoint contains commands to be passed to plugins, separately for each command. I've modified command-line plugin so that it accepts all commands that begin with point (.), for example: .BP 410024; .G
  • If parameter mode in call to Browsefilename() is ORed with 0x80, it opens Save File dialog instead of Open File;
  • Function Settracecount(ulong count), called after Settracecondition(), sets number of commands to execute before run trace is paused;
  • Function Settracepauseoncommands(char *cmdset), called after Settracecondition(), specifies set of commands to pause at;
  • Functions Getbreakpointtypecount(ulong addr,ulong *passcount) and Setbreakpointext(ulong addr,ulong type,char cmd,ulong passcount) support pass count in conditional breakpoints.

And, of course, removed (hopefully) bugs:

  • Column "Handle" is removed from Threads window. This column falsely displayed handle assigned to thread in OllyDbg. Such handles are meaningless in the contents of debugged application;
  • Analysis crashed on large modules due to overflow of jump-tracing table. Reported by sonkite;
  • Non-standard modules (with size not aligned on 4096 bytes) lost all user-supplied information, like breakpoints or comments;
  • On attempt to step over call to ExitThread() or ExitProcess(), OllyDbg attempted to set INT3 breakpoint on next command which in some cases was data. Reported by Udi Shitrit;
  • Request to flush gathered run trace data to file wrote invalid commands. Additional tests necessary. Reported by Shinichy Yousho and later by homunculus;
  • OllyDbg haven't checked that .udd directory specified in .ini file really exists. Reported by Phong Tran;
  • After binary edit, Disassembler haven't updated selection, so that it was possible that some command is only partially selected. Reported by shanytc;
  • OllyDbg crashed when it received command line in form "a.exe %.622496x" or similar. First reported by Shimnobiton, later by wire;
    Dump windows underlined fuxups outside the dumped memory area. Reported by Jacob Benoit;
  • Hex edit window behaved unpredictably when user moved from one presentation to another and some characers were incomplete. Reported by Jacob Benoit;
  • FSAVE/FRSTOR and FLDENV/FSTENV displayed invalid operand size when used with prefix 66. Reported by Alexandr Yakubtchik;
  • Analyser hanged (forever or for several minutes) if function with insufficient number of arguments was placed close to the beginning of the memory block. Reported by Jacob Benoit;
  • Cosmetical: "Save file" window called GetOpenFileName() instead of GetSaveFileName(). In case of OllyDbg both calls give identical results, except that first marks confirmation button as "Open" and second - "Save". Reported by Hunter;
  • ESP was not logged to file opened in Run trace, even if corresponding option was set. Reported by Chromix;
  • Given (invalid) command MOV QWORD [1234],0 (or many others between memory location and constant), Assembler bravely compiled it to code with 8-byte immediate constant! Bug reported by Eric Simmons;
  • When opening executable with quoted argument line (a.exe "ab" "cd") for the second time, OllyDbg removed outer quotes (a.exe ab" "cd). This was not my fault, honestly, but a misfeature of GetPrivateProfileString()! Reported by Rudy Penteado.

OllyDbg 1.09d

Download v1.09d now

Version 1.09d removes very annoying bug: crash while copying data to clipboard. I have recived more than a dozen bug reports! To everybody who pointed me to this problem: thank you very much again!

Other bugfixes:

  • ModRM register operand in SSE instructions like ADDSS XMM0,XMM1 was falsely marked as memory at zero address. Analyzer treated such commands as invalid and interpreted valid SSE code as data. Bug reported by Jussi Kivilinna.
  • Patch window now updates on each modification of memory. Problem reported by Maurizio Scarano.
  • OllyDbg improperly decoded size of pseudooperand CX/ECX in commands like JCXZ/JECXZ, REP MOVSB or LOOPW/LOOPD. Bug reported by Karel.
Hey, what about v2.0?..

Version 2.0 slowly moves forward - too slowly because I'm still very busy on my work and sometimes fall asleep before midnight! As you see, I have really no time :) Speaking seriously, OllyDbg2 code is already 900 K large and large parts of it, like GUI, disassembler, dump and thread manager are functional.
 


OllyDbg 1.09c

OllyDbg 1.09c is a bugfix that removes most of bugs reported since version 1.09b was released. Other modifications are limited to the few listed below. As always, you are invited to send your opinions, comments and found bugs to [email protected]:

  • When stepping or animating, Disassembler window attempts to leave 1 or 2 completely visible strings below current command;
  • Run trace saves 16 high-order bits of flag register;
  • New global shortcut Ctrl+P opens Patches window;
  • OllyDbg exports two new functions: int Attachtoactiveprocess(int newprocessid) and HWND Createpatchwindow(void).
Bugfixes:
  • PEXTRW swapped MMX and general-purpose registers. Bug reported by Valery CLAUDEPIERRE;
  • Some error messages were covered by main window when this was set always-on-top. Reported by Phong Tran;
  • OllyDbg recognized some absolutely correct PE files as bad due to unhappy section placement. Reported by Phong Tran;
  • LOCK was allowed with commands that didn't write to memory. Reported by Alexandr Yakubtchik;
  • Assembler reported invalid mnemonics on IN command, because scanner mixed mnemonics with operator IN. Reported by Alexandr Yakubtchik;
  • Added support for non-standard short PE Optional Header. Bug reported by masquer;
  • When paused on hardware breakpoint, OllyDbg was unable to step over some commands if automatical hardware breakpoints were allowed. Reported by Phong Tran;
  • Too long program arguments (longer than 256 bytes) caused OllyDbg to crash due to buffer overflow. First reported by mmmmmKay, confirmed by Isaac and wire;
  • Command LEA with 16-bit addressing was reporting 'Superfluous prefix' because it was marked as not accessing memory. Reported by Karel;
  • NEAR/FAR modifiers were highlighted with random colours. Reported by Jacob Benoit;
  • Problems converting Japanese UNICODE text to multibyte (not checked because I don’t know Japanese). Reported by DokoDon;
  • Commands SETZ, SETO... with unused Reg field of ModRegRM byte not equal to 0 were not recognized. Now OllyDbg warns if option "Non-standard command forms" is not active. Reported by Alexandr Yakubtchik;
  • OllyDbg assembled and disassembled invalid command MOV CS,R16 without warnings. Reported by Alexandr Yakubtchik;
  • If you pressed Alt+F2 (or X on toolbar) but then decided not to close debugged process, OllyDbg nevertheless removed all process data, making debugging impossible. Reported by bundy;
  • If size of executable code was shorter than size of section or size of module shorter than 1 memory block, analysis disappeared when scrolling code. Reported by TBD.



OllyDbg 1.09b

Usually I upload intermediate releases without help. This time help file is partially updated.

Quick bugfixes in 1.09b:

  • Due to invalid processing of WM_WINDOWPOSCHANGED in support for "always on top" option, OllyDbg 1.09a was unable to restore maximized MDI windows;
  • OllyDbg 1.09a was unable to load plugins from different directory.
New features:
  • Patch manager is perharps the most important new feature. OllyDbg remembers all patches applied to debugged application in previous debugging sessions. From the Patch window, you can quickly apply patches or restore original code;
  • With one command, you can copy all patches in a module to executable file;
  • One MDI window may be declared as "always on top". Attention, in order to support this feature, plugins must pass WM_WINDOWPOSCHANGED to Tablefunction();
  • You can specify directories where OllyDbg saves .udd files and searches for plugins;
  • If selected command is a jump destination, OllyDbg can display "jump from" path;
  • On NT-based systems, Handles window displays list of handles owned by debugged application;
  • If command that you type in Assembler dialog contains comment, it will be automatically added to the command;
  • You can reswitch between debugging options and appearance without closing options dialog;
Improved analysis:
  • "Search for all intermodular calls" includes predicted calls;
  • Option to trace registers in the whole procedure. Previous analyzer predicted registers only within linear pieces of code (without jumps from outside);
  • Option that tells Analyzer that unknown functions preserve registersEBX, ESI and EDI. If this is not true, contents of registers may be predicted incorrectly, so use this option with care.
Bugfixes:
  • In call tree, OllyDbg temporarily forgot calls predicted in previous debugging session with register tracing;
  • Sometimes OllyDbg created new .udd file (xxx_1, xxx_2 etc.) after each debugging session;


What was new in version 1.09:
  • Additionally to MASM and IDEAL disassembling modes, version 1.09 supports also HLA syntax (High Level Assembly, developed by Randall Hyde). HLA is public domain software, you can download it together with documentation and sources from http://webster.cs.ucr.edu;
  • Analyzer knows that there is no return from calls to kernel32.ExitThread() and kernel32.ExitProcess() and interpretes them as end of procedure;
  • If several executable modules have same short 8-byte name, OllyDbg renames them to xxx_1, xxx_2 etc;
  • To avoid mixing of .udd files in cases when main file and DLL have same name, or if program uses DLLs with same name that reside in different directories, OllyDbg adds _1, _2 etc. to names of .udd files. This feature is active if option "Security|Ignore path and extention" is unchecked;
  • Option to synchronize CPU with source;
  • OllyDbg supports relative pathes to source files in Borland's debugging information generated by BCC5.5;
  • Debugging engine now can step into unknown commands, like SSE2 (new Security option);
  • Option to lock stack (i.e. stack window doesn't scroll when stepping);
  • Register window displays debug registers DR0..3,6,7. Debug registers are not saved to run trace and you can't modify them. Caveat plugin writers: size of structure t_reg is changed!
  • From the dump of executable file, you can jump to it's memory image in Disassembler or CPU Dump;
  • OllyDbg recognizes "real" (undocumented) SAL instruction but, in accordance to Intel's documentation, assembles it to SHL. Both instructions have same effect;
  • New undocumented opcode: ICEBP (INT1);
  • Search for address and binary string in stack;
  • Option to save width of columns to .ini file;
  • Additionally to jumps, CPU info pane, list of known jumps and corresponding menus display local (intramodular) calls to selected instruction;
  • If you browse cases, jumps or calls to location in dialog, Disassembler jumps to corresponding commands as you change selection. On Cancel, old selection is restored.
Bugfixes:
  • If you close debugged program (Alt+F2), OllyDbg now correctly closes all associated handles. Open handles made recompilation of executable file impossible;
  • When file name contained spaces, under some circumstances symbols after space were interpreted as parameters in command line. This explains, for example, the great mystery of disappearing patches;
  • OllyDbg correctly attaches to active process from Task Manager. Caveat: format of JIT record in registry is changed (added quotes arond file name), so new version will not recognize old JIT declaration;
  • Short (no-operand) forms of INS and OUTS now recognized as I/O commands;
  • Corrected invalid decoding and assembling of SSE instructions MOVHLPS and MOVLPS. Intel made it hard: MOVHLPS is a register-register and MOVLPS is a register-memory form of the same command, and they behave differently...
  • Sometimes OllyDbg crashed on "Execute till return". Heer I forgot to check for a possible NULL pointer;
  • Even when main module resides in system directory, it is considered now user code;
  • Several cosmetical improvements.




OllyDbg 2

Having my Christmas vacations, I decided to add one more feature to OllyDbg. One hour later, I understood that elegant solution is not possible without global modifications of existing data structures... and suddenly I found myself creating new project and writing first lines of new debugger, OllyDbg 2.

So now it is clear: there will be the second version. At a first glance, it will look very familiar: same windows, similar commands, no colourful butons or nerving assistents... Internally, however, I will change almost everything.

Debugging engine and disassembler will be redesigned from scratch. New OllyDbg will support SSE2. Analyzer will recognize inlined functions (like strcpy) and predict contents of registers in the whole procedure, decode standard structures and log return values of API functions, recognize loop variables and SE handlers. Run trace will be significantly accelerated, I plan to reach tracing speed up to 250000 commands per second. Source debugging will be improved. Bad news: existing plugins will be not compatible. New OllyDbg will be even more memory-hungry than its predecessor.

I will continue development of old OllyDbg till version 1.10. Apart from bugfixes, there will be only two significant new features: HLA support and option to read map files. If necessary, I will release bugfixes even after version 2.00 will be released. (However, don't expect it before summer).



Why 1.08b

Two days after I have uploaded 1.08, a nasty new bug was reported: Assembler was unable to compile PUSH const. This error was a result of another last-minute bugfix. Version 1.08a corrected this frequently used command.

Next day, another red alert came: run trace saved invalid values of registers EAX and ECX. Due to importance of run trace in program analysis, I was forced to replace 1.08a with 1.08b. Another small correction removes possible GPF in heap window. Sorry...
 

What's new since 1.06

Since the last "stable" release 1.06, I've added lots of new features and corrected many errors. Full list of all changes is too long to place it here, I'll briefly describe only the most important of them.

Perharps the most important new feature in OllyDbg 1.08 is its ability to read debugging information in numerous Microsoft formats, including CodeView, COFF, PDB and SYM, as implemented in dbghelp.dll. This redistributable file is included into .zip archive.

Command-line plugin implements command line in OllyDbg. Its source code is available under GPL.

Analysis was strogly improved. It recognizes loops and switches, attemts to suggest the meaning of separate switch cases, recognizes SE handlers and automatically extends functions with variable number of arguments. Sequences similar to ADD ESP,-4; FSTP [DWORD SS:EBP] are recognized as floating point pushes. With some restrictions, analysis recognizes RETs misused as JMPs. Using analysis data, information pane in CPU window (placed directly under Disassembler) shows list of all jumps to the current location. From the pop-up menu, you can quickly locate each jump. And, as a useful extra, you can analyze all modules at once.

New command "Search for|All intermodular calls" walks through the code and locates all calls with the final destination outside the current module, for example, all API calls, even loaded with GetProcAddress(). I was frequently asked questions like "How could I set breakpoint on all calls to MessageBoxA?" Now it is very easy, just a few mouse clicks...

Call stack backtraces the chain of calls and displays arguments of known or suggested functions on the stack, even if functions use non-standard prologs and epilogs. For every analyzed procedure, call tree shows which functions call it and which functions it calls.

List of windows displays basic window information (class and window function, parent, styles) and allows to set breakpoints on class, single window or on selected messages or message groups.

Heap list displays all memory blocks allocated by debugged application on the heap. Unfortunately, this feature is not available on NT-based systems (NT, 2000, XP).

CPU Dump supports history of previous displayed locations. You may walk this history using same shortcuts as in Disassembler ('-' and '+').

Syntax highlighting facilitates the readability of Assembler code. You can highlight different types of commands, such as FPU/MMX/SSE, jumps and conditional jumps, pushes and pops, calls, returns, privileged, bad and filling commands. Optional highlighting of operands recognizes general, FPU/SSE and segment/system registers, memory operands on the stack (i.e. accessed via ESP or EBP) and in ordinary memory, or constants that are valid memory addresses and all other constants.

Execution till user code (shortcut: Alt+F9) allows to return back to debugged application from the system code. DLL is considered system if it resides in system directory.

Assembler supports AMD-specific instructions SYSCALL and SYSRET, undocumented command FFREEP STn and alias mnemonics JNAE, JAE and SAL.

Expressions allow for several thousands symbolic constants, like WM_PAINT or O_RDONLY. New arithmetical operation 'IN' in expressions allows for easy specification of ranges.

And, of course, multiple bugfixes.



Bugs found during beta tests

This debugging session was the most successfull in the history of OllyDbg. I was literally overflooded with your bug reports. To emphasize the high quality of bug hunting, I'll just mention that almost half of found bugs existed already in version 1.06:

FoRrEsT GuMp: OllyDbg is unable to locate and/or process debugging information generated by MASM 7 - clarified, dbghelp.dll supplied with WinXP is not 100% backward-compatible (?)
Jacob Benoit: Shift+BkSpc pressed several times in hex editor puts it into locked state - corrected
Jacob Benoit: "Warn if not an adminstrator" - corrected
Alexandr Yakubtchik: Message "Process xxxx is active... Do you really want to terminate..?" is very annoying - corrected, new security option allows to close process without confirmation
Olly: When copying contents of the whole log window to clipboard, lines appeared in the inverse order - corrected
Udi Shitrit: OllyDbg is unable to find debug info for loaded DLLs - corrected (I hope)
Killy: If OllyDbg stops at entry to SFX extractor, there is no way to restore breakpoints and analysis later - postponed to 1.09
savage: On startup, CPU columns have invalid width when non-default fonts are restored from .ini file - corrected
savage: Color of border around CPU windows is not restored fom .ini - corrected
Ben: Removing OllyDbg from Explorer menu doesn't work - corrected
M.A.Estro: OllyDbg crashes when one attempts to customize highlighting - oh no, yet another buffer overrun! corrected
Olly: Stack allows for "Go to" even if there is no program to debug - corrected
Olly: Button "Restore defaults" in Code highlighting was placed outside the visible area - corrected
Udi Shitrit: Problems with analysis when using CODEVIEW debug info - corrected... i hope
Ricardo Narvaja: "Find references to|Selected command" and "Search for|All referenced text strings" don't show results - clarified
Che Ming: OllyDbg is unable to read .sym files - corrected
Greg Hoglund: during startup OllyDbg should enable the debug privileges - done
Julien de Sainte Marie: if the main window is set as "Always on Top", error msgbox is displayed under the window - processing
Olly: When program is running, source window displays EIP marker in random position - corrected
Olly: Names window displays number of arguments for all labels within the function - corrected
Jeffrey Riaboy: Pressing Alt key doesn't move focus to the main OllyDbg menu - corrected
Alexandr Yakubtchik: Program linked with /ALIGN:0x200 crashes OllyDbg - corrected!
X05: Problems with DebugBreak on Win2000 SP3 - corrected, but there are problems with Win95: I can't distinguish between system breakpoint and call to DebugBreak
Udi Shitrit: Problems locating debugging information - corrected
Robin Keir: Invalid decoding of arguments for function socket() - corrected
Ben: Any dropdown combobox under XP suspends corresponding dialog until user clicks several times around - unable to reproduce
Rudy Penteado: OllyDbg irreproducibly looses track for the code analysis (possibly because it uses old analysis data) - clarified
DiamondCS: When new application is loaded, Name windows disappear but corresponding menu items remain in Windows menu - corrected
DiamondCS: Some newly opened windows don't appear in Windows menu - I think, this errror was induced by a previous one
Alex Koegel: Short and long hex dumps should not truncate leading zeros because many utilities expect them while cut'n'pasting - I agree, corrected
Ben: When clicking on analyzed self-modifying code, OllyDbg selects wrong line(s) - OllyDbg silently assumes that executable code doesn't change. The only reliable solution would be to keep the copy of executable code at the moment of analysis. As a workaround, repeat or remove analysis. Sorry...
Ricardo Narvaja: OllyDbg is unable to step over F2:3410 (REPNE XOR AL,10) - Although this command is in theory invalid, most (if not all) processors ignore REP/REPNE, corrected
Olly: When CPU window is minimized and OllyDbg terminates, in the next session CPU pane limits are messed up - corrected
Sungazer: When highlighted disassembly is copied to clipboard or file, text is unreadable - corrected
Ricardo Narvaja: Memory breakpoint on stack doesn't work - Uh-oh, two bugs at once. First, OllyDbg didn't checked implicit memory operands of PUSH/POPs; second, Win95 removes memory breakpoint set in the stack - corrected
tOXIKO: When command is a jump destination but not a jump itself, "Find references to" proposes to search for references to a jump destination - corrected
DiamondCS: OllyDbg doesn't redraw Modules window when application gets closed from the main menu (Debug|Close) - corrected