Friday, March 30, 2012

OllyDbg v1.10 And Wow64

If you have ever used OllyDbg v1.10 on Window 7 64-bit version (Wow64), then you must have seen the annoying single-step breaks that frequently interrupt your debug session. I spent a couple of hours to find the reason behind this and finally came out with this small plugin, "OllyWow64", to fix this bug.

You can find OllyWow64 here.
Version 0.2 can be found here.

The fix is as easy as what you see in the image below.
 Here you can find the source code.
Here you can find the source code of version 0.2.

Update:
Version 0.2 of OllyWow64 has been released.

You can follow me on Twitter @waleedassar 

3 comments:

  1. I'm curious, I see the fix consists in filling 0x42ea04 to 0x42ea0e with NOPs, but why? Is it an OllyDbg specific thing? And why is it not affected by ASLR?

    ReplyDelete
  2. The original instruction "OR DWORD PTR[EBX+0xC0],0x100" sets the trap flag (EBX points at the CONTEXT structure and at offset 0xC0 is the EFLAGS). The asm code block in the first image above is related to activating Debug Registers. I can't find any good reason why Olly sets the trap flag when activating Debug Registers.

    OllyDbg v1.10 and Immunity Debugger v1.85 share the same bug, while OllyDbg v2.0 is not affected.

    OllyDbg is not subject to ASLR as it does not have the "IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE" flag set in the "Dll Characteristics" field of its PE header.

    ReplyDelete
  3. In 0.2, you patch a jump. How does the fix work? It seems completely different from 0.1. The trap flag stays now, doesn't it?

    ReplyDelete