PDA

View Full Version : File successfully patched in Olly, runs... in Olly. When saved, errors as corrupt?


Kero13
March 24th, 2013, 19:56
Hi all,

Title pretty much says it all. I've been working my way through tutorials and doing pretty well until this.

I have a target that I can load and run in Olly (strangely, only R4ndom's "version" of Olly... stock Olly 1.1 will load and run it but throws exceptions, and Olly 2 never will load it, hangs on analysis. Might have something to do with one of R4ndom's plugins?). Anyhow, I've got a working patch for it... it's incomplete and inelegant, but it's a start.

Once I make the patch and run the target WITHIN Olly, it works fine. The target will run perfectly. When I right-click into the context menu and mouse over "copy to executable", the only option is "selection". The typical "all modifications" is not shown. I select all of my modifications, then right-click in the new window and "save file". Same thing I've done with other files and it works fine. This target will save with no errors, but when run on its own, outside of Olly, it errors as corrupt.

Examining this target in ExeInfoPE shows that it's not packed, but was created with Borland Delphi 2.0.

I know I'm making a really stupid newb mistake here.. I'm obviously missing something important about this target. I've been fighting with it for 2 days now. Pretty frustrating to maybe figure out a patch, only to not be able to save it! ;-) Could anyone offer any suggestions? I'm not asking for spoon feeding, I enjoy learning on my own... I just need a push in the right direction. What should I be looking at?

Thanks for ANY suggestions...

disavowed
March 25th, 2013, 08:22
OllyDbg is unreliable with regards to patching. You're better off using a standalone hex editor to do patching.

Kero13
March 26th, 2013, 01:03
Hey, thanks for the reply. As it turns out, I AM an idiot (as expected). The patched file isn't actually corrupt, the error is being thrown not by Windows but by the target program when I run the patched version. If I load the patched version into Olly, I get the same "file is corrupt" error. I've found that string in a data section of the binary, but it's not easily traceable (for this newb). I'm stepping through the program from the beginning and I've found a block of code that can be bypassed by a jump, but if not bypassed goes into a loop that eventually throws the error. Just patching to take the jump doesn't work either though; the target hangs and terminates a little later on. So I'll have to dig into the functions inside this block instead of just jumping it. Anyone have any good reading on how to deal with something like this?

Thanks...

Kero13
March 29th, 2013, 12:18
Yup, turns out it was just an integrity check. There are probably more efficient ways, but I just stepped through the code until I found it, buried like 10 calls deep. Works fine now. That was fun!