
Thread: Unpacked app deletes itself

  1. #31
    In that case I'd consider it a bug, but nothing a little patching can't fix
    Code:
    0045DB3F 8B4E0C               mov       ecx,[esi][000C]
    0045DB42 3B4E28               cmp       ecx,[esi][0028] ; is above?
    0045DB45 770B                 ja        0045DB52        ; *** jump to message etc ***
    0045DB47 8B460C               mov       eax,[esi][000C]
    0045DB4A 034610               add       eax,[esi][0010]
    0045DB4D 3B4628               cmp       eax,[esi][0028] ; is above?
    0045DB50 7734                 ja        0045DB86        ; *** jump around it
    0045DB52 8D5648               lea       edx,[esi][0048]
    0045DB55 52                   push      edx
    0045DB56 6A08                 push      08
    0045DB58 68C3C04B00           push      004BC0C3        ; "Module '%s' has entry point" blah blah blah
    0045DB5D 8D8D78FDFFFF         lea       ecx,[ebp][-00000288]
    0045DB63 51                   push      ecx
    0045DB64 E8C3900400           call      004A6C2C        ; display the message
    OllyDbg 1.0.10.0. This fragment of code will only kill the message box and nothing else; you'll also need to patch the AppendMenu routine (search for "&Analyse") and the analyser routine itself (menu command 142 (8E) in the message-processing loop).

  2. #32
    Quote Originally Posted by blabberer View Post
    but load the thingy in ollydbg
    you will see an entry point out of code section (and obviously no analysis as well)
    you change the section flag to e00000e0 the msg box would still be there ??
    wtf
    I'd need to double-check that.

    Quote Originally Posted by blabberer View Post
    the import table strings will get their proper names with 0x1000 as base of code while with 0x2000 the import table strings will be looking like gibberish
    I changed the base of code to 1000h as you suggest and sure enough I get the "EP out of code" warning message; clicking OK, the analysis also begins. I also looked at another Delphi app and noticed that 1000h seems to be a typical code base address. I can now use the MapConv plugin to correctly place labels on the code listing.

    Comments, however, don't appear to be added; presumably this has something to do with the base of data address needing to be adjusted too.

    Quote Originally Posted by blabberer View Post
    as to base of data, again it depends; you have to deduce it by looking at it (this field comes into action where OllyDbg maps the dump in its dump window; Notepad has the /link merge erw .text compiler switch, so its data section is within the code section)
    I didn't realise the dump window starts at the base of data address until you mentioned it. Again I'll look at other virgin Delphi binaries to look for a "pattern". I'll post back to report if this fixes the comments.

    UPDATE 2: I changed the base of data address to F2000h, Olly continues to dump data at the old address of 1C9000h for some reason. (I deleted the .udd file beforehand).

    UPDATE 2: Something's not right, most likely down to the virtual sizes of the data and code sections being the wrong values in the PE header. A little more investigation is needed to fix this. I'll review the PE format spec too when I can get a spare moment.

    Quote Originally Posted by blabberer View Post
    hope that helps
    It certainly does, thank you. I'm surprised that this question hasn't been raised before.
    Last edited by 5aLIVE; October 6th, 2007 at 13:54.
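As an added illustration (not code from this thread or from OllyDbg), the Python script below reads the PE32 header fields the posts above are juggling, AddressOfEntryPoint, BaseOfCode/SizeOfCode, BaseOfData and the section table, and reports the inconsistencies that correspond to Olly's "entry point outside code section" warning and its choice of code base. The build_sample_pe helper and every value in it (the 0x1000 vs 0x2000 code base, the 0xF2000 data base, the section flags) are constructed sample data, and the checks are my approximation of what the thread describes, not OllyDbg's own logic.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020     # section contains code
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section is executable

def parse_pe32(data):
    """Read the PE32 header fields the thread talks about: entry point, BaseOfCode/SizeOfCode, BaseOfData, sections."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24  # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled; PE32+ has no BaseOfData field")
    size_of_code = struct.unpack_from("<I", data, opt + 4)[0]
    entry, base_code, base_data = struct.unpack_from("<III", data, opt + 16)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]  # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "size": max(vsize, rawsize), "flags": flags})
    return {"entry": entry, "base_of_code": base_code, "size_of_code": size_of_code, "base_of_data": base_data, "sections": sections}

def section_for_rva(sections, rva):
    return next((s for s in sections if s["va"] <= rva < s["va"] + s["size"]), None)

def check_code_layout(data):
    """Flag the inconsistencies behind OllyDbg's 'entry point outside code section' warning (approximation)."""
    hdr = parse_pe32(data)
    ep_sec = section_for_rva(hdr["sections"], hdr["entry"])
    return {
        "ep_section": ep_sec["name"] if ep_sec else None,
        "ep_in_code_section": bool(ep_sec and ep_sec["flags"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)),
        "ep_in_header_code_range": hdr["base_of_code"] <= hdr["entry"] < hdr["base_of_code"] + hdr["size_of_code"],
        "base_of_code_is_section_start": any(s["va"] == hdr["base_of_code"] for s in hdr["sections"]),
    }

def build_sample_pe(base_of_code, base_of_data, text_flags):
    """Constructed PE32 header image (sample data for this example only, not a runnable binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<HHI", opt, 0, 0x10B, 0, 0xF0000)  # PE32 magic, linker version, SizeOfCode
    struct.pack_into("<IIII", opt, 16, 0x1200, base_of_code, base_of_data, 0x400000)  # EP, BaseOfCode, BaseOfData, ImageBase
    text = struct.pack("<8sIIIIIIHHI", b".text", 0xF0000, 0x1000, 0xF0000, 0x400, 0, 0, 0, 0, text_flags)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x5000, 0xF2000, 0x5000, 0xF0400, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + text + data
```

Running check_code_layout on a real dump (open the file in binary mode and pass its bytes) shows at a glance whether the entry point, the header's code range and the section flags agree, which is the state the thread is trying to restore by hand.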

  3. #33
    Quote Originally Posted by 5aLIVE View Post
    When loading the app Olly also warns that the code section is either compressed/encrypted/or contains a large amount of embedded data. It warns that results of code analysis could be unreliable or wrong. I select no as I don't want to continue analysis.

    I also get a suspicious breakpoint warning about placing breakpoints on data which further confirms that code is in the data section.
    I've been semi-following this thread for a while now and admittedly have not fully read all of the suggestions and advice, but I keep coming back to this - this is what I normally would expect to see if I "unpacked an app" and it was not fully unpacked - or if it was double packed - this used to plague me with old versions of arma.

    Here's a real SWAG that will allow you to put another checkmark next to my name in the nutcase file - is it possible that you are working with a packer that spawns a process on disk - similar to ExeShield, and you've managed to incorporate elements of both the father and child in your dump, when run it sees the dump as the spawned process and deletes it on exit? - could explain a lot of anomalies.

    Ok now you can flame me for not fully reading the thread

    SiGiNT
    Last edited by SiGiNT; October 9th, 2007 at 15:38. Reason: Just Plain nutz
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  4. #34
    GEESH! I'm going to get a rep as a thread killer!!!

    S

  5. #35
    @sigint33, sorry I haven't been on here in a while. No, the app has only been packed once, as I am able to view an intelligible disassembly in IDA. I appreciate your thoughts and input but I don't think it's as complex as that. Having said that, I couldn't find the trigger that deletes the file; admittedly I got a little sidetracked trying to work out why I couldn't apply a .MAP file. I'll try to post more of my findings when I get a chance.

    Regards,
    5aLIVE

  6. #36
    Just for kicks and giggles, run the packed app - either alone or in Olly - open another instance of Olly and look for something odd like a file being executed from your Documents and Settings directory. If I'm wrong there, then I think your problem may be that the app is only partially unpacked - older versions of Armadillo would execute partially unpacked - you would go through the unpacking process, dump and rebuild - the file size would double and it ran fine, but when analyzed it was still partially packed. The rebooting - I'm assuming your machine abruptly shuts off - could be from a severe kernel violation, a la "stripper".

    SiGiNT
