Thread: olly doesn't jump into WINPROC

  1. #16
    The file is packed with UPX but has been modified to make automatic unpacking difficult.

    The file can however still be manually unpacked with ollydbg & ollydump plugin using the same method as with standard UPX. This dump will then open without error in either DeDe or IDR, but IDR is probably a better choice if you want to view the forms for this application.

  2. #17
    Hi hfm,
    can you try to explain to me in more detail how you unpacked the target?
    How did you find the OEP and dump the exe?
    Last edited by techne; July 11th, 2013 at 15:27.

  3. #18
    This should work for most UPX packed exe files and works for this application.

    Assuming you are using a clean install of OllyDbg v1.10. Install the latest OllyDump plugin from http://www.woodmann.com/collaborative/tools/index.php/OllyDump

    1. Open the app in ollydbg. EIP should be at a PUSHAD instruction.
    2. Press Alt+F1 to bring up the command line plugin, enter "hr esp-4", then run the application.
    3. When the application breaks go to Debug->Hardware breakpoints and delete the hardware breakpoint set in the step above.
    4. A few lines below this there should be a JMP; put a breakpoint on it and run.
    5. When it breaks, press F7 to step into it. You are now at the OEP.
    6. Now you can dump the application with ollydump. Click on Plugins->OllyDump->Dump debugged process, leave all the settings as default and click Dump and save the file.
    7. You have now successfully dumped the application.

    Sorry, this is a bit of a rushed explanation, but it should get you an unpacked exe to work with. If you need more info on this, google for a tutorial on manually unpacking UPX.

    hfm
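The OEP-finding step in the post above (the JMP a few lines below the POPAD) can be reproduced outside the debugger. The script below is an added example and is not code from this thread, from OllyDbg or from OllyDump: it scans a byte blob for the UPX tail sequence POPAD, optional LEA ESP,[ESP+n], JMP rel32 and resolves the jump target the same way you would read it off the disassembly (target = address of the JMP + 5 + signed rel32). It handles both the disp32 and disp8 forms of the stack realignment, which goes slightly beyond the single case the post describes. The stub bytes, the load address 0x0040B000 and the resulting OEP 0x00401000 are constructed for the demonstration; the decompression loop is replaced by filler.

```python
import struct

# Constructed sample: a cut-down UPX-style unpacking stub as it would sit at
# the start of a UPX1 section. Only the prologue (PUSHAD), the epilogue
# (POPAD / LEA ESP / JMP) and the jump encoding are real x86; the 0x90 bytes
# stand in for the decompression loop, which this sample does not model.
STUB_BASE_VA = 0x0040B000          # assumed section VA, not from the thread
STUB = b"".join([
    b"\x60",                        # pushad
    b"\xBE\x00\x90\x40\x00",        # mov esi, 0x00409000   (packed data)
    b"\x8D\xBE\x00\x80\xFF\xFF",    # lea edi, [esi-0x8000] (output buffer)
    b"\x57",                        # push edi
    b"\x83\xCD\xFF",                # or ebp, -1
    b"\x90" * 16,                   # filler: decompression loop omitted
    b"\x61",                        # popad                 (offset 32)
    b"\x8D\xA4\x24\x80\x00\x00\x00",# lea esp, [esp+0x80]   (newer UPX stubs)
    b"\xE9\xD3\x5F\xFF\xFF",        # jmp 0x00401000        (tail jump, offset 40)
])


def find_tail_jumps(code: bytes, base_va: int) -> list[dict]:
    """Return every POPAD ... JMP rel32 sequence in `code` with its resolved
    target. `base_va` is the virtual address of code[0]. The last hit is
    normally the real tail jump; earlier ones are usually stray 0x61 bytes.
    """
    hits = []
    pos = code.find(b"\x61")                       # POPAD opcode
    while pos != -1:
        i = pos + 1
        # Newer UPX stubs realign the stack after POPAD before jumping:
        #   8D A4 24 disp32  lea esp,[esp+disp32]
        #   8D 64 24 disp8   lea esp,[esp+disp8]
        if code[i:i + 3] == b"\x8D\xA4\x24":
            i += 7
        elif code[i:i + 3] == b"\x8D\x64\x24":
            i += 4
        if code[i:i + 1] == b"\xE9" and len(code) >= i + 5:
            rel32 = struct.unpack_from("<i", code, i + 1)[0]   # signed
            jmp_va = base_va + i
            oep_va = jmp_va + 5 + rel32                         # EIP after JMP + rel
            hits.append({
                "popad_va": base_va + pos,
                "jmp_va": jmp_va,
                "oep_va": oep_va,
                # UPX0 (the unpacked code) precedes UPX1 (the stub), so a
                # genuine OEP lies below the stub; anything else is suspect.
                "plausible": oep_va < base_va,
            })
        pos = code.find(b"\x61", pos + 1)
    return hits


def guess_oep(code: bytes, base_va: int):
    """Best single OEP guess: the last plausible tail jump, else None."""
    hits = [h for h in find_tail_jumps(code, base_va) if h["plausible"]]
    return hits[-1]["oep_va"] if hits else None


if __name__ == "__main__":
    for h in find_tail_jumps(STUB, STUB_BASE_VA):
        print(f"popad {h['popad_va']:08X}  jmp {h['jmp_va']:08X}  "
              f"-> OEP {h['oep_va']:08X}  plausible={h['plausible']}")
    print(f"guess_oep: {guess_oep(STUB, STUB_BASE_VA):08X}")
```

On a real target feed it the raw bytes of the stub section together with that section's virtual address (image base plus section RVA). The `plausible` flag is the same sanity check you would apply by eye in OllyDbg: the target of the tail jump should land in the first section, below the stub. If the UPX stub has been modified, as post #16 says it was for this file, the POPAD/JMP pair may be split up or obfuscated and the scan will miss it; the hardware breakpoint on the stack slot that PUSHAD writes and POPAD reads, as in the steps above, still works because it keys on the stack access rather than on the opcode bytes.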

  4. #19
    thank you very much hfm,
    I have followed your instructions (they were really clear): I created the dumped file, and if I execute it everything goes fine (great!!).

    But if I debug it with olly, after just a few steps I get an:
    int 1
    and I can't proceed.
    I have also tried to decompile it with DeDe and IDR, but they did not work ...
    Maybe I did something wrong, or maybe the target's defence is much more complex to disable.

  5. #20
    Odd, I dump the application using the method above and it opened fine in idr afterwards. I couldn't get Dede to decompile the apps forms which is why I suggested using idr. What error do you get with idr? Are you using the latest version from http://kpnc.org/idr32/en/download.htm ? (Scroll to the bottom). And have you got all the knowledge base files installed properly?

    hfm
