
Thread: BAD OLLYDMP

  1. #1

    BAD OLLYDMP

    I see Gigapede is not making any more OllyDumps, but the newest 5 or 6 versions of OllyDump only work well on English XP; on other languages (Spanish XP is mine) the dump is a disaster, it does not dump a UPX target, nothing.

    We use old versions of OllyDump; these work well in ANY language.

    If Gigapede reads this, I suggest that if he makes a new OllyDump, he test that it can work in all languages of the OS.

    Thanks
    Ricardo Narvaja

  2. #2
    Gigapede
    Guest

    BAD OLLYDMP

    Hi Ricardo.
    I do not intend to quit development of OllyDump, but I'm too busy to find the time,
    and I'm sorry, I don't know how to test all languages.
    Could you recompile it in your environment?
    You can freely modify the source code and release it.

    Or give me some advices.

    Thanks
    Gigapede
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3

    BAD OLLYDMP

    I made a UPX dump with OllyDump 1.11, 2.00 and 2.01 and it works well, but with later versions it does not recognise the names of the APIs well, I think, and the dumped file does not have all the DLLs. In my example the dump made with 1.11 has 8 DLLs, and the dump made with 2.21 has only two, and when I load the dumped file in Olly only 2 DLLs appear, with the message "Import Lookup Table outside .idata".

    LOG OF UPX DUMPED WITH 1.11

    File 'D:\Documents and Settings\Ricardo\Escritorio\katarfirstcrackme\jeje.exe'
    New process with ID 000008A8 created
    004011A8 Main thread with ID 00000934 created
    00400000 Module D:\Documents and Settings\Ricardo\Escritorio\katarfirstcrackme\jeje.exe
    733A0000 Module D:\WINDOWS\System32\MSVBVM60.DLL
    770F0000 Module D:\WINDOWS\system32\OLEAUT32.dll
    77180000 Module D:\WINDOWS\system32\ole32.dll
    77BE0000 Module D:\WINDOWS\system32\MSVCRT.DLL
    77C40000 Module D:\WINDOWS\system32\GDI32.dll
    77D10000 Module D:\WINDOWS\system32\USER32.dll
    77DA0000 Module D:\WINDOWS\system32\ADVAPI32.dll
    77E40000 Module D:\WINDOWS\system32\kernel32.dll
    77F40000 Module D:\WINDOWS\System32\ntdll.dll
    78000000 Module D:\WINDOWS\system32\RPCRT4.dll
    004011A8 Program entry point

    LOG OF UPX DUMPED WITH 2.21

    File 'D:\Documents and Settings\Ricardo\Escritorio\katarfirstcrackme\jeje2.exe'
    New process with ID 00000D6C created
    004011A8 Main thread with ID 0000070C created
    00400000 Module D:\Documents and Settings\Ricardo\Escritorio\katarfirstcrackme\jeje2.exe
    Import Lookup Table outside .idata
    77E40000 Module D:\WINDOWS\system32\kernel32.dll
    77F40000 Module D:\WINDOWS\System32\ntdll.dll
    004011A8 Program entry point

    View - MEMORY of dump with 1.10
    Memory map
    Address Size Owner Section Contains Type Access Initial Mapped as

    00400000 00001000 jeje 0 PE header Imag R RWE
    00401000 00006000 jeje 0 UPX0 Imag R RWE
    00407000 00002000 jeje 0 UPX1 code Imag R RWE
    00409000 00001000 jeje 0 .rsrc data,imports Imag R RWE
    0040A000 00001000 jeje 0 .xur Imag R RWE
    00410000 00103000 0 Map R R
    00520000 00175000 0 Map R E R E
    00820000 00001000 0 Priv RW RW
    00830000 00004000 0 Priv RW RW
    00840000 00003000 0 Map R R \Device\HarddiskVolume2\WINDOWS\System32\ctype.nls
    00850000 00003000 0 Priv RW RW
    00860000 00010000 0 Priv RW RW
    00C60000 00003000 0 Priv RW RW
    733A0000 00001000 MSVBVM60 7 PE header Imag R RWE
    733A1000 000FD000 MSVBVM60 7 .text code,imports Imag R RWE
    7349E000 0000D000 MSVBVM60 7 ENGINE code Imag R RWE
    734AB000 00007000 MSVBVM60 7 .data data Imag R RWE
    734B2000 00031000 MSVBVM60 7 .rsrc resources Imag R RWE
    734E3000 00010000 MSVBVM60 7 .reloc relocations Imag R RWE
    770F0000 00001000 OLEAUT32 7 PE header Imag R RWE
    770F1000 00081000 OLEAUT32 7 .text code,imports Imag R RWE
    77172000 00002000 OLEAUT32 7 .data Imag R RWE
    77174000 00001000 OLEAUT32 7 .rsrc resources Imag R RWE
    77175000 00006000 OLEAUT32 7 .reloc relocations Imag R RWE
    77180000 00001000 ole32 7 PE header Imag R RWE
    77181000 000F9000 ole32 7 .text code,imports Imag R RWE
    7727A000 00006000 ole32 7 .orpc code Imag R RWE
    77280000 00007000 ole32 7 .data data Imag R RWE
    77287000 00002000 ole32 7 .rsrc resources Imag R RWE
    77289000 0000E000 ole32 7 .reloc relocations Imag R RWE
    77BE0000 00001000 MSVCRT 7 PE header Imag R RWE
    77BE1000 00047000 MSVCRT 7 .text code,imports Imag R RWE
    77C28000 00007000 MSVCRT 7 .data data Imag R RWE
    77C2F000 00001000 MSVCRT 7 .rsrc resources Imag R RWE
    77C30000 00003000 MSVCRT 7 .reloc relocations Imag R RWE
    77C40000 00001000 GDI32 7 PE header Imag R RWE
    77C41000 0003B000 GDI32 7 .text code,imports Imag R RWE
    77C7C000 00001000 GDI32 7 .data data Imag R RWE
    77C7D000 00001000 GDI32 7 .rsrc resources Imag R RWE
    77C7E000 00002000 GDI32 7 .reloc relocations Imag R RWE
    77D10000 00001000 USER32 7 PE header Imag R RWE
    77D11000 0005B000 USER32 7 .text code,imports Imag R RWE
    77D6C000 00002000 USER32 7 .data data Imag R RWE
    77D6E000 0002B000 USER32 7 .rsrc resources Imag R RWE
    77D99000 00003000 USER32 7 .reloc relocations Imag R RWE
    77DA0000 00001000 ADVAPI32 7 PE header Imag R RWE
    77DA1000 00067000 ADVAPI32 7 .text code,imports Imag R RWE
    77E08000 00005000 ADVAPI32 7 .data data Imag R RWE
    77E0D000 0002C000 ADVAPI32 7 .rsrc resources Imag R RWE
    77E39000 00005000 ADVAPI32 7 .reloc relocations Imag R RWE
    77E40000 00001000 kernel32 7 PE header Imag R RWE
    77E41000 00076000 kernel32 7 .text code,imports Imag R RWE
    77EB7000 00003000 kernel32 7 .data data Imag R RWE
    77EBA000 00073000 kernel32 7 .rsrc resources Imag R RWE
    77F2D000 00006000 kernel32 7 .reloc relocations Imag R RWE
    77F40000 00001000 ntdll 7 PE header Imag R RWE
    77F41000 0006E000 ntdll 7 .text code,exports Imag R RWE
    77FAF000 00004000 ntdll 7 ECODE code Imag R RWE
    77FB3000 00005000 ntdll 7 .data data Imag R RWE
    77FB8000 00032000 ntdll 7 .rsrc resources Imag R RWE
    77FEA000 00003000 ntdll 7 .reloc relocations Imag R RWE
    78000000 00001000 RPCRT4 7 PE header Imag R RWE
    78001000 00070000 RPCRT4 7 .text code,imports Imag R RWE
    78071000 00006000 RPCRT4 7 .orpc code Imag R RWE
    78077000 00001000 RPCRT4 7 .data data Imag R RWE
    78078000 00001000 RPCRT4 7 .rsrc resources Imag R RWE
    78079000 00005000 RPCRT4 7 .reloc relocations Imag R RWE
    7F6F0000 00007000 7 Map R E R E
    7FFB0000 00024000 7 Map R R
    7FFDE000 00001000 7 data block o Priv RWE RWE
    7FFDF000 00001000 7 Priv RWE RWE
    7FFE0000 00001000 7 Priv R R



    Memory map of dump with 2.21

    Address Size Owner Section Contains Type Access
    00400000 0000C000 jeje2 PE header Imag R RWE
    77E40000 00001000 kernel32 PE header Imag R RWE
    77E41000 00076000 kernel32 .text code,imports Imag R RWE
    77EB7000 00003000 kernel32 .data data Imag R RWE
    77EBA000 00073000 kernel32 .rsrc resources Imag R RWE
    77F2D000 00006000 kernel32 .reloc relocations Imag R RWE
    77F40000 00001000 ntdll PE header Imag R RWE
    77F41000 0006E000 ntdll .text code,exports Imag R RWE
    77FAF000 00004000 ntdll ECODE code Imag R RWE
    77FB3000 00005000 ntdll .data data Imag R RWE
    77FB8000 00032000 ntdll .rsrc resources Imag R RWE
    77FEA000 00003000 ntdll .reloc relocations Imag R RWE
    7F6F0000 00007000 Map R E R E
    7FFB0000 00024000 Map R R
    7FFDE000 00001000 data block o Priv RWE RWE
    7FFDF000 00001000 Priv RWE RWE
    7FFE0000 00001000 Priv R R

    VIEW-MEMORY DUMP WITH 2.21

    They are very different, sniff.
    Is it possible for OllyDump to have an option to read the system DLLs from a different folder (not system32), configurable, so that I can put the English DLLs in that folder?

    Ricardo Narvaja

  4. #4
    focht
    Guest

    BAD OLLYDMP

    Greetings,

    well, the message 'Import Lookup Table outside .idata' indicates that something went wrong.
    The different module list and memory map are just the result of it.

    On your target system (Windows XP), try to gather some info *before* you dump:

    1)

    Compare both (1.11 and 2.21) plugin main screens -> menu item "dump debugged process".
    Does the sections view match?
    What values differ?

    2)

    Did you select the "Rebuild import" option? Which method (1, 2)?
    Hint: rebuild was *not* implemented in 1.11.

    Enable "Search Log" in ollydump options menu.
    Copy all log output from the plugin (import API search results) and post it here.
    That might show potential problems ...

    I suspect the problem is in the IAT rebuilding engine.

    Regards,

    A. Focht
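
    The "Import Lookup Table outside .idata" message discussed above is about the import descriptors of the dumped file. Below is an added example (not code from this thread, from OllyDump or from OllyDbg) that parses a PE's import directory and reports, per DLL, which section holds its Import Lookup Table (ILT) and Import Address Table (IAT), and whether either one is not covered by any section. It assumes OllyDbg's message reflects a check of this kind; the exact test OllyDbg performs is not reproduced. The two images it checks are constructed in build_sample(), not real dumps; the second one has msvcrt.dll's ILT pointing past every section, which is the shape of problem the message describes.

```python
"""Locate a PE's import tables and flag an Import Lookup Table (ILT) that
lies outside the file's sections. Added example for this thread, not
OllyDump's or OllyDbg's own code; the image it checks is constructed in
build_sample(), not a real dump. Assumption: OllyDbg's "Import Lookup
Table outside .idata" message reflects a check of this kind.
"""
import struct


def parse_headers(data):
    """Return (sections, import_dir_rva) from raw PE32/PE32+ file bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    datadir = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+
    imp_rva = struct.unpack_from("<I", data, datadir + 8)[0]  # data directory entry 1
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                       # IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, max(vsize, rawsize), rawptr))
    return sections, imp_rva


def section_of(sections, rva):
    """Map an RVA to (section name, file offset); (None, None) if unmapped."""
    for name, vaddr, size, rawptr in sections:
        if vaddr <= rva < vaddr + size:
            return name, rawptr + (rva - vaddr)
    return None, None


def check_imports(data):
    """One record per import descriptor: DLL name, section holding its
    ILT and IAT, and a list of problems (empty when everything is mapped)."""
    sections, imp_rva = parse_headers(data)
    dir_sec, off = section_of(sections, imp_rva)
    if dir_sec is None:
        return [{"dll": None, "ilt_section": None, "iat_section": None,
                 "problems": ["import directory %#x outside all sections" % imp_rva]}]
    report = []
    while True:
        ilt, _ts, _fwd, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if ilt == 0 and name_rva == 0 and iat == 0:
            break                                    # null descriptor ends the table
        _, name_off = section_of(sections, name_rva)
        dll = (data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace")
               if name_off is not None else "<name %#x unmapped>" % name_rva)
        ilt_sec, _ = section_of(sections, ilt or iat)  # ILT of 0: loader uses the IAT
        iat_sec, _ = section_of(sections, iat)
        problems = []
        if ilt_sec is None:
            problems.append("ILT %#x outside all sections" % ilt)
        elif ilt_sec != dir_sec:
            problems.append("ILT in %s but import directory in %s" % (ilt_sec, dir_sec))
        if iat_sec is None:
            problems.append("IAT %#x outside all sections" % iat)
        report.append({"dll": dll, "ilt_section": ilt_sec,
                       "iat_section": iat_sec, "problems": problems})
        off += 20                                    # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return report


def build_sample(msvcrt_ilt_rva):
    """Constructed two-section PE32 importing kernel32.dll and msvcrt.dll.
    msvcrt's ILT RVA is a parameter so a broken table can be produced."""
    IDATA_RVA, IDATA_RAW = 0x2000, 0x400
    idata = bytearray(0x200)
    def put(rva, blob):
        idata[rva - IDATA_RVA:rva - IDATA_RVA + len(blob)] = blob
    # descriptors: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    put(0x2000, struct.pack("<IIIII", 0x2080, 0, 0, 0x2040, 0x2090))
    put(0x2014, struct.pack("<IIIII", msvcrt_ilt_rva, 0, 0, 0x2050, 0x20A0))
    put(0x2040, b"kernel32.dll\0")                   # third descriptor stays zero
    put(0x2050, b"msvcrt.dll\0")
    for rva in (0x2080, 0x2090, 0x20A0, 0x20B0):     # one hint/name thunk + terminator
        put(rva, struct.pack("<II", 0x20C0, 0))
    put(0x20C0, struct.pack("<H", 0) + b"ExitProcess\0")
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, IDATA_RVA, 3 * 20)  # import directory entry
    def sec(name, vaddr, vsize, rawptr, rawsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)
    hdr = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
           + sec(b".text", 0x1000, 0x1000, 0x200, 0x200, 0x60000020)
           + sec(b".idata", IDATA_RVA, 0x1000, IDATA_RAW, 0x200, 0xC0000040))
    return hdr.ljust(0x200, b"\0") + bytes(0x200) + bytes(idata)
```

    To run it against a real dump, pass the file contents: `check_imports(open(path, "rb").read())`. The report is only as good as the section headers in the file, so a dump whose headers were written wrongly will show up as an unmapped import directory or unmapped ILT/IAT entries, which is the first thing to compare between the 1.11 and 2.21 outputs.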

  5. #5
    focht
    Guest

    BAD OLLYDMP

    Appendix:

    After enabling "Search Log" in ollydump options menu, you actually have to dump the process to get all the IAT rebuild log messages.

    Regards,

    A. Focht

  6. #6
    Gigapede
    Guest

    BAD OLLYDMP

    ::Ricardo
    2.21 is a beta and experimental version, so it doesn't work well.
    You'd have got it by directory digging.
    You should use 2.20.
    I don't use 2.21.

    OllyDump gets dll info from OllyDbg.
    I don't think the Language is the problem.


    ::focht
    Thanks.
    You know a lot more than me.


    Gigapede

  7. #7
    focht
    Guest

    BAD OLLYDMP

    Greetings,

    AFAIK the main difference between 2.20 and 2.21 is the added VBOX recognition in GetRealApiAddress() of the IAT rebuild engine.
    The other differences are only of a cosmetic nature (I diff'd the source files).

    V2.20 should show the same (mis)behaviour, because Ricardo's target is UPX'd.

    To track down the problem:

    The IAT logging may produce a huge amount of data (due to the different recognition algorithms), so enable the "log to file" option in OllyDbg's log window.
    After dump, close the log file.

    Now search the log file for which packer signature gets recognized: either a "found [...] signature" line, or the last "[...] search" line before any "found ... import" line.

    Next, search for the "OllyDump -- Import Table" line and scan through the following lines.
    Look whether any of the "missing" DLLs (msvcrt, ...) are referenced there.

    Regards,

    A. Focht
