
Thread: unable to save changes in exe file by Ollydbg

  1. #1
    blondakke
    Guest

    unable to save changes in exe file by Ollydbg

    Hi,

    I opened a 32-bit exe file in OllyDbg and made some corrections in the code window, like this:

    00837889 -> JNZ 00837C2F -> changed to NOP
    0076719E -> JE SHORT 007671B2 -> changed to JMP SHORT 007671B2
    00767129 -> JE 007671CB -> changed to NOP
    007670CC -> JE 007671DB -> changed to NOP

    But I can't find a way to save my changes to this exe file. Can you help me with my problem? It would be very helpful for me. Thank you.


    blondakke
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    ZaiRoN
    Did you try using the method explained in our FAQ? Are you still unable to save your changes?

  3. #3
    Just use a hex editor. OllyDbg is a debugger, and nothing more. As a program's code and data may be modified during its execution, it is not recommended to save to disk except for special purposes such as an unpacking process.

    Use the right tool for the job.

  4. #4
    blondakke
    Guest
    Quote Originally Posted by ZaiRoN
    Did you try using the method explained in our FAQ? Are you still unable to save your changes?
    Yes, I tried it.

    # right click over the code ... done

    # "Copy to executable" - "All modifications" (or "Selection", as you desire) ... I have only "Selection", not "All mod..." .... done

    # right click over the new window ... done

    # "Save file" ... it shows me "Dump of file xxx is not modified. Do you really want to save unchanged dump to disk?" I modified exe file in code window, I don't understand ... :-(

  5. #5
    blondakke
    Guest
    Quote Originally Posted by blondakke
    Yes, I tried it.
    # "Copy to executable" - "All modifications" (or "Selection", as you desire) ... I have only "Selection", not "All mod..." .... done
    When I tried "Copy to Selection" on the second attempt, it showed me "Error - Unable to locate data in executable file"

    I'm confused...

  6. #6
    Yes, because OllyDbg only saves data changed in the section declared as code section.

    You should use a hex editor, as LLXX suggested before...

    Cheers

    Nacho_dj

  7. #7
    anorganix
    Guest
    In fact, Olly needs to "see" that the code is in a section... if you add a section to a file with real size 0x20 bytes and then change its size with LordPE to 0x10, you will be able to save changes made in that section only for the 0x10 bytes (length of the section)... If you change the 0x10 bytes from the end, Olly will warn you that it can't save...

    Did that make sense? Hope so...

  8. #8
    ZaiRoN
    00837889, 0076719E, 00767129, 007670CC
    Maybe you are trying to patch code allocated at runtime. Which is the address space of the exe file?

  9. #9
    Super Moderator
    Yes, because OllyDbg only saves data changed in the section declared as code section.
    nacho_dj don't post misinformation
    in fact you had asked the same question earlier and i remember fairly well
    replying to you in gory details along with screen shots and what not

    and i had clearly shown you it is possible to save modifications in any section

    still you answer that it isn't possible to save blah blah

    http://www.woodmann.com/forum/showthread.php?t=7711&highlight=copy+executable

    @blondakke

    answer ZaiRoN's question
    whether whatever you are modifying belongs to the exe you are modifying
    or whether it was allocated during runtime ?
    i don't believe olly's context menu will show copy to executable on virtually allocated memory so i did not ask earlier
    but if it showed up then probably there is something else going on the exe might be checking itself and changing modifications on the fly
    or it might be decrypting another portion to this place so all your modifications get overwritten every time etc etc

  10. #10
    naides
    Another Question:

    Can you find the code you are trying to patch inside the executable on disk?

    Try using HIEW, or HexWorkshop. Search for the byte pattern around the code you are trying to modify.
    If you cannot find your code in the original exe, probably this code segment you wanted to patch is made, unpacked or decrypted at run time.

    In that case, you have to rethink your strategy. (An Unpacking job, or a loader/memory patcher).

  11. #11
    Yes, you're right blabberer, there was a thread about this, so forget what I posted...

    I normally use a hex editor from that moment to save data...

    Cheers

    Nacho_dj

  12. #12
    Olly can save changes in any section of the exe or dll with the described method, not only in the code section, but...

    if you have a section with, for example, raw size 1000 and virtual size 2000, you can only save in the first 1000 bytes; these bytes are located in the executable. The other 1000 bytes are only virtual, and if you try to save them in the file, OLLY says UNABLE ..; nobody can save in a nonexistent place.
    Remember, in the sections you see in OLLY, you can only save in the first part of the section; where the virtual-only part starts it is not possible. Right click in the exe and press VIEW-EXECUTABLE FILE and you can see the part of the section where you can save.


    Ricardo Narvaja

  13. #13
    blondakke
    Guest
    Quote Originally Posted by naides
    Another Question:
    If you cannot find your code in the original exe, probably this code segment you wanted to patch is made, unpacked or decrypted at run time.
    I checked it and I guess you're right. I can't see my code after I opened the exe file. I need to run the debugger to make the correction.

  14. #14
    blondakke
    Guest
    Quote Originally Posted by ZaiRoN
    Maybe you are trying to patch code allocated at runtime. Which is the address space of the exe file?
    How can I detect it? I see the first column of addresses in the main window, but how do I know where the end of the address space is?

    P.S. Sorry for my stupid questions but I'm working with debugger for the first time.

  15. #15
    naides
    You are doing fine, Blondakke.
    Your questions are not stupid, you are only inexperienced.

    While your app is open in Olly, click on the "view" drop down menu, then choose "memory", the shortcut is Alt-M

    Look at the information, carefully. You will see the base address, the size, the name of your app module(s) (Owner), the name of each one of its sections as they are mapped, loaded in memory. You will also see the other modules, dlls system dlls etc with their addresses.

    Figure out the address of the code you are interested in within this scheme of things. 007670CC belongs to which module? Which segment? What is the distance from its base address?

    Now look at the same file with a PE viewer. Like PE-tools, CFF Explorer etc.

    You will see the way those segments are organized in the file on disk.

    Look carefully. The names of the sections are the same but the addresses are different. Those are RAW values, instead of Virtual values.


    This should help you locate your code in the Disk file, if it is there at all...

    There is a virtual address calculator in CFF Explorer, that may help you locate what you are looking for in the disk file, if it is there, or to figure out the space it should be.

    Play around with those tools, come back with questions
    Last edited by naides; August 28th, 2006 at 12:51.
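
Added example, not part of any post in this thread: the check described in posts #12 and #15 (compare each section's virtual range with its raw range, then convert a debugger address to a file offset) can be scripted. The function names and the sample headers below are constructed for illustration; the sample's `.text` section has raw size 0x1000 and virtual size 0x2000, mirroring the case in post #12.

```python
import struct

def parse_sections(pe: bytes):
    """Return (image_base, [(name, vaddr, vsize, raw_ptr, raw_size)]) for a PE32 file."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # COFF file header (20 bytes)
    nsec, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                            # optional header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only 32-bit PE32 is handled here")
    image_base, = struct.unpack_from("<I", pe, opt + 28)
    table, sections = opt + opt_size, []
    for i in range(nsec):                      # 40-byte section headers
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rptr, rsize))
    return image_base, sections

def locate(pe: bytes, va: int):
    """Map a debugger address to (section, status, file_offset)."""
    base, sections = parse_sections(pe)
    rva = va - base
    for name, vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + (vsize or rsize):
            delta = rva - vaddr
            if delta < rsize:                  # inside the raw data stored on disk
                return name, "file-backed", rptr + delta
            return name, "virtual-only", None  # exists only after loading
    return None, "outside image", None         # another module or run-time memory

def build_sample() -> bytes:
    """Constructed PE32 headers only: image base 0x400000, two sections, no code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H26xI", 0x10B, 0x400000).ljust(224, b"\0")
    def sec(name, vsize, vaddr, rsize, rptr):
        return struct.pack("<8sIIII16x", name, vsize, vaddr, rsize, rptr)
    table = sec(b".text", 0x2000, 0x1000, 0x1000, 0x400) + sec(b".data", 0x1000, 0x3000, 0x200, 0x1400)
    return dos + b"PE\0\0" + coff + opt + table

if __name__ == "__main__":
    pe = build_sample()
    for va in (0x401010, 0x402800, 0x900000):  # constructed addresses
        print(hex(va), locate(pe, va))
```

A "virtual-only" or "outside image" result means the bytes seen in the debugger have no counterpart at that position in the file on disk, which is the situation posts #10 and #12 describe.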
