olly doesn't jump into WINPROC

Support forums for OllyDbg 32-bit Assembler-Level Debugger.
Developed by Oleh Yuschuk (http://www.ollydbg.de)
hfm
Junior Member
Posts: 19
Joined: Wed Jun 20, 2012 5:36 pm

Post by hfm »

The file is packed with UPX but has been modified to make automatic unpacking difficult.

The file can however still be manually unpacked with OllyDbg & the OllyDump plugin using the same method as with standard UPX. This dump will then open without error in either DeDe or IDR, but IDR is probably a better choice if you want to view the forms for this application.
techne
Junior Member
Posts: 19
Joined: Thu Jul 04, 2013 3:08 pm

Post by techne »

Hi hfm,
Can you try to explain to me in more detail how you unpacked the target?
How do you find the OEP and dump the exe?
hfm
Junior Member
Posts: 19
Joined: Wed Jun 20, 2012 5:36 pm

Post by hfm »

This should work for most UPX-packed exe files and works for this application.

Assuming you are using a clean install of OllyDbg v1.10, install the latest OllyDump plugin from http://www.woodmann.com/collaborative/t ... p/OllyDump

1. Open the app in OllyDbg. EIP should be at a PUSHAD instruction.
2. Press Alt+F1 to bring up the command line plugin and enter "hr esp-4", then run the application.
3. When the application breaks, go to Debug->Hardware breakpoints and delete the hardware breakpoint set in the step above.
4. A few lines below here there should be a JMP. Put a breakpoint there and run.
5. When it breaks, press F7 to step into. You are now at the OEP.
6. Now you can dump the application with OllyDump. Click on Plugins->OllyDump->Dump debugged process, leave all the settings as default, click Dump and save the file.
7. You have now successfully dumped the application.

Sorry, this is a bit of a rushed explanation, but it should get you an unpacked exe to work with. If you need more info on this, google for a tutorial on manually unpacking UPX.

hfm
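The procedure above relies on the standard UPX layout: an entry point that starts with PUSHAD inside the stub's section, and an earlier section with no raw data into which the real program is unpacked (where the OEP will end up). The following added example, not from this thread or from any of the tools named in it, parses the PE headers and reports those traits so a file can be triaged before it is opened in OllyDbg; the sample PE it checks is constructed in the code, and a "modified UPX" that renames its sections would still trip the PUSHAD and empty-section checks even when the name check fails.

```python
import struct

def parse_pe(data):
    """Return (entry_rva, sections) from the headers of a 32-bit PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                         # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "va": va, "vsize": vsize, "rsize": rsize, "raw": raw})
    return entry_rva, sections

def upx_indicators(data):
    """List the UPX-style traits that the manual ESP-trick unpacking depends on."""
    entry, secs = parse_pe(data)
    hits = []
    if any(s["name"].upper().startswith("UPX") for s in secs):
        hits.append("UPX-named sections")
    home = next((s for s in secs if s["va"] <= entry < s["va"] + max(s["vsize"], s["rsize"])), None)
    if home is None:
        return hits
    # A section with virtual size but no raw data, lying below the stub, is the unpack target (future OEP).
    if any(s["rsize"] == 0 and s["vsize"] > 0 and s["va"] < home["va"] for s in secs):
        hits.append("empty section below entry (unpack target)")
    # PUSHAD (0x60) as the first instruction at the entry point is the stub prologue the ESP trick keys on.
    file_off = home["raw"] + (entry - home["va"])
    if home["rsize"] > 0 and data[file_off] == 0x60:
        hits.append("PUSHAD at entry point")
    return hits

def build_sample_pe():
    """Constructed minimal PE with UPX layout (headers plus a PUSHAD stub); not a real binary."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x11000)                                           # entry RVA in UPX1
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    def sec(name, vsize, va, rsize, raw):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, raw, 0, 0, 0, 0, 0)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    hdr += sec(b"UPX0", 0x10000, 0x1000, 0, 0) + sec(b"UPX1", 0x1000, 0x11000, 0x200, 0x400)
    stub = b"\x60\xbe\x00\x10\x40\x00"                                                 # pushad; mov esi, imm32
    return hdr.ljust(0x400, b"\0") + stub.ljust(0x200, b"\0")
```

Calling upx_indicators(build_sample_pe()) returns all three indicators; on a real file, read it in binary mode and pass the bytes in the same way.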
techne
Junior Member
Posts: 19
Joined: Thu Jul 04, 2013 3:08 pm

Post by techne »

Thank you very much hfm,
I have followed your instructions (they were really clear): I have created the dumped file, and if I execute it everything goes fine (great!!).

But if I debug it with Olly, after just a few steps I get an:
int 1
and I can't proceed.
I have also tried to decompile it with DeDe and IDR but they did not work ...
Maybe I have done something wrong, or maybe the target's defence is much more complex to disable.
hfm
Junior Member
Posts: 19
Joined: Wed Jun 20, 2012 5:36 pm

Post by hfm »

Odd, I dumped the application using the method above and it opened fine in IDR afterwards. I couldn't get DeDe to decompile the app's forms, which is why I suggested using IDR. What error do you get with IDR? Are you using the latest version from http://kpnc.org/idr32/en/download.htm ? (Scroll to the bottom.) And have you got all the knowledge base files installed properly?

hfm