📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Debuggers forum: Difficulties Dumping a Program

Topic created on: March 1, 2008 05:09 CST by baccardi.

I'm using OllyDbg. The program I'm trying to debug is packed with something PEiD doesn't find. I want to unpack it, but I can't even start the program through the debugger: the program crashes. Some say it's because of security against debuggers, so I've downloaded the HideDebugger and OllyAdvanced plug-ins, but they haven't solved my problem. How could I run that program with Olly, or maybe I can dump it without a debugger somehow?

  detlef   March 1, 2008 05:26.45 CST
As far as I know, the "hide debugger" plugin prevents the errors that occur if specific calls are made in debug mode.
When does the program crash?
Does it crash during loading or during the first execution steps?

If it crashes while being loaded by OllyDbg, it looks like the PE header is broken or manipulated in a strange way.
Otherwise, it's as if Olly's own data is corrupted.

Dumping it without a debugger is not that difficult: just invoke objdump or dumpbin. That should work and should be sufficient to get an insight into what the program is doing in detail.

  baccardi   March 1, 2008 06:51.20 CST
During loading, I guess. Then I try to run the program with Olly and I get the same.

  memo5     March 1, 2008 18:28.34 CST
Can you share this program? Then maybe I can help you.
Sometimes the PE code section is marked as read-protected.

  detlef   March 2, 2008 04:43.14 CST
Sounds like a good hint! I've never had this. I would also take a look at a shared version of it.

  baccardi   March 2, 2008 04:52.34 CST
http://www.turboupload.com/download/tQRJ3a8G4U5c/ODM_Rocker.exe
I hope it will help.

  baccardi   March 2, 2008 13:11.08 CST
OK, I've found out that it's packed with ExeCryptor. Then I found a tool, Unpacker ExeCryptor; it unpacked that program, but a program like PEiD still says that it's packed with ExeCryptor. Is it possible to pack the program twice?

  daniellewis     March 2, 2008 17:38.17 CST
Many packer schemes can be implemented a lot more than twice. They could do it 23496123935 times, except their program would run a whole lot slower. Not that the guys who do this care about their customers.

PS: I'm not sure about ExeCryptor.

  morel     March 3, 2008 04:04.22 CST
baccardi:
What you describe is an anti-debug trick of ExeCryptor. Google "TLS callback" to learn more. TLS callbacks are executed before the entry point.
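To make the point about TLS callbacks concrete, here is an added example (not from the thread): a small static parser that lists the TLS callbacks of a PE32 file, which Windows runs before AddressOfEntryPoint, so a debugger that breaks only at the entry point has already missed them. A minimal PE32 image with two callbacks is constructed inline as demo data so the script runs offline; the parser handles PE32 only, not PE32+.

```python
# Added example, not from the thread: list the TLS callbacks of a PE32 file
# statically. A minimal PE32 image is constructed inline (demo data).
import struct

TLS_DIR = 9  # IMAGE_DIRECTORY_ENTRY_TLS

def rva_to_offset(secs, rva):
    for _, va, size, raw in secs:
        if va <= rva < va + size:
            return raw + rva - va
    raise ValueError("RVA 0x%x is outside every section" % rva)

def inspect_pe32(data):
    nt = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, nt + 6)
    opt = nt + 24                                          # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("this example handles PE32 only")
    entry, base = struct.unpack_from("<I8xI", data, opt + 16)
    secs = []
    for i in range(nsec):                                  # IMAGE_SECTION_HEADER
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, nt + 24 + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, max(vsize, rsize), raw))
    tls_rva = struct.unpack_from("<I", data, opt + 96 + 8 * TLS_DIR)[0]
    callbacks = []
    if tls_rva:
        # IMAGE_TLS_DIRECTORY32.AddressOfCallBacks (4th DWORD): VA of a NULL-terminated VA array
        cb_va = struct.unpack_from("<I", data, rva_to_offset(secs, tls_rva) + 12)[0]
        off = rva_to_offset(secs, cb_va - base)
        while (va := struct.unpack_from("<I", data, off)[0]) != 0:
            callbacks.append(va)
            off += 4
    return {"entry": base + entry, "tls_callbacks": callbacks}

def build_demo_pe32():
    """Constructed PE32 (demo data): one .text section, entry 0x1300, two TLS callbacks."""
    base = 0x400000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    fhdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H14xI8xI", 0x10B, 0x1300, base).ljust(92, b"\0")
    opt += struct.pack("<I", 16) + b"\0" * 72 + struct.pack("<II", 0x1000, 24) + b"\0" * 48
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x400, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = (dos + b"PE\0\0" + fhdr + opt + sec).ljust(0x200, b"\0")
    tls = struct.pack("<IIIIII", 0, 0, base + 0x1018, base + 0x1020, 0, 0).ljust(0x20, b"\0")
    cbs = struct.pack("<III", base + 0x1100, base + 0x1200, 0)  # NULL terminator ends the array
    return hdr + (tls + cbs).ljust(0x200, b"\0")
```

Running `inspect_pe32(build_demo_pe32())` reports entry 0x401300 and callbacks 0x401100 and 0x401200; any callback listed here gets control before the entry point breakpoint fires.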

  baccardi   March 3, 2008 08:35.31 CST
So it means that I must unpack as many times as it was packed?

  nico     March 3, 2008 08:57.23 CST
Does it run in a VM?

I ran that file in my packer profiler, and it generated 801 exceptions :)

  baccardi   March 3, 2008 09:59.23 CST
What do those exceptions mean? Because actually the program is working; only Olly can't debug it.

  nico     March 3, 2008 10:17.52 CST
Those exceptions are used to thwart debuggers.

Actually, the number of exceptions varies; it might have random paths/exceptions.

Did you run this app in a virtual machine?
I am not running this on my box, hence the question.

Because the app never showed up in Virtual PC. I didn't try it in VMware yet.

  nico     March 3, 2008 10:56.40 CST
I tried it on a spare box, it doesn't run.

I went to the publisher's website though, and downloaded a file that runs on that box, protected by the same thing.

  baccardi   March 3, 2008 11:21.39 CST
Well, this is only an exe, not a setup.

  morel     March 3, 2008 12:13.50 CST
> baccardi: So it means that I must unpack as many times as it was packed?

If you don't have any experience regarding executable protectors, then I suggest leaving this one alone. ExeCryptor can present problems for beginners. A good place to learn about unpacking is www.tuts4you.com. Maybe you will even find an Olly script that can unpack your version.

  nico     March 3, 2008 14:52.36 CST
> baccardi: Well, this is only an exe, not a setup.

I know; still, it doesn't run on my machine (not a VM).
The other ones I downloaded from the sites providing those apps do, though.

As morel said, ExeCryptor isn't really for beginners in unpacking.

  baccardi   March 3, 2008 15:44.11 CST
Hehe, but I did it. I unpacked it: I found a tutorial, managed it and I succeeded.

  nico     March 3, 2008 15:59.09 CST
At least it ran for you ;)
Using tutorials doesn't teach you much, though.

Did they use stolen bytes on this bloated Delphi app?

  baccardi   March 3, 2008 16:34.01 CST
I guess not.

  nico     March 3, 2008 18:17.33 CST
What tutorial did you use?
You should know if you reconstructed an entry point or not :)

  memo5     March 3, 2008 19:11.34 CST
I have had some problems dumping an executable; the last trick that worked for me is: make a pass-through DLL for one of the system DLLs, and modify the behavior of one function that the application will call, to dump the PE from the same process space.

  baccardi   March 4, 2008 08:39.05 CST
nico, no, I didn't reconstruct the entry point; it was enough to find it.
