PE Header Issue


Tom_Smith
August 2nd, 2007, 20:26
I am attempting to open an .exe file with Ollydbg.

When I open the .exe, I get the message

"Module '...exe' has entry point outside the code (as specified in the PE header).
Maybe this file is self-extracting or self-modifying.
Please keep it in mind when setting breakpoints!"

I hit OK, chose my .exe from the Executable Modules, and all that shows up in the code are blank data bytes, i.e.
DB 00
DB 00
etc., in each line where there should be code.

What is going on and how do I get Ollydbg to show me the actual code?

I have been doing searches on this subject in these forums,
and know there are PE header tools,
but having used Ollydbg for several years, I have not encountered this problem where no code shows up,
and would like to know if anyone can give me a way to approach this in detail
(step by step, for dummies).

-Tom.

naides
August 2nd, 2007, 21:07
Chances are it is a packed-self/unpacking file.
Use PEiD or a similar util and see if you're dealing with a known packer.

Then search the forum and the web re: unpacking. . . sigh . . .

Tom_Smith
August 3rd, 2007, 18:01
I ran PEID on the .exe.

PEiD tells me I am dealing with Crypkey 6.x as my packer.

And in fact there are Crypkey related dlls and such all over the folder/directory my .exe is in.

If I try to directly load those dlls, the file Load.dll appears, and apparently the code for the dll does not appear.

There are a lot of posts regarding "Crapkey", so I'll take a week to cull thru them and "ed-u-ma-cate" myself about this bugger, see if I can come up with a formula to overcome it.

I am NOT a newbie as far as Ollydbg goes, but this is a new issue for me.

Kayaker
August 3rd, 2007, 18:06
You might try AnalyzeThis! by Joe Stewart on it, available at OllyStuph.

Harding
August 3rd, 2007, 21:10
I have not taken a look at this packer, but one thing it can be
(if it's not, this is always good to know in case something like this
pops up again in another packer) is a TLS Callback.

Fire up the file in e.g. LordPE and you can see if the TLS Table is 0; if it's not,
then you have a nice TLS Callback before WinMain.

Two things to do:
1. In OllyDBG's options you can (on the Debug tab) set "Make first pause at" to
"System breakpoint"; this will break before the TLS.

2. Download OllyAdvanced (just google for it or search here on the forum)
and in the antidebug section check the box "break on TLS Callback".

If you solve it, please tell us how so we can learn from it.
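
Both header conditions raised in this thread (OllyDbg's "entry point outside the code" warning and Harding's "is the TLS Table 0?" check in LordPE) can be read straight from the PE headers with no GUI tool. The script below is an added example, not code from anyone in this thread; it uses only the standard library, and `build_sample` constructs a minimal PE32 header (not a real program) so the checks can be exercised offline.

```python
import struct
IMAGE_SCN_CNT_CODE = 0x00000020      # section contains code
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section is executable
TLS_DIR_INDEX = 9                    # IMAGE_DIRECTORY_ENTRY_TLS

def parse_pe(data):
    """Return (entry_rva, tls_rva, tls_size, sections) from raw PE file bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, e_lfanew + 6)
    opt = e_lfanew + 24                                   # past signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+ data directory offset
    tls_rva, tls_size = struct.unpack_from("<II", data, dd_off + 8 * TLS_DIR_INDEX)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                     # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), chars))
    return entry_rva, tls_rva, tls_size, sections

def triage(data):
    """List the two header conditions discussed in the thread."""
    entry, tls_rva, _, sections = parse_pe(data)
    findings = []
    owner = next((s for s in sections if s[1] <= entry < s[1] + s[2]), None)
    if owner is None or not owner[3] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append("entry point outside code section")  # the condition OllyDbg warns about
    if tls_rva:
        findings.append("TLS directory present: callbacks can run before the entry point")
    return findings

def build_sample(entry_rva, tls_rva):
    """Constructed minimal PE32 header with .text and .data sections (not a real program)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<II", opt, 96 + 8 * TLS_DIR_INDEX, tls_rva, 0x18 if tls_rva else 0)
    def sec(name, va, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x1000, 0x400, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec(b".text", 0x1000, 0x60000020) + sec(b".data", 0x2000, 0xC0000040)

if __name__ == "__main__":
    print(triage(build_sample(0x2010, 0x2100)))          # entry in .data plus a TLS directory
```

On a real file, `triage(open(path, "rb").read())` reports the same two conditions; a non-zero TLS directory is exactly what Harding's LordPE check looks for.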

Tom_Smith
August 4th, 2007, 17:50
Thanks for the suggestions.

I have tried both separately and together:
reset the first pause to System Breakpoint, and installed the OllyAdvanced plugin and checked "break on TLS Callback";
all this had no effect.

I don't believe in reinventing the wheel, so I am going to take the time to read the many posts about CrapKey, and see if they can point me in the right direction.