Help Saving changes made to a .DLL
Oo_
March 10th, 2008, 09:31
Hi, I've read around trying to find out and the most I can see is the normal "Copy to executable" etc. However, when dealing with a .DLL I do not see that option. Here is a screen shot:
http://img511.imageshack.us/img511/8245/38386681dd0.th.jpg (http://img511.imageshack.us/my.php?image=38386681dd0.jpg)
EDIT: I know it may seem that I did no research, but I googled for a couple of hours while searching forums and other things, no luck. All I was able to find was the "Copy to executable" method, which is not available when working with .DLLs, as you can see in the screen shot.
Admiral
March 10th, 2008, 13:55
It works for me. Are you sure that the patches you have made correspond to real locations within the disk image? Which PE section are you trying to modify?
Admiral
Oo_
March 10th, 2008, 15:42
Yes I am - update: It seems to only not work with this DLL, but this DLL is not packed or anything of the sort I can find.
Admiral
March 11th, 2008, 04:29
Make sure you have write privileges. If the DLL is in use by any other program then Olly won't be able to save the changes. In the case where it's a shared DLL used by critical applications or services then you could create a local copy in the target program's directory and restart the process, forcing it to use that.
Oo_
March 11th, 2008, 11:36
I'm almost positive I have write privileges, and it's not in use by anything else. It's actually a form of a "Trojaned", if you will, version of a friend's program that was modified by someone.
naides
March 11th, 2008, 12:02
If there is a trojan involved, this may be much more complicated than simply making some changes with Olly. Malware often (I am not positive this is exactly the case here) has guard processes that block deletion/modification or killing of critical files. My first instinct is to figure out which processes "own" that .dll and suspend them all using process explorer. Now perhaps you can modify your .dll.
Another approach is to start the computer with a disk based OS, UBCD for instance, find the .dll in disk and use a hex editor (HIEW) to do your modifications, expecting that the trojan does not catch your modifications.
JMI
March 11th, 2008, 12:27
Admiral and Oo:
Unless you actually need to Quote the previous post, or a portion of it for clarity, please use the Button on the far right, which looks like a page with a down arrow on it, to do a Quick Reply without quoting the previous Post.
This will help us save some room in the database when a portion of the previous post is not really necessary to repeat.
Regards,
Oo_
March 11th, 2008, 13:24
Quote (Originally Posted by naides): ...
The Trojan is in no way, shape or form active on my computer. Actually, what it is is a "sniffer" in the .DLL that, when injected, will sniff the password to the related account; I'm simply wanting to patch the part "sending off" the passwords. There just simply isn't an option in Olly with it to "Copy to executable" etc., as you can see in the screen shot.
EDIT: Apparently I linked the screen shot wrong, but there is just NO "Copy to executable" option when working with this DLL.
naides
March 11th, 2008, 16:20
I give up.
I just made some modifications to a system .dll (in fact kernel32.dll) in my active computer OS while Olly was running some app, opened another Olly with another app and saw my modifications in memory as well as on disk (I did not mess with the kernel32 code, I changed some of the nops that align kernel32 functions) and I had no problem. Olly can modify at will even system dlls while they are in use by every process. Something is haywire with Oo_ or (s)he is playing some sort of game.
Oo_
March 11th, 2008, 17:48
I'm positive I could save the changes if it gave me some option to, but there is not that option when working with this .DLL, as you can see, look here:
http://img204.imageshack.us/img204/7071/37051184sc0.jpg
SunBeam
March 13th, 2008, 04:35
1) Make sure the changes you want to make are not in a section that isn't present in the RAW file. For instance, if I opened a Delphi app and tried to save a cave at an address at the end of the CODE section, Olly will bitch at me that it can't save the code there, because the section doesn't physically exist in the app (it's mapped after running the app).
2) Open your DLL in HexWorkshop or whatever hex editor you use. Look for the hex array corresponding to those opcodes. If you find 0 results, then there's your answer. Code is probably packed and unpacked later on, or just allocated.
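A worked version of SunBeam's two checks, added here as an example (it is not from the thread, and not OllyDbg's own code): parse the DLL's section table, map the RVA you want to patch to a file offset (None means the bytes exist only in memory, which is exactly when Olly has nothing on disk to write to), and search the raw file for the opcode bytes. The PE image below is constructed so the script runs stand-alone; feed it the real DLL's bytes instead, subtracting ImageBase from the VA Olly shows to get the RVA.

```python
import struct

def parse_sections(data: bytes):
    """Return [(name, va, vsize, raw_ptr, raw_size)] from a PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    first = e_lfanew + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    secs = []
    for i in range(nsec):
        off = first + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        secs.append((name, va, vsize, rptr, rsize))
    return secs

def rva_to_raw(sections, rva):
    """File offset backing an RVA, or None if that byte has no raw data on disk."""
    for _name, va, vsize, rptr, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            delta = rva - va
            return rptr + delta if delta < rsize else None  # past SizeOfRawData: memory only
    return None

def find_bytes(data: bytes, pattern: bytes):
    """All offsets where the opcode byte pattern occurs in the raw file."""
    hits, start = [], 0
    while True:
        i = data.find(pattern, start)
        if i == -1:
            return hits
        hits.append(i)
        start = i + 1

def build_sample_pe() -> bytes:
    """Constructed minimal PE (not a real DLL): .text has raw data, .bss has none."""
    opt = b"\0" * 0xE0  # zeroed PE32 optional header, so ImageBase is 0 here
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x2102)
    def sec(name, vsize, va, rsize, rptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, 0x60000020)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt
    hdr += sec(b".text", 0x1000, 0x1000, 0x200, 0x400) + sec(b".bss", 0x1000, 0x2000, 0, 0)
    img = bytearray(hdr.ljust(0x600, b"\0"))
    img[0x410:0x416] = b"\xE8\x00\x00\x00\x00\x90"  # sample call+nop at RVA 0x1010
    return bytes(img)

if __name__ == "__main__":
    pe = build_sample_pe()
    secs = parse_sections(pe)
    for rva in (0x1010, 0x1800, 0x2010):  # in raw .text, past raw .text, in .bss
        print(hex(rva), "->", rva_to_raw(secs, rva))
    print("pattern at", [hex(o) for o in find_bytes(pe, b"\xE8\x00\x00\x00\x00\x90")])
```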