Trouble saving changes.


Skull
September 18th, 2008, 22:35
I debugged an executable with OllyDbg and made some changes, but I can't save them. The standard option (right-click --> Save changes to executable) is missing in this case. I'm a newbie, but could it be that the code is created at runtime? Is there any possibility to make my changes permanent? I used PEiD and other programs to scan whether it's packed or encrypted, but none of the detectors could find anything.

Thank you very much for help.

esther
September 19th, 2008, 10:27
Use proper tools, get a hex editor.

Skull
September 19th, 2008, 12:30
I tried W32Dasm, but can't find the section there :/

dELTA
September 19th, 2008, 17:47
The executable in question is most likely packed, and in that case you need to unpack it first, before being able to make any static changes to it at all.

Skull
September 19th, 2008, 18:30
Yep, it looks like it, but every detector says that it's not, and I need to know how it's packed to unpack it, right? I tried a loader, but that does not work either.

squidge
September 20th, 2008, 05:59
In OllyDbg, you can use View -> Memory (Alt+M) to see exactly where the memory is, and whether it has been allocated or is part of the exe file. If it's been allocated, obviously OllyDbg can't save the changes to the file.

dELTA
September 20th, 2008, 06:05
Don't use detectors, and don't use automatic patchers, simply search for the surrounding byte patterns in the static file. If they're there, the file is not packed/crypted, and you can then manually patch it. If they're not there, the file is packed/crypted, and you should proceed to analyze it.

Skull
September 20th, 2008, 09:41
@squidge: In the region where I want to change code, the columns Owner, Section, Contains and Mapped as are empty. Type is: Priv 00021040, Access: RWE. I don't know how to interpret that, but because the option in OllyDbg for saving changes in that area is missing, it must be somehow protected.

@dELTA: When using W32Dasm I can't find the section in the executable (it's only there if I run the program). OllyDbg 2.0 alpha says: "Quick statistical test of module 'xxxx' reports that its code section is either compressed, encrypted or contains large amount of embedded data." So it looks like it is somehow protected... how do I proceed now? Can you suggest any tutorial?

Another thing I want to mention is that OllyDbg does not break when loading the program... I always have to hit pause to stop it from running, and breakpoints are lost although I have set the UDD directory.


Thanks for help

blabberer
September 20th, 2008, 14:57
Private means it was allocated virtually by the process using VirtualAlloc, VirtualAllocEx, etc.

21040 =

0:000> !vprot @eax
BaseAddress: 00c40000
AllocationBase: 00c40000
AllocationProtect: 00000040 PAGE_EXECUTE_READWRITE
RegionSize: 00001000
State: 00001000 MEM_COMMIT <==========
Protect: 00000040 PAGE_EXECUTE_READWRITE <------------
Type: 00020000 MEM_PRIVATE <--------------------


Since it is created at runtime you cannot save this, as it doesn't exist in the file at all.

You have to watch when this memory is created and from where in the exe the data is passed on to it.

Attached is a simple exe that allocates virtual memory and does something. All you have to find is what to patch, and where, to make this eax do something visible.

Skull
September 20th, 2008, 16:35
Because I am a newbie I don't understand much of what you are talking about. How do I find out when the memory is created, and from where?

Skull
September 23rd, 2008, 15:19
I've found a possibility to make changes in the program behaviour by changing the msvcp80.dll in the WinSxS folder of Windows. Does this change maybe affect other programs, or is it okay to change it? If those changes affect other programs, is it somehow possible to change it temporarily every time I run the program? With a loader, for example?!

Iwarez
September 23rd, 2008, 16:48
Blabberer,

why is the memory allocated with PAGE_EXECUTE_READWRITE in your sample? As far as I can see it's never used to execute code. Or is it just to show Skull how to locate and break on VirtualAlloc calls?

blabberer
September 24th, 2008, 14:46
Oh, that's copy-paste cobbled code; it's just a sample to show how memory can be virtually allocated and used further.

Here is the C code:

Code:

#include <stdio.h>
#include <string.h>
#include <windows.h>

int main (void)
{
    char *esthex;
    /* the data as it sits in the file; every byte gets XORed with 144 at runtime */
    char letesthexit[] = {144,252,245,228,227,176,227,245,245,176,249,246,176,245,227,228,248,245,226,176,243,241,254,176,248,245,232,176,228,248,249,227,144,144,144};
    int i;

    /* private RWE region: this is what OllyDbg shows as Type Priv, Access RWE */
    esthex = (char *)VirtualAlloc(NULL,0x1000,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
    if (esthex == NULL)
    {
        return 1;
    }
    memcpy(esthex,letesthexit,sizeof(letesthexit));
    for(i=0; i<sizeof(letesthexit); i++)
    {
        esthex[i] = esthex[i]^144;
    }
    printf("%s\n",esthex);
    /* with MEM_RELEASE the size argument must be 0 (the original post passed 1000 here) */
    VirtualFree(esthex,0,MEM_RELEASE);
    return 0;
}
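The two pieces of advice above, applied to the posted sample: dELTA's check (search the static file for the bytes you saw in memory; if they are there, the file is not packed and you patch at that offset) and blabberer's point (the text only ever exists in the file in encoded form, and is XOR-decoded after being copied into the private region, so what you patch is the encoded source data). The following Python is an added example written for this thread, not code from the forum, from OllyDbg or from blabberer's attachment. The XOR key 144 and the letesthexit[] bytes are taken from the posted C sample; the file contents are a constructed stand-in for an executable's data section, not a real PE.

```python
"""Locate, in the static file, data that a program only decodes at runtime.

Added example for this thread (not code from the forum or from OllyDbg).
Assumption: the bytes seen in OllyDbg's private RWE region were memcpy'd from
the executable's own data section and then XOR-decoded with a single byte, as
in blabberer's sample. The decoded text never exists in the file, but its
encoded form does, so that is what gets patched.
"""
from typing import List, Optional, Tuple

KEY_USED_BY_SAMPLE = 144  # the XOR key in the posted letesthexit[] sample


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def find_pattern(data: bytes, pattern: str) -> List[int]:
    """Search `data` for a hex pattern such as "55 8B EC ?? EC 10".

    '??' matches any byte. This is dELTA's test: if the bytes surrounding the
    change you made in memory are found here, the file is not packed and the
    returned file offsets are where a hex editor patch goes.
    """
    parts: List[Optional[int]] = [None if p == "??" else int(p, 16) for p in pattern.split()]
    hits = []
    for off in range(len(data) - len(parts) + 1):
        if all(p is None or data[off + k] == p for k, p in enumerate(parts)):
            hits.append(off)
    return hits


def find_xor_encoded(data: bytes, plaintext: bytes) -> List[Tuple[int, int]]:
    """Return (offset, key) pairs where `plaintext` occurs under a 1-byte XOR.

    For each key 0..255 the plaintext is re-encoded and searched as a literal,
    which is cheaper than decoding the whole file 256 times. Key 0 covers the
    case where the text is in the file unencoded after all.
    """
    hits = []
    for key in range(256):
        encoded = xor_bytes(plaintext, key)
        pos = data.find(encoded)
        while pos != -1:
            hits.append((pos, key))
            pos = data.find(encoded, pos + 1)
    return hits


def patch_encoded(data: bytes, offset: int, key: int, new_text: bytes, old_len: int) -> bytes:
    """Return a copy of `data` with `new_text` written XOR-encoded at `offset`.

    `new_text` is NUL-padded to `old_len` so the decoded C string still
    terminates where the old one did; the program's own decode loop then
    produces `new_text` at runtime without the private region ever being
    touched in the file.
    """
    if len(new_text) > old_len:
        raise ValueError("replacement longer than the original data")
    padded = new_text + b"\x00" * (old_len - len(new_text))
    encoded = xor_bytes(padded, key)
    return data[:offset] + encoded + data[offset + old_len:]


# Constructed stand-in for an executable's data section (not a real PE): a few
# bytes of code-looking filler, zeros, the exact letesthexit[] bytes from the
# posted sample, more zeros.
_LETESTHEXIT = bytes([144, 252, 245, 228, 227, 176, 227, 245, 245, 176, 249, 246, 176,
                      245, 227, 228, 248, 245, 226, 176, 243, 241, 254, 176, 248, 245,
                      232, 176, 228, 248, 249, 227, 144, 144, 144])
SAMPLE_FILE = b"\x55\x8b\xec\x83\xec\x10" + b"\x00" * 32 + _LETESTHEXIT + b"\x00" * 32


def demo() -> None:
    # Text the sample's decode loop produces from array index 1 onward.
    visible = b"lets see if esther can hex this"
    print("decoded text in file as-is:", find_pattern(SAMPLE_FILE, "6C 65 74 73"))
    for offset, key in find_xor_encoded(SAMPLE_FILE, visible):
        print("encoded copy at file offset 0x%x with key %d" % (offset, key))
        patched = patch_encoded(SAMPLE_FILE, offset, key, b"hexed by skull", len(visible))
        print("after patch, decode loop yields:", xor_bytes(patched[offset:offset + len(visible)], key))


if __name__ == "__main__":
    demo()
```

On a real target you would read the executable with `open(path, "rb").read()` in place of `SAMPLE_FILE`, and the `plaintext` argument would be whatever string or byte sequence you saw in the Alt+M region; once `find_xor_encoded` reports an offset, a memory breakpoint on write over the private region in OllyDbg will stop at the copy or decode loop that uses that data.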

Iwarez
September 24th, 2008, 17:02
Ooh, copy-paste! Evil! Thanks for clearing that up. I thought so, but I thought I had maybe missed something. After all, I'm just an amateur. There is a bug in your code, btw. VirtualFree with MEM_RELEASE should be called with the size parameter set to 0. :P

blabberer
September 25th, 2008, 10:51
Quote:
Originally Posted by Iwarez
There is a bug in your code, btw. VirtualFree with MEM_RELEASE should be called with the size parameter set to 0. :P


Ah, thanks, that might have been caused by find/replace.