PDA

View Full Version : OllyICE doesn't create .udd file for an unpacked executable


jayoce
December 4th, 2008, 04:13
Hi
I'm trying to debug an executable that I unpacked using UPX.
But everytime I restart the .exe from OllyICE, it analysis the executable again, and doesn't save any .udd file in UDD folder, so all the breakpoints disappear. Can anyone help me please?



---
All truths are easy once they are discovered, the point is to discover them
Galileo Galilei
---

rooky2000
December 4th, 2008, 08:51
option----->security

jayoce
December 4th, 2008, 08:56
I don't have this problem with other executables.
I mean that the option has already been checked but .udd file isn't saved.

TempoMat
December 8th, 2008, 17:22
Looks as if your file is not fully unpacked.
I have had similar problems with some files which after unpacking still had some traces of packed data in them.
Did you unpacked the target manually or used automated unpackers or upx with the -d switch?

Greetz

jayoce
December 9th, 2008, 13:29
I unpacked the file using upx with the -d switch...

TempoMat
December 17th, 2008, 04:19
Quote:
[Originally Posted by jayoce;78145]I unpacked the file using upx with the -d switch...


Just like I thought.
You might have to check the unpacked file, there might still be some traces of compressed sections or data in the presumed unpacked file.

Another aspect you might consider is that the progi might also be loading a dll for instance always with different names at run time. In this case Olly will not show your previously saved comments and remarks, because of the new name of the now loaded dll or whatever extension the file might have.
I have seen a few programs that did that. This can make debugging a pain, especially if something goes wrong during the tracing and and the session has to be restarted.

BP on CreateFileA und LoadLibraryA for instance on at least 2 separate runs in Olly and figure out if this is the case.

If so than you may Bp on CreateFileA and alter the name of the file(s) to be created to the one your first debugged and olly should be able to load the previously saved comments and remarks.

Regards