View Full Version : OllyDbg Crashes Running exe


kenny782
October 25th, 2009, 00:33
Okay, pretty new to this. It's my first attempt to do this myself.

The app itself runs fine when executed in OllyDbg 2.00

I found a plugin I need to use for 1.10 so I downloaded OllyDbg 1.10
Even before I installed the plugin I tried running the app within Ollydbg and it just crashed Ollydbg.

I'm not really sure what other information I can give you to help since it's a basic function.
But anything else I can provide just ask.

Thanks,

Kenny

OS: Windows XP SP3

esther
October 25th, 2009, 01:48
DO NOT POST THE NAME OF THE SOFTWARE COMPANY THAT MAKES THE PROGRAM. DO NOT POST TARGET SPECIFIC CODE THAT INCLUDES THE NAME OF THE TARGET: this means do not post code that shows where and how to patch/keygen blah blah blah on a specific target. Keep your code snippets as generic as possible while explaining your problem. DO NOT POST THE NAME OF THE SOFTWARE COMPANY AND THE NAME OF THE TARGET. DO NOT POST THE NAME OF THE SOFTWARE COMPANY AND THE NAME OF THE PROTECTION. DO NOT POST THE NAME OF THE SOFTWARE COMPANY, THE NAME OF THE TARGET AND THE NAME OF THE PROTECTION. DO NOT POST ANY VARIATION OF THE AFOREMENTIONED RULES.

kenny782
October 25th, 2009, 02:41
sorry

edited the above post
I did run a search but I admit I hadn't read the FAQ yet...well until now lol

Kenny

naides
October 25th, 2009, 07:13
Hi Kenny.
This is something I would explore: There are some anti-olly tricks that your program may be using. At least 2 that I know of. The implementation of your program may be effective in Olly 1.10 but may have been patched/solved in Olly 2.0. Search for anti-olly tricks, there are plug-ins and countermeasures designed for Olly 1.10.

Silkut
October 25th, 2009, 07:13
Well it may be an olly (1.x specific) antidebugging trick, is the exe packed/crypted somehow?
Some deadlisting to identify nasty API?

EDIT: well despite the same posting time, naides has been faster

FrankRizzo
October 25th, 2009, 14:26
Also, you could run one of the protection identifiers, and see if it tells you what the protection is. That'll help US, help YOU.

kenny782
October 25th, 2009, 15:00
Looks like this one has the info you want

Thanks again,

Kenny

I'll see if I can find that Armageddon, hopefully it's pretty simple to run

kenny782
October 25th, 2009, 15:23
okay I found armageddon 1.6.

1) I run the app with no options it comes up.

2) I run the app with debug blocker selected.
Quote:
Debug Blocker Detected
child Process ID: 1F4
child Process ID: 778
===================
Entry Point: 06A3B72
Original Bytes: E8933E00
Process 1F4 Detached


While I can see the processes are running, the application never shows up on the screen.
I'm able to attach to the process in Olly but since I can't use the app it doesn't really do anything.

Any ideas?

Thanks,

Kenny

kenny782
October 25th, 2009, 18:56
I tried the analyze nanomite option and it said none were found.

BanMe
October 26th, 2009, 20:55
Hmm, I have had this problem too on my laptop.. but it isn't happening with any module that has any protections.. it's happening on ntdll... which is strange because it worked before.. my issue happens during analysis and it crashes and Olly 2.0 pops up.. I've yet to find a suitable fix for this.. if anyone has any pointers or ideas to fix this I'd like to hear them..

naides
October 26th, 2009, 23:17
@BanMe:
One thing that I would try: Open Olly either 2.0 or 1.10 within Olly (2.0??) Now within the "inner" olly open the program in question. You may be able to isolate the piece of code inside your program or within Olly that is fucking things up.

kenny782
October 27th, 2009, 18:49
I found a modified version of Olly 1.10 called "shadow edition", it had the no debug plug-in.
Opened up the exe no problem and the no debug plug-in worked perfectly.

I need to read over the rules again but just to be safe I'll PM you the link instead of posting it.

-Kenny

kenny782
October 27th, 2009, 18:53
Now my only problem is Armadillo: RDG says 3.75C, PEiD says 5.4.

But anyway, I've found a bunch of walkthroughs to do it manually, or for ArmaGeddon 1.0

Does anyone have a walkthrough for Armageddon 1.7? I've been trying to use ArmaGeddon 1.7 to remove it.
I think I've almost got it but I seem to be missing a few steps.

Thanks,

Kenny

SiGiNT
October 31st, 2009, 21:32
Armageddon won't dump Arma that spawns a child process, it will detach it for you and tell you what bytes to restore. Admittedly, I've not used this excellent tool that much (too busy trying to keep my head above water), so I may be incorrect; if I am then I would love to know about it! Arma also frequently masks the version it is, so most packer detectors won't agree. There are custom versions floating around out there and that complicates the version detection process even more.

SiGiNT