Target Automatically Runs When Loaded Into Olly


GNIREENIGNE
January 30th, 2011, 12:06
I have a target that automatically runs after I load it into Olly. It loads all of the modules and stops on dciman32.dll. The Olly screen is blank and remains that way until I close the target. When I hit cancel/close on the target application, I can then see information in Olly. Of course, I can see that it's running from the main thread, but has stopped on module ntdll (which is not included with the target; i.e. it's a system file).

I have checked PEID, and there appears to be no protection.

Any ideas?

I am running Vista 32-bit Home Premium Service Pack 2 on this current machine (with OllyDRX). I have also tried on Windows 7 Professional 64-bit (with Olly 2.01 Alpha). The target application is a 32-bit application with a 15-day trial. Opening the application as a standalone and/or with Olly attached presents the application's main GUI with a nag screen in front. The nag screen gives the option for inputting a serial, selecting 'try' (for 15 days) and/or hitting cancel. The program closes out if you cancel, and does not function unless you select 'try'. The registration/serial function does state that the serial must be 16 characters long (minus dashes).

Thank you.

Ricardo Narvaja
February 2nd, 2011, 04:37
.NET apps run in this form, don't stop at the EP, and cannot be reversed, or it is very difficult, with OllyDbg.

ricnar

owl
February 24th, 2011, 16:42
Quote:
[Originally Posted by Ricardo Narvaja;89339].NET apps run in this form, don't stop at the EP, and cannot be reversed, or it is very difficult, with OllyDbg.

ricnar


If that is the case, why not try doing a dynamic analysis to try to gather as much info as possible, and afterwards download the free version of IDA Pro to do the static analysis instead of using OllyDbg?

v01d
February 26th, 2011, 06:16
The application could have a TLS (thread-local storage) section, and it runs some code before the entry point. You can try to download some plugin for Olly to stop execution in the TLS. StrongOD has this option.

pHi1t3r
February 26th, 2011, 13:57
You don't even need to go that far when dealing with TLS Callbacks. You can set Olly to load at the system breakpoint. Look in the PE header and see if there are any callback routines. From there you can breakpoint them.
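
Added example, not part of the thread and not any poster's code: the two header checks suggested above can be done statically before opening a debugger. The CLR data-directory entry marks a .NET image, and the TLS directory lists the callbacks that run before the entry point. `triage` and `sample_pe` are hypothetical names, and the sample image is constructed for the demonstration.

```python
import struct

TLS_DIR, CLR_DIR = 9, 14   # data-directory indexes: TLS table, CLR (.NET) header
def u16(d, o): return struct.unpack_from("<H", d, o)[0]
def u32(d, o): return struct.unpack_from("<I", d, o)[0]

def triage(data):
    """Return (is_dotnet, [TLS callback VAs]) for a 32-bit PE image."""
    pe = u32(data, 0x3C)                                   # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe + 24                                          # optional header start
    if u16(data, opt) != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    base, ndirs = u32(data, opt + 28), u32(data, opt + 92)  # ImageBase, directory count
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(min(ndirs, 16))]
    sec0 = opt + u16(data, pe + 20)                        # section table follows the header
    secs = [struct.unpack_from("<IIII", data, sec0 + 40 * i + 8) for i in range(u16(data, pe + 6))]
    def off(rva):                                          # RVA -> file offset
        for vsize, va, rsize, rptr in secs:
            if va <= rva < va + max(vsize, rsize):
                return rptr + rva - va
        raise ValueError("RVA 0x%x is not inside any section" % rva)
    is_dotnet = len(dirs) > CLR_DIR and dirs[CLR_DIR][0] != 0
    callbacks = []
    if len(dirs) > TLS_DIR and dirs[TLS_DIR][0]:
        table_va = u32(data, off(dirs[TLS_DIR][0]) + 12)   # AddressOfCallBacks (a VA, may be 0)
        pos = off(table_va - base) if table_va else None
        while pos is not None and (va := u32(data, pos)):  # array ends with a null entry
            callbacks.append(va)
            pos += 4
    return is_dotnet, callbacks

def sample_pe(dotnet=False):
    """Constructed minimal PE32 image (not a real program) with two TLS callbacks."""
    img = bytearray(0x240)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    fields = [("<I", 0x3C, 0x40), ("<HH", 0x44, 0x14C, 1), ("<H", 0x54, 224),  # e_lfanew, file header
              ("<H", 0x58, 0x10B), ("<I", 0x74, 0x400000), ("<I", 0xB4, 16),   # magic, ImageBase, dir count
              ("<II", 0x100, 0x1000, 24),                    # TLS directory entry
              ("<II", 0x128, 0x1080 * dotnet, 72 * dotnet),  # CLR header entry
              ("<IIII", 0x140, 0x100, 0x1000, 0x40, 0x200),  # section: vsize, va, rawsize, rawptr
              ("<I", 0x20C, 0x401020),                       # AddressOfCallBacks (VA)
              ("<3I", 0x220, 0x401040, 0x401050, 0)]         # null-terminated callback array
    for fmt, at, *vals in fields:
        struct.pack_into(fmt, img, at, *vals)
    return bytes(img)
```

On a real file, pass `open(path, "rb").read()` to `triage`; the returned addresses are where breakpoints belong once the debugger is set to pause at the system breakpoint.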