View Full Version : W32Dasm


salsa
June 26th, 2002, 23:16
w32dasm cuts off part of the disassembly when working on some of the unpacked progies. Ollydebug, on the other hand, works successfully and I can get the missing parts together with the strings complete. I don't think I am doing something wrong while unpacking because the program runs fine after rebuilding (and setting the characteristics of the first section as executable).

Working with w32dasm is more comfortable for me because I can follow calls, search for pushes and blocks of bytes, etc.

What may be the remedy for it?

Thx

wbe
June 27th, 2002, 18:58
Maybe you're running short on memory. Give your w32dasm some more memory. That may help.

Kayaker
June 29th, 2002, 07:40
Hi,

Unfortunately you didn't give quite enough information to help answer the question. What do you mean exactly by "cuts off part of the disassembly"? Does it cut off addresses that are within the executable .text section, or addresses in higher memory that are part of another section? Or do you mean that some strings are missing in Wdasm that Ollydebug picks up? An example of what you mean would help.

If this is a standard re-fried smoked and cured Asprotect Delphi app we're talking about, then Wdasm never gets all the Delphi strings anyway, but DeDe should if it can open up the rebuild.

Wdasm normally disassembles any section with the Code characteristics set to Executable, so you could in theory disassemble every section this way. But I'm not sure if that's what you mean. If the StringRefs from Wdasm are missing, there may be an error in a pointer to the resources in the rebuilt file, but Ollydebug recognizes the resources in a different way.

Wdasm has a known bug with Named resources as it is. "Named" resources are ones specified by the programmer, and differ from the pre-defined types such as Menus, Dialogs, Accelerators, Strings, Icons, ... Undefined resource types can be put in RCDATA, but can also be specified separately as well. You should check that the .rsrc section is intact after the rebuild, open it with a resource editor such as Exescope and see if all the names make sense and you can actually access all the resources.

Don't know if this answered your question.

Kayaker

salsa
June 30th, 2002, 21:17
Here is the detailed explanation:

w32dasm cuts off part of the disassembly (.text or .CODE), always towards the end (e.g., I can't see the part after 00544afd to 551000).

However, this happens only after fixing the dump with ImpRec. I dump memory, replace "EBFE" with the original instruction, correct the OEP and disassemble with w32dasm. The disassembly is OK, strings are in place (if non-Delphi), only imports are missing. Then I fix the imports with ImpRec and disassemble again. This time imports are there but the disassembly is incomplete (last 200 to 400 lines are missing). These symptoms are the same for VB, Visual C and Delphi apps. And yes, they are all cured aspr apps and all work fine.

Kayaker, thanks for your descriptive reply and I'd like to thank every member of this board too. This place is a great informational resource.
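
An added example, not part of the thread and not any poster's code: a Python check of a rebuilt file's section table, covering the points raised above (which sections carry the executable flag, and whether each section's address range is still backed by bytes in the file). The sample header is constructed, and `section_report` and `build_sample` are names chosen here; it shows what the headers say, not how W32Dasm itself decides what to disassemble.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics flag from the PE format

def section_report(data):
    """List (name, va_start, va_end, executable, file_backed) for each PE32 section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    (image_base,) = struct.unpack_from("<I", data, opt_off + 28)
    rows = []
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        start = image_base + rva
        # file_backed: raw bytes cover the whole virtual range and lie inside the file.
        # False is normal for data sections with uninitialised tails; worth a look for code.
        backed = rawsize >= vsize and rawptr + rawsize <= len(data)
        rows.append((name.rstrip(b"\0").decode("ascii", "replace"), start,
                     start + vsize, bool(chars & IMAGE_SCN_MEM_EXECUTE), backed))
    return rows

def build_sample():
    """Constructed two-section PE32 image for the demo (headers only, not a real program)."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(28, b"\0") + struct.pack("<I", 0x400000)
    opt = opt.ljust(0xE0, b"\0")
    def sec(name, vsize, rva, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, rva, rawsize, rawptr,
                           0, 0, 0, 0, chars)
    table = (sec(b".text", 0x400, 0x1000, 0x200, 0x200, 0x60000020) +
             sec(b".rsrc", 0x100, 0x2000, 0x200, 0x400, 0x40000040))
    return (dos + coff + opt + table).ljust(0x600, b"\0")

if __name__ == "__main__":
    for name, start, end, exe, backed in section_report(build_sample()):
        print(f"{name:8} {start:08X}-{end:08X} exec={exe} file_backed={backed}")
```

Running the same report on the dump before and after the import fix shows whether the section table changed between the two.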