patching code directly with ollydbg
naides
January 23rd, 2006, 12:33
This post stems from a question that Ksbrace asked me in a different thread. I did not know the answer but I think it is an interesting proposition.
While tracing with olly (or SoftIce), we can change code instructions using the -assemble- feature, or data contents at will.
These changes are done in memory, not in disk.
Is it possible to have ollydbg permanently record those changes to the file on the disk?
At face value it should not be possible: the file in question is open and loaded by the OS because its code is being run, so file access should be denied, but the intended changes could be written to a copy of the file on the disk.
I vaguely remember seeing something like that in an olly plugin, but alas, I do not remember its name and I cannot find it now.
Is there such a utility?
Admiral
January 23rd, 2006, 12:57
Sure it's possible.
Highlight the changes you want to save (in the disassembly or data window) and right-click, 'Copy to executable', 'Selection'. Of course, this only works if the VA you're at maps back to a part of the disk image via the PE Header (so modifying the section table in the virtual image will cause trouble with this feature).
Regards
Admiral
naides
January 23rd, 2006, 13:05
Oh well.
That was sweet and simple admiral.
I am still learning my way around Ollydbg.
SiGiNT
January 23rd, 2006, 23:43
You also have to be careful if you are dealing with self-modifying code - I've worked on one that was written in RealBasic and it looped through the code several times - on every pass call and jump addresses would change - modifying and writing to the executable can be disastrous, but in its infinite wisdom (and Oleg's), it will save a .bak of the original.
SiGiNT
ksbrace
January 24th, 2006, 17:09
Thanks for the info!
Ricardo Narvaja
January 25th, 2006, 07:11
Highlight the code changed
right click - COPY TO EXECUTABLE
in the new window that appears
right click - SAVE FILE
Ricardo Narvaja
Nacho_dj
January 26th, 2006, 09:25
Hello:
That is right Ricardo, but I cannot save with OllyDbg the code in a 'cave' made at the end of another section, that is, not in the .code section. Do you know why?
Thanks
Nacho_dj
ZaiRoN
January 26th, 2006, 09:42
Hi Nacho_dj.
Seems like Ollydbg saves modifications made in the cpu window only. If you want to save modifications made in other sections you have to dump (with a simple Go-to command, ctrl-g) the code in the cpu window and then save.
blabberer
January 26th, 2006, 12:26
why can't you copy modifications done in another section right from there itself?
right click copy to executable, that's all
the only problem is that if you have done modifications in many sections, then when you use this right click thingy it will save all those that are in the section you have selected and not in other sections
you should either save them separately
or
use alt+e (view executable --> right click --> view executable file --> right click --> save file)
see the attached pic
oops the board doesn't accept big pictures (800*600 screenshot) it seems and my paint doesn't know how to resize the pic without fscking it up
i attached it as zip

ZaiRoN
January 26th, 2006, 12:55
You can see I'm definitely a non Olly-user...
Thx Blabberer
Ricardo Narvaja
January 26th, 2006, 13:49
Olly shows you the sections and you can write in a virtual part of a section in OLLY, but you can only save to the exe if this part is not only virtual.
When a section is loaded, if VIRTUAL SIZE is bigger than RAW SIZE, the program fills the virtual part with zeros, and olly shows you this part; if you write in this virtual-only part, you can't save it in the exe, because this part doesn't exist in the exe, it is only virtual.
If you need to write there, open the program in a hex editor and increase the size of the section until RAW SIZE is equal to VIRTUAL SIZE; in this case you can write in any part of the section without problem, since all you see in OLLY is part of the exe.
Sorry for my bad English, I hope you understand.
Ricardo
Ricardo Narvaja
January 26th, 2006, 13:54
the extreme case is a section with RAW SIZE = 0 and for example VIRTUAL SIZE = 1000
you see in OLLYDBG 1000 bytes but they are all virtual; the size of the section in the exe is 0 LONG. If you write in the 1000 virtual bytes in olly, where will it be stored when you save? The exe section is 0 LONG, it is impossible; you need to open the exe in a HEXEDITOR and add 1000 bytes to the size of the section
RAW SIZE will be 1000 and VIRTUAL SIZE = 1000
and then whatever you write in any part of the section can be stored in the exe.
Ricardo
blabberer
January 26th, 2006, 14:47
well i answered believing he is talking about an existing real cave in another section
not some virtual-only non-existing caves
@ricardo
if he was not talking about real caves then what you are saying is absolutely correct, but in that case ollydbg will warn saying unable to locate data
but making a virtual-only section physical is no big deal i think, at least
the old proc dump used to do it in a jiffy, giving you
1400 zero padded bytes to iczelions tute-02

in code section when you asked it to rebuild pe

and used to hide a "this exe was built by lorraine" etc string
which wasn't visible on the loaded image but available only in the pe header
physically
i think playing around with ollydump should yield a real image with file alignment = section alignment easily, with all those invisible 0000 physically present in the exe
Nacho_dj
January 27th, 2006, 07:01
Many thanks for your answers mates!
But when I was trying to do the patch in other sections, as I told you before, I opened the file in a hex editor simultaneously with Olly.
I did the test of patching the zeroes of another section than .code just behind an existing string in the file followed by zeroes, as the hex editor showed me. So in this case no virtual allocation was involved. And OllyDbg didn't show the option "Copy to executable" enabled when right clicked.
Anyway, I will try your work-arounds when getting home...
Cheers
Nacho_dj
BTW: Ricardo, don't worry, you are understood perfectly, regards!
blabberer: very funny the picture, hehe

blabberer
January 27th, 2006, 12:24
funny ? i thought i attached a wrong pron pic

and downloaded to confirm if it was really funny
well it has two windows, one is the regular where you see the disasm and dump
and you could see the blah blah string as well as the push referring to that address, one in
dump and another in code section
the window which has the save is done via alt+e save, and to show the complete contents of the file the mode has been changed to text 64
if you notice some 4 bytes are highlighted in the right window which would show you a h == 0x68 == push opcode and you can see the string down below in english
well they say pictures talk a thousand words but it seems this pic is talking more confusion than words
anyway i just dumped iczelions tut with ollydump and i see it turns the
2.5 kb exe into a 16 kb exe (4 sections each a page size) so it's easy to add zeroes without a hexeditor
Admiral
January 27th, 2006, 13:21
Nacho_dj,
Even if the cave you're using is present in the disk image, OllyDbg will refuse to patch over it unless the PE header tells your OS to load that part of the section. So if you see a load of zeros padding a section (in the disk image) up to the 0x1000 boundary (effectively using 0x1000 for FileAlignment) then you can make your caves patchable by rounding up VirtualSize and SizeOfRawData to the nearest 0x1000 in the IMAGE_SECTION_HEADER structure (this actually applies for any multiple of 0x200 up to and including 0x1000). Perhaps the easiest way to do this is to use a PE editor such as LordPE.
A word of warning, though. Although keeping your patches as close to the end of the real data as possible may seem like a good idea, be aware that you may actually be causing more trouble than good. It is altogether possible that the last few entries (particularly in the .data section) are initialised to zero, and so patching over what appears to be a cave could have disastrous consequences.
Regards
Admiral
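The two explanations above (Ricardo's RAW SIZE vs VIRTUAL SIZE point, and Admiral's point that the VA must map back to the disk image via the section headers) come down to one lookup in IMAGE_SECTION_HEADER. The script below is an added example, not from the thread or from OllyDbg; it parses a constructed section table (image base 0x400000 and section addresses chosen to resemble tut-02, not taken from a real file) and classifies a VA as on-disk, virtual-only, or unmapped.

```python
import struct

# IMAGE_SECTION_HEADER, 40 bytes little-endian: Name[8], VirtualSize,
# VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_SIZE = struct.calcsize(SECTION_FMT)

def parse_sections(table):
    """Parse a raw section table into dicts using the PE header field names."""
    out = []
    for off in range(0, len(table), SECTION_SIZE):
        f = struct.unpack_from(SECTION_FMT, table, off)
        out.append({"Name": f[0].rstrip(b"\0").decode(), "VirtualSize": f[1],
                    "VirtualAddress": f[2], "SizeOfRawData": f[3],
                    "PointerToRawData": f[4]})
    return out

def locate(sections, image_base, va):
    """Map a VA to the disk image, returning (status, section, file_offset).
    "file":          backed by SizeOfRawData bytes, so 'Copy to executable' works
    "virtual-only":  inside VirtualSize but past SizeOfRawData: loader zero-fill,
                     nothing on disk to save into (the RAW SIZE < VIRTUAL SIZE case)
    "unmapped":      no section header covers it (e.g. file padding past VirtualSize)
    """
    rva = va - image_base
    for s in sections:
        delta = rva - s["VirtualAddress"]
        if 0 <= delta < s["VirtualSize"]:
            if delta < s["SizeOfRawData"]:
                return "file", s["Name"], s["PointerToRawData"] + delta
            return "virtual-only", s["Name"], None
    return "unmapped", None, None

def make_section(name, vsize, va, rawsize, rawptr):
    """Constructed IMAGE_SECTION_HEADER; relocation/linenumber fields zeroed."""
    return struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, rawsize,
                       rawptr, 0, 0, 0, 0, 0)

# Constructed section table covering the three situations in the thread.
IMAGE_BASE = 0x400000
SECTIONS = parse_sections(
    make_section(b".text", 0x1000, 0x1000, 0x200, 0x400)     # partly virtual
    + make_section(b".rdata", 0x100, 0x2000, 0x200, 0x600)   # disk padding past VirtualSize
    + make_section(b".data", 0x1000, 0x3000, 0, 0))          # RAW SIZE = 0, all virtual

if __name__ == "__main__":
    for va in (0x401013, 0x4012b0, 0x4020b0, 0x402150, 0x403050):
        print(hex(va), locate(SECTIONS, IMAGE_BASE, va))
```

Raising SizeOfRawData (and VirtualSize, for the .rdata padding case) in a PE editor, as the posts suggest, is exactly what turns a "virtual-only" or "unmapped" result into "file".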
Nacho_dj
January 28th, 2006, 15:49
blabberer, hehe you were confused about the funny pic.
Alright, I found my nick in the demo of use you were doing funny.
But the saving you are doing is in the code section, no problem doing that.
I cannot save modified code in another section different from that one. Have you tried saving in the .rdata section, for instance?
Admiral: thanks for your advice. In my case, it is not a data section, because I am trying to build the cave in a section added by a protection, and it seems it is not using those zeroes. No problem executing it when the cave was created from a hex editor. I was only surprised that Olly couldn't save the code inserted in another section than .code. Maybe there is a plug-in letting you do that, but I don't know about it.
Anyway, I continue my tests...
Cheers
Nacho_dj
blabberer
January 29th, 2006, 12:47
well i had changed in two sections, one in code and the other in the .data section, in that pic, i think you didn't notice
here i attach another picture where i have changed in three sections
1)code section <-- new messagebox() code trampolined
2).data section <--contains title to new message box
3).rdata section <--contains text to new messagebox
the methodology
1)open iczelions tut-02 (messagebox.exe) in ollydbg
2)select sufficient bytes starting from 0x403050 in hexdump
3)press ctrl+e
4)write your string as ascii in the edit box and hit enter
5)right click copy to executable
6)return back to dump
7)press ctrl+g and enter 0x402000 (.rdata section)
8)select sufficient bytes starting from 0x4020b0
9)repeat step 3,4,5,6
10)select disasm 0x401013 and insert trampoline jump to 0x40102d
11)insert trampolining code (new message box code, the destroyed instruction
and jump back to flow)
12) right click copy to executable (all modifications here)
13) if you now do alt+e -->view executable file
it will contain all your modification in all the sections
right click save file should save it with all modification in one go
hope it is clear and precise and not funny
blabberer
January 29th, 2006, 13:27
a dud post

can't attach two files to the same post it seems
ok here it goes
i attach the exe that was saved in one go and one more
which had some relation to this question
this is a 16kb exe with 1000 bytes per section {that's a lot of zeroes added in all sections for playing football :-) }
i got it by using the ollydump plugin on tute-02
just dumped it as it is without asking it to rebuild the import table
plugin --> ollydump --> dump debugged process --> uncheck rebuild import table check mark --> hit ok
if you do this before starting to play with any exe you can have lots and lots of
caves provided the author didn't already fill the exe to the brim
