AntiOlly: "Bad or Invalid 32-bit Executable"


hadicol
January 27th, 2006, 04:41
Does anyone know the trick to make OllyDbg display the "Bad or unknown format of 32-bit executable" error message? It is really annoying, because when I load a crackme that displays this message, Olly will just forget all the previous breakpoints I made. I have tried tweaking a couple settings in the PE using StudPE but I really have no clue what is the problem and I can't find anything using google. This really makes me curious and I am considering reversing Olly just to find what causes this error. I would ask this on the ollydbg forum but it seems to be down right now.

JMI
January 27th, 2006, 05:04
OK. Now that I've moved your Thread where it belongs (as you noticed) I'm going to remind you what

YOU SHOULD HAVE DONE YOURSELF BEFORE YOU POSTED YOUR QUESTION!

Had you put ollydbg and "Bad or unknown format of 32-bit executable" in your favorite search engine, you would have discovered this link (which no longer works because the location of the OllyDBG Forum has moved, but if you were clever you would still have looked at the "cached" version and seen): http://ollydbg.win32asmcommunity.net/?action=vthread&forum=1&topic=175

What causes error:
Bad or unknown format of 32-bit executable file "C:\foobar.exe" ?

TBD
Admin

Posted: 17 Feb 2003 22:19:38
Quote

mong: a lot of things ... but usually if it is a DOS or NE file, and sometimes a too customized PE header (i know coz' i bugged Olly a lot of time for this)
mong

Posted: 18 Feb 2003 00:26:35
Quote

Yep, it's a packed target. But how do I get over this problem, or do I just use softice?

Norb
Posted: 18 Feb 2003 02:35:36
Quote

Try a pe rebuilder and if the file still works afterwards, you can load it into Ollydbg. Else, you need softice.

mong
Posted: 18 Feb 2003 16:30:09
Quote
I solved the problem by updating to 1.09 and setting some ignore exception checkboxes. Now the target runs without any problems.

AND

You might have checked the SEARCH button here as I believe there is a discussion of anti-OLLY issues in more than one thread here. But, hey, I'm just a lazy Moderator and I have nothing better to do than do the research for those who don't bother to search or, at the very least, fail to mention that they even tried to search for their own answers.

Regards,

hadicol
January 27th, 2006, 05:40
Thank you for moving my post here.

Yes, I have already checked that exact same cached page. Yes I have already searched this forum, not to mention other forums as well. No none of these answered my question. I am sorry I did not know I needed to mention that. Hopefully I can be clearer in my question:

The problem is not that the program doesn't run as these people seem to have experienced. I was able to enter the program, although not to the entrypoint... I just want to know why it causes an error message in the first place. I don't expect to find all the possible causes. But like someone said in the cached page "(i know coz' i bugged Olly a lot of time for this)" so I was hoping someone here would know intentional methods to cause this error. The crackme is packed with some packer unrecognizable to PEid that causes this error for OllyDbg so it is obviously intentional. I have unpacked (dumped) it successfully but it still causes this annoying error.

I was hoping that since there seem to be more experienced reversers here, they might know the answer.

Ricardo Narvaja
January 27th, 2006, 06:16
0040012C 10000000 DD 00000010 ; NumberOfRvaAndSizes = 10 (16.)

It can be at another address, but if it is any value other than 10, OLLY displays this error, and when you correct it, there are packers that use the value to decrypt the file and it doesn't RUN.

Change the value to 10, and put a BPM ON ACCESS to see if the value is read when the program is unpacked, and change it manually to the wrong value for unpacking.

Ricardo Narvaja

hadicol
January 27th, 2006, 13:12
Wow, thank you! I can't believe it's just one value. I noticed that it was FFFF when hex editing. I didn't bother changing it because my doc about PEs (Luevelsmeyer) said it was unreliable anyway. Doh! Thanks again! Works great now.
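Added example (editor's code, not from any poster in this thread): a small parser that locates OptionalHeader.NumberOfRvaAndSizes the way Ricardo describes, reports whether it is the 0x10 that Olly 1.x insists on, and patches it back without touching any other byte. The input is a constructed minimal PE32 image (not a real crackme) whose field is set to 0xFFFF, the value hadicol saw in the hex editor. The field offsets (0x5C into a PE32 optional header, 0x6C into PE32+) are from the PE spec; the "Olly loads only if == 16" rule is Ricardo's observation, and the clamp in safe_directory_count is the hardening a scanner needs so that a bogus count can't walk it past the end of the optional header.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D           # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550        # "PE\0\0"
IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16  # the value OllyDbg 1.x expects, per the thread
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _optional_header(image):
    """Return (file offset of the optional header, its Magic, SizeOfOptionalHeader)."""
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 24 > len(image) or struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    size_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]  # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = e_lfanew + 24
    if size_opt < 2 or opt + size_opt > len(image):
        raise ValueError("optional header runs past end of file")
    return opt, struct.unpack_from("<H", image, opt)[0], size_opt


def number_of_rva_and_sizes_offset(image):
    """File offset of OptionalHeader.NumberOfRvaAndSizes (0x5C into PE32, 0x6C into PE32+)."""
    opt, magic, size_opt = _optional_header(image)
    field = {PE32_MAGIC: 0x5C, PE32PLUS_MAGIC: 0x6C}.get(magic)
    if field is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if field + 4 > size_opt:
        raise ValueError("optional header too short to hold NumberOfRvaAndSizes")
    return opt + field


def number_of_rva_and_sizes(image):
    return struct.unpack_from("<I", image, number_of_rva_and_sizes_offset(image))[0]


def olly_will_load(image):
    """Ricardo's observation: OllyDbg 1.x rejects the file unless the field is exactly 0x10."""
    return number_of_rva_and_sizes(image) == IMAGE_NUMBEROF_DIRECTORY_ENTRIES


def patch_number_of_rva_and_sizes(image, value=IMAGE_NUMBEROF_DIRECTORY_ENTRIES):
    """Return a copy with the field rewritten; nothing else in the file changes."""
    out = bytearray(image)
    struct.pack_into("<I", out, number_of_rva_and_sizes_offset(image), value)
    return bytes(out)


def safe_directory_count(image):
    """How many DataDirectory entries a hardened parser may read: never more than 16,
    and never more than actually fit inside SizeOfOptionalHeader."""
    opt, _magic, size_opt = _optional_header(image)
    first_dir = number_of_rva_and_sizes_offset(image) + 4 - opt
    fits = (size_opt - first_dir) // 8 if size_opt > first_dir else 0
    return min(number_of_rva_and_sizes(image), IMAGE_NUMBEROF_DIRECTORY_ENTRIES, fits)


def build_sample_pe(number_of_rva=0xFFFF):
    """Constructed minimal PE32 header (no sections, not runnable) with the field set
    to a value Olly rejects; this is sample input, not a file from the thread."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32 opt size
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)              # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)               # FileAlignment
    struct.pack_into("<H", opt, 68, 2)                   # Subsystem: GUI
    struct.pack_into("<I", opt, 0x5C, number_of_rva)     # NumberOfRvaAndSizes
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt)


if __name__ == "__main__":
    img = build_sample_pe()
    print("NumberOfRvaAndSizes = 0x%X, Olly loads: %s" % (number_of_rva_and_sizes(img), olly_will_load(img)))
    fixed = patch_number_of_rva_and_sizes(img)
    print("after patch:          0x%X, Olly loads: %s" % (number_of_rva_and_sizes(fixed), olly_will_load(fixed)))
```

To use it on a real target, read the file into bytes, call patch_number_of_rva_and_sizes, and write the result to a copy; keep the original around, because, as Ricardo warns, a packer that reads the field during decryption will need the bogus value restored once Olly has loaded the file.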

laola
January 27th, 2006, 13:27
While writing a small exe scanner, I ran across this and many other small tricks being a real pain in the a**. The best recommendation I can give you is not to expect anything in the exe header to be just random or unimportant. And don't expect everything to be the way your docs say. I've spent several days "hardening" my scanner because every time I fixed it, someone came up with another, even weirder target.
BTW, changing the number of sections to something other than 0x10 is a common trick, because many, many tools interpret this value (in contrast to what your PE header doc says and what Windows does) and crash or fail to work in other ways.

JMI
January 27th, 2006, 14:52
And as I suggested in my first Post, this is a recognized method of crashing OllyDBG and some other debuggers. Which is WHY a search of "anti-debug" and "anti-debug and ollydbg" (both without the quotes) should have led you to the correct information.

Which, again, is why one is supposed to search AND indicate that they have done so. That's why it says what it does in the BIG RED LETTERS at the ForumHome page.

Regards,

CNT
February 5th, 2006, 05:38
Hi hadicol
These are tricks on the PE header in order to crash Olly. Read the article at CodeBreaker for more detail:
http://www.codebreakers-journal.com//viewarticle.php?id=57&layout=abstract

ap0x
February 5th, 2006, 09:41
Not so long ago I coded a small utility to recover "all" PE header problems that can make Olly crash or not see sections. Download link is: http://ap0x.headcoders.net/xPELister.rar

Nacho_dj
February 14th, 2006, 07:07
ap0x: Your tool has all that is needed to check a PE header. Very good!

However, when tested on a Delphi executable, it shows several kernel.dll entries in the
Import Table Viewer. Is that how it should be?

I attach a picture of it.

Cheers

Nacho_dj

ap0x
February 14th, 2006, 08:13
If you look at LordPE you will see the same output, because that is the way the compiler created the IAT. The magic rule of +4 doesn't allow you to connect APIs from the same .dll if they are stored at a location other than +4. That is how Microsoft designed the PE format.
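Added example (editor's code, not ap0x's tool or LordPE) to show what Nacho_dj saw and why ap0x says it cannot be merged. It constructs an import directory the way a linker that emits one IMAGE_IMPORT_DESCRIPTOR per group of references would: kernel32.dll appears in two descriptors with user32.dll's thunks laid out between them. The parser walks each descriptor's thunk array in 4-byte steps until the terminating zero, which is the "+4 rule"; since the two kernel32 IAT ranges are not one contiguous zero-terminated array, any viewer that follows the format has to list kernel32.dll twice. The DLL and API names, the descriptor order and the import directory RVA (0x2000) are all constructed for this sample; the buffer is flat, so RVA equals file offset, which a real parser would have to translate through the section table.

```python
import struct

DESC_SIZE = 20            # sizeof(IMAGE_IMPORT_DESCRIPTOR)
IMPORT_BASE_RVA = 0x2000  # assumed RVA of the import directory in the constructed image

# Constructed sample: descriptor order a Delphi-style linker might emit, with
# kernel32.dll twice because two separate groups of thunks reference it.
SAMPLE_GROUPS = [
    ("kernel32.dll", ["GetModuleHandleA", "GetProcAddress"]),
    ("user32.dll", ["MessageBoxA"]),
    ("kernel32.dll", ["ExitProcess"]),
]


def read_cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def build_sample_import_section(groups, base_rva=IMPORT_BASE_RVA):
    """Lay out descriptors, INT, IAT, hint/name entries and DLL names as one blob and
    place it at offset base_rva in a zero-filled buffer, so that RVA == file offset."""
    n = len(groups)
    cur = (n + 1) * DESC_SIZE                 # descriptors first, then the all-zero terminator
    int_off, iat_off = [], []
    for _, apis in groups:
        int_off.append(cur); cur += (len(apis) + 1) * 4   # INT: RVAs of hint/name, 0-terminated
        iat_off.append(cur); cur += (len(apis) + 1) * 4   # IAT: same contents on disk
    strings, name_off, dll_off = bytearray(), {}, {}
    for gi, (dll, apis) in enumerate(groups):
        for api in apis:
            name_off[(gi, api)] = cur + len(strings)
            strings += struct.pack("<H", 0) + api.encode("ascii") + b"\0"   # Hint, Name
            if len(strings) % 2:
                strings += b"\0"                                  # keep entries 2-byte aligned
        if dll not in dll_off:
            dll_off[dll] = cur + len(strings)
            strings += dll.encode("ascii") + b"\0"
    blob = bytearray(cur) + strings
    for gi, (dll, apis) in enumerate(groups):
        struct.pack_into("<IIIII", blob, gi * DESC_SIZE,
                         base_rva + int_off[gi], 0, 0, base_rva + dll_off[dll], base_rva + iat_off[gi])
        for ai, api in enumerate(apis):
            rva = base_rva + name_off[(gi, api)]
            struct.pack_into("<I", blob, int_off[gi] + ai * 4, rva)
            struct.pack_into("<I", blob, iat_off[gi] + ai * 4, rva)
    return bytes(base_rva) + bytes(blob)


def parse_imports(buf, import_rva):
    """Walk IMAGE_IMPORT_DESCRIPTOR entries. Returns [(dll, [api names], FirstThunk RVA)].
    Assumes a flat buffer where RVA == offset (true for the constructed sample)."""
    result, pos = [], import_rva
    while True:
        if pos + DESC_SIZE > len(buf):
            raise ValueError("import directory runs off the image")
        oft, _ts, _fwd, name_rva, first_thunk = struct.unpack_from("<IIIII", buf, pos)
        if oft == 0 and name_rva == 0 and first_thunk == 0:
            break
        names, t = [], (oft or first_thunk)   # prefer the INT; fall back to the IAT
        while True:
            entry = struct.unpack_from("<I", buf, t)[0]
            if entry == 0:
                break
            if entry & 0x80000000:
                names.append("#%d" % (entry & 0xFFFF))   # import by ordinal
            else:
                names.append(read_cstr(buf, entry + 2))  # skip the 2-byte Hint
            t += 4   # the "+4 rule": one descriptor's thunks are consecutive 32-bit slots up to a 0
        result.append((read_cstr(buf, name_rva), names, first_thunk))
        pos += DESC_SIZE
    return result


def descriptor_count(imports, dll):
    return sum(1 for d, _, _ in imports if d.lower() == dll.lower())


def iat_ranges(imports):
    """(FirstThunk RVA, RVA one past the terminating zero) for each descriptor."""
    return [(ft, ft + 4 * (len(names) + 1)) for _, names, ft in imports]


if __name__ == "__main__":
    buf = build_sample_import_section(SAMPLE_GROUPS)
    for (dll, names, ft), (lo, hi) in zip(parse_imports(buf, IMPORT_BASE_RVA), iat_ranges(parse_imports(buf, IMPORT_BASE_RVA))):
        print("%-14s IAT %05X-%05X  %s" % (dll, lo, hi, ", ".join(names)))
```

Printed on the sample, kernel32.dll shows up as the first and third descriptor with user32.dll's IAT slots in between, exactly the picture Nacho_dj attached. Merging them would mean moving IAT slots that the code references by absolute address, so a viewer or rebuilder that follows the format leaves the duplicates alone.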