The SFX options in OllyDbg seem excellent - I just loaded an ASPack'd file and it took me to the original (unpacked) entry point. However, what I'd like to do is breakpoint just before the program makes the call to the unpacked original entry point. Is there any way to do this?

Wayne: i dont think this is possible

Actually, I did find one trick to use
With the SFX options turned on (i used the "Trace real entry bytewise" option), when Olly shows you the unpacked code, just right-click on the first line of code and select "Find references for | Selected command". Then, low and behold I saw "push address" - double-clicking on that took me straight to that line, and immediately after the push instruction was a ret, so that did the trick nicely (and I dont think you can do that with any other debuggers! )

I don't see why you need to do this? For dumping, just pause/suspend the proc from Olly and dump.

I don't need to dump the process (otherwise yes I'd just dump it when Olly's smart SFX handler stopped at the unpacked OEP) - I needed it for analysis reasons and to see the code going on before the call to the OEP. Not worth explaining why, but it was necessary. But yes if I just needed to dump it, then OllyDbg's 'Trace real entry bytewise' works perfectly, as soon as it shows the unpacked code, just dump the process, and voila

Wayne: i was thinking the same, but i understood your question as "automatically breakpoint before jmp OEP call" - so that is not possible

I didnt think it would be possible either, but was just guessing that maybe somebody had a trick up their sleeves I didnt know about. Maybe its possible for Oleh to add such an option to the Options | SFX window:
- Break on Original Entry Point (default)
- Break on call to Original Entry Point
I for one would find that very handy

Either way, Im extremely impressed with the SFX options and capabilities, OllyDbg seems to be the only debugger/disassembler that takes 'packed' executables into account, which I find somewhat strange considering how prevalant packers are these days - thumbs up to Oleh for that!

Maybe somebody with good OllyDbg experience (and a bit of spare time!) should write some sort of tutorial on OllyDbg's SFX capabilities, as I don't think many people are aware of it (like most of OllyDbg's capabilities, they're hidden away behind a menu or options dialog!). So Im sure there's a lot of people who aren't even aware of this powerful capability of OllyDbg. People often talk about SoftICE having advantages over OllyDbg simply because it's a system-level debugger, but as I only do application-level debugging, I find OllyDbg much more useful/helpful/easier to use/more informative, and unlike SoftICE, OllyDbg gives me smart analysis and SFX options, neither of which SoftICE have. In other words, I can't praise Oleh enough, so I'll stop trying to find words to express my gratitude.

Thanks anyway, and enjoy your weekend!

and when you pause in entry point if you go to call stack (k) dont look the call?

Ricardo

No, call stack is empty ... ?

The only form is with trace into, in set condution put stops in EIP>XXX y EIP > YYY

XXX start of first section (code)
yyy end of first section (code)

when olly stops in entry point go to RUN TRCE window and look, you will see the lines befores the entry point, and if you press the key - (minus) you go back to this line.
If olly stops before of the entry point, for ecxception SHIFT +F7 and trace into again.

Try this is slow but the best form

Ricardo

Sorry eip >xxxx and eip <yyyy
In set condition
Ricardo

Thanks! I've never used that feature before, its nearly 1am here so Im about to hit the sack but Ill have a play around with that tomorrow