PDA

View Full Version : wdasm and ollydb


Anonymous
March 16th, 2003, 06:20
any plugin for importing wdasm alf and wpj files, i got code section looks normally in wdasm but in olly it gets cut off in bytes, means

in wdasm looks following (ex):
6AFF
6808DE4100

in ollydb (ex):
6A
FF
68
08
DE
41
00

seems like olly break line after each byte , so breakpoints don't work!

anyone know solution for this? or have plugin that can fix it or load wdasm files (alf and wpj).

itsme
March 16th, 2003, 09:43
olly prob assumes what you are looking at is data, you can force it be assembler, but breakpoints will still work, just place "break on execute" on the address.

blabberer
March 18th, 2003, 05:52
place the cursor on 6a and press ctrl+e + ok (binary edit) (dont edit anything just press ok) olly then dissassembles it differently many garbaging code writers use such code it looks different and works dfferent because the eip points to somewhere in the middle of opcode

and placing bpt on starting of opcode dont work

i dont know if this info could help u but i have used ctrl+e + ok on many garbage structures and traced it successfully

Anonymous
March 19th, 2003, 05:00
thx for tip, i try it, i know i had same problem with asprotect, a jmp pointed to middle of instruction, and olly crash when reached it, hope this works!

Anonymous
March 20th, 2003, 03:04
to debug asprotected app, just set page protect bits, jump into middle of asprotect code, and then set page protect bits on oep page of app, ollydbg will break on entry point.

Anonymous
March 20th, 2003, 05:02
hmm not sure really what u mean, but nodoubt it works

Tacman
March 20th, 2003, 05:32
can you elaborate on what is meant by 'set page protect bits'. Better still a walk through on how to find oep of an asprotected file please?

itsme
March 20th, 2003, 15:58
There are multiple ways of obtaining OEP of AsProtect file in Ollydbg. Here's one:

1) Execute file as normal, counting the number of exceptions. Pass each exception to prog.

2) Restart program, count the number of exceptions - 1.

3) ALT-M, Right click memory address that is app code. Set "break on access".

4) Run prog. Ollydbg will break on OEP.

Note that this only for debugging AsProtect app. It is no use for dumping ASProtect app, as you will not have the stolen bytes needed for recreating the file.

Tacman
March 21st, 2003, 04:44
thanks thats very useful information