what's new in OllyDump v2.11.108
-- new import rebuild engine can rebuild asprotect,petite (not perfect)
-- tElock's imported API search(cannot rebuild but logging)

Please try various packers or protectors and report it.

download
http://dd.x-eye.net/file/ollydump211.zip ("http://dd.x-eye.net/file/ollydump211.zip")

There is a bug yesterday i make a tut dumping a simple exe32pack archive with OLLYDMP old version and works fine, and with the new y reach the same OEP dump, and not RUN, this message appear

NO SE ENCUENTRA EL PUNTO DE ENTRADA DEL PROCEDIMIENTO RtlDeleteCriticalSection en la bibioteca de vinculos dinamicos Kernel32.dll

Don't found de entry point of procedure RtlDeleteCriticalSection in Kernel32.dll

And dont RUN and with the old OLLYDMP runs very well maybe OLLYDMP if you try more complex for hard packers maybe a option for simple rebuild for old packers
can be useful,if not i switc in old ollydmp and new ollydmp for every packer

Ricardo Narvaja

UPX 1.24 the same error, yesterday i dump a upx 1.24 in old version and go weel, in the new ollydmp the message of error say

NO SE ENCUENTRA EL PUNTO DE ENTRADA DEL PROCEDIMIENTO RtlDeleteCriticalSection en la bibioteca de vinculos dinamicos Kernel32.dll

Don't found de entry point of procedure RtlDeleteCriticalSection in Kernel32.dll

And dont RUN

Ricardo Narvaja

try to rename this function in something what exists in kernel32

If in old ollydmp function well in the new has a bug, then i report for correct the bug in the next release.

Ricardo

Thanks Ricardo.

I know it but I have no idea to solve it.
It may be relative with SEH and ntdll.dll's function get into kernel32.dll's thunk block.

Could you give me the both bad and good dumped files?

i dont know your mail my mail is ricnar22@millic.com.ar if you mail i send to you the files with the old OLLYDMP and with the new OLLYDMP.

Ricardo

Sorry.

My mail is gigapede@btmo.cjb.net

I may solve this problem.
Please try new one.
http://dd.x-eye.net/file/ollydump212.zip ("http://dd.x-eye.net/file/ollydump212.zip")

It seems to be working good now. I've only tested on Upx and Fsg, both succesful

Now is the same error but with RtlGetLastWinError not found entry point in other API.

Ricardo Narvaja

I can't guess the reason any more.
Please send the files.

I send the files yesterday to your mail.

Ricardo

The version 2.13 RUNS WELL thanks GIGAPEDE you are great.

Ricardo Narvaja

a newbie question please???

how can i make the dumped exe run-able? Do i need to fix anything?

Now i discover a Bug again in version 2.13, in other api, this bug i guess only in W98 and XP spanish versions, in english go well.

Ricardo Narvaja

I got an error in the unpacked file:
the procedure entry point timeGetTime could not be located in the dynamic link library comctl32.dll

Well is the same error i have, in different api.

Ricardo Narvaja

aspack 212
windows xp
Don't found de entry point of procedure RtlGetLastWin23Error in Kernel32.dll

well in 2.13 version any of this bugs are repared, and others not, i think in the next release will be all repared.

Ricardo

odbg109d
ollydump212

Aspack 2.12
windows XP PRO

Error:

"NO SE ENCUENTRA EL PUNTO DE ENTRADA DEL PROCEDIMIENTO en la bibioteca de vinculos dinamicos WS2_32.dll"

The last ollydmps are not full compatible with windows spanish versions, try change the mark tu the METHOD 2 of unpacking in the window of ollydmp and try again.

Si tenes el ollydmp en espaņol calculo que lo hablaras, los vijos ollydmps funcionaban en XP en espaņol, pero los ultimos los cambios de el engine determinaron que no reconstruya bien la tabla, y de siempre errores como esos sobre todo si usas en la ventana del ollydmp el metodo 1.
Proba con el metodo 2 si no bajate de mi FTP las versiones viejas de ollydmp con lo cual por lo menos podras dumpear sin error los packers mas sencillos (aspack, upx, petite, etc)

Ricardo

Hy Ricardo, I speak Portugues(Brasil), you could send me an old version of ollydmp?

which the address of its ftp?

Thanks

The portuguese version of XP has the same problems of the spanish version.

mi ftp es



ftp://curso:curso@ricnar456.no-ip.org/
("ftp://curso:curso@ricnar456.no-ip.org/
")


user:curso
pass:curso


en HERRAMIENTAS-PLUGINS PARA OLLY esta el ollydmp y los viejos ollydmp

en ellos puedes desempacar muchos packers sencillos (no piensen en armadillo, asprotect, etc)

Cuando llegas a oep desempacas directo y si te da un error C0000005 vas al LORDPE DELUXE y le haces un REBUILD y queda funcional.

Ricardo

Hy Ricardo,

I Have a problem, I analyzed an archive with the PEiD, the result was EXEStealth 2,5/2,6 - > WebToolMaster.

I analyzed the sections of it and appears the UPX.

How I must proceed first? With ExeStealth or UPX?

Thanks

Well i think if peid say exestealth i think is more possible, the names of sections can be changed.

The unpacking of the two packers are very similar (manually found OEP, DUMP, REBUILD IAT) , the diferences are few.

Ricardo