BAD OLLYDMP
Ricardo Narvaja
January 3rd, 2004, 06:44
I see Gigapede is not making more OLLYDMPs, but the new 5 or 6 versions of OLLYDMP only work well in ENGLISH XP; in other languages (SPANISH XP is mine) the dump is a disaster, it does not dump a UPX, nothing.
We use old versions of OLLYDMP; these work well in ANY language.
If Gigapede reads this, I suggest that if he makes a new OLLYDMP, he could test the possibility of it working in all languages of the OS.
Thanks
Ricardo Narvaja
Gigapede
January 3rd, 2004, 10:10
Hi Ricardo.
I do not intend to quit development of OllyDump, but I'm too busy to find the time,
and I'm sorry, I don't know how to test all languages.
Could you recompile it in your environment?
You can freely modify the source code and release it.
Or give me some advice.
Thanks
Gigapede
Ricardo Narvaja
January 3rd, 2004, 15:27
I made a UPX dump with OLLYDMP 1.11, 2.00 and 2.01 and they work well, but with higher versions it does not recognize the names of the APIs well, I think, and the dump does not have all the DLLs; in my example the dump with 1.11 has 8 DLLs, and the dump with 2.21 has only two, and when I load the dump in Olly only 2 DLLs appear, and the message -Import Lookup Table outside .idata-
LOG OF UPX DUMPED WITH 1.11
File 'D:\Documents and Settings\Ricardo\Escritorio\katarfirstcrackme\jeje.exe'
New process with ID 000008A8 created
004011A8 Main thread with ID 00000934 created
00400000 Module D:\Documents and Settings\Ricardo\Escritorio\katarfirstcrackme\jeje.exe
733A0000 Module D:\WINDOWS\System32\MSVBVM60.DLL
770F0000 Module D:\WINDOWS\system32\OLEAUT32.dll
77180000 Module D:\WINDOWS\system32\ole32.dll
77BE0000 Module D:\WINDOWS\system32\MSVCRT.DLL
77C40000 Module D:\WINDOWS\system32\GDI32.dll
77D10000 Module D:\WINDOWS\system32\USER32.dll
77DA0000 Module D:\WINDOWS\system32\ADVAPI32.dll
77E40000 Module D:\WINDOWS\system32\kernel32.dll
77F40000 Module D:\WINDOWS\System32\ntdll.dll
78000000 Module D:\WINDOWS\system32\RPCRT4.dll
004011A8 Program entry point
LOG OF UPX DUMPED WITH 2.21
File 'D:\Documents and Settings\Ricardo\Escritorio\katarfirstcrackme\jeje2.exe'
New process with ID 00000D6C created
004011A8 Main thread with ID 0000070C created
00400000 Module D:\Documents and Settings\Ricardo\Escritorio\katarfirstcrackme\jeje2.exe
Import Lookup Table outside .idata
77E40000 Module D:\WINDOWS\system32\kernel32.dll
77F40000 Module D:\WINDOWS\System32\ntdll.dll
004011A8 Program entry point
View - MEMORY of dump with 1.10
Memory map
Address Size Owner Section Contains Type Access Initial Mapped as
00400000 00001000 jeje 0 PE header Imag R RWE
00401000 00006000 jeje 0 UPX0 Imag R RWE
00407000 00002000 jeje 0 UPX1 code Imag R RWE
00409000 00001000 jeje 0 .rsrc data,imports Imag R RWE
0040A000 00001000 jeje 0 .xur Imag R RWE
00410000 00103000 0 Map R R
00520000 00175000 0 Map R E R E
00820000 00001000 0 Priv RW RW
00830000 00004000 0 Priv RW RW
00840000 00003000 0 Map R R \Device\HarddiskVolume2\WINDOWS\System32\ctype.nls
00850000 00003000 0 Priv RW RW
00860000 00010000 0 Priv RW RW
00C60000 00003000 0 Priv RW RW
733A0000 00001000 MSVBVM60 7 PE header Imag R RWE
733A1000 000FD000 MSVBVM60 7 .text code,imports Imag R RWE
7349E000 0000D000 MSVBVM60 7 ENGINE code Imag R RWE
734AB000 00007000 MSVBVM60 7 .data data Imag R RWE
734B2000 00031000 MSVBVM60 7 .rsrc resources Imag R RWE
734E3000 00010000 MSVBVM60 7 .reloc relocations Imag R RWE
770F0000 00001000 OLEAUT32 7 PE header Imag R RWE
770F1000 00081000 OLEAUT32 7 .text code,imports Imag R RWE
77172000 00002000 OLEAUT32 7 .data Imag R RWE
77174000 00001000 OLEAUT32 7 .rsrc resources Imag R RWE
77175000 00006000 OLEAUT32 7 .reloc relocations Imag R RWE
77180000 00001000 ole32 7 PE header Imag R RWE
77181000 000F9000 ole32 7 .text code,imports Imag R RWE
7727A000 00006000 ole32 7 .orpc code Imag R RWE
77280000 00007000 ole32 7 .data data Imag R RWE
77287000 00002000 ole32 7 .rsrc resources Imag R RWE
77289000 0000E000 ole32 7 .reloc relocations Imag R RWE
77BE0000 00001000 MSVCRT 7 PE header Imag R RWE
77BE1000 00047000 MSVCRT 7 .text code,imports Imag R RWE
77C28000 00007000 MSVCRT 7 .data data Imag R RWE
77C2F000 00001000 MSVCRT 7 .rsrc resources Imag R RWE
77C30000 00003000 MSVCRT 7 .reloc relocations Imag R RWE
77C40000 00001000 GDI32 7 PE header Imag R RWE
77C41000 0003B000 GDI32 7 .text code,imports Imag R RWE
77C7C000 00001000 GDI32 7 .data data Imag R RWE
77C7D000 00001000 GDI32 7 .rsrc resources Imag R RWE
77C7E000 00002000 GDI32 7 .reloc relocations Imag R RWE
77D10000 00001000 USER32 7 PE header Imag R RWE
77D11000 0005B000 USER32 7 .text code,imports Imag R RWE
77D6C000 00002000 USER32 7 .data data Imag R RWE
77D6E000 0002B000 USER32 7 .rsrc resources Imag R RWE
77D99000 00003000 USER32 7 .reloc relocations Imag R RWE
77DA0000 00001000 ADVAPI32 7 PE header Imag R RWE
77DA1000 00067000 ADVAPI32 7 .text code,imports Imag R RWE
77E08000 00005000 ADVAPI32 7 .data data Imag R RWE
77E0D000 0002C000 ADVAPI32 7 .rsrc resources Imag R RWE
77E39000 00005000 ADVAPI32 7 .reloc relocations Imag R RWE
77E40000 00001000 kernel32 7 PE header Imag R RWE
77E41000 00076000 kernel32 7 .text code,imports Imag R RWE
77EB7000 00003000 kernel32 7 .data data Imag R RWE
77EBA000 00073000 kernel32 7 .rsrc resources Imag R RWE
77F2D000 00006000 kernel32 7 .reloc relocations Imag R RWE
77F40000 00001000 ntdll 7 PE header Imag R RWE
77F41000 0006E000 ntdll 7 .text code,exports Imag R RWE
77FAF000 00004000 ntdll 7 ECODE code Imag R RWE
77FB3000 00005000 ntdll 7 .data data Imag R RWE
77FB8000 00032000 ntdll 7 .rsrc resources Imag R RWE
77FEA000 00003000 ntdll 7 .reloc relocations Imag R RWE
78000000 00001000 RPCRT4 7 PE header Imag R RWE
78001000 00070000 RPCRT4 7 .text code,imports Imag R RWE
78071000 00006000 RPCRT4 7 .orpc code Imag R RWE
78077000 00001000 RPCRT4 7 .data data Imag R RWE
78078000 00001000 RPCRT4 7 .rsrc resources Imag R RWE
78079000 00005000 RPCRT4 7 .reloc relocations Imag R RWE
7F6F0000 00007000 7 Map R E R E
7FFB0000 00024000 7 Map R R
7FFDE000 00001000 7 data block o Priv RWE RWE
7FFDF000 00001000 7 Priv RWE RWE
7FFE0000 00001000 7 Priv R R
Memory map of dump with 2.21
Address Size Owner Section Contains Type Access
00400000 0000C000 jeje2 PE header Imag R RWE
77E40000 00001000 kernel32 PE header Imag R RWE
77E41000 00076000 kernel32 .text code,imports Imag R RWE
77EB7000 00003000 kernel32 .data data Imag R RWE
77EBA000 00073000 kernel32 .rsrc resources Imag R RWE
77F2D000 00006000 kernel32 .reloc relocations Imag R RWE
77F40000 00001000 ntdll PE header Imag R RWE
77F41000 0006E000 ntdll .text code,exports Imag R RWE
77FAF000 00004000 ntdll ECODE code Imag R RWE
77FB3000 00005000 ntdll .data data Imag R RWE
77FB8000 00032000 ntdll .rsrc resources Imag R RWE
77FEA000 00003000 ntdll .reloc relocations Imag R RWE
7F6F0000 00007000 Map R E R E
7FFB0000 00024000 Map R R
7FFDE000 00001000 data block o Priv RWE RWE
7FFDF000 00001000 Priv RWE RWE
7FFE0000 00001000 Priv R R
VIEW-MEMORY DUMP WITH 2.21
They are very different, sniff.
Is it possible for OLLYDMP to have an option to read the system DLLs from a different folder (not system32), configurable, so that in this folder I can put the English DLLs?
Ricardo Narvaja
focht
January 4th, 2004, 04:54
Greetings,
Well, the message 'Import Lookup Table outside .idata' indicates that something went wrong.
The different module list and memory map are just the result of it.
On your target system (Windows XP) try to gather some info *before* you dump:
1)
Compare both (1.11 and 2.21) plugin main screens -> menu item "dump debugged process".
Does the sections view match?
What values differ?
2)
Did you select the "Rebuild import" option? Which method (1, 2)?
Hint: rebuild was *not* implemented in 1.11.
Enable "Search Log" in the OllyDump options menu.
Copy all log output from the plugin (import API search results) and post it here.
That might show potential problems ...
I suspect the problem is in the IAT rebuilding engine.
Regards,
A. Focht
focht
January 4th, 2004, 04:59
Appendix:
After enabling "Search Log" in the OllyDump options menu, you actually have to dump the process to get all the IAT rebuild log messages.
Regards,
A. Focht
Gigapede
January 4th, 2004, 06:40
::Ricardo
2.21 is a beta and experimental version, so it doesn't work well.
You'd have got it by directory digging.
You should use 2.20.
I don't use 2.21.
OllyDump gets the DLL info from OllyDbg.
I don't think the language is the problem.
::focht
Thanks.
You know a lot more than me.
Gigapede
focht
January 4th, 2004, 07:32
Greetings,
AFAIK the main difference between 2.20 and 2.21 is the added VBOX recognition in GetRealApiAddress() of the IAT rebuild engine.
The other ones are only of a cosmetic nature (I diff'd the source files).
V2.20 should show the same (dis)behavior, because Ricardo's target is UPX'd.
To track down the problem:
The IAT logging may produce a huge amount of data (due to the different recognition algorithms), so enable the "log to file" option in OllyDbg's log window.
After the dump, close the log file.
Now search the log file for which packer signature gets recognized: either a "found [...] signature" line, or the last "[...] search" line before any "found ... import" line.
Next, search for the "OllyDump -- Import Table" line and scan through the following lines.
Look whether any of the "missing" DLLs (msvcrt, ...) are referenced there.
Regards,
A. Focht
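The comparison Ricardo did by hand between the 1.11 and 2.21 session logs, and the log triage focht describes above, can be scripted. The following is an added example, not code from OllyDump or from anyone in this thread. The two session logs are built from the module lines posted above; the "Search Log" excerpt (the "found ... signature" and "OllyDump -- Import Table" lines) is a constructed sample in an assumed format, so adjust the markers if your plugin's output differs.

```python
"""Added triage helper: compare a good and a bad OllyDbg dump log and pull out
the IAT-rebuild clues (recognized signature, DLLs referenced by the rebuilt
import table) that explain which DLLs went missing. Not part of OllyDump."""
import re

# Session logs constructed from the module lines posted in the thread.
LOG_111 = r"""File 'D:\Documents and Settings\Ricardo\Escritorio\katarfirstcrackme\jeje.exe'
New process with ID 000008A8 created
004011A8 Main thread with ID 00000934 created
00400000 Module D:\Documents and Settings\Ricardo\Escritorio\katarfirstcrackme\jeje.exe
733A0000 Module D:\WINDOWS\System32\MSVBVM60.DLL
770F0000 Module D:\WINDOWS\system32\OLEAUT32.dll
77180000 Module D:\WINDOWS\system32\ole32.dll
77BE0000 Module D:\WINDOWS\system32\MSVCRT.DLL
77C40000 Module D:\WINDOWS\system32\GDI32.dll
77D10000 Module D:\WINDOWS\system32\USER32.dll
77DA0000 Module D:\WINDOWS\system32\ADVAPI32.dll
77E40000 Module D:\WINDOWS\system32\kernel32.dll
77F40000 Module D:\WINDOWS\System32\ntdll.dll
78000000 Module D:\WINDOWS\system32\RPCRT4.dll
004011A8 Program entry point
"""

LOG_221 = r"""File 'D:\Documents and Settings\Ricardo\Escritorio\katarfirstcrackme\jeje2.exe'
New process with ID 00000D6C created
004011A8 Main thread with ID 0000070C created
00400000 Module D:\Documents and Settings\Ricardo\Escritorio\katarfirstcrackme\jeje2.exe
Import Lookup Table outside .idata
77E40000 Module D:\WINDOWS\system32\kernel32.dll
77F40000 Module D:\WINDOWS\System32\ntdll.dll
004011A8 Program entry point
"""

# Constructed "Search Log" excerpt in an ASSUMED format (not OllyDump's real output).
REBUILD_LOG = """UPX signature search
found UPX signature
OllyDump -- Import Table
kernel32.dll GetProcAddress
kernel32.dll LoadLibraryA
msvbvm60.dll ThunRTMain

00401000 unrelated trailing line
"""

MODULE_RE = re.compile(r"^[0-9A-F]{8} Module (.+)$", re.M)
ERROR_MARKERS = ("Import Lookup Table outside .idata",)


def loaded_dlls(log):
    """Lower-case base names of the DLLs OllyDbg reported as loaded modules."""
    names = set()
    for path in MODULE_RE.findall(log):
        name = path.rsplit("\\", 1)[-1].lower()
        if name.endswith(".dll"):
            names.add(name)
    return names


def missing_dlls(good_log, bad_log):
    """DLLs present in the good dump's module list but absent from the bad one."""
    return sorted(loaded_dlls(good_log) - loaded_dlls(bad_log))


def dump_errors(log):
    """Log lines that signal a broken import directory in the dumped file."""
    return [line for line in log.splitlines()
            if any(marker in line for marker in ERROR_MARKERS)]


def recognized_signature(log):
    """Packer name from a 'found X signature' line, else the last 'X search' line."""
    found = re.search(r"found (.+?) signature", log)
    if found:
        return found.group(1)
    last = None
    for line in log.splitlines():
        if line.endswith(" search"):
            last = line[: -len(" search")]
    return last


def import_table_dlls(log):
    """DLL names referenced in the block after the 'OllyDump -- Import Table' line."""
    lines = log.splitlines()
    starts = [i for i, line in enumerate(lines)
              if line.startswith("OllyDump -- Import Table")]
    if not starts:
        return set()
    names = set()
    for line in lines[starts[0] + 1:]:
        if not line.strip():          # blank line ends the import table block
            break
        names.update(tok.lower() for tok in line.split()
                     if tok.lower().endswith(".dll"))
    return names


def triage(good_log, bad_log, rebuild_log):
    """Split the missing DLLs into those the rebuild engine saw and those it never did."""
    missing = missing_dlls(good_log, bad_log)
    referenced = import_table_dlls(rebuild_log)
    return {
        "errors": dump_errors(bad_log),
        "signature": recognized_signature(rebuild_log),
        "missing": missing,
        "missing_but_referenced": [d for d in missing if d in referenced],
        "missing_and_unreferenced": [d for d in missing if d not in referenced],
    }


if __name__ == "__main__":
    for key, value in triage(LOG_111, LOG_221, REBUILD_LOG).items():
        print(f"{key}: {value}")
```

On the thread's own logs this reports the eight DLLs that vanished between the 1.11 and 2.21 dumps; a DLL listed under "missing_but_referenced" was seen by the IAT rebuild engine but still dropped from the module list, which points at the rebuild step rather than at module enumeration.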