
How to locate child process entry point?


GIJoe
May 10th, 2004, 12:14
Hello,

I'm new to this forum and OllyDbg (great stuff btw.),

I've got a program that calls the CreateProcessA function to spawn its child process. Now, how do I find this spawned child process's entry point with OllyDbg, so that I can set breakpoints there?

I've just come across this thread:

http://ollydbg.win32asmcommunity.net/?action=vthread&forum=1&topic=570&page=0#2

Which seems to fairly explain what I'm intending to do, but... it may actually sound very stupid to you OllyDbg gurus, but I don't know what Ricardo meant by saying "open PUPE". What is "PUPE"?

Any help will be greatly appreciated. Thanks in advance.

GIJoe
May 10th, 2004, 12:52
Please help me. If you know what "PUPE" is, tell me; this is very important for me.

focht
May 10th, 2004, 13:32
Hello,

It's a process patcher tool (Spanish in origin?)...
The last version is PUPE2002, I think.
You can find it here: http://www.terra.es/personal/guillet/pupe.htm

Anyway, you can find the entry point of the "child process" by loading the child itself into OllyDbg.
Olly will probably break on the entry point itself.

If you really need to break at the child's entry, create an endless loop at the entry (opcode: EB FE), do "attach to process" and restore the previous bytes.

Regards,

A. Focht

GIJoe
May 10th, 2004, 13:43
Thanks for the reply, focht. Is there an English version of this tool as well?

You told me I can find the entry point of the child process by loading the child itself into OllyDbg. Well, it's not clear to me what you mean... maybe you mean attaching OllyDbg to a child process already spawned by the master process? Well, if so, then unfortunately I've tried it already and have not been successful in attaching OllyDbg to the child process. OllyDbg says:

Unable to attach to process "ChildTest"

Maybe it's because there is no endless loop?

I don't understand Spanish, only Polish and English and learning German...

focht
May 10th, 2004, 14:13
Hi again,

Thanks for the reply, focht. Is there an English version of this tool as well?

Not that I know of... this tool and its tutorials come in their native language. No localization ;(

I had the same problems and used some online translators (google it)...
It's a pity that people write tutorials and tools - which might be in the public interest - in their (non-English) mother tongue.
My native language is German, but I would never write tuts or tools exclusively in it.
Sharing all the knowledge/stuff using the "universal" English language (even with its bad spelling, hehe) is much more fruitful... just my opinion... but well.

Unable to attach to process "ChildTest"

Might be due to some protection mechanism like Armadillo, which basically sets up a debug server/client pair.
In fact, you can't attach to an already-debugged process at all.
There are some methods (forcing the debugger to detach from the child...) which are described in some tutorials.

Just try to identify the protector (if any) using PEiD: http://peid.has.it/ and then google for tutorials.

Regards,

A. Focht

GIJoe
May 10th, 2004, 14:22
Hi again focht

I've put it through PEiD and it detected no compression algorithm being used in this file; it is plain MSVC++ 6.0 linker output...

I think I misunderstood you before; now it's clear to me what I'm supposed to do. Thanks a lot.

Teerayoot
May 10th, 2004, 16:45
Set a BP on CreateProcessA, then use a hex editor to replace the child process's OEP with 0xEBFE (maybe store it in a temp dir) and press F9 to run again.
Then in Task Manager right-click and select -> Debug on the target child, yeah, and replace with the original bytes.

Regards,
Teerayoot
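The "EB FE at the entry point" trick that focht and Teerayoot describe needs one thing neither post spells out: where in the file those two bytes live. AddressOfEntryPoint in the PE optional header is an RVA, so it has to be mapped through the section table to a raw file offset before a hex editor can touch it. The following C program is an added example, not code from this thread or from any of the tools mentioned in it: it parses the PE headers, reports the file offset of the entry point, swaps the first two bytes there for EB FE (jmp $) while saving the originals, and restores them again. The PE image it operates on is constructed inline as sample input (a minimal PE32 whose entry point starts with the MSVC prologue 55 8B EC); the function names are this example's own, and the parser itself works on any PE32/PE32+ file read into memory.

```c
/* Added example (not from the thread): find a PE's entry point in the file image,
 * swap its first two bytes for EB FE (jmp $) and keep the originals for restoring
 * after a debugger has been attached. The sample PE is constructed below. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers/writers so the code does not depend on host endianness. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* File offset of AddressOfEntryPoint (its RVA mapped through the section table),
 * or -1 if the buffer is not a well-formed PE32/PE32+ or the EP lies in no section. */
long pe_entry_file_offset(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3C);                          /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = img + pe + 4;                      /* IMAGE_FILE_HEADER */
    uint16_t nsec  = rd16(coff + 2);                         /* NumberOfSections */
    uint16_t optsz = rd16(coff + 16);                        /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;                          /* IMAGE_OPTIONAL_HEADER */
    if (optsz < 20 || (size_t)(opt - img) + optsz > len) return -1;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B) return -1;         /* PE32 or PE32+ */
    uint32_t ep_rva = rd32(opt + 16);                        /* AddressOfEntryPoint */
    const uint8_t *sec = opt + optsz;                        /* IMAGE_SECTION_HEADER[] */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if ((size_t)(sec - img) + 40 > len) return -1;
        uint32_t vsz = rd32(sec + 8),  va  = rd32(sec + 12);
        uint32_t rsz = rd32(sec + 16), raw = rd32(sec + 20);
        uint32_t span = vsz > rsz ? vsz : rsz;               /* some packers zero VirtualSize */
        if (ep_rva >= va && ep_rva - va < span) {
            size_t off = (size_t)(ep_rva - va) + raw;
            return off + 2 <= len ? (long)off : -1;          /* need room for two bytes */
        }
    }
    return -1;
}

/* Replace the two bytes at the EP with EB FE (jmp $), saving the originals. 0 on success. */
int pe_patch_entry_loop(uint8_t *img, size_t len, uint8_t saved[2]) {
    long off = pe_entry_file_offset(img, len);
    if (off < 0) return -1;
    saved[0] = img[off]; saved[1] = img[off + 1];
    img[off] = 0xEB; img[off + 1] = 0xFE;
    return 0;
}

/* Put the saved bytes back (the step done in the debugger after attaching). 0 on success. */
int pe_restore_entry(uint8_t *img, size_t len, const uint8_t saved[2]) {
    long off = pe_entry_file_offset(img, len);
    if (off < 0) return -1;
    img[off] = saved[0]; img[off + 1] = saved[1];
    return 0;
}

/* Constructed sample: minimal PE32 with one .text section; EP at RVA 0x1000 maps to
 * file offset 0x200, where an MSVC-style prologue 55 8B EC (push ebp; mov ebp,esp) sits. */
size_t build_sample_pe(uint8_t *buf, size_t cap) {
    const size_t size = 0x400;
    if (cap < size) return 0;
    memset(buf, 0, size);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);                    /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44;
    wr16(coff + 0, 0x14C);                     /* Machine: i386 */
    wr16(coff + 2, 1);                         /* NumberOfSections */
    wr16(coff + 16, 0xE0);                     /* SizeOfOptionalHeader (PE32) */
    uint8_t *opt = coff + 20;
    wr16(opt + 0, 0x10B);                      /* Magic: PE32 */
    wr32(opt + 16, 0x1000);                    /* AddressOfEntryPoint */
    wr32(opt + 28, 0x400000);                  /* ImageBase */
    uint8_t *sec = opt + 0xE0;                 /* first section header (file offset 0x138) */
    memcpy(sec, ".text", 5);
    wr32(sec + 8, 0x10);                       /* VirtualSize */
    wr32(sec + 12, 0x1000);                    /* VirtualAddress */
    wr32(sec + 16, 0x200);                     /* SizeOfRawData */
    wr32(sec + 20, 0x200);                     /* PointerToRawData */
    const uint8_t prologue[] = { 0x55, 0x8B, 0xEC };
    memcpy(buf + 0x200, prologue, sizeof prologue);
    return size;
}

int main(void) {
    uint8_t img[0x400], saved[2];
    size_t n = build_sample_pe(img, sizeof img);
    long off = pe_entry_file_offset(img, n);
    if (off < 0 || pe_patch_entry_loop(img, n, saved) != 0) return 1;
    printf("EP at file offset 0x%lX: was %02X %02X, now %02X %02X (jmp $)\n",
           off, saved[0], saved[1], img[off], img[off + 1]);
    pe_restore_entry(img, n, saved);
    printf("restored: %02X %02X\n", img[off], img[off + 1]);
    return 0;
}
```

On a real target you would read the child executable (a copy, as Teerayoot suggests) into a buffer, call pe_entry_file_offset to get the offset to edit, write the patched copy back to disk, and let the parent spawn it. The child then spins at its entry point instead of running, you attach OllyDbg to it, and in the CPU window you overwrite EB FE with the two saved bytes; since EIP already sits on the entry point, the process simply continues from its real code. Keep the saved bytes somewhere: if you lose them, the only other source is the unpatched original file at the same offset.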

Ricardo Narvaja
May 11th, 2004, 01:53
The child is the same file as the father (they are equal); for this reason the EP of the child is the same as the EP of the father. Reopen the father in Olly and, when it stops at the Entry Point, copy the value of the EP; it is the same as the child's.

Ricardo

Ricardo Narvaja
May 11th, 2004, 01:54
And when it stops in WriteProcessMemory (called to copy the two bytes), in the parameters of this API on the stack you can see the value of the EP (the father is copying the EB FE infinite loop into the EP of the child).

Ricardo

Ricardo Narvaja
May 11th, 2004, 01:59
And it is not possible to put a BP in the child with Olly while the father is debugging it; there are some procedures in the tuts, depending on the version of Armadillo, to do it and then kill the father and leave the child looping.
And on my FTP there are versions translated into English, and not by a machine. Look:

69-ARMADILLO FOR DUMMIES GETRIGHT 5 vol I ENGLISH.rar
70-ARMADILLO FOR DUMMIES GETRIGHT 5 vol 2 ENGLISH.rar
74-ARMADILLO & NANOMITES part 1ENGLISH.rar
77-armadillo & nanomites 2 part english.rar
78-ARMADILLO MAS NANOMITES ANEXO .rar

These are all translated into English by a human, not a machine; if you are making a tut in Spanish, download the English version.

Ricardo