lux
August 9th, 2004, 03:26
Absolutely newbie on this side
I'm trying to 'look inside' a program that uses a teLock packed dll.
I unpacked the dll, at least tried to, but it seems to work, as the packed dll did. Details below.
The problem is: every time I load and reload the prog in Olly, with my unpacked dll, Olly re-analyses the code. (gr8 chance to stop and use the brain rather than staring at the program
Looking at the log, I find:
File 'prog.exe'
New process with ID 0000007C created
00797042 Main thread with ID 00000724 created
00400000 Module prog.exe
Import Lookup Table outside .idata
CRC changed, discarding .udd data
10000000 Module dll.dll
10001000 Code size in header is 00000000, extending to size of section '.neolite'
Import Lookup Table outside .idata
...
(noticed 'CRC changed, discarding .udd data') This thing is rather annoying, because all breakpoints etc. are lost between one run and the other.
Needless to say, the prog and the dll do not change. I took md5 sums of them and they are always the same. If I use the original packed dll, the problem disappears.
Some hints and background info:
the prog is about 4,5MB, the packed dll 34KB, the unpacked one 72KB. If I run Olly on the prog with the packed dll, it produces .udd file of about 4,3MB; if I run with the unpacked dll, the .udd file produced is 8,5MB instead.
About the unpacked dll: (as I wrote, I'm completely new to not only Ollydbg, but assempbly too so please don't flame me!); I was not able to unpack the dll using Olly because it keeps terminating saying that it won't run with an active debugger, or that the CRC changed. So to unpack it I took a dump of the running dll with LordPE and rebuilt the AIT with ImpRec. So I was not able to recover the OEP, but as I said the unpacked dll works.
Anyone has some suggestion for me?
Thanks
Lux
I'm trying to 'look inside' a program that uses a teLock packed dll.
I unpacked the dll, at least tried to, but it seems to work, as the packed dll did. Details below.
The problem is: every time I load and reload the prog in Olly, with my unpacked dll, Olly re-analyses the code. (gr8 chance to stop and use the brain rather than staring at the program
Looking at the log, I find:
File 'prog.exe'
New process with ID 0000007C created
00797042 Main thread with ID 00000724 created
00400000 Module prog.exe
Import Lookup Table outside .idata
CRC changed, discarding .udd data
10000000 Module dll.dll
10001000 Code size in header is 00000000, extending to size of section '.neolite'
Import Lookup Table outside .idata
...
(noticed 'CRC changed, discarding .udd data') This thing is rather annoying, because all breakpoints etc. are lost between one run and the other.
Needless to say, the prog and the dll do not change. I took md5 sums of them and they are always the same. If I use the original packed dll, the problem disappears.
Some hints and background info:
the prog is about 4,5MB, the packed dll 34KB, the unpacked one 72KB. If I run Olly on the prog with the packed dll, it produces .udd file of about 4,3MB; if I run with the unpacked dll, the .udd file produced is 8,5MB instead.
About the unpacked dll: (as I wrote, I'm completely new to not only Ollydbg, but assempbly too so please don't flame me!); I was not able to unpack the dll using Olly because it keeps terminating saying that it won't run with an active debugger, or that the CRC changed. So to unpack it I took a dump of the running dll with LordPE and rebuilt the AIT with ImpRec. So I was not able to recover the OEP, but as I said the unpacked dll works.
Anyone has some suggestion for me?
Thanks
Lux