This is new PE Dumper plugin for best user mode debugger OlluDbg.
The PE Dumper is similar to OllyDump by Gigapede but fully rewritten and have
some features:

- you can dump any *.exe and *.dll from debugged process address space;
- you can add/remove sections to/from resulting dump. If you are add new section,
you specify VA and size of memory region to add as section, attributes, File Offset,
RAW size and section name. So, now you can add to dump any memory regions created
by protectors during debug session;
- antidump antiprotection and most correct save dump technics: during dumping,
against other dumpers, PE Dumper save only present memory pages (basing on VA & Virtual size).
So, if between memory regions present non-allocated space, most other dumpers
(and OllyDump too) will not save dump correctly, but PE Dumper will save all
correctly.
- fix raw sizes correct only RAW size of image according to Virtual Sizes;
- paste header from disk - use header from disk, it's clear;


This plugin not fully tested yet. If you find bug, please e-mail me.

http://mmtools.nm.ru/OllyDbgPEDumper.rar
("http://mmtools.nm.ru/OllyDbgPEDumper.rar
")

e-mail:
fkma@mmtools.ru

the link donīt work

When i can download?

Ricardo Narvaja

i can download now sorry
thanks
Ricardo

i can download now sorry
thanks
Ricardo

Nice Work
Thank you

you good!

this job is very nice.

Please test it. I can't have many time in this time for trying to deep test
of this plugin. It may contain some bugs.
Thanks.

fkma@mmtools.ru

Hi.

Version 3.01 released.

changes:
+ Added autoselect main exe module in pick module list
* some GUI minor changes
- remove some unused code

http://mmtools.nm.ru/ollydbgpedumper301.zip ("http://mmtools.nm.ru/ollydbgpedumper301.zip")

FKMA: there are some problems in downloading your plugin. please send it to me via mail so I can add it to the stuph page. thanks

I agree, took many retries. Thank you for the work you put into this, anything to make life easier is great!

Great tool, wish you could make it perfect!

i identify olly crash on startup with "many plugins" and pedumper.dll (v3.01)

OS: win2k

Application popup : OLLYDBG.EXE

The Instruction at "0x0010db9b" referenced memory at "0x0010db9b"
The memory could not be read.


please FIX

thanks

cubituz
I also have many plugins that Olly loaded (about 29 ) but don't
face with such problem.
At this point can't say anything about reason.
Say version of W2K, what module belongs address 0x0010db9b, base address of owner module and enum plugins that you use.

see later.
sorry for my english.

Well, I donīt know if itīs for the SP2 but I canīt add any section to the dumped file, even if I mark the option to make sections writable.

The Import Reconstructor jump me with "Can't add any section to this file".

Have you test it on SP2 or may be just a problem on my machine

Hi FKMA !

Very very good plugins!

Can you help me for find OEP for dump?

Is there a solutions for find this value for some program?

When I can use GET EIP as OEP?

THANKS!

Hi FKMA,

I send email with my olly config for you.

thankx for your help.

Good luck

cubituz
Hi !
I have received yours e-mail.
It not glitch PEDumper-a.
It has turned out here that: at deleting ANY plug-in (you have them 34), olly it is started normal. Similar, it is bug Olly. Somewhere there is a stack overflow.
It is necessary to reduce amount of loaded plug-ins.
Success.

kaos_xlro
Hi.
I shall deal with this problem in the near future.

Thanks to all.

smarco
Hi smarco!
How to find OEP write in crackers manual.
Look, it is a lot of them in INET.

Get EIP as OEP means, that in header of PE file as an entry point current value EIP will register.

Success!

Hi FKMA,

thanks for all.

sorry for the trouble.

thanks again,

kaos_xlro

Hi !
About problem you are say earlyer.
At attempt to add a new section in dump at restoring IAT by ImpRec, made from a file protected by some protectors, for example ASProtect, we receive the message that it is impossible to add a section.
If to look on Header of such file it is possible to see that measures against addition new sections are taken.
For example, ASProtect 2.0 beta:

RAW offset of first section is 0x400
IMAGE_DOS_HEADER.e_lfanew is 0x100 (general 0xf0)
12 (0x0c (!)) sections in PE.
so, we have:

offset
0x0000 IMAGE_DOS_HEADER
0x0100 IMAGE_NT_HEADERS
0x01F8 (0x100+4+sizeof (IMAGE_FILE_HEADER) +
sizeof (IMAGE_OPTIONAL_HEADER) -
begin of array of IMAGE_SECTION_HEADER
0x03D4 IMAGE_SECTION_HEADER.Characteristics of last structure
0x03D8 sizeof (IMAGE_SECTION_HEADER) bytes of 0x00 -
(the indicator of the end of array IMAGE_SECTION_HEADER)
0x3D8 + 0x28 = 0x400
0x0400 begin of image of first section
...

so, we see, that there is no place for add new section.
To solve the problem it is possible or to delete the unused sections which have remained after a protector before resolving import, or having made re-structuring PE of a file and to shift the beginning of the first section from 0x400 to 0x1000, for example.
The second method and some checks and bugfixes will be realized in next version of pedumer. cooming soon...
Thanks to all, and, please, send me a bugreport, if any.

Hi all !
version 3.02 released.
changes:
+ Now you can add section by selecting it from Memory Map window.
Simple push "Get MAP" button in main window.
+ added check for needed free space in header when adding new section.
- fixed bug of setting raw size to zero for newly added sections when
check/uncheck "Fix RAW sizes"

http://rapidshare.de/files/1393348/olly.pe.dumper.3.02.rar.html
("http://rapidshare.de/files/1393348/olly.pe.dumper.3.02.rar.html
")

as usual, please test.

Hi.
version 3.03
changelog:
3.03 27.04.2005
----
- display "Saved with ERRORs" message when Raw Size of section == 0 - fixed
- fixed bug with setting OEP

thanks MaRKuS-DJM for testing.
hxxp://rapidshare.de/files/1454959/peDumper303.rar.html

I can't download peDumper303 from rapidshare because I use download managers. Is there another site from which I can download. Removing the download managers from my pc seems to cause a lot of grief!

Thanks

just disable ur download manager........u dont have to uninstall it or use firefox

its just 85kb file!!!

Hi FKMA again me testing at your plugin:

1.Good option the one of reading the header from disk, because there could be diferences, but particullary Im looking the thinstall (packer) that change the header on memory... well what Im try to tell you is about unchecking this option of the plugin if I amnt wrong the plugin then copy the header from memory.

I got a problem when unchecking this option, it doesnt dump the other sections just the header.

2.It had some problems on reading correctly the sections on header. If I try to add a new section (the GETMAP option) the plugin overwrite some of the others sections and had some problem reading some bytes.

dont know if its a problem of the packer but I compare the dump of your plugin and the one of the Ollydump and had no diferences on other sections but in the header.

I tested 3.03 version
Sorry Im telling you this but I really apreciate your job and I want looking it working fine (could be a better tool that Ollydump in my opinion) (If you want to send me a betta version Ill be glad to help you kaos_xlro""@yahoo.com (whitout cuotes))

OK aunlead point taken

Hi kaos_xlro !
Thanks for you testing !

I was very busy last time and don't visit this forum.

About first problem: i download thinstall and look for this in near time. But, can you send me the app that you try dump and small tutorial to get point in that you dump the app ? It may help to solve bug. My mail: fkma[at]mmtools[dot]ru

Second problem: are you get this on thinstall packed program or in some else cases ? Some words about GetMap: it's dont retrieve any data from memory of debugging process. It simple fill with data additional rows in section table in main plugin window. If sections crosslinked in this table, it will be write on dump incorrectly. Plugin dont check the areas and bounds of sections that fill in table. After you press Dump, its simple dump sections row by row according it order in table and take the parameters of sections from table too. If, for example, third section begin sooner than second ends, the second section will be partially overwritten. I add some checks about crosslinked entries in table and offsets auto-recalculation option in v 3.04. (it lied on my HDD about month already with some bug fixed (i already dont remember about what fixes ) and small help about how dumper works.)
Thanks a lot for testing. I send you 3.04 and publish 3.05 after bugs will be fixed.