Bug fix for OllyDump 2.21b


Parasyte
April 16th, 2005, 05:10
Hello!
I recently used OllyDump 2.21b to unpack a program, and noticed the Import Rebuild feature contains a bug: When OllyDump calculates the new file size, it will not add the size of the import ordinals in the IID. In some cases (such as mine) the bug will cause the dumped executable to report errors such as "Cannot find <strange filename>.dll". That's because the IID is cut short! I guess the bug is rare enough that it was just never caught during development.


To fix the bug, insert the following into line 1261 of RebuildImport.c:

dwNewSectSize += sizeof(WORD);


Here's what the patched code should look like:

if(strlen(pApi->ApiName) != 0) {
    dwNewSectSize += sizeof(WORD);
    dwNewSectSize += (strlen(pApi->ApiName) + 1);
}


If you want to quickly patch OllyDump.dll without recompiling the source, you can make a few changes in a hex editor. Go to address 0x00005034, and REPLACE the data with the following:
90 90 90 90 90 90 05 03 00 00 00

Don't forget to back up your copy of OllyDump.dll before trying this.


There it is! Sorry if this has been mentioned before. But I figured I would point it out, in any case.
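
Added example (not part of the original post and not OllyDump's source): a stand-alone C sketch of the size calculation discussed above, comparing the bytes reserved for name entries with and without the 2-byte field that precedes each imported name (the Hint of IMAGE_IMPORT_BY_NAME in the PE format) against the bytes actually laid out. The function names, the sample import list and the Hint value 0 are assumptions made for illustration, and alignment padding is not counted, as in the calculation quoted in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: two imports by name, one by ordinal (empty name). */
static const char *const SAMPLE_IMPORTS[] = { "CreateFileA", "", "ExitProcess" };
#define SAMPLE_COUNT (sizeof(SAMPLE_IMPORTS) / sizeof(SAMPLE_IMPORTS[0]))

/* Bytes reserved for hint/name entries. count_hint = 0 gives the
 * calculation before the fix, count_hint = 1 the one after it. */
size_t hint_name_size(const char *const *names, size_t n, int count_hint)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (strlen(names[i]) != 0) {
            if (count_hint)
                total += sizeof(uint16_t);      /* 2-byte Hint field */
            total += strlen(names[i]) + 1;      /* name plus NUL */
        }
    }
    return total;
}

/* Lay the entries out as they are stored: Hint, then the name.
 * Returns the bytes required; entries that do not fit in cap are not written. */
size_t write_hint_names(const char *const *names, size_t n, uint8_t *out, size_t cap)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(names[i]);
        if (len == 0)
            continue;                           /* import by ordinal */
        size_t need = sizeof(uint16_t) + len + 1;
        if (off + need <= cap) {
            memset(out + off, 0, sizeof(uint16_t));   /* Hint = 0 (constructed) */
            memcpy(out + off + sizeof(uint16_t), names[i], len + 1);
        }
        off += need;
    }
    return off;
}

int main(void)
{
    uint8_t buf[64];
    size_t before = hint_name_size(SAMPLE_IMPORTS, SAMPLE_COUNT, 0);
    size_t after = hint_name_size(SAMPLE_IMPORTS, SAMPLE_COUNT, 1);
    size_t used = write_hint_names(SAMPLE_IMPORTS, SAMPLE_COUNT, buf, sizeof buf);
    printf("reserved before fix: %zu, after fix: %zu, written: %zu\n", before, after, used);
    return 0;
}
```

The shortfall before the fix is two bytes per import by name, so the end of the rebuilt import data falls outside the reserved size.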

Ricardo Narvaja
April 16th, 2005, 11:53
I always say new OllyDumps have a problem but I don't know what the problem is, thanks.

Ricardo

Ricardo Narvaja
April 16th, 2005, 13:49
I have version 2.21.108; is the fix for this version?

Ricardo Narvaja

Parasyte
April 17th, 2005, 02:32
Yes, that appears to be correct. I downloaded it (OllyDump) from the "Stuph" link at the top of this page.

Ricardo Narvaja
April 17th, 2005, 04:47
thanks

Ricardo Narvaja

c_a2
April 27th, 2005, 10:15
@Parasyte

I did what you said and it doesn't work.
Can you please tell me the exact bytes that I must change?
Sorry for my English.

c_a2
April 28th, 2005, 13:21
@Ricardo Narvaja

Please tell me if you got the file fixed and if it works well now.

Newbie_Cracker
July 27th, 2005, 15:13
It has another bug.
When dumping Armadillo-packed targets, it screws up the header, because it calculates the "offset of PE Signature" wrongly!
But LordPE's dump is perfect.

mr haggar
July 28th, 2005, 14:47
Thanks Parasyte! I had exactly this problem sometimes after dumping Delphi apps packed with PESpin. Gonna check it now.