OLLYBONE


Ricardo Narvaja
July 28th, 2006, 06:29
I put the DLL and the i386 folder in my plugin folder, and in the OllyDbg folder, and when I try to put a memory breakpoint on execution an error appears.

OLLYBONE ABORT:Kernel driver load returned staus 2

and it fails.

Does anyone have this problem?

Thanks
Ricardo Narvaja

jstorme
July 28th, 2006, 07:10
Hi Ricardo. It seems to work for me. I put the DLL and the .sys file in my plugin directory and it worked fine. Olly stopped at the OEP.
To test it I removed all other plugins and only left the OllyBone plugin. I tested it with a UPX-packed target. I used the original Olly.

jstorme
July 28th, 2006, 07:23
Sorry, my mistake. I forgot to remove a hardware breakpoint I had set previously. I still had one set at the OEP. It did not work for me either.

Ricardo Narvaja
July 28th, 2006, 07:26
When you put the break on execute on a section in the M window, do you get the same error I do?

Ricardo

Ricardo Narvaja
July 28th, 2006, 07:28
It works for me now. I put the contents of the i386 folder in the Olly folder and it works perfectly.

Thanks to the author.
Ricardo

jstorme
July 28th, 2006, 07:35
OK. I will try this as well. Thanks for the tip.

Ricardo Narvaja
July 28th, 2006, 07:50
Yes, the program stops at the OEP perfectly, but I can't continue running the program. I remove the break on execute and press F9 and the program terminates. Is it possible to continue executing?

Ricardo

idas37
July 28th, 2006, 08:40
@Ricardo Narvaja
Quote:

Usage is straightforward

Load target EXE in OllyDbg
Locate potential final code segment
Toggle break-on-execute flag
Run
Program encounters INT1 (single-step break) when trying to execute protected page
Control is passed back to OllyDbg
We are at the OEP, unpacked (hopefully)



Options -> Exceptions -> single-step break (uncheck)

Ricardo Narvaja
July 28th, 2006, 12:16
But with it unchecked the program stops, and then when I press F9 or Shift+F9 it terminates and doesn't run.

Ricardo

Ricardo Narvaja
July 28th, 2006, 12:35
Yes, I tried again and it works perfectly without this mark, thanks.

Ricardo

Ricardo Narvaja
August 1st, 2006, 10:29
It would be useful if the break on execute could be removed from the right-click menu of the CPU window, so it isn't necessary to enter the M window. There are programs like ASProtect that execute a RETN in the first section: you need to enter M to remove it, then trace, enter M again to set it again, go until the OEP, and enter M again to remove it.

Why can't it be removed from the right-click menu in the CPU window?

Ricardo Narvaja

theMyth
September 10th, 2006, 01:51
Doesn't work for me, whether I put them in the plugin folder or in the Olly folder. It always shows an error "Kernel driver load returned staus 2" or shuts down Windows with a blue screen. I am using Windows XP Home SP2.

Ricardo Narvaja
September 10th, 2006, 08:23
Look at the plugins installed: put it in an Olly without plugins and try. If it works, add the plugins one by one to find which plugin is incompatible. Some users tell me OllyBone works only if you have OllyDbg on C: (I don't know if this is true or not; try moving Olly to C:).

Ricardo

theMyth
September 10th, 2006, 10:51
Thanks Ricardo for the information; however, it still doesn't work with the original Olly, no plugins but OllyBone, and path C:\1.

Regards.

Kayaker
September 11th, 2006, 17:29
Hi

I've had that problem too. There is something peculiar about the InstDriver routine that is used. This is the common driver installation routine the rootkit guys seem to like to use for PoC code. I've also had problems running the FU rootkit, which uses the same routine; it gives an ImagePath error as well. To use/test it I've had to port the code over to my own driver framework, which uses a slightly different installation procedure.

Try this - DELETE the registry entry for

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ollybone]

You can also delete, if you want,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OLLYBONE]

THEN try running the ollybone plugin again, from wherever you have the default plugin path.

Afterwards, there probably WON'T be a registry entry for the driver (even though there normally *should* be). When you first install Ollybone it seems to generate an incorrect ImagePath to the driver, and you're stuck forever afterwards unless you delete the registry entry. Manually changing the ImagePath doesn't seem to help. It may work if you have the dll in a "plugin" directory and the sys driver in the main OllyDbg directory, the *first* time it's installed, but it shouldn't have to work that way, that's why I think there's a fault in the code. Either way, Ollybone should hopefully run OK after this.

Kayaker

double_dword
September 12th, 2006, 09:16
Quote (originally posted by theMyth):

Doesn't work for me, either i put them in plugin folder or in olly folder. It always shows an error "Kernel driver load returned staus 2 " or shutdown windows with blue screen. I am using windows XP home SP2

I had this error with my limited user account. After running Olly under an administrator account (logging in as admin, not "run as") everything runs fine.

Ricardo Narvaja
October 22nd, 2006, 08:40
OLLYBONE bug:

When you put a BPM on execute in a program with DLLs loaded at lower addresses in memory than the exe, OllyBone gets confused and gives the message that it cannot put a BPM on execute outside the main module, while you are putting the BPM in the main module of the exe.

Look at the image: the grayed part is the main section of the exe, and there are 2 DLLs at lower addresses in memory. This confuses OllyBone; the plugin reads the DLLs, looks for the minimum address and supposes the exe is at this address.

For this reason OllyBone can be easily fooled just by loading a DLL at a lower address in memory than the exe.

Ricardo Narvaja
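
The heuristic Ricardo describes above (lowest loaded module = main EXE) versus a check against the module the debugger actually knows to be the main one, as an added example that is not part of the thread or of OllyBone's own source. The module table, the names (helper1.dll, target.exe, ...) and the is_main flag are constructed sample data and assumptions for illustration; an OllyDbg plugin would instead take the main module's base and size from the debugger's own module list.

```c
/* Added example, not OllyBone code: contrasts the "lowest base is the EXE"
 * heuristic with a range check against the flagged main module.
 * The module table below is constructed sample data. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    const char *name;
    uint32_t    base;     /* load address (32-bit, as on the XP-era targets) */
    uint32_t    size;     /* SizeOfImage */
    int         is_main;  /* 1 for the debuggee's EXE, 0 for a DLL (assumed flag) */
} module_t;

/* Constructed sample: two DLLs mapped below the EXE, as in the bug report. */
static const module_t sample_modules[] = {
    { "helper1.dll",  0x00100000, 0x00010000, 0 },
    { "helper2.dll",  0x00200000, 0x00020000, 0 },
    { "target.exe",   0x00400000, 0x00030000, 1 },
    { "kernel32.dll", 0x7C800000, 0x000F6000, 0 },
};
static const size_t sample_count = sizeof sample_modules / sizeof sample_modules[0];

/* The heuristic the post describes: the lowest-based module is taken as the EXE. */
static const module_t *main_module_by_lowest_base(const module_t *m, size_t n) {
    const module_t *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (!best || m[i].base < best->base)
            best = &m[i];
    return best;
}

/* Correct: use the module the debugger already knows is the main one. */
static const module_t *main_module_by_flag(const module_t *m, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (m[i].is_main)
            return &m[i];
    return NULL;
}

/* True if addr lies inside [base, base + size). */
static int in_module(const module_t *m, uint32_t addr) {
    return m != NULL && addr >= m->base && addr - m->base < m->size;
}

/* 1 if a BPM-on-execute at addr would be accepted under the naive heuristic,
 * 0 if it would be rejected as "outside the main module". */
int naive_accepts(uint32_t addr) {
    return in_module(main_module_by_lowest_base(sample_modules, sample_count), addr);
}

/* Same decision using the flagged main module. */
int correct_accepts(uint32_t addr) {
    return in_module(main_module_by_flag(sample_modules, sample_count), addr);
}

int main(void) {
    uint32_t oep_page = 0x00401000; /* a page inside target.exe */
    printf("BPM at %08X: naive=%d correct=%d\n",
           oep_page, naive_accepts(oep_page), correct_accepts(oep_page));
    uint32_t dll_page = 0x00100500; /* a page inside helper1.dll */
    printf("BPM at %08X: naive=%d correct=%d\n",
           dll_page, naive_accepts(dll_page), correct_accepts(dll_page));
    return 0;
}
```

With the sample table the naive check rejects the real OEP page in target.exe and would happily accept a page in helper1.dll, which is exactly the fooling Ricardo describes: any DLL that maps below the EXE shifts the "main module" the plugin reasons about.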

jstorme
October 24th, 2006, 14:41
For those that have problems with the BSOD, I found this on the author's site:

Quote:

If you have DEP enabled on XP SP2 you may get a BSOD when the target reaches
the BoE page - for now the only workaround is to disable DEP under

Control Panel->System->Advanced->Performance->Settings->Data Execution Prevention.

If that doesn't work, you may need to add

/noexecute=AlwaysOff

to your Windows partition in boot.ini. Special thanks to Tyler Hudak
and Danko Krajisnik for helping to debug the issues with DEP.