Hi,

I opened 32-bit exe file in Ollydbg, made some corrections in code window in exe file, like this:

00837889 -> JNZ 00837C2F -> changed to NOP
0076719E -> JE SHORT 007671B2 -> changed to JMP SHORT 007671B2
00767129 -> JE 007671CB -> changed to NOP
007670CC -> JE 007671DB -> changed to NOP

But I can't find the way to save my changes to this exe file. Can you help me with my problem. It would be very helpful for me. Thank you.


blondakke

Did you try using the mothod explained in our faq? Are you still unable to save your changes?

Just use a hex editor. OllyDbg is a debugger, and nothing more. As a program's code and data may be modified during its execution, it is not recommended to save to disk except for special purposes such as unpacking process.

Use the right tool for the job.

Yes, I tried it.

# right click over the code ... done

# "Copy to executable" - "All modifications" (or "Selection", as you desire) ... I have only "Selection", not "All mod..." .... done

# right click over the new window ... done

# "Save file" ... it shows me "Dump of file xxx is not modified. Do you really want to save unchanged dump to disk?" I modified exe file in code window, I don't understand ... :-(

When I tried on the second attemp "Copy to Selection" it showed me "Error - Unable to locate data in executable file"

I'm confused...

Yes, because OllyDbg only saves data changed in the section declared as code section.

You should use an hexa editor, as suggested LLXX before...

Cheers

Nacho_dj

In fact, Olly needs to "see" that the code is in a section... if you add a section to a file with real size 0x20 bytes and then change it's size with LordPe to 0x10, you will be able to save changes made in that section only for the 0x10 bytes (length of the section)... If you change the 0x10 bytes from the end, Olly will warn you that it can't save...

Did that make sense? Hope so...

Maybe you are trying to patch code allocated at runtime. Which is the address space of the exe file?

nacho_dj dont post misinformation
infact you had asked the same question earlier and i remember fairly well
replying to you in gory details along with screen shots and what not

and i had clearly showed you it is possible to save modifications in any sections

still you answer that it isnt possible to save blah blah

http://www.woodmann.com/forum/showthread.php?t=7711&highlight=copy+executable

@blondakke

answer Zairons question
whether whatever you are modifying belongs to the exe you are modifying
or whether it was allocated during runtime ?
i dont believe ollys context menu will show copy to executable on virtuall allocated memory so i did not ask earlier
but if it showed up then proabably there is something else going on the exe might be checking itself and changing modifications on fly
or it might be decryptin another portion to this place so all your modifications get overwritten every time etc etc

Another Question:

Can you find the code you are trying to patch in inside the executable on disk?

Try using HIEW, or HexWorkshop. Seracrch for the byte pattern around the code you are trying to modify.
If you cannot find your code in the original exe, probably this code segment you wanted to patch is made, unpacked or decrypted at run time.

In that case, you have to rethink your strategy. (An Unpacking job, or a loader/memory patcher).

Yes, you're right blabberer, there was a thread about this, so forget what I post...

I normally use an hexa editor from that moment to save data...

Cheers

Nacho_dj

Olly can save changes in any section of the exe or dll with the descripted method, not only in code section but...

if you have a section for example, with raw size 1000 and virtual size 2000, only you can save in the first 1000 bytes, this bytes are located in the executable, the other 1000 bytes are only virtual and if you try save in the file, OLLY say UNABLE .., nobody can save in a inexistent place.
Remember in the sections you see in OLLY, only you can save in the first part of the section, when start the virtual only part is not possible, right click in the exe and press VIEW-EXECUTABLE FILE and you can see the part of the section where you can save.


Ricardo Narvaja

I checked it and I guess you're right. I can't see my code after I opened exe file. I need to run debug to make correction.

How can I detect it? I see the first column of address in the main window but how I know where is the end of address space?

P.S. Sorry for my stupid questions but I'm working with debugger for the first time.

You are doing fine, Blondakke.
Your questions are not stupid, you are only unexperienced.

While your app is open in Olly, click on the "view" drop down menu, then choose "memory", the shortcut is Alt-M

Look at the information, carefully. You will see the base address, the size, the name of your app module(s) (Owner), the name of each one of its sections as they are mapped, loaded in memory. You will also see the other modules, dlls system dlls etc with their addresses.

Figure out the address of the code you are interested in on in this scheme of things. 007670CC belongs to which module?, which segment? What is the distance form its base address?

Now look at the same file with a PE viewer. Like PE-tools, CFF Explorer etc.

You will see the way those segments are organized in the file on disk.

Look carefully. Tha names of the sections are the same but the addresses are different. Those are RAW values, instead of Virtual values.


This should help you locate your code in the Disk file, if it is there at all...

There is a virtual address calculator in CFF Explorer, that may help you locate what you are looking for in the disk file, if it is there, or to figure out the space it should be.

Play around with those tools, come back with questions

alt+e --> right click -> view memory

ollydbg will show you a contigious display of memory with the name of module

like this



i just added a virtual alloc to the above exe



the allocated memory



the details of newly allocated memory

Memory map, item 22
Address=00830000
Size=00001000 (4096.)
Owner= 00830000 (itself)
Section=
Type=Priv 00021040
Access=RWE
Initial access=RWE


if you notice it doesnt have a name for owner of this memory range

type is not image but private

subtle differnances will tell you that its some thing different
and you are not dealing with

but i just confirmed copy to executable doesnt show up in unanalysed
memory portion
if you say its showing up then its definately in exes memory image
but its doing some tricks and probably erases your patches
in runtime

What surprises me is the fact that someone is trying to use a debugger as a hex editor, and that he/she doesn't even know how to use a hex editor yet!

@LLXX
well to be frank i didnt know some thing like hexditors existed and could be usefull to do some jobs like repetetive search and replace till i met some beasts like ^DaeMonS^ crackmes and to be able to deal with some of his crackmes successfully one atleast should have been conversant enough with
assembly and editing and trampolining and noppping and other little nice secrets of old school

the only hexeditor that i snooped around in my earlier days was what fravia
hosted on his page some thing called psedit that honked my computers beeper several times and asked me to send $25 dollors to some clair valley address which i promptly ignored and never had any use for later

off late i do all my editing and miscellaneous stuff in DEBUGGER
you want search and replace just write simple script and execute it and well
apart from search and replace may be hiews xorring a range of bytes with mask may be usefull in some cases but you can dump trampoline a xorring routine binary copy paste in dumps create backups and view them with ollydbg so basically you have no need for a hex editor if you fully understand the power of ollydbg (only thing ollydbg cant do that hexeditor can do is add extra padding to existing file and save natively (note the word NATIVELY)

but you can call a helper to do it via plugin for example you can call
santmants ZeroAdd via a simple commandline extension to add extra section
and save it as new

but opinions are opinions you go with what rocks your boat and i go with
what keeps my cup full at the end of it