
View Full Version : OllyDbg question


rukawaruki
October 31st, 2006, 19:44
Hello,

Say I have

lea ecx, [ebp+FFFFFED8].

Normally, when lea is selected, it shows the jump path, showing where the jump was taken. But the program I am working on is not showing me the path.
Is this because the program is packed? (I unpacked it manually using Olly, therefore there is a chance that I made a mistake when unpacking)

Thanks.

naides
October 31st, 2006, 20:27
LEA means "Load effective address"

ECX gets the address of EBP + FFFFFED8, which is the same as EBP - 128 in signed arithmetic.

I do not see jumps in this code, it is simply storing a stack address in ECX.
making ECX a pointer. . .

Can you explain the "jump path" part of the question with a more elaborate example? I cannot see how this may be related to correct unpacking

rukawaruki
October 31st, 2006, 20:46
naides, what I mean by the jump path is that if you click on the lea (select) you see the path just like you see one when you select any jumps.

So when I did this last time, lea showed some kind of path (arrow) to a certain address.

If anyone understands what I'm talking about, please teach me why I see the path because both naides and I are confused.

But, the main thing I'm trying to learn is to see the jump path.

blabberer
November 1st, 2006, 04:32
rukawaruki,

ollydbg does not show jump path to each and every lea command,

if lea command is the start of any sequence if it is jumped to ollydbg will show that arrow ,

and for it to show that arrow you need to do

options -> debugging options --> cpu

and have check marks on all the three of this check boxes

1) show jump path
2) show grayed path if jump is not taken
3) show jumps to selected command <----- this is what you might be missing

if you read the sentence correctly (which I myself sometimes don't do, as shown by dELTA in one of the previous posts)

the third option lets ollydbg show if any of the jumps are jumping to this
specific command which you have selected under your cursor
and also in the information pane it will show which all jumps are jumping to this command (it is not for just lea or anything its for any command that is being jumped you saw lea and think only lea gets that arrow it is not so)


@ naides hope you got your elaborate explanation too

naides
November 1st, 2006, 05:50

rukawaruki
November 1st, 2006, 10:11
blabberer,

thank you for a detailed explanation.
However, I already had the check marks on all of those three boxes.
I am sure I saw the jumping path on the same 'lea' I'm talking about when I was working on the same program before. There were a few updates since then. Can they update the program so that I cannot see such paths anymore?

The program was unpacked by UPX so I manually unpacked it using OllyDbg. The process was as follows:

1. Open program and it asks if I want to continue the analysis since it might be compressed, encrypted, or contain a large amount of embedded data. I said no.

2. I found the OEP, and dumped it.

3. I imported it using importrec.

Is there anything I missed while unpacking?

What should I do?

dELTA
November 1st, 2006, 17:26
My guess is that there simply is no jump targeting this instruction anymore. You can easily test this by setting a breakpoint on the lea instruction, and a breakpoint on the instruction before it, and then run the program. If the breakpoint on the lea instruction is hit without the preceding breakpoint being hit first, there is a jump to it, otherwise there isn't (well, not any that's being taken during your execution anyway).

But sure, they could prevent you from seeing the arrow if they have encrypted or otherwise obfuscated the jump in a way that Olly's analysis can't see it. Also, I'd imagine that Olly's analysis of this kind of thing only goes a certain distance from the current point, so they might just have increased the distance to the jump from this instruction too, e.g. by adding more code inside a loop or if-clause.

rukawaruki
November 1st, 2006, 22:55
Thanks dELTA.

Setting a breakpoint on the lea causes a problem (outside of the code).

When I open the program Olly already pops an Entry Point Alert box saying the program has its entry point outside the code. Maybe this file is self-extracting or self-modifying. Please keep it in mind when setting breakpoints.

I already said that I unpacked the program. But since it won't let me set a breakpoint on lea, I have a feeling that my unpacking was unsuccessful.

LLXX
November 1st, 2006, 23:45
You didn't unpack it properly.

Ensure "size of code section" in PE header is correct and the section attributes for all the code sections have "contains executable code".

Edit: Just noticed you mentioned it was UPX'd, in that case just use UPX's built-in decompression option (upx -d filename.exe) - no need to unpack manually if there's an automated method available, unless you do not know how to unpack and are doing it as an exercise; just like learning to do maths by hand, then later using a calculator instead.
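The two header checks LLXX names can be made mechanical. The Python script below is an added example, not code from this thread or from any of the tools it mentions: it parses the PE32 headers of an image, finds the section that holds the entry point, and reports when that section is not executable or not flagged "contains executable code", or when SizeOfCode does not match the code sections. The three sample headers (CLEAN_IMAGE, STALE_DUMP, EP_OUTSIDE) are constructed in memory for illustration only, and the rule that SizeOfCode equals the summed SizeOfRawData of the IMAGE_SCN_CNT_CODE sections is the usual linker convention, not something the loader enforces.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020               # "contains executable code"
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe32(data):
    """Read the few PE32 header fields the checks below need."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                        # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 images are handled here")
    size_of_code, = struct.unpack_from("<I", data, opt + 4)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i          # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "chars": chars})
    return {"size_of_code": size_of_code, "entry_rva": entry_rva, "sections": sections}


def check_dump(data):
    """Return a list of findings; an empty list means the header passes these checks."""
    pe = parse_pe32(data)
    findings = []
    ep = pe["entry_rva"]
    ep_sec = next((s for s in pe["sections"]
                   if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep_sec is None:
        findings.append("entry point RVA 0x%X lies outside every section" % ep)
    else:
        if not ep_sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry section %s lacks IMAGE_SCN_MEM_EXECUTE" % ep_sec["name"])
        if not ep_sec["chars"] & IMAGE_SCN_CNT_CODE:
            findings.append("entry section %s lacks IMAGE_SCN_CNT_CODE" % ep_sec["name"])
    # Linkers normally set SizeOfCode to the summed SizeOfRawData of the code sections
    # (a convention, not a loader rule); a dump still carrying the packer's value shows up here.
    expected = sum(s["rawsize"] for s in pe["sections"] if s["chars"] & IMAGE_SCN_CNT_CODE)
    if pe["size_of_code"] != expected:
        findings.append("SizeOfCode 0x%X != 0x%X (sum of code sections)"
                        % (pe["size_of_code"], expected))
    return findings


def build_pe32(sections, entry_rva, size_of_code):
    """Construct a minimal PE32 header in memory (constructed test input, not a loadable binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 4, size_of_code)
    struct.pack_into("<I", opt, 16, entry_rva)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                                vs, va, rs, 0, 0, 0, 0, 0, ch)
                    for n, va, vs, rs, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
PACKER_RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed: a header shaped like a normally linked program (sections are (name, va, vsize, rawsize, flags)).
CLEAN_IMAGE = build_pe32([(".text", 0x1000, 0x5000, 0x5000, CODE),
                          (".data", 0x6000, 0x1000, 0x1000, DATA)],
                         entry_rva=0x1000, size_of_code=0x5000)

# Constructed: a dump whose section flags and SizeOfCode were never fixed after dumping;
# the OEP sits in a section that is executable but not marked "contains executable code".
STALE_DUMP = build_pe32([("UPX0", 0x1000, 0xC000, 0xC000, IMAGE_SCN_CNT_UNINITIALIZED_DATA | PACKER_RWX),
                         ("UPX1", 0xD000, 0x3000, 0x3000, IMAGE_SCN_CNT_INITIALIZED_DATA | PACKER_RWX)],
                        entry_rva=0x1000, size_of_code=0x3000)

# Constructed: the case behind an "entry point outside the code" alert.
EP_OUTSIDE = build_pe32([(".text", 0x1000, 0x5000, 0x5000, CODE)],
                        entry_rva=0x20000, size_of_code=0x5000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("stale dump", STALE_DUMP), ("ep outside", EP_OUTSIDE)):
        print(label, check_dump(image) or "ok")
```

To run it against a real dump, pass `open(path, "rb").read()` to `check_dump` instead of the constructed bytes. An empty result does not prove the dump is good (the OEP and rebuilt imports still need checking), but a non-empty one explains an "entry point outside the code" alert without guesswork.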

blabberer
November 2nd, 2006, 12:06
Quote:

Also, I'd imagine that Olly's analysis of this kind of thing only goes a certain distance from the current point, so they might just have increased the distance to the jump from this instruction too


as far as I can recall the only limit was the jmp should not point to a different memory block (viz. jmp kernel32.ExitProcess kinda jmps); if the jump is within one block ollydbg will show the arrow
so what's the problem, write a few dumb scripts to test

Code:

.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib


.data
caption db "this is a world record for long jump",0
text db "dELTA is creative i have way too much free time and ollydbg is amazing",0

.code
start:
jmp longjump                 ; forward jump over 1,000,000 bytes of padding
db 1000000 dup (90h)         ; NOPs, so the target is far away but still in the same block
backjump:
invoke ExitProcess,eax       ; reached only via the backward jump below
longjump:
lea eax,caption              ; MessageBoxA(NULL, text, caption, MB_OK)
lea edx,text
push NULL
push eax
push edx
push NULL
call MessageBoxA
jmp backjump                 ; backward jump over the same padding

end start


rukawaruki if it is upx and you are not trying to learn how to unpack use upx -d

btw unpacking upx in ollydbg is simple

ctrl+s
type
popad
jmp CONST
hit enter
you will be at the end of upx unpacking routine
select the jmp const line
press shift+f4
select pause always
in the when paused pass the following command to plugin edit box
type .si (dot step in) hit ok
and f9
ollydbg will pause on oep
select ollydump
and hit dump (with all default options including build imports ticked and get eip as oep doing its job)
you should have a faultless unpacked executable


and in ollydbg the result of the dumb code above

rukawaruki
November 3rd, 2006, 08:16
blabberer,

so I found popad and jmp right next to each other.
I chose jmp and shift + f4 (conditional break).
I chose always pause.
In the box where it says If program pauses, pass following commands to plugins: I put '.si'.
And run. And the addresses Olly gives me is messed up like this 7cc32123.

Did I do something wrong? I am not using a program to unpack because I am trying to learn how to manually unpack successfully.

blabberer
November 3rd, 2006, 13:50
then it might not be upx, or some newer version of upx; in some newer versions of upx there are more than one popad/jmp const sequence it seems
i checked 1.25 there are three in this 1.25 select the last one

also jmp const line will actually show you where it is going to jump
like jmp 401000 confirm

here is a simple screen dump of a sample upx created , compressed, unpacked. all in one


Code:

D:\Borland\upx125w>copy con hello.c
#include <stdio.h>
int main (void)
{
printf("hello rukawaruki\n");
return 1;
}
^Z
1 file(s) copied.

D:\Borland\upx125w>bcc32 hello.c
Borland C++ 5.5.1 for Win32 Copyright (c) 1993, 2000 Borland
hello.c:
Turbo Incremental Link 5.00 Copyright (c) 1997, 2000 Borland

D:\Borland\upx125w>dir hello*
Volume in drive D has no label.
Volume Serial Number is F019-DC3B

Directory of D:\Borland\upx125w

11/03/2006 11:50 PM 87 hello.c
11/03/2006 11:51 PM 479 hello.obj
11/03/2006 11:51 PM 393,216 hello.tds
11/03/2006 11:51 PM 52,224 hello.exe
4 File(s) 446,006 bytes
0 Dir(s) 2,842,271,744 bytes free

D:\Borland\upx125w>hello.exe
hello rukawaruki <-------------------------------------

D:\Borland\upx125w>upx -9 -q -o rukahello.exe hello.exe
Ultimate Packer for eXecutables
Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004
UPX 1.25w Markus F.X.J. Oberhumer & Laszlo Molnar Jun 29th 2004

File size Ratio Format Name
-------------------- ------ ----------- -----------
52224 -> 25088 48.04% win32/pe rukahello.exe

Packed 1 file.

D:\Borland\upx125w>dir *hell*
Volume in drive D has no label.
Volume Serial Number is F019-DC3B

Directory of D:\Borland\upx125w

11/03/2006 11:50 PM 87 hello.c
11/03/2006 11:51 PM 479 hello.obj
11/03/2006 11:51 PM 393,216 hello.tds
11/03/2006 11:51 PM 52,224 hello.exe
11/03/2006 11:51 PM 25,088 rukahello.exe
5 File(s) 471,094 bytes
0 Dir(s) 2,842,238,976 bytes free

D:\Borland\upx125w>rukahello.exe
hello rukawaruki <----------------------------------------------

D:\Borland\upx125w>d:\Borland\odbg110\odbg110\OLLYDBG.EXE rukahello.exe

D:\Borland\upx125w>

log of ollydbg
Log data
Address Message
OllyDbg v1.10
Command line: rukahello.exe
Loading function descriptions from 'common.arg'
Info: Simple .ARG file that decodes ZwSystemDebugControl

Console file 'D:\Borland\upx125w\rukahello.exe'
Command line plugin v1.10
Written by Oleh Yuschuk
OllyDump v3.00.110 by Gigapede
Analyze This! plugin v0.1
Copyright (C) 2004 Joe Stewart
Labeler v1.33.108 by Gigapede
New process with ID 0000022C created
004149A0 Main thread with ID 00000940 created
00400000 Module D:\Borland\upx125w\rukahello.exe
Invalid or compressed Image Export Directory
CRC changed, discarding .udd data
77D40000 Module C:\WINDOWS\system32\USER32.DLL
77F10000 Module C:\WINDOWS\system32\GDI32.dll
7C800000 Module C:\WINDOWS\system32\kernel32.dll
7C900000 Module C:\WINDOWS\system32\ntdll.dll
004149A0 Program entry point
00414AEF Breakpoint at rukahell.00414AEF <-----------------------------
OllyDump -- Start "JMP [Thunk]"(0x25FF) and "CALL [Thunk]"(0x15FF) search
0040136F call[Thunk] found on 0040136F Thunk:0040A1EC
0040137F call[Thunk] found on 0040137F Thunk:0040A1E8
00401393 call[Thunk] found on 00401393 Thunk:0040A1F0
004013F7 call[Thunk] found on 004013F7 Thunk:0040A1E8
0040140F call[Thunk] found on 0040140F Thunk:0040A1EC
0040142B call[Thunk] found on 0040142B Thunk:0040A1F0
00401451 call[Thunk] found on 00401451 Thunk:0040A1F4
00404F50 jmp [Thunk] found on 00404F50 Thunk:0040B760
00404F56 jmp [Thunk] found on 00404F56 Thunk:0040B764
00404F5C jmp [Thunk] found on 00404F5C Thunk:0040B768
00404F62 jmp [Thunk] found on 00404F62 Thunk:0040B76C
00406E7B call[Thunk] found on 00406E7B Thunk:0040BA3C
00406E94 call[Thunk] found on 00406E94 Thunk:0040BA40
00406E9A call[Thunk] found on 00406E9A Thunk:0040BA44
00406FAB call[Thunk] found on 00406FAB Thunk:0040BA48
00406FF4 call[Thunk] found on 00406FF4 Thunk:0040BA4C
004071F9 call[Thunk] found on 004071F9 Thunk:0040BAF8
00407419 call[Thunk] found on 00407419 Thunk:0040BAFC
004098B8 jmp [Thunk] found on 004098B8 Thunk:0040F0E0
004098BE jmp [Thunk] found on 004098BE Thunk:0040F0E4
004098C4 jmp [Thunk] found on 004098C4 Thunk:0040F0E8
004098CA jmp [Thunk] found on 004098CA Thunk:0040F0EC
004098D0 jmp [Thunk] found on 004098D0 Thunk:0040F0F0
004098D6 jmp [Thunk] found on 004098D6 Thunk:0040F0F4
004098DC jmp [Thunk] found on 004098DC Thunk:0040F0F8
004098E2 jmp [Thunk] found on 004098E2 Thunk:0040F0FC
004098E8 jmp [Thunk] found on 004098E8 Thunk:0040F100
004098EE jmp [Thunk] found on 004098EE Thunk:0040F104
004098F4 jmp [Thunk] found on 004098F4 Thunk:0040F108
004098FA jmp [Thunk] found on 004098FA Thunk:0040F10C
00409900 jmp [Thunk] found on 00409900 Thunk:0040F110
00409906 jmp [Thunk] found on 00409906 Thunk:0040F114
0040990C jmp [Thunk] found on 0040990C Thunk:0040F118
00409912 jmp [Thunk] found on 00409912 Thunk:0040F11C
00409918 jmp [Thunk] found on 00409918 Thunk:0040F120
0040991E jmp [Thunk] found on 0040991E Thunk:0040F124
00409924 jmp [Thunk] found on 00409924 Thunk:0040F128
0040992A jmp [Thunk] found on 0040992A Thunk:0040F12C
00409930 jmp [Thunk] found on 00409930 Thunk:0040F130
00409936 jmp [Thunk] found on 00409936 Thunk:0040F134
0040993C jmp [Thunk] found on 0040993C Thunk:0040F138
00409942 jmp [Thunk] found on 00409942 Thunk:0040F13C
00409948 jmp [Thunk] found on 00409948 Thunk:0040F140
0040994E jmp [Thunk] found on 0040994E Thunk:0040F144
00409954 jmp [Thunk] found on 00409954 Thunk:0040F148
0040995A jmp [Thunk] found on 0040995A Thunk:0040F14C
00409960 jmp [Thunk] found on 00409960 Thunk:0040F150
00409966 jmp [Thunk] found on 00409966 Thunk:0040F154
0040996C jmp [Thunk] found on 0040996C Thunk:0040F158
00409972 jmp [Thunk] found on 00409972 Thunk:0040F15C
00409978 jmp [Thunk] found on 00409978 Thunk:0040F160
0040997E jmp [Thunk] found on 0040997E Thunk:0040F164
00409984 jmp [Thunk] found on 00409984 Thunk:0040F168
0040998A jmp [Thunk] found on 0040998A Thunk:0040F16C
00409990 jmp [Thunk] found on 00409990 Thunk:0040F170
00409996 jmp [Thunk] found on 00409996 Thunk:0040F174
0040999C jmp [Thunk] found on 0040999C Thunk:0040F178
004099A2 jmp [Thunk] found on 004099A2 Thunk:0040F17C
004099A8 jmp [Thunk] found on 004099A8 Thunk:0040F194
004099AE jmp [Thunk] found on 004099AE Thunk:0040F198
004099B4 jmp [Thunk] found on 004099B4 Thunk:0040F19C
OllyDump -- Check Leaked Thunks in Thunk Blocks
OllyDump -- Resolve Forwarder
ntdll.RtlGetLastWin32Error must be forwarded API from kernel32.dll
7C802654 Export Address Table RVA:00002654
7C80903D Forwarded API ntdll.RtlGetLastWin32Error found on the ForwarderRVA:0000903D pos:360
7C80667D *pDW:0000667D Forwarder:GetLastError Forwarded:ntdll.RtlGetLastWin32Error
ntdll.RtlAllocateHeap must be forwarded API from kernel32.dll
7C802654 Export Address Table RVA:00002654
7C809058 Forwarded API ntdll.RtlAllocateHeap found on the ForwarderRVA:00009058 pos:514
7C8071FA *pDW:000071FA Forwarder:HeapAlloc Forwarded:ntdll.RtlAllocateHeap
ntdll.RtlFreeHeap must be forwarded API from kernel32.dll
7C802654 Export Address Table RVA:00002654
7C80906E Forwarded API ntdll.RtlFreeHeap found on the ForwarderRVA:0000906E pos:520
7C807242 *pDW:00007242 Forwarder:HeapFree Forwarded:ntdll.RtlFreeHeap
ntdll.RtlUnwind must be forwarded API from kernel32.dll
7C802654 Export Address Table RVA:00002654
7C809208 Forwarded API ntdll.RtlUnwind found on the ForwarderRVA:00009208 pos:708
7C807E85 *pDW:00007E85 Forwarder:RtlUnwind Forwarded:ntdll.RtlUnwind
OllyDump -- Import Table
0040F0E0 DLL:kernel32.dll FirstThunkRVA:F0E0
DLL Name Address Ordinal API Name
0040F0E0 kernel32.dll 7C809B77 0032 CloseHandle
0040F0E4 kernel32.dll 7C801A24 0050 CreateFileA
0040F0E8 kernel32.dll 7C81CAA2 00B7 ExitProcess
0040F0EC kernel32.dll 7C809943 00F7 GetACP
0040F0F0 kernel32.dll 7C812BE6 00FE GetCPInfo
0040F0F4 kernel32.dll 7C812C8D 010A GetCommandLineA
0040F0F8 kernel32.dll 7C809737 013F GetCurrentThreadId
0040F0FC kernel32.dll 7C81CC23 014E GetEnvironmentStrings
0040F100 kernel32.dll 7C811069 015F GetFileType
0040F104 kernel32.dll 7C910331 0169 GetLastError
0040F108 kernel32.dll 7C80C9C1 016B GetLocalTime
0040F10C kernel32.dll 7C80B357 0174 GetModuleFileNameA
0040F110 kernel32.dll 7C80B529 0176 GetModuleHandleA
0040F114 kernel32.dll 7C81E82A 018B GetOEMCP
0040F118 kernel32.dll 7C80AC28 0198 GetProcAddress
0040F11C kernel32.dll 7C80AA49 019B GetProcessHeap
0040F120 kernel32.dll 7C801EEE 01AD GetStartupInfoA
0040F124 kernel32.dll 7C812CA9 01AF GetStdHandle
0040F128 kernel32.dll 7C80A480 01B3 GetStringTypeW
0040F12C kernel32.dll 7C8114AB 01DB GetVersion
0040F130 kernel32.dll 7C812851 01DC GetVersionExA
0040F134 kernel32.dll 7C81F1B7 01F7 GlobalMemoryStatus
0040F138 kernel32.dll 7C9105D4 0203 HeapAlloc
0040F13C kernel32.dll 7C91043D 0209 HeapFree
0040F140 kernel32.dll 7C801D77 0242 LoadLibraryA
0040F144 kernel32.dll 7C809CAD 0265 MultiByteToWideChar
0040F148 kernel32.dll 7C81EAE1 0297 RaiseException
0040F14C kernel32.dll 7C937A40 02C5 RtlUnwind
0040F150 kernel32.dll 7C81B25B 02DC SetConsoleCtrlHandler
0040F154 kernel32.dll 7C810DA6 0307 SetFilePointer
0040F158 kernel32.dll 7C80C6CF 0255 LockResource
0040F15C kernel32.dll 7C812B0F 034C TlsAlloc
0040F160 kernel32.dll 7C813453 034D TlsFree
0040F164 kernel32.dll 7C809750 034E TlsGetValue
0040F168 kernel32.dll 7C809BF5 034F TlsSetValue
0040F16C kernel32.dll 7C862B8A 0358 UnhandledExceptionFilter
0040F170 kernel32.dll 7C809A81 036B VirtualAlloc
0040F174 kernel32.dll 7C809B14 036E VirtualFree
0040F178 kernel32.dll 7C80A0C7 037F WideCharToMultiByte
0040F17C kernel32.dll 7C810F9F 038C WriteFile
0040F194 DLL:USER32.DLL FirstThunkRVA:F194
DLL Name Address Ordinal API Name
0040F194 USER32.DLL 77D4FACD 00DC EnumThreadWindows
0040F198 USER32.DLL 77D8050B 01DD MessageBoxA
0040F19C USER32.DLL 77D4A2DE 02D9 wsprintfA
OllyDump -- Calculating New File Size...
New Import Section Size:600 New File Size:16600
OllyDump -- Making New Import Table...
OllyDump -- Dump and Rebuild Finish!!


D:\Borland\upx125w>dir *hell*
Volume in drive D has no label.
Volume Serial Number is F019-DC3B

Directory of D:\Borland\upx125w

11/03/2006 11:50 PM 87 hello.c
11/03/2006 11:51 PM 479 hello.obj
11/03/2006 11:51 PM 393,216 hello.tds
11/03/2006 11:51 PM 52,224 hello.exe
11/03/2006 11:51 PM 25,088 rukahello.exe
11/04/2006 12:07 AM 91,648 rukahellodump.exe<-----------------------------
6 File(s) 562,742 bytes
0 Dir(s) 2,831,327,232 bytes free

D:\Borland\upx125w>rukahellodump.exe
hello rukawaruki<-------------------------------------------

D:\Borland\upx125w>


its as simple as that

btw admins move this to unpacking section if it is appropriate there

JMI
November 3rd, 2006, 14:22
Even though it's "Unpacking," it's unpacking using OllyDbg and we are attempting to keep most things "Olly" here. So carry on.

Regards,