PE header problem
cse_india
March 23rd, 2007, 10:03
There's an application which, when I open it in Olly, gives me an error message:
"bad or unknown format of win 32 executable"
As a result the app stops at the system breakpoint; no breakpoints, hardware or software, are saved by Olly. It's irritating.
I saw the memory map of the app. There's a header problem: it shows 2 PE headers, no sections are shown, and all strange memory map.
I tried to rebuild the PE using LordPE; it failed.
I have the OllyAdvanced plugin in there.
How can I make the PE a valid PE file, saving my breakpoints???
fr33ke
March 23rd, 2007, 11:12
Try checking "Ignore faulty image (WinUpack)" under Bugfixes in OllyAdvanced.
LLXX
March 24th, 2007, 16:24
Examine the PE header fields in a hex editor.
Ricardo Narvaja
March 25th, 2007, 04:52
Try Advanced, this works, but the header problem is here:
00400174    10000000    DD 00000010          ;  NumberOfRvaAndSizes = 10 (16.)
00400178    00400000    DD 00004000          ;  Export Table address = 4000
0040017C    46000000    DD 00000046          ;  Export Table size = 46 (70.)
00400180    E0A40000    DD 0000A4E0          ;  Import Table address = A4E0
00400184    3C010000    DD 0000013C          ;  Import Table size = 13C (316.)
00400188    00A00000    DD 0000A000          ;  Resource Table address = A000
0040018C    E0040000    DD 000004E0          ;  Resource Table size = 4E0 (1248.)
00400190    00000000    DD 00000000          ;  Exception Table address = 0
Go to the header and change it with right click SPECIAL - PE HEADER and look at
NumberOfRvaAndSizes = 10
If there is another value than 10 you have this problem.
Use a normal crackme and change this number from 10 to a bigger one and you will see.
Normally the protection with this byte is not only changed; maybe the byte can be tested or used to decrypt parts, and for this reason in certain programs putting the 10 makes the program not run. You need to put a BPM ON ACCESS on the byte and look when it is read, and when it is used, checked, etc.
Ricardo Narvaja
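As an added example (not code from the thread), a small Python check that walks MZ -> e_lfanew -> PE -> optional header and reads NumberOfRvaAndSizes the way Ricardo describes, so a non-0x10 value can be spotted without a debugger. The PE input is a constructed header, not the real app; it assumes e_lfanew = 0x100 so the field lands at offset 0x174 as in the dump above, and reuses the Export/Import/Resource directory values shown there.

```python
import struct

IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16  # 0x10: the value a well-formed PE carries

def check_number_of_rva_and_sizes(data: bytes) -> dict:
    """Read NumberOfRvaAndSizes from a PE32/PE32+ optional header.
    Returns the value, its file offset, whether it is the normal 0x10, and the
    data directories that actually fit inside SizeOfOptionalHeader."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    size_opt = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]  # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = e_lfanew + 24                                              # start of IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: count at +92, directories at +96
        nrva_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+: count at +108, directories at +112
        nrva_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    # Never trust the count: only read directories that lie inside the optional header
    fit = max(0, (opt + size_opt - dir_off) // 8)
    dirs = [struct.unpack_from("<II", data, dir_off + 8 * i)
            for i in range(min(nrva, fit, IMAGE_NUMBEROF_DIRECTORY_ENTRIES))]
    return {"NumberOfRvaAndSizes": nrva, "offset": nrva_off,
            "normal": nrva == IMAGE_NUMBEROF_DIRECTORY_ENTRIES, "directories": dirs}

def build_sample_pe32_header(number_of_rva_and_sizes: int) -> bytes:
    """Constructed sample, not a real file: DOS header with e_lfanew = 0x100 (so the
    field sits at 0x174 like the thread's dump) and a PE32 optional header carrying
    the thread's Export/Import/Resource directory values and a chosen count."""
    e_lfanew = 0x100
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew) + bytes(e_lfanew - 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, SizeOfOptionalHeader=0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<I", opt, 92, number_of_rva_and_sizes)
    for i, (rva, size) in enumerate([(0x4000, 0x46), (0xA4E0, 0x13C), (0xA000, 0x4E0)]):
        struct.pack_into("<II", opt, 96 + 8 * i, rva, size)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    for n in (0x10, 3, 0x1000):
        r = check_number_of_rva_and_sizes(build_sample_pe32_header(n))
        print("NumberOfRvaAndSizes=%#x at %#x normal=%s dirs=%d"
              % (r["NumberOfRvaAndSizes"], r["offset"], r["normal"], len(r["directories"])))
```

To run it against a real file, pass `open(path, "rb").read()` to `check_number_of_rva_and_sizes`; a result with `normal` False is the situation the thread describes.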
cse_india
March 25th, 2007, 11:39
the link for the app : 21 post COUNT is enough for you to know that you should not post DIRECT LINKS TO COMMERCIAL APPS in this board.  Reasons have been discussed several times in public and in private messages
Yes indeed, the NumberOfRvaAndSizes is different from 10.
Also I saw something strange when I opened the PE header.
Well, I don't think it'll be very new or important, just wanted to share what I saw.
I opened the memory map and double clicked on the PE Header.
I saw the usual DOS stub, and moved down expecting the other usual things: PE signature, number of sections, address of entry point and all that PE stuff.
I found nothing. I didn't see any other entries. I decided to copy the PE header from Olly and paste it somewhere. While I kept my mouse clicked with the intention of copying the PE header, as I went down the usual stuff came. Now I could see the NumberOfRvaAndSizes and all the usual stuff. I again went to 00400000, and again clicked my way to where I saw the NumberOfRvaAndSizes. Again everything went off: just addresses, nothing more.
cse_india
March 25th, 2007, 13:11
Sorry for my stupidity of giving the direct link to the app!