1 vote

I wanted to have a little fun with a sample of code which I tried to analyze. So, first I gave it to the PEiD program, and that told me that it is packed with UPX. So, then I unpacked it with UPX. To check if it unpacked correctly, I now opened the unpacked version again with PEiD, which now tells me: Nothing found. Then I opened the unpacked version with "Detect it Easy 0.88" and it tells me the following:

[screenshot: Detect it Easy output]

As you can see, it is compiled with Microsoft Visual C/C++ etc. So, I assume that the unpacking process was ok. I also opened it with IDA PRO. Everything seems to be clear (I mean there is a big list of imported functions, IDA PRO starts the unpacked version with a WinMain(x,x,x,x) etc.). But when I open it with Ollydbg, the following happens:

a) It starts with the MOV instructions that you can see in the picture (see below).

b) You cannot see it in the picture, but Ollydbg asks me to pass an access violation exception to the program, so I press Shift+F9. But when I do that and then press F7 to step further, the process suddenly terminates itself.

[screenshot: Ollydbg]

My Question: What can I do in such a case?

PS: I checked all exception fields in the Debug options menu, but without any success.

best regards,

1
It's weird. Image base is 0x400000 but entry point is 0x108a05 (way below entry point) and the address you show here is completely irrelevant: 0x7702049E. That seems like an invalid entry point. - Sedat Kapanoglu
It's an access violation, of course the program will crash/terminate. Does your Windows installation have DEP enabled? If so, disable it. DEP can interfere with this as DEP is designed specifically to prevent the 'sniffing' of a program's memory. - AStopher
Debug the error: if it is 0xc0000005 then the problem is certainly DEP. - AStopher
Hey, now I have disabled DEP, but the error is still there. It appears every time I pass the exception to the program. - user3097712
Simple question: does the unpacked program run normally without any debugging? - Ollegn

1 Answer

0 votes

There are some things to consider. IDA analyses the static code on your disk, and Olly runs your program and debugs it. Assuming that the unpacked PE runs fine when not being debugged, the program may have some security against hooks; try executing your program naturally and then attaching to the process. If you still do not succeed, try some anti-anti-debugging add-ons like advancedOlly or HideOd for Olly.
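Added example, not code from the question, the comments or the answer above: before blaming the debugger or DEP, it is worth checking where the unpacked file's entry point actually lands. The optional header stores AddressOfEntryPoint as an RVA, and the debugger breaks at ImageBase + RVA (so 0x400000 + 0x108a05 is 0x508a05); an entry RVA that falls outside every section, or inside a non-executable one, is a strong sign that the unpack is not clean. The script below parses the DOS/NT headers and section table by hand (no pefile dependency), maps the entry RVA to a section, and reports the resulting virtual address. The PE image it runs on is constructed inline for the demo; `build_sample_image`, `parse_pe` and `locate_entry` are names chosen here, not tools from the thread.

```python
"""Sanity-check a PE entry point after unpacking (added example, not from the post)."""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE file to reason about its entry point."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        off = table + i * 40                       # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, _rawsize, _rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr,
            "vsize": vsize,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def locate_entry(pe: dict) -> dict:
    """Map the entry RVA to a section; None or a non-executable hit is suspicious."""
    rva = pe["entry_rva"]
    va = pe["image_base"] + rva                    # what the debugger shows as EIP
    for s in pe["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + s["vsize"]:
            return {"va": va, "section": s["name"], "executable": s["executable"]}
    return {"va": va, "section": None, "executable": False}


def build_sample_image(entry_rva: int, image_base: int = 0x400000) -> bytes:
    """Constructed PE32 header-only image for the demo (no real code inside)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: NT headers follow the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint (an RVA)
    struct.pack_into("<I", opt, 28, image_base)    # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment

    def section(name, vaddr, vsize, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, 0x400, 0x400, 0, 0, 0, 0, chars)

    secs = (section(b".text", 0x1000, 0x1000, 0x60000020)    # code, readable, executable
            + section(b".data", 0x2000, 0x1000, 0xC0000040))  # data, readable, writable
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    for rva in (0x1234, 0x108A05, 0x2010):
        hit = locate_entry(parse_pe(build_sample_image(rva)))
        print(f"entry RVA {rva:#x} -> VA {hit['va']:#x}, section {hit['section']}, "
              f"executable={hit['executable']}")
```

To check the real unpacked file, replace the constructed image with `parse_pe(open(path, "rb").read())`; an entry that resolves to no section or to a data section should be fixed in the unpacked PE before any debugger is opened.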