Need help with dumping an exe with OllyDump

[szczurcio]

Hey,

I was playing with a simple UPX .exe. I found the OEP and I want to dump it using OllyDump, but its auto-detection fails and gives me errors:

 

 

I suppose I'm just trying to dump the wrong address, but I don't really understand the options:

 

Most tuts will just happily tell you to click OK without explaining anything, so that doesn't help me. I know the OEP address, but what should I put in the start address box? The first address Olly shows to me? What about the size and the Bases (code/data)? I'd be grateful if someone could explain it in detail.

Edited February 19, 2015 by szczurcio

[evlncrn8]

the base address is the start address.. typically 0x400000 for a windows exe..

base of code is the base address (plus start address) of where 'code' starts...

data is just a variation on the above

[szczurcio]

Thing is, the base address is different from the default (0x400000) for this .exe, I don't know why MSVC decided to compile it like this. Anyway, here is the file in question:

 

https://www.sendspace.com/file/gwjez7

 

(my own simple test code, just printfs to console, virus scan if someone's anxious: https://www.virustotal.com/en/file/bc491ea2120dd4720daa51b4a98967e20d42f3930c8d02fdcc169b3a8e2089a8/analysis/1424373899/ )

Edited February 19, 2015 by szczurcio

[kao]

That imagebase change caused by ASLR in Windows Vista+. To keep things simple, you can either disable ASLR for reversing targets or switch to Windows XP for reversing. Also OllyDump import rebuilding might not work correctly in Win7+ - Scylla is much better option.

 

To answer your question - in start box you should enter imagebase of main module. You can find it in Modules, Log or Memory window in Olly.

[szczurcio]

Yep, that fixed it, thanks