Breaking DLL with OLLY

Hello all,

I used to use SoftIce on another box which had Win98 but I refuse to put DriverStudio on my XP box so I am happy with Olly and the rest of the gang of tools. HOWEVER, I have a certain application which loads dll's of course on initial loading BUT there are DIFFERENT dlls that load after program execution which I wish to break into to in particular 1 that is packed with Neolite 2 but then there is a custom packing routine after that which I want to investigate. I would have changed to CC on program start and intercept with Softice and I ALREADY tried the option in OLLY to break on new module load which did not work. The main executable is hanging when I shift F9 and then olly hangs saying that it's receiving no response. I also replaced dll entry bytes to EB FE and couldn't attach to it either. Any other suggestions would be greatly appreciated. Also, I have already successfully unpacked and examined the Neolite part no problem with LoadDLL in Olly which is how I found out about the custom packed part. But after rebuilding the imports I still couldn't get a dead listing but the Resources and Text strings were all available.

Thanks ahead of time!
Wackyass

[deXep]

Maybe u need loaddll.exe, download it from ollydbg homepage

I edited my post but the edit hasn't shown up and at the bottom it says:

Last edited by Wackyass : 09-29-2004 at 22:43. Reason: Forget to mention I tried LoadDLL

I already used that which is how I unpacked neolite in no time but the rest of the custom packing can not be unpacked further unless it is getting certain data from the host process. Which means that I need to halt operation and step through while running which was easy with Softice on bpint 3 but I don't know how to go about it other than what I have already tried.

Wackyass

Ok I would suggest you uninstall and install the program again to start over fresh. You can use the option in olly: options-> debugging options -> events -> and set Break on new module (DLL). Once you break on the dll, alt+e and double click on it. Right click on the entry point and select new origin here. Then start your unpacking or whatever.

Ok, after doing some more investigating and older techniques I was able to break on int 03 by replacing the dll entry point to CC and unchecking the exception for int 03 in Olly. HOWEVER, I am unable to attach to the process since it is hung in memory and Olly shows this Yes/No dialog box:

-->
In order to perform action that is not supported by OS, OllyDbg has injected short piece of code into the debugged application, but received no response within 5 seconds. Do you want to wait for another 5 seconds? (If you answer No, the consistency and stability of program is not guaranteed and you should restart it as soon as possible).
-->


Any help from this point would be greatly appreciated.

Wackyass

[goggles99]

Sorry to bump an old thread, but I thought this may help someone else too.

I actually found this thread on Google while searching for this OllyDbg error. There isn't much out there on it but it is very annoying and makes setting breakpoints impossible (since OllyDbg keeps looping witht his error message).

Quote:

In order to perform action that is not supported by OS, OllyDbg has injected short piece of code into the debugged application, but received no response within 5 seconds. Do you want to wait for another 5 seconds? (If you answer No, the consistency and stability of program is not guaranteed and you should restart it as soon as possible).

I found out that I got this error only when the "Decode registers for any IP" option was checked under Options -> Debugging Options -> Registers tab.

I havn't debugged OllyDbg yet to find out exactly what is causing this error.

Beware, I didn't check this option manually. I have found that a couple of settings seem to sometimes "activate" somehow once in a while.

Hope this is helpfull to someone else looking for help or at least something to keep in mind in case you ever encounter this problem...

[omidgl]

Use this option ---> Debugging Options > Events > Break on new module (DLL)

Regards
O M I D

[NeOXOeN]

First of all i dont understand what its your real problem ?, topic says something but after reading text i understood you want something else:P

First of all i would like to ask you ..did you unpacked exe packed NeOLite.?

Secondly you are loaded dll which is part of app ..in main exe ,so in order you will be able to break in dll you need to find a place when app loads its own DLL.How does app do that ,there are really a lot of ways that you can load dll ,use google if you are not sure how

Thirdly its not necessary that you can load dll independently into olly ,since main app is using it.Above all dll its just packed nothing else.Sice would probably manage it better in olly you need to be sure in which contexts are you breaking it.Sice does job for you .

4th after breaking you need to change bytes back and set ignore error in debug option and ( right context ),and one more thing OLLy is not the tool for you :P you need to learn it how to use it, its has its good and bad point .
I preffer SIce :P


And about dead listing you should changes characheristis of sections(any peditor will do) and use IDa. I am sure you will be able to find it.


Above all there alredy unpackers out which would do job for you ,since apprently you dont know what you are doing :P
Use that it will help you in better understanding


But i would like to suggest to you that you read some tuts about unpacking there are a lot good ones avalible on this forum and i am sure there is one about NeOlite unpacking too



Bye NeO

[nikola]

@omidgl: "and I ALREADY tried the option in OLLY to break on new module load which did not work"

@Wackyass: I'm still not clear what you are trying to do. You are saying that your dll is multilevel packed and you unpacked neolite part? Becouse... if so, i think that you done a very hard work. When you load dll, try finding OEP. When you get to OEP, dump it and retrieve IAT. Thats when surely both Neolite and custom layer are unpacked becouse dll got to DllMain().