Exetools  

#1  psgama  10-01-2015, 09:02
Noob Question on Debugging DLL

Kind of a noob question, as I haven't run into this before.

I have a .NET application that loads some licensing commands through a regular VB6 DLL that was not written in .NET. How can I break on calls to this DLL to see what manipulation is being performed on the data being passed through to it with OllyDbg?
#2  tonyweb  10-01-2015, 13:10
Maybe I'm missing something, but usually you just have to load the .NET application in Olly and "wait" for the DLL to be loaded.

Once it's loaded (you could use "load library" event notification), just put breakpoints in VB6 DLL code section.

Regards,
Tony
__________________
Want to learn unpacking ... but I'm too stupid
#3  psgama  10-01-2015, 22:27
OK, thank you. Maybe I'm just doing something wrong. My application seems to keep crashing when I load it in OllyDbg 2.0; it is a .NET application, and it seems to hang just before loading the framework application. I'll remove all my plugins and try starting fresh. Maybe one of them is causing my issue.
#4  Syoma  10-01-2015, 23:59
Use IDA Pro, load the .dll, then put your program as the start program in Process options.
Start and enjoy.
#5  TechLord  10-02-2015, 00:11

Quote: Originally Posted by psgama
...
... How can I break on calls to this DLL to see what manipulation is being performed on the data being passed through to it with ollydbg?
1. "Search for all intermodular calls" in Olly would help (under Search For, after right-clicking in the Olly main window). There, look for all calls into the DLL that you want, and put BPs as necessary.

OR

2. Go to Debug Events in Olly Debugging Options and configure it to "Break on new module" .
It will break whenever a dll is loaded, in this case....

3. For .NET it is better to use Reflector, though you stated that the DLL is in VB6.
Have you tried using VB Decompiler to decompile the VB6 DLL?

These are all good starting points.
#6  b30wulf  10-02-2015, 00:44
https://github.com/0xd4d/dnSpy/releases
Give it a try, it will surprise you...
#7  TechLord  10-02-2015, 04:40
Thank you Beowulf for the suggestion..

I have intentionally not suggested dnSpy as it sometimes crashes when VB6 executables are involved.
On the other hand, Reflector is rather "mature" in the sense that it has been around for quite a while...

The approach I would suggest here would be to DECOMPILE the VB6 DLL with the VB Decompiler (available on this forum), identify the important areas of interest in the decompiled code, and then note down the RVAs of those portions, so that you can again identify them in the debugger, at runtime.

Place BP on those VAs and then check them out.

Another approach would be to change the "characteristics" of the DLL to that of an EXE file and then load and debug it in Olly.

Do remember that VB6 uses a "runtime" and hence DIRECTLY debugging it is rather messy, as you would be getting a lot of "VM-like" code of the runtime...

So, it's BEST to DECOMPILE it first using the VB Decompiler before embarking on your quest ...

Good Luck
#8  Naides  10-02-2015, 21:58
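TechLord's alternative above, changing the DLL's "characteristics" so Olly loads it like an EXE, comes down to one bit: IMAGE_FILE_DLL in the Characteristics field of the COFF header. As an added example that is not from the thread, this Python locates that field through e_lfanew on a constructed minimal image and toggles the bit; reading and writing a real file is left to the caller.

```python
import struct

IMAGE_FILE_DLL = 0x2000        # COFF Characteristics bit: "image is a DLL"
PE_SIGNATURE = b"PE\0\0"
CHARACTERISTICS_OFFSET = 18    # offset of Characteristics inside the 20-byte COFF header


def build_minimal_pe(characteristics: int) -> bytes:
    """Constructed sample: MZ stub, PE signature and a bare COFF header.
    Not loadable (no optional header, no sections); it only exercises the parser."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, characteristics)
    return dos_header + PE_SIGNATURE + coff


def coff_header_offset(image: bytes) -> int:
    """Locate the COFF header via e_lfanew, validating both signatures."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    return e_lfanew + 4


def characteristics(image: bytes) -> int:
    off = coff_header_offset(image) + CHARACTERISTICS_OFFSET
    return struct.unpack_from("<H", image, off)[0]


def is_dll(image: bytes) -> bool:
    return bool(characteristics(image) & IMAGE_FILE_DLL)


def set_dll_flag(image: bytes, dll: bool) -> bytes:
    """Return a copy of the image with IMAGE_FILE_DLL set or cleared."""
    off = coff_header_offset(image) + CHARACTERISTICS_OFFSET
    flags = characteristics(image)
    flags = flags | IMAGE_FILE_DLL if dll else flags & ~IMAGE_FILE_DLL
    patched = bytearray(image)
    struct.pack_into("<H", patched, off, flags)
    return bytes(patched)
```

AddressOfEntryPoint still points at DllMain, which expects its three arguments, so a flipped DLL is something to break on and inspect, not something that will run sensibly as a program.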
Quote: . . . in ollydbg 2.0, it is a dot net application . . .

For starters use Olly 1.10. Olly 2.0 is OK, but is (and likely will be forever) alpha.

I have used Olly 1.1 in similar situations, and it seems to go without problem.
#9  psgama  10-03-2015, 10:56
Thank you for all the responses! Olly 1.1 is what I commonly use, but I was under the impression it didn't support debugging of .NET applications. I apparently was wrong. Breaking on loading of DLLs got me into the code section I needed to be in! And the program doesn't hang like it was in Olly 2.0. And thank you for all the advice and recommendations. Making progress now.
#10  psgama  10-03-2015, 13:07
Once again, thank you all for your help. I can't believe it was as easy as just loading in OllyDbg and breaking on DLL load. Doh! Anyway, I was able to get the information I needed from the DLL to enable the features I was looking for! Thank you all for your advice.
#11  0xd4d  10-06-2015, 01:10

Quote: Originally Posted by TechLord
I have intentionally not suggested dnSpy as it sometimes crashes when VB6 executables are involved.
Do you have a file that causes the crash? dnSpy opens .NET files, and VB6 isn't a .NET language.
#12  TechLord  10-06-2015, 05:38

Quote: Originally Posted by 0xd4d
Do you have a file that causes the crash? dnSpy opens .NET files, and VB6 isn't a .NET language.
Sorry man, the VB6 was a typo. Obviously I know it is not .NET and hence had suggested a decompiler instead.

dnSpy is very good except that when "mixed" projects, involving managed and unmanaged code are involved, it sometimes crashes or hangs.

Will try to send specific code segments later. Even in those cases, the crashes are caused due to the obfuscators used or the anti-debug "tricks" rather than a "problem" with dnSpy itself.

GREAT JOB man, with the dnSpy prog!
#13  Jasi2169  10-08-2015, 04:25
dnSpy can't debug all .NET programs, for example some obfuscated with ezobfuscator; when you try to start debugging, it immediately pops up saying the program crashed while debugging.

So as TechLord said, it is for sure anti-debug techniques by obfuscators, not a dnSpy problem.

@psgama
If it is .NET then I always use .NET Reflector and de4dot to unpack it first; often I don't use Olly on .NET apps, in my opinion.
Once I get the code, then Reflexil to save the patched .NET .exe or .dll, whatever.
Regards
Jasi2169
#14  Naides  10-09-2015, 00:07
@Jasi2169:

psgama is in the not all that unusual situation in which the main program is .NET, but the .dll, where the action seems to be, is NOT.

Olly will not trace the .NET code, at least not directly, but once the main program calls the interesting .dll functions, you can place a BP and trace typical assembly code in Olly, and you are in business. . .
#15  Jasi2169  10-11-2015, 02:34
Oops Naides, I guess I misunderstood; anyway, I got what you're trying to say.
He can check the call after pausing, or use button "E" in Olly, which shows all.
All times are GMT +8.