process terminated exit code 7f(127)


blowfrank
April 17th, 2012, 15:02
Hi all,
I'm trying to reverse an executable. Once the debugger (Immunity Debugger) is attached and I set the first breakpoint (in my case on ws2_32), after 30 seconds I get each time "process terminated exit code 7f(127)", registers below. Can someone help me bypass it? Is it some anti-debugging technique? I tried to use the !hidedebug script but nothing changes.
Thanks a lot
Luc

EAX 77E668F1 kernel32.ExitProcess
ECX 00000000
EDX 00000000
EBX 0051F2D4
ESP 03CAFD18
EBP 00000000
ESI 00000000
EDI 00000000
EIP 7C8284A0 ntdll.KiUserApcDispatcher
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFA7000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000200 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 0.00000000000000000000
ST1 empty 0.00000000000000000000
ST2 empty 0.00000000000000000000
ST3 empty 0.00000000000000000000
ST4 empty 0.00000000000000000000
ST5 empty 0.00000000000000000000
ST6 empty 0.00000000000000000000
ST7 empty 1.2519775166695107000e-312
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

evlncrn8
April 24th, 2012, 00:03
bpx on ExitProcess and backtrace?

blowfrank
May 4th, 2012, 08:02
I tried to put a bp on ExitProcess, it doesn't break.
Do you have some other advice?
Thanks

blowfrank
May 4th, 2012, 08:45
OOPS!! Sorry, you were right, I was able to break there (ExitProcess). Could you give me some hints on how to proceed in terms of backtrace? Hope it doesn't hurt you.
thanks

_genuine
May 20th, 2012, 04:52
When it breaks on ExitProcess, examine the stack; the address of the last function that executed will be somewhere there. Inspect that function, or BP it and keep tracing back until you reach the point where the process crashes within a given function. Or google for a tool I know called the Error Code Lookup, maybe this may hint at what the exit code means.

blabberer
May 21st, 2012, 03:46
Quote:

or google for a tool I know called the Error Code look up code, maybe this may hint on what the exit code means.


If finding the meaning of the exit code is the only requirement, then you don't have to google.

Just open a command prompt

and type net helpmsg <your exit code>

like below, and you will be presented with the error description:

Code:


C:\>net helpmsg 127

The specified procedure could not be found.

C:\>



Or, if you have any VC (Express too) installed, you can find errlook.exe in the tools directory, a GUI-based error lookup utility.

Or, if you like the command line more,

you can check out the error lookup util here (it contains newer error codes that net helpmsg doesn't show, like the COM error statuses E_UNE*** or S_***):


Miscellaneous Tools


ErrorLookup 2.01
Command-line lookup utility for Microsoft Windows error and status codes.
for Windows 7/Vista/XP/2003/2000 (x86 and x64)

http://www.resplendence.com/downloads

blowfrank
May 23rd, 2012, 07:07
Ehm, interesting. This is what I did:

Put and hit a breakpoint (bp ntdll.KiUserApcDispatcher), registers below:

EAX 77E668F1 kernel32.ExitProcess
ECX 00000000
EDX 00000000
EBX 0051F2D4
ESP 03CAFD18
EBP 00000000
ESI 00000000
EDI 00000000
EIP 7C8284A0 ntdll.KiUserApcDispatcher
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFA8000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
MM0 0.0000000, 0.0000000
MM1 0.0000000, 0.0000000
MM2 0.0000000, 0.0000000
MM3 0.0000000, 0.0000000
MM4 0.0000000, 0.0000000
MM5 0.0000000, 0.0000000
MM6 0.0000000, 0.0000000
MM7 8.267661e-044, 0.0000000



Nothing displayed in the (K) call stack.

The stack situation is:

03CAFD18 7C81A32E .| ntdll.LdrInitializeThunk
03CAFD1C 00000000 ....
03CAFD20 7C800000 ..| ntdll.7C800000

Now, how can I proceed? Should I investigate ntdll.LdrInitializeThunk and ntdll.7C800000 by putting breakpoints there? Would that be the right way?
Thanks a lot for the support.
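
Parsing the dumps posted in this thread to pull out what _genuine suggested looking for, as an added Python example (not from this thread, Immunity Debugger or any tool mentioned here): it decodes the "7f(127)" exit code against a small constructed table (the 127 text is the net helpmsg output quoted above), and lists the named return addresses found on the stack as candidates for the next backtrace breakpoint, skipping unnamed ones such as ntdll.7C800000.

```python
import re

# Constructed lookup table: the 127 entry is the `net helpmsg 127` text quoted in
# the thread; the other entries are well-known Win32 codes added as an assumption.
WIN32_ERRORS = {
    0: "ERROR_SUCCESS: The operation completed successfully.",
    126: "ERROR_MOD_NOT_FOUND: The specified module could not be found.",
    127: "ERROR_PROC_NOT_FOUND: The specified procedure could not be found.",
}
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")
SYMBOL = re.compile(r"\w+\.\w+")  # module.export as OllyDbg/Immunity print it
EXIT_MSG = re.compile(r"exit code\s+([0-9A-Fa-f]+)\((\d+)\)")
GP_REGS = ("EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI", "EIP")

def decode_exit_code(message):
    """'process terminated exit code 7f(127)' -> (127, description)."""
    m = EXIT_MSG.search(message)
    if not m or int(m.group(1), 16) != int(m.group(2)):  # hex and decimal must agree
        raise ValueError("unrecognised termination message: %r" % message)
    code = int(m.group(2))
    return code, WIN32_ERRORS.get(code, "unknown code %d; try: net helpmsg %d" % (code, code))

def parse_registers(dump):
    """Map register name -> (hex value, symbol or None) from a register pane dump."""
    regs = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in GP_REGS and HEX8.fullmatch(parts[1]):
            sym = parts[2] if len(parts) > 2 and SYMBOL.fullmatch(parts[2]) else None
            regs[parts[0]] = (parts[1].upper(), sym)
    return regs

def parse_stack(dump):
    """[(slot, value, symbol)] from lines like '03CAFD18 7C81A32E .| ntdll.LdrInitializeThunk'."""
    frames = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 2 and HEX8.fullmatch(parts[0]) and HEX8.fullmatch(parts[1]):
            sym = parts[-1] if len(parts) > 2 and SYMBOL.fullmatch(parts[-1]) else None
            frames.append((parts[0].upper(), parts[1].upper(), sym))
    return frames

def backtrace_candidates(frames):
    """Named exports on the stack: where to set the next breakpoint when tracing back.
    A symbol whose 'name' is pure hex (ntdll.7C800000, the module base) is unnamed."""
    return [sym for _, _, sym in frames
            if sym and not re.fullmatch(r"[0-9A-Fa-f]+", sym.split(".", 1)[1])]

# Constructed sample input, copied from the register and stack panes posted above.
REGISTERS = "EAX 77E668F1 kernel32.ExitProcess\nECX 00000000\nESP 03CAFD18\n" \
            "EIP 7C8284A0 ntdll.KiUserApcDispatcher"
STACK = "03CAFD18 7C81A32E .| ntdll.LdrInitializeThunk\n03CAFD1C 00000000 ....\n" \
        "03CAFD20 7C800000 ..| ntdll.7C800000"
```

Run against the constructed panes it yields ExitProcess as the pending routine in EAX and ntdll.LdrInitializeThunk as the only named return address, i.e. the thread is still in its initialization path when the exit is triggered.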

Indy
May 24th, 2012, 17:42
Use the boot log: http://msdn.microsoft.com/en-us/library/windows/hardware/ff556886(v=vs.85).aspx

blowfrank
May 25th, 2012, 04:46
OK, let me digest it... I don't like WinDbg... even if it's probably time to use and learn it.

blabberer
May 26th, 2012, 05:29
Quote:

OK, let me digest it... I don't like WinDbg


Well, then you can find that functionality in OllyDbg too: get the NtGlobalFlag plugin for OllyDbg 1.10 and it will log the LDR snaps to the log window.