
Thread: Debugged program unable to process exception

  1. #1

    Debugged program unable to process exception

    Target info: PEiD says Armadillo 1.xx - 2.xx
    My approach:
    I found out that it was also using OutputDebugStringA to crash Olly, so:
    bp OutputDebugStringA
    patched push 234 to ret 4
    removed BP
    then bp GetModuleHandleA
    to find the good jump for API redirection
    found after registration nag.
    patched je to jmp always
    Removed the breakpoint and set a new BP on CreateThread to check for the call edi (signature jump to OEP for Arma).
    Then Shift+F9 twice and up comes the warning "privileged instruction".
    When Shift+F9 again, comes the error "Debugged program unable to process exception".
    And then the process terminates.
    I know I am so close to OEP and yet ......

    Sorry, I can't upload much of the code since it's a real application. (This code is all in red.)
    Code:
    018C1D30   90               NOP
    018C1D31   F7D3             NOT EBX
    018C1D33   EF               OUT DX,EAX                               ; I/O command this one here is the culprit.
    018C1D34   4A               DEC EDX
    018C1D35   DA29             FISUBR DWORD PTR DS:[ECX]
    018C1D37   1C 74            SBB AL,74
    018C1D39   A7               CMPS DWORD PTR DS:[ESI],DWORD PTR ES:[ED>
    018C1D3A   9D               POPFD
    018C1D3B   53               PUSH EBX
    018C1D3C   83FA 21          CMP EDX,21
    018C1D3F   8BB6 92122531    MOV ESI,DWORD PTR DS:[ESI+31251292]
    018C1D45   1C 5E            SBB AL,5E
    018C1D47   DB79 37          FSTP TBYTE PTR DS:[ECX+37]
    018C1D4A   A8 93            TEST AL,93
    018C1D4C   15 957F4FD9      ADC EAX,D94F7F95
    018C1D51   20CA             AND DL,CL
    018C1D53   3D 4E9F258E      CMP EAX,8E259F4E
    018C1D58   34 1D            XOR AL,1D
    If I remove the breakpoint on GetModuleHandleA and don't patch the jump to API redirection, then I get the bp on CreateThread to work; however, I can't find the call edi.
    Also, when I tried Shift+F9 again, it breaks at CreateThread and I see the GetTickCount API. More protection?
    I must admit I can't find out what's causing this. After pressing Shift+F9 once (that's after I patched the old jump) I stepped into the code, but no good; there is definitely something I am not aware of, some trick Armadillo is playing that I don't know of.
    Any help appreciated.
    Regards,
    _InSaNe_

    P.S.: Sure, if it's not clear, I will upload more code after making the necessary changes.
    Last edited by _InSaNe_; July 27th, 2007 at 21:04. Reason: Found something new.

  2. #2
    The 'dillo can detect breakpoints, you know... in this case it seems to have done so and led you down the wrong path (i.e. I/O instructions are not encountered in the normal flow of execution.)

  3. #3
    Quote Originally Posted by LLXX:
    The 'dillo can detect breakpoints, you know... in this case it seems to have done so and led you down the wrong path (i.e. I/O instructions are not encountered in the normal flow of execution.)
    I put bp's on returns, so I think that helps, isn't it? I read it somewhere.
    Problem is that if I don't patch the API redirection jump then I do get the program to run and break at CreateThread, whereas if I don't patch that jump, I get to the above code. And as I also added, if I do not patch and break at CreateThread then I can't get the call edi to OEP.
    I think I should add a bit of code:
    Code:
    7C859D6B   696E 4D 75746578 IMUL EBP,DWORD PTR DS:[ESI+4D],78657475
    7C859D72   0090 90909090    ADD BYTE PTR DS:[EAX+90909090],DL
    7C859D78 > 68 34020000      PUSH 234                       ; break at outputdebugstringa patched to ret 4
    7C859D7D   68 A0A0857C      PUSH kernel32.7C85A0A0
    7C859D82   E8 3F87FAFF      CALL kernel32.7C8024C6
    7C859D87   A1 CC46887C      MOV EAX,DWORD PTR DS:[7C8846CC]
    7C859D8C   8945 E4          MOV DWORD PTR SS:[EBP-1C],EAX
    7C859D8F   8B4D 08          MOV ECX,DWORD PTR SS:[EBP+8]
    Then I put a bp on GetModuleHandleA; after many exceptions and breaks, once the reminder nag goes, press Shift+F9 twice and then I get here:
    Code:
    018B5FE6   FF15 B8608D01    CALL DWORD PTR DS:[18D60B8]              ; kernel32.GetModuleHandleA
    018B5FEC   8B0D AC408E01    MOV ECX,DWORD PTR DS:[18E40AC]
    018B5FF2   89040E           MOV DWORD PTR DS:[ESI+ECX],EAX
    018B5FF5   A1 AC408E01      MOV EAX,DWORD PTR DS:[18E40AC]
    018B5FFA   391C06           CMP DWORD PTR DS:[ESI+EAX],EBX
    018B5FFD   75 16            JNZ SHORT 018B6015
    018B5FFF   8D85 B4FEFFFF    LEA EAX,DWORD PTR SS:[EBP-14C]
    018B6005   50               PUSH EAX
    018B6006   FF15 BC628D01    CALL DWORD PTR DS:[18D62BC]              ; kernel32.LoadLibraryA
    018B600C   8B0D AC408E01    MOV ECX,DWORD PTR DS:[18E40AC]
    018B6012   89040E           MOV DWORD PTR DS:[ESI+ECX],EAX
    018B6015   A1 AC408E01      MOV EAX,DWORD PTR DS:[18E40AC]
    018B601A   391C06           CMP DWORD PTR DS:[ESI+EAX],EBX
    018B601D   0F84 2F010000    JE 018B6152                              ; patched to jmp always, I think it's the API redirection one.
    018B6023   33C9             XOR ECX,ECX
    018B6025   8B07             MOV EAX,DWORD PTR DS:[EDI]
    Then I removed the bp from GetModuleHandleA and put a bp on CreateThread, and get to that I/O instruction that terminates the process.
    If I don't patch the above jump, I break at CreateThread many times but I can't find the call to OEP. I do see a call ESI but that is definitely not the OEP, because the call actually lands in the middle of an instruction, splitting it.
    Later CreateThread breaks here just before the program runs.
    Code:
    004DD527   E8 6059F3FF      CALL edited.00412E8C                    ; JMP to ole32.CoLockObjectExternal
    004DD52C   89B3 98080000    MOV DWORD PTR DS:[EBX+898],ESI
    004DD532   E8 FDC0F2FF      CALL insane.00409634                    ; JMP to kernel32.GetTickCount
    004DD537   8983 84020000    MOV DWORD PTR DS:[EBX+284],EAX
    004DD53D   C783 80020000 04>MOV DWORD PTR DS:[EBX+280],4
    004DD547   E8 48CAF2FF      CALL edited.00409F94                    ; JMP to USER32.GetDoubleClickTime
    004DD54C   8983 B0080000    MOV DWORD PTR DS:[EBX+8B0],EAX
    004DD552   E8 DDC0F2FF      CALL edited.00409634                    ; JMP to kernel32.GetTickCount
    004DD557   8983 B4080000    MOV DWORD PTR DS:[EBX+8B4],EAX
    004DD55D   33C0             XOR EAX,EAX
    004DD55F   8983 AC080000    MOV DWORD PTR DS:[EBX+8AC],EAX
    004DD565   BA 5CD64D00      MOV EDX,edited.004DD65C                 ; ASCII "Courier New"
    004DD56A   8B43 58          MOV EAX,DWORD PTR DS:[EBX+58]
    004DD56D   E8 865FF4FF      CALL edited.004234F8
    004DD572   BA 0A000000      MOV EDX,0A
    I think there is nothing in the above code that tells about the target; if any edits are necessary, I will do them.
    Well, maybe you can identify the OEP, so I will also add the code from when CreateThread breaks for the first time, because that's where it's supposed to jump to OEP (according to many tuts I read).
    Code:
    First breaks here, step in to retn:
    7C810650   E8 D7FDFFFF      CALL kernel32.CreateRemoteThread
    7C810655   5D               POP EBP
    7C810656   C2 1800          RETN 18
    7C810659   33ED             XOR EBP,EBP
    7C81065B   53               PUSH EBX
    
    Then I get here:
    
    018BC544   50               PUSH EAX
    018BC545   FF15 4C628D01    CALL DWORD PTR DS:[18D624C]              ; kernel32.CloseHandle
    018BC54B   5F               POP EDI
    018BC54C   5E               POP ESI
    018BC54D   C9               LEAVE
    018BC54E   C3               RETN                                                        ; again step into and 
    
    I land here:
    018CF8F7   59                        POP ECX
    018CF8F8   BE 98FA8D01               MOV ESI,18DFA98
    018CF8FD   8BCE                      MOV ECX,ESI
    018CF8FF   E8 1C93FDFF               CALL 018A8C20
    018CF904   84C0                      TEST AL,AL
    018CF906   75 09                     JNZ SHORT 018CF911
    018CF908   6A 01                     PUSH 1
    018CF90A   8BCE                      MOV ECX,ESI
    018CF90C   E8 E4E2FDFF               CALL 018ADBF5
    018CF911   C705 E0C08D01 D8CF8D01    MOV DWORD PTR DS:[18DC0E0],18DCFD8
    018CF91B   B9 00EC8D01               MOV ECX,18DEC00
    018CF920   E8 20F2FFFF               CALL 018CEB45
    018CF925   53                        PUSH EBX
    018CF926   E8 1AF2FFFF               CALL 018CEB45
    018CF92B   59                        POP ECX
    018CF92C   33D2                      XOR EDX,EDX
    018CF92E   8955 DC                   MOV DWORD PTR SS:[EBP-24],EDX
    018CF931   895D FC                   MOV DWORD PTR SS:[EBP-4],EBX
    018CF934   A0 BC008E01               MOV AL,BYTE PTR DS:[18E00BC]
    018CF939   8845 C8                   MOV BYTE PTR SS:[EBP-38],AL
    018CF93C   84C0                      TEST AL,AL
    018CF93E   75 47                     JNZ SHORT 018CF987
    018CF940   A1 E4008E01               MOV EAX,DWORD PTR DS:[18E00E4]
    018CF945   8B48 38                   MOV ECX,DWORD PTR DS:[EAX+38]
    018CF948   894D C4                   MOV DWORD PTR SS:[EBP-3C],ECX
    018CF94B   894D D0                   MOV DWORD PTR SS:[EBP-30],ECX
    018CF94E   8B0D FC008E01             MOV ECX,DWORD PTR DS:[18E00FC]           ; Edited.00400000
    018CF954   894D C0                   MOV DWORD PTR SS:[EBP-40],ECX
    018CF957   8B70 60                   MOV ESI,DWORD PTR DS:[EAX+60]
    018CF95A   3370 4C                   XOR ESI,DWORD PTR DS:[EAX+4C]
    018CF95D   3370 48                   XOR ESI,DWORD PTR DS:[EAX+48]
    018CF960   03F1                      ADD ESI,ECX
    018CF962   8975 D4                   MOV DWORD PTR SS:[EBP-2C],ESI
    018CF965   8B58 6C                   MOV EBX,DWORD PTR DS:[EAX+6C]
    018CF968   3358 64                   XOR EBX,DWORD PTR DS:[EAX+64]
    018CF96B   3358 54                   XOR EBX,DWORD PTR DS:[EAX+54]
    018CF96E   895D A8                   MOV DWORD PTR SS:[EBP-58],EBX
    018CF971   8D4D D0                   LEA ECX,DWORD PTR SS:[EBP-30]
    018CF974   E8 8716FDFF               CALL 018A1000
    018CF979   33D2                      XOR EDX,EDX
    018CF97B   F7F3                      DIV EBX
    018CF97D   03D6                      ADD EDX,ESI
    018CF97F   8955 CC                   MOV DWORD PTR SS:[EBP-34],EDX
    018CF982   8B12                      MOV EDX,DWORD PTR DS:[EDX]
    018CF984   8955 DC                   MOV DWORD PTR SS:[EBP-24],EDX
    018CF987   834D FC FF                OR DWORD PTR SS:[EBP-4],FFFFFFFF
    018CF98B   EB 11                     JMP SHORT 018CF99E
    018CF98D   6A 01                     PUSH 1
    018CF98F   58                        POP EAX
    018CF990   C3                        RETN
    I hope this will suffice.
    Regards,
    _InSaNe_

  4. #4
    You need to restore the code you patched after you are done with it. Armadillo uses the CRC of it to decrypt other pieces of code.

    So when you patch the magic jump, set a breakpoint on the jmp that is followed by salc; salc; (it's a bit lower than the patched jump). When it hits, remove the breakpoint, go up to your patch, select it, right-click and restore the original code.
    <[TN]FBMachine> i got kicked out of barnes and noble once for moving all the bibles into the fiction section

  5. #5
    nikolatesla20
    If this app has the double process protection (see if the app has two entries in the process list), you can bpx on GetThreadContext, and the EIP in the context structure will contain the OEP of the child program, because that's where the first exception will occur.

    Also, you must at all times, if you set a normal breakpoint, remove it again. I don't know about older Armadillos like this one, but in the newer ones (2.4 onward), the magic jump that keeps the imports from being redirected is in an encrypted code block. That code is decrypted, then used, and then re-encrypted using its own checksum. So if you have a breakpoint in it after it is decrypted, it won't re-encrypt correctly. You have to remove the breakpoint before the re-encryption routine runs.

    I found that in newer Armadillos (2.3 to 2.6; I stopped getting into it after that), if you simply put a breakpoint on VirtualProtect, each time it breaks, check the code that it returns to. If the next instruction after returning is a PUSH <something>, then you are right in the import table code, just before it starts to redirect, and you just have to scroll down to find the magic jump and change it. But you still have to bpx before the re-encryption runs again, only if you want the program to keep running. You can still change the jump and get a clean import table from a memory dump even if it crashes later (using ImpRec).

    -nt20
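A small model of the checksum-keyed code block that posts #4 and #5 describe, added here as an illustration and not Armadillo's own algorithm (the CRC-32/XOR scheme, the sample bytes and the function names are all constructed): the block is decrypted with a key fixed at protect time, re-encrypted with the checksum of whatever bytes sit in it at that moment, and an INT3 left in it makes the next decryption come out wrong, while restoring the original byte first keeps it intact.

```python
import zlib

INT3 = 0xCC  # opcode a debugger writes into code for a software breakpoint

# Constructed stand-in for the protected code bytes (a tiny x86 prologue/epilogue).
SAMPLE_CODE = bytes.fromhex("558bec83ec1033c05dc3")


def checksum(block: bytes) -> int:
    """Checksum of the block as it currently stands (CRC-32 chosen here)."""
    return zlib.crc32(block) & 0xFFFFFFFF


def xor_with_key(block: bytes, key: int) -> bytes:
    """Symmetric toy cipher: XOR with the 4-byte little-endian key."""
    k = key.to_bytes(4, "little")
    return bytes(b ^ k[i % 4] for i, b in enumerate(block))


def use_block_twice(code: bytes, patch_offset=None, restore=False) -> bytes:
    """Simulate two uses of a checksum-keyed block and return the bytes the
    protector would execute on the second use.

    patch_offset: where a debugger plants INT3 while the block is decrypted.
    restore:      put the original byte back before re-encryption (post #4).
    """
    expected_key = checksum(code)                 # fixed when the binary was protected
    stored = xor_with_key(code, expected_key)     # encrypted, resting form

    # First use: decrypt with the expected key and run it.
    clear = bytearray(xor_with_key(stored, expected_key))
    if patch_offset is not None:
        clear[patch_offset] = INT3                # breakpoint left in the clear code
        if restore:
            clear[patch_offset] = code[patch_offset]

    # Re-encrypt keyed on the checksum of the block as it is now; a stray 0xCC
    # changes the checksum, so the block is sealed with the wrong key.
    stored = xor_with_key(bytes(clear), checksum(bytes(clear)))

    # Second use: the protector again decrypts with the key it expects.
    return xor_with_key(stored, expected_key)


def decrypts_cleanly(code: bytes, patch_offset=None, restore=False) -> bool:
    return use_block_twice(code, patch_offset, restore) == code


if __name__ == "__main__":
    print("untouched:", decrypts_cleanly(SAMPLE_CODE))
    print("INT3 left in:", decrypts_cleanly(SAMPLE_CODE, 3))
    print("INT3 restored first:", decrypts_cleanly(SAMPLE_CODE, 3, restore=True))
```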

  6. #6
    OK, found the OEP. If you want a tut on how I did it, I can, but I DIDN'T unpack it; please don't get mad at me because the import table is really fu***d up. However, I will try my best to unpack it completely. Now the problem is that when you click to register the lamer, a new thread executes; when I attach a new instance of Olly to the thread, I can't really make much of it.
    Problem: Is it possible to keygen Armadillo protection? I have read that only a keygen made, or rather serials (3 of them), are the only achievements so far, and that the Arma people think it's because the person in question (who made those serials) is in possession of a very strong computer ????? (I read it somewhere at Fravia's.)
    Illuminate the blurness I am surrounded with.
    Regards,
    _InSaNe_

  7. #7
    What's the problem with the import table? Is it shuffled, so ImpRec can't fix it, or something else?

  8. #8
    Either import redirection is being used or you're just doing it wrong.

    Nearly all programs will make API calls to GetCommandLineA / GetModuleHandle / etc. a short while after OEP. If it's a direct call into the kernel, you'll probably need a loader. If it's a call [xxxxxxxx], go to xxxxxxxx and if the region around it is full of similar-valued dwords all pointing into the kernel or other DLLs, ImpRec will work; else it's also loader time.
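The check post #8 describes, as an added example (not ImpRec's code; the module map, the two sample regions and the function names are constructed here): read the dword array behind a call [xxxxxxxx] and decide whether every entry points into a loaded DLL, which an ImpRec-style rebuild needs, or whether some entries point elsewhere, as a redirected table does.

```python
import struct

# Constructed module map: (name, base, size). Real values come from the
# debugger's module list for the target.
MODULES = [
    ("kernel32.dll", 0x7C800000, 0x000F6000),
    ("user32.dll",   0x7E410000, 0x00091000),
    ("ole32.dll",    0x774E0000, 0x0013D000),
]


def module_for(addr: int):
    """Name of the loaded module containing addr, or None."""
    for name, base, size in MODULES:
        if base <= addr < base + size:
            return name
    return None


def classify_thunk_table(region: bytes, min_entries: int = 4):
    """Walk the region as little-endian dwords up to the first zero (import
    thunk arrays are zero-terminated). Returns (verdict, entries) where each
    entry is (offset, value, module_or_None)."""
    entries = []
    for off in range(0, len(region) - 3, 4):
        (value,) = struct.unpack_from("<I", region, off)
        if value == 0:
            break
        entries.append((off, value, module_for(value)))
    if len(entries) < min_entries:
        return "not-iat", entries
    if all(mod is not None for _, _, mod in entries):
        return "clean-iat", entries      # ImpRec-style rebuild should work
    return "redirected", entries         # some thunks leave the DLLs


def pack(*dwords):
    return b"".join(struct.pack("<I", d) for d in dwords)

# Constructed sample regions. REDIRECTED has two thunks pointing into
# 0x018Bxxxx, an allocated region like the one the thread's listings show.
CLEAN = pack(0x7C80B741, 0x7C812D9B, 0x7C80932E, 0x7E4194D5, 0x774E0E2F, 0)
REDIRECTED = pack(0x7C80B741, 0x018B5F00, 0x7C80932E, 0x018BC544, 0x7E4194D5, 0)
JUNK = pack(0x41414141, 0x00000000, 0x7C80B741)


if __name__ == "__main__":
    for name, region in (("CLEAN", CLEAN), ("REDIRECTED", REDIRECTED), ("JUNK", JUNK)):
        verdict, entries = classify_thunk_table(region)
        print(name, verdict, [(hex(v), m) for _, v, m in entries])
```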

  9. #9
    Of course import redirection is being used. Let me tell you what progress I have made so far.
    Armadillo version (I think I know the correct version now) is v4.40
    Protection info: Standard
    Father process -->> true
    CopyMem2 -->> true (not sure, but it won't allow me to breakpoint anywhere but at returns, else code is directed to I/O instructions.)
    Nanomites: not that I know of
    Antidebug: yes, uses OutputDebugStringA to crash Olly
    Code Splicing: not sure
    When I try to find imports at OEP, ImpRec says nothing found.
    Yeah, one more thing, it's the call ecx (the second one) that jumps to OEP.
    Ummmm, one more thing, ArmaGUI unpacked it OK, so wtf, because I can't do it.

  10. #10
    VINNIE (Guest)
    Aren't you supposed to detach it first? You made no mention that you had detached it, if it is indeed CopyMemII.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #11

    sage

    Aren't YOU supposed to check the DATE OF THE LAST POST first?
