
Thread: dongle app written in dos

  1. #1
    ksbrace
    Guest

    dongle app written in dos

    Ok,
    I'm playing around with an old app that a bowling alley near my house uses all of the time. It appears to have been written in DOS and it crashes W32DASM every time I attempt to load it. It uses ntvdm.exe; after looking this up, it is a 16-bit DOS emulator... correct? I load it in Olly and I see this:
    7C90EB94 C3 RETN
    7C90EB95 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
    7C90EB9C 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
    7C90EBA0 90 NOP
    7C90EBA1 90 NOP

    Searched this forum and found something relative to this here: http://www.woodmann.com/forum/showthread.php?t=7411&highlight=file+analysis
    on post #2. So, based on that, something is happening before the original entry point.

    I also found IsDebuggerPresent when I ctrl-N.

    Maybe this is above my head, but I thought maybe I could ask for a few pointers and/or things to try out. IMHO, I find it highly doubtful that this is that secure... but I could be wrong. Thanks in advance.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    SiGiNT
    ksbrace,

    Unless Olly is disassembling incorrectly, this is not a 16-bit app; it uses extended registers, ESP vs. SP, EAX vs. AX. A good way to really check this out is to find a copy of IDA 4.3, the free version, or if you are fortunate enough a later version (it's up to 4.8xx, with 5.0 coming soon); it should tell you if it really is a 16-bit NE app. Also, IsDebuggerPresent wouldn't be found in old DOS apps.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  3. #3
    ksbrace
    Guest
    Sigint33,
    I get a message when I load it in Olly saying: Not a valid PE file
    file 'target' is probably not a 32-bit Portable Executable. Try to load it anyway?

    I chose yes. I will look for a copy of IDA and try using that.

  4. #4
    ksbrace
    Guest
    Ok, found 4.3... didn't search too hard for any later version.
    At the top it says:
    File Name: target
    Format: MS-DOS executable
    then at seg000, it says:
    segment byte public 'CODE' use16.

  5. #5
    SiGiNT
    Don't take my word as gospel; yes, ntvdm.exe is the NT DOS Virtual Machine, but in googling around I found that it's also employed for Win98 compatibility. If it is a 16-bit DOS app, then you may have to resort to using Borland's Turbo Debugger. I think if you search this forum you may find some info on it. I have a 16-bit app that I've fixed everything except the initial nag (from a dead listing), and it behaves similarly to what you describe. If you get Turbo Debugger running on XP SP2 let me know how; it always locks up on me, but I really didn't spend more than a couple of minutes playing with it.

    SiGiNT

  6. #6
    If I'm not wrong, Turbo Debugger doesn't work in WinXP. You can try this debugger, super tracer tr252.zip.
    esther


    Reverse the code, Reverse Your Minds First

  7. #7
    SiGiNT
    I'll give it a try!

    Thanx esther.

  8. #8
    Quote Originally Posted by ksbrace
    I load it in Olly and I see this
    That's somewhere in the kernel. What you need to determine is whether Olly has actually loaded ntvdm.exe or your target. This can be done by changing the options so that Olly breaks at the entry point.

    The best way to determine what file format it is written in is to open it in a text editor like Notepad and examine the header portion. If the prominent letters "PE" appear in the middle of some whitespace then it's a standard Win32 PE, if it's NE then it's Win16, and if there's nothing but repetitive-looking entries it would be a standard DOS MZ.
    Last edited by LLXX; January 25th, 2006 at 01:32.

  9. #9
    ksbrace
    Guest
    LLXX,
    Olly loaded ntvdm.exe. When I loaded the target.exe into Notepad, I found this:
    Borland C++ - Copyright. When I start the app, I get the following message (prior to the 'no dongle present' msg):
    Title: 16 bit MS-DOS Subsystem
    path/target.exe
    RNBOVDD.DLL. An installable Virtual Device Driver failed DLL initialization. Choose 'Close' to terminate the application.

  10. #10
    Quote Originally Posted by ksbrace
    Sigint33,
    I get a message when I load it in Olly saying: Not a valid PE file
    file 'target' is probably not a 32-bit Portable Executable. Try to load it anyway?

    Well, 16-bit programs (Windows 3.1) doesn't mean it's a DOS one, since you can load it in OllyDbg and you found the IsDebuggerPresent API, which means it's a Windows program.
    esther


  11. #11
    ksbrace
    Guest
    Ok, after another look, I found the IsDebuggerPresent inside the ntvdm.exe and not the target.exe.

  12. #12
    Quote Originally Posted by ksbrace
    When I loaded the target.exe into Notepad, I found this:
    Borland C++ - Copyright.
    That just indicates that it was compiled with Borland's C++ compiler... and you're looking too far into the file. Turn on the word wrap and scroll up until you see the "MZ" as the first two characters.

    If you can find "This program cannot be run in DOS mode" and then the letters "PE" after some miscellaneous characters, it's a PE.

    A Win3.1 file will have "This program requires Microsoft Windows" and then "NE" immediately before some "" characters.

    A standard DOS MZ will have none of the above characteristics.

    Based on what you've posted so far, my assumption is that you have a standard MZ file.
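The header check LLXX describes above, as an added example in Python (not code from the thread or any of its posters): it reads the MZ header, uses the relocation-table offset at 0x18 and the e_lfanew field at 0x3C to locate the NE or PE signature, and separately scans for the two stub strings that show up when the file is opened in Notepad. The images returned by build_sample are constructed for the test and are headers only, not real executables; the function names are this example's own.

```python
import struct
import sys

# Stub messages LLXX describes seeing in Notepad; each is a strong hint about
# which "new" header follows the MZ header.
STUB_HINTS = {
    b"This program cannot be run in DOS mode": "PE stub message",
    b"This program requires Microsoft Windows": "NE stub message",
}


def classify_exe(data: bytes) -> str:
    """Classify an executable image by its headers.

    Returns "not-MZ", "DOS MZ", "NE (Win16)" or "PE (Win32)".
    """
    if len(data) < 0x1C or data[:2] != b"MZ":
        return "not-MZ"
    # e_lfarlc (offset 0x18) is where the DOS relocation table starts. A plain
    # DOS executable puts it right after the 0x1C-byte old header; NE and PE
    # files move it to 0x40 or beyond so that the e_lfanew field fits.
    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]
    if e_lfarlc < 0x40 or len(data) < 0x40:
        return "DOS MZ"
    # e_lfanew (offset 0x3C) is the file offset of the NE or PE header.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew == 0 or e_lfanew + 4 > len(data):
        return "DOS MZ"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        return "PE (Win32)"
    if sig[:2] == b"NE":
        return "NE (Win16)"
    return "DOS MZ"


def stub_message(data: bytes):
    """Return the label of the stub message found, or None (the Notepad check)."""
    for needle, label in STUB_HINTS.items():
        if needle in data:
            return label
    return None


def build_sample(kind: str) -> bytes:
    """Construct a minimal sample image (headers only, not runnable) for tests."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    if kind == "dos":
        struct.pack_into("<H", hdr, 0x18, 0x1C)  # relocations follow old header
        return bytes(hdr) + b"\x00" * 16
    struct.pack_into("<H", hdr, 0x18, 0x40)  # e_lfarlc >= 0x40: e_lfanew is valid
    stub = {
        "pe": b"This program cannot be run in DOS mode.\r\n$",
        "ne": b"This program requires Microsoft Windows.\r\n$",
    }[kind]
    new_hdr = 0x40 + len(stub)
    struct.pack_into("<I", hdr, 0x3C, new_hdr)
    sig = b"PE\0\0" if kind == "pe" else b"NE"
    return bytes(hdr) + stub + sig + b"\x00" * 32


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python classify_exe.py target.exe
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        print(classify_exe(blob), stub_message(blob))
    else:
        for k in ("dos", "ne", "pe"):
            s = build_sample(k)
            print(k, "->", classify_exe(s), stub_message(s))
```

The e_lfarlc test matters because a plain DOS MZ file has no e_lfanew field at all; whatever bytes happen to sit at 0x3C are part of the program, so reading them blindly can produce a false NE or PE match. The stub-string scan is only a hint (a packer or a hand-built stub can omit it), which is why the header walk is the primary check.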

  13. #13
    hadicol
    Guest
    I have tried debugging DOS programs with Olly on XP. I gave up because I can never seem to get out of the ntvdm emulator and into the program! Now that I think of it, you can probably never enter the program assembler.

    However, you can use the good ol' "debug" program (yes, debug is the name of the program). It's command line, ugly, it works, and even though it's 16-bit only it still comes with Windows for some reason... type ? for help. But Turbo Debugger is a lot easier, runs fine for me (XP SP2), free for download. HIEW can disassemble 16-bit too. These work because they are also being run under ntvdm!

    So basically, ya, it's a 16-bit program if ntvdm is running it. So use outdated tools; 32-bit tools will not process it correctly. If it is an old 16-bit Windows program, the "Windows on Windows" emulator wowexec.exe will also be in the process list as well as ntvdm.exe; if there's no wowexec it is DOS.
    Last edited by hadicol; January 26th, 2006 at 02:43.

  14. #14
    Naides is Nobody
    In DS 3.2 and I'm almost sure DS3.1 \SoftIce Folder there is a subfolder called util16.

    In there are two files, symbol loaders, that need to be invoked from a DOS window:
    DLDR.exe for MZ format DOS 16 bit applications
    and
    WLDR.exe for NE format Windows 16 bit applications


    Sice pops up and you are at the entry point of your prehistoric code.
    Sice fucks up/locks up even more frequently than usual while tracing those 16-bit creatures, but unlike the old Borland Turbo debuggers and other outdated toys, the Sice 16-bit debugger runs in a pure 32-bit OS (WinXP) and CPU (Pentium 4).
    Last edited by naides; January 26th, 2006 at 16:02.

  15. #15
    ksbrace
    Guest
    I could use some help/guidance on the following:
    I start the target and immediately hit ctrl-D. I then begin to F10 and I get to a line that looks like this:
    Code:
    FE2E:377C   CALL 5001
    That line causes the 'Target security missing' msg.

    My question: what is the FE2E?

    When I look with w32dasm, I don't see anything close to FE2E.

    Also, I don't seem to be utilizing the dldr.exe and wldr.exe files. Based on the info that I have looked at, I want to use the dldr.exe.
