Thread: Question on Borland

  1. #1
    DaBoo
    Guest

    Question on Borland

Hi, I have a question on debugging a program made with Borland C++ 1999.
This program has only one file, an EXE, and when I load it up in Olly everything seems fine until you hit F9: the program starts, then Olly says Terminated.
So I checked the file with PEiD v0.93 to see if it was packed or had a cryptor and it found none; it just says Borland C++ 1999 [Overlay], and the only check that says packed is the Fast Check, not the Entropy or EP check. But it acts like it is packed or has a cryptor with an anti-debug. There is a CPPDebugHook
API call being called in three spots; do you think this call is my anti-debugger?
I did search for it on here but found no info on the call. Thanks for any info.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
Probably anti-debug; search more on the subject...
Try a bpx on ExitProcess / TerminateThread, see where it came from and backtrace.

  3. #3
    DaBoo
    Guest
Thanks for the reply, I'll try that.

  4. #4
    Naides is Nobody
DaBoo: check the anti-anti-debug plugins available in the Olly forum area and see if they can avoid Olly detection for you.
Some of them allow you to activate one countermeasure at a time, so you can dissect how your prog detects Olly.

  5. #5
    Super Moderator
Though your question doesn't make sense:

CPPdebugHook is part of the Borland C run time.

It will be there in each and every file compiled by bcc,

and Borland doesn't have any equivalent of
VC's /NODEFAULTLIB linker switch, so you can't stop Borland from compiling that CRT in even if you don't use it.

    Code:
    00401000 >/$ /EB 10         JMP     SHORT 00401012
    00401002  |  |66            DB      66                               ;  CHAR 'f'
    00401003  |  |62            DB      62                               ;  CHAR 'b'
    00401004  |  |3A            DB      3A                               ;  CHAR ':'
    00401005  |  |43            DB      43                               ;  CHAR 'C'
    00401006  |  |2B            DB      2B                               ;  CHAR '+'
    00401007  |  |2B            DB      2B                               ;  CHAR '+'
    00401008  |  |48            DB      48                               ;  CHAR 'H'
    00401009  |  |4F            DB      4F                               ;  CHAR 'O'
    0040100A  |  |4F            DB      4F                               ;  CHAR 'O'
    0040100B  |  |4B            DB      4B                               ;  CHAR 'K'
    0040100C  |  |90            NOP
    0040100D  |  |E9            DB      E9
    0040100E  |. |1CA14000      DD      OFFSET w2khero.___CPPdebugHook
    00401012  |> \A1 0FA14000   MOV     EAX, DWORD PTR DS:[40A10F]
    00401017  |.  C1E0 02       SHL     EAX, 2
    0040101A  |.  A3 13A14000   MOV     DWORD PTR DS:[40A113], EAX
    0040101F  |.  52            PUSH    EDX                              ;  ntdll.KiFastSystemCallRet
    00401020  |.  6A 00         PUSH    0                                ; /pModule = NULL
    00401022  |.  E8 EF8C0000   CALL    <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA

As to F9: if it is a console application, F9 means it executed and terminated,
and when the debuggee terminates the debugger will also say process terminated.

Is that what you are asking?

Next time, instead of F9ing, try F7ing until it terminates and see if you can F7 several times.

BTW, read up.

  6. #6
    DaBoo
    Guest
Hi, thanks for all the replies, but yes, when I run the program from within Olly the program starts up and runs, but Olly terminates the debugging and the program stays running. I tried to attach to the program while it is running and it says Bad or unknown format and breaks at DbgBreakPoint in ntdll, so I know it's an anti-debug trick, just not sure which one. I need to do a lot of stepping to find out where it's hiding.

  7. #7
Quote: when I run the program from within Olly the program starts up and runs, but Olly terminates the debugging and the program stays running
If it stays running, with Olly open, then that's not much of an anti-debug... probably a "dump-and-run". I've seen a few of these. Basically they're like a packer, only less optimised: they unpack to the temp directory or something and then spawn from there. The main unpacking process then terminates, hence you observe the symptoms you described.

    Load the file into a hex editor or (even better) MS-DOS EDIT in binary mode and scroll through it. If there is a large block of data toward the rear that looks compressed, it's probably what I described above.
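An added example, not code from the thread: the hex-editor check litana describes can be done mechanically. The script below parses the PE headers to find the overlay (the bytes past the last section's raw data, which is what PEiD's "[Overlay]" flag refers to), measures the overlay's Shannon entropy (compressed or encrypted payloads sit close to 8 bits per byte), and greps the file for the process-spawning API names a dump-and-run stub needs. The sample executable is constructed inside the script (a minimal PE32 with one section, NOP bytes and two import-name strings, plus a deterministic pseudo-random overlay standing in for a compressed payload); it is not DaBoo's binary, and the 1 KiB / 7.0-bit thresholds are my own judgment calls.

```python
"""Added triage helper (not from the thread): locate the PE overlay, measure
its entropy, and look for spawn APIs, i.e. the dump-and-run signature.
The sample binary is constructed here; it is not DaBoo's executable."""
import hashlib
import math
import struct

# Win32 APIs a "dump-and-run" stub typically uses to relaunch its payload.
SPAWN_APIS = (b"WinExec", b"CreateProcessA", b"CreateProcessW",
              b"ShellExecuteA", b"ShellExecuteW")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; compressed/encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_overlay(pe: bytes):
    """Return (offset, size) of bytes past the last section's raw data,
    or (None, 0) if the file ends where the sections end."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]     # NumberOfSections
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]        # SizeOfOptionalHeader
    sec_table = coff + 20 + size_opt
    end = sec_table + num_sections * 40          # at least past the headers
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    if end >= len(pe):
        return None, 0
    return end, len(pe) - end


def triage(pe: bytes) -> dict:
    """Combine the three checks into one verdict.  A large (>1 KiB) overlay
    with entropy above 7.0 bits/byte plus a spawn API present is the
    dump-and-run pattern; an overlay alone is also what installers and
    self-extractors legitimately carry, so the API check matters."""
    off, size = find_overlay(pe)
    ent = shannon_entropy(pe[off:]) if off is not None else 0.0
    apis = [name.decode() for name in SPAWN_APIS if name in pe]
    return {
        "overlay_offset": off,
        "overlay_size": size,
        "overlay_entropy": round(ent, 3),
        "spawn_apis": apis,
        "looks_like_dump_and_run": size > 1024 and ent > 7.0 and bool(apis),
    }


# --- constructed sample: a minimal PE32 with one .text section ------------
# The overlay is a deterministic pseudo-random byte stream standing in for a
# compressed payload; .text is NOPs plus two import-name strings.
SAMPLE_OVERLAY = b"".join(
    hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))


def build_sample_pe(overlay: bytes) -> bytes:
    e_lfanew, size_opt, raw_ptr = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\0")   # PE32 magic
    text = (b"\x90" * 0xE0 + b"CreateProcessA\0WinExec\0").ljust(0x100, b"\0")
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(text), 0x1000, len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + section).ljust(raw_ptr, b"\0")
    return headers + text + overlay


if __name__ == "__main__":
    for label, blob in (("with overlay", SAMPLE_OVERLAY), ("no overlay", b"")):
        print(label, triage(build_sample_pe(blob)))
```

Point `triage()` at the real file's bytes to get the same report for it; a dump-and-run stub will typically show a large, high-entropy overlay and at least one of the spawn APIs, whereas a plain Borland build with a small resource overlay will not trip the verdict.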

  8. #8
    Super Moderator
Then, like litana says, it might be doing WinExec() or CreateProcess() or ShellExecute() or CreateProcessEx()
and spawning a new instance (but a new instance shouldn't hinder OllyDbg from attaching to it). BTW, it's normal for any attached process to stop on
ntdll!DebugBreak(); look at the call stack, find the user-mode code that
is on the stack and break there.

  9. #9
    DaBoo
    Guest
Thanks for the info, I'll try all of the info you guys gave me.
