Results 1 to 7 of 7

Thread: Program keeps bouncing me to ntdll.dll when run from OllyDbg

  1. #1
    ljre24
    Guest

    Program keeps bouncing me to ntdll.dll when run from OllyDbg

    I have this program that I'm trying to debug. When I attach to it, I have no problems. But I need to catch it the moment it starts up when it shows me a message box window before the rest of the program starts. The window asks me to connect a dongle. I located a reference to the string and the call to the AfxMessageBox function. But when I set the breakpoint and run the program (F9), it keeps bouncing me back to ntdll.dll. What exctly is going on here? How do I make sure this is some antidebugging scheme or not and how do I solve it?

    Thanks
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    What type of dongle is it?

    Also, look at the statusbar for more information. Does it show an exception or invalid instruction/etc.?

  3. #3
    ljre24
    Guest
    ooh, turns out it was stopping at a hardware breakpoint. I disabled it, and now it generated an exception! What do I do now?

    Log data, item 2
    Address=01E91236
    Message=Access violation when writing to [9A83619A]
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    Posts
    1,281
    If it runs fine in your debugger w/o the breakpoint set, and it hits an exception with the breakpoint set, then it's clearly the breakpoint that's being detected by the anti-debugging stuff.
    I'd suggest trying different kinds of breakpoints (software, hardware, memory) and using them in different locations in the function (like the last instruction (retn) instead of the first).

  5. #5
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Also explore the anti-debug plug-ins and patches available for Olly, here in this forum (Olly stuph)and on the web

  6. #6
    ljre24
    Guest
    No, the program crashes even without setting breakpoints. All I have to do is run the program directly from Olly (this doesn't happen when I attach to the process when it's already running).

    I'll test it again anyway just to make sure, but what else could it be?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    It is detecting Olly's (or some other debugger) presence and crashing by throwing some exception.
    The test probably takes place near program initialization, that is why you can attach without being detected (at least not right away).

    It does sound like antidebug protection. Read my post above. . .

Similar Threads

  1. ntdll.RtlCreateUserThread problem
    By vadimpo in forum OllyDbg Support Forums
    Replies: 4
    Last Post: September 5th, 2009, 22:29
  2. Funny API function inside ntdll.dll
    By OHPen in forum Blogs Forum
    Replies: 11
    Last Post: October 30th, 2007, 04:59
  3. 16 bit Program
    By TuttoSommato in forum OllyDbg Support Forums
    Replies: 5
    Last Post: November 9th, 2004, 06:44
  4. ntdll problem
    By bcavlin in forum Bugs
    Replies: 2
    Last Post: October 5th, 2004, 03:49
  5. Program will not load into OllyDbg
    By Mz_66 in forum OllyDbg Support Forums
    Replies: 2
    Last Post: September 12th, 2004, 19:17

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •