
Debugged program unable to process exception


_InSaNe_
July 27th, 2007, 19:56
Target info: PEiD says Armadillo 1.xx - 2.xx
My approach:
I found out that it was also using OutputDebugStringA to crash Olly, so:
bp OutputDebugStringA
patched push 234 to ret 4
removed BP
then bp GetModuleHandleA
to find the good jump for API redirection
found after registration nag.
patched je to jmp always
Removed the breakpoint and set a new BP on CreateThread to check for the call edi (signature jump to OEP for Arma).
Then Shift+F9 twice and up comes the warning "privileged instruction".
When Shift+F9 again, comes the error "Debugged program unable to process exception".
And then the process terminates.
I know I am so close to OEP and yet ......

Sorry, I can't upload much of the code since it's a real application. (This code is all in red.)
Code:

018C1D30 90 NOP
018C1D31 F7D3 NOT EBX
018C1D33 EF OUT DX,EAX ; I/O command this one here is the culprit.
018C1D34 4A DEC EDX
018C1D35 DA29 FISUBR DWORD PTR DS:[ECX]
018C1D37 1C 74 SBB AL,74
018C1D39 A7 CMPS DWORD PTR DS:[ESI],DWORD PTR ES:[ED>
018C1D3A 9D POPFD
018C1D3B 53 PUSH EBX
018C1D3C 83FA 21 CMP EDX,21
018C1D3F 8BB6 92122531 MOV ESI,DWORD PTR DS:[ESI+31251292]
018C1D45 1C 5E SBB AL,5E
018C1D47 DB79 37 FSTP TBYTE PTR DS:[ECX+37]
018C1D4A A8 93 TEST AL,93
018C1D4C 15 957F4FD9 ADC EAX,D94F7F95
018C1D51 20CA AND DL,CL
018C1D53 3D 4E9F258E CMP EAX,8E259F4E
018C1D58 34 1D XOR AL,1D

If I remove the breakpoint on GetModuleHandleA and don't patch the jump to API redirection, then I get the bp on CreateThread to work; however, I can't find call edi.
Also, when I try Shift+F9 again it breaks at CreateThread and I see the GetTickCount API; more protection?
I must admit I can't find out what's causing this. After pressing Shift+F9 once (that's after I patched the old jump) I stepped into the code but no good; there is definitely something I am not aware of, some trick Armadillo is playing that I don't know of.
Any help appreciated.
Regards,
_InSaNe_

P.S.: Sure, if it's not clear, I will upload much more code after making the necessary changes.

LLXX
July 27th, 2007, 22:17
The 'dillo can detect breakpoints, you know... in this case it seems to have done so and led you down the wrong path (i.e. I/O instructions are not encountered in the normal flow of execution).

_InSaNe_
July 27th, 2007, 22:51
Quote:
Originally Posted by LLXX: The 'dillo can detect breakpoints, you know... in this case it seems to have done so and led you down the wrong path (i.e. I/O instructions are not encountered in the normal flow of execution).


I put bp's on returns so I think that helps, doesn't it? I read it somewhere.
Problem is that if I don't patch the API redirection jump then I do get the program to run and break at CreateThread, whereas if I don't patch that jump, I get to the above code. And as I also added, if I do not patch and break at CreateThread then I can't get the call edi to OEP.
I think I should add a bit of code:
Code:

7C859D6B 696E 4D 75746578 IMUL EBP,DWORD PTR DS:[ESI+4D],78657475
7C859D72 0090 90909090 ADD BYTE PTR DS:[EAX+90909090],DL
7C859D78 > 68 34020000 PUSH 234 ; break at outputdebugstringa patched to ret 4
7C859D7D 68 A0A0857C PUSH kernel32.7C85A0A0
7C859D82 E8 3F87FAFF CALL kernel32.7C8024C6
7C859D87 A1 CC46887C MOV EAX,DWORD PTR DS:[7C8846CC]
7C859D8C 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
7C859D8F 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]

Then I put a bp on GetModuleHandleA; after many exceptions and breaks, once the reminder nag goes, press Shift+F9 twice and then I get here:
Code:

018B5FE6 FF15 B8608D01 CALL DWORD PTR DS:[18D60B8] ; kernel32.GetModuleHandleA
018B5FEC 8B0D AC408E01 MOV ECX,DWORD PTR DS:[18E40AC]
018B5FF2 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
018B5FF5 A1 AC408E01 MOV EAX,DWORD PTR DS:[18E40AC]
018B5FFA 391C06 CMP DWORD PTR DS:[ESI+EAX],EBX
018B5FFD 75 16 JNZ SHORT 018B6015
018B5FFF 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
018B6005 50 PUSH EAX
018B6006 FF15 BC628D01 CALL DWORD PTR DS:[18D62BC] ; kernel32.LoadLibraryA
018B600C 8B0D AC408E01 MOV ECX,DWORD PTR DS:[18E40AC]
018B6012 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
018B6015 A1 AC408E01 MOV EAX,DWORD PTR DS:[18E40AC]
018B601A 391C06 CMP DWORD PTR DS:[ESI+EAX],EBX
018B601D 0F84 2F010000 JE 018B6152 ; pathced to jmp always, i think its the API redirection one.
018B6023 33C9 XOR ECX,ECX
018B6025 8B07 MOV EAX,DWORD PTR DS:[EDI]

Then I removed the bp from GetModuleHandleA and put a bp on CreateThread, and get to that I/O instruction that terminates the process.
If I don't patch the above jump, I break at CreateThread many times but I can't find the call to OEP. I do see a call ESI but that is definitely not the OEP, because the call actually lands in the middle of an instruction, splitting it.
Later CreateThread breaks here, just before the program runs.
Code:

004DD527 E8 6059F3FF CALL edited.00412E8C ; JMP to ole32.CoLockObjectExternal
004DD52C 89B3 98080000 MOV DWORD PTR DS:[EBX+898],ESI
004DD532 E8 FDC0F2FF CALL insane.00409634 ; JMP to kernel32.GetTickCount
004DD537 8983 84020000 MOV DWORD PTR DS:[EBX+284],EAX
004DD53D C783 80020000 04>MOV DWORD PTR DS:[EBX+280],4
004DD547 E8 48CAF2FF CALL edited.00409F94 ; JMP to USER32.GetDoubleClickTime
004DD54C 8983 B0080000 MOV DWORD PTR DS:[EBX+8B0],EAX
004DD552 E8 DDC0F2FF CALL edited.00409634 ; JMP to kernel32.GetTickCount
004DD557 8983 B4080000 MOV DWORD PTR DS:[EBX+8B4],EAX
004DD55D 33C0 XOR EAX,EAX
004DD55F 8983 AC080000 MOV DWORD PTR DS:[EBX+8AC],EAX
004DD565 BA 5CD64D00 MOV EDX,edited.004DD65C ; ASCII "Courier New"
004DD56A 8B43 58 MOV EAX,DWORD PTR DS:[EBX+58]
004DD56D E8 865FF4FF CALL edited.004234F8
004DD572 BA 0A000000 MOV EDX,0A

I think there is nothing in the above code that tells about the target; if any edits are necessary, I will do 'em.
Well, maybe you can identify the OEP, so I will also add the code from when CreateThread breaks for the first time, because that's where it's supposed to jump to OEP. (According to many tuts I read.)
Code:

First breaks here, step in to retn:
7C810650 E8 D7FDFFFF CALL kernel32.CreateRemoteThread
7C810655 5D POP EBP
7C810656 C2 1800 RETN 18
7C810659 33ED XOR EBP,EBP
7C81065B 53 PUSH EBX

Then i get here:

018BC544 50 PUSH EAX
018BC545 FF15 4C628D01 CALL DWORD PTR DS:[18D624C] ; kernel32.CloseHandle
018BC54B 5F POP EDI
018BC54C 5E POP ESI
018BC54D C9 LEAVE
018BC54E C3 RETN ; again step into and

I land here:
018CF8F7 59 POP ECX
018CF8F8 BE 98FA8D01 MOV ESI,18DFA98
018CF8FD 8BCE MOV ECX,ESI
018CF8FF E8 1C93FDFF CALL 018A8C20
018CF904 84C0 TEST AL,AL
018CF906 75 09 JNZ SHORT 018CF911
018CF908 6A 01 PUSH 1
018CF90A 8BCE MOV ECX,ESI
018CF90C E8 E4E2FDFF CALL 018ADBF5
018CF911 C705 E0C08D01 D8CF8D01 MOV DWORD PTR DS:[18DC0E0],18DCFD8
018CF91B B9 00EC8D01 MOV ECX,18DEC00
018CF920 E8 20F2FFFF CALL 018CEB45
018CF925 53 PUSH EBX
018CF926 E8 1AF2FFFF CALL 018CEB45
018CF92B 59 POP ECX
018CF92C 33D2 XOR EDX,EDX
018CF92E 8955 DC MOV DWORD PTR SS:[EBP-24],EDX
018CF931 895D FC MOV DWORD PTR SS:[EBP-4],EBX
018CF934 A0 BC008E01 MOV AL,BYTE PTR DS:[18E00BC]
018CF939 8845 C8 MOV BYTE PTR SS:[EBP-38],AL
018CF93C 84C0 TEST AL,AL
018CF93E 75 47 JNZ SHORT 018CF987
018CF940 A1 E4008E01 MOV EAX,DWORD PTR DS:[18E00E4]
018CF945 8B48 38 MOV ECX,DWORD PTR DS:[EAX+38]
018CF948 894D C4 MOV DWORD PTR SS:[EBP-3C],ECX
018CF94B 894D D0 MOV DWORD PTR SS:[EBP-30],ECX
018CF94E 8B0D FC008E01 MOV ECX,DWORD PTR DS:[18E00FC] ; Edited.00400000
018CF954 894D C0 MOV DWORD PTR SS:[EBP-40],ECX
018CF957 8B70 60 MOV ESI,DWORD PTR DS:[EAX+60]
018CF95A 3370 4C XOR ESI,DWORD PTR DS:[EAX+4C]
018CF95D 3370 48 XOR ESI,DWORD PTR DS:[EAX+48]
018CF960 03F1 ADD ESI,ECX
018CF962 8975 D4 MOV DWORD PTR SS:[EBP-2C],ESI
018CF965 8B58 6C MOV EBX,DWORD PTR DS:[EAX+6C]
018CF968 3358 64 XOR EBX,DWORD PTR DS:[EAX+64]
018CF96B 3358 54 XOR EBX,DWORD PTR DS:[EAX+54]
018CF96E 895D A8 MOV DWORD PTR SS:[EBP-58],EBX
018CF971 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
018CF974 E8 8716FDFF CALL 018A1000
018CF979 33D2 XOR EDX,EDX
018CF97B F7F3 DIV EBX
018CF97D 03D6 ADD EDX,ESI
018CF97F 8955 CC MOV DWORD PTR SS:[EBP-34],EDX
018CF982 8B12 MOV EDX,DWORD PTR DS:[EDX]
018CF984 8955 DC MOV DWORD PTR SS:[EBP-24],EDX
018CF987 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
018CF98B EB 11 JMP SHORT 018CF99E
018CF98D 6A 01 PUSH 1
018CF98F 58 POP EAX
018CF990 C3 RETN

I hope this will suffice.
Regards,
_InSaNe_

fr33ke
July 28th, 2007, 05:24
You need to restore the code you patched after you are done with it. Armadillo uses the CRC of it to decrypt other pieces of code.

So when you patch the magic jump, set a breakpoint on the jmp that is followed by salc; salc; (it's a bit lower than the patched jump). When it hits, remove the breakpoint, go up to your patch, select it, right-click and restore the original code.

nikolatesla20
July 28th, 2007, 07:26
If this app has the double process protection (see if the app has two entries in the process list), you can bpx on GetThreadContext, and the EIP in the context structure will contain the OEP of the child program, because that's where the first exception will occur.

Also, you must at all times, if you set a normal breakpoint, remove it again. I don't know if this holds in older Armadillos like this one, but in the newer ones (2.4 onward), the magic jump that keeps the imports from being redirected is in an encrypted code block. That code is decrypted, then used, and then re-encrypted using its own checksum. So if you have a breakpoint in it after it is decrypted, it won't re-encrypt correctly. You have to remove the breakpoint before the re-encryption routine runs.

I found that in newer armadillos (2.3 to 2.6 - I stopped getting into it after that), if you simply put a breakpoint on VirtualProtect, each time it breaks, check the code that it returns to. If the next instruction after returning is a PUSH <something>, then you are right in the import table code, just before it starts to redirect, and you just have to scroll down to find the magic jump and change it. But you still have to bpx before the re-encryption runs again - only if you want the program to keep running. You can still change the jump and get a clean import table from a memory dump even if it crashes later. (Using ImpRec)

-nt20
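The mechanism fr33ke and nikolatesla20 describe above (a block is decrypted, run, and the next stage's key is derived from a checksum over that same block, so a leftover patch or INT3 corrupts everything that depends on it) modelled as an added example in Python. This is not code from the thread or from Armadillo; the byte strings, the CRC32-keyed SHA-256 keystream and the function names are all constructed here for illustration.

```python
"""Checksum-keyed decryption: why a patched or breakpointed block must be restored.

Added example (not code from the thread or from Armadillo). Models the behaviour
the posts describe: a code block is decrypted and executed, then the key for the
next stage is derived from a CRC over that same block, so any byte changed in it
(a patched jump, a software breakpoint) yields a wrong key and garbage output.
All byte strings below are constructed for illustration.
"""
import hashlib
import zlib

# Constructed stand-in for the decrypted "magic jump" block (not the target's bytes).
# Layout loosely mirrors a JE rel32 followed by a few short instructions.
MAGIC_BLOCK = bytes.fromhex("0f842f010000 33c9 8b07 8bce e81c93fdff 84c0 7509")

# Constructed second-stage plaintext the protector would decrypt next.
STAGE2_PLAINTEXT = b"STAGE2\x00" + bytes(range(0x20, 0x40))


def block_key(block: bytes) -> int:
    """Key for the next stage is the CRC32 of the executed block (as the thread describes)."""
    return zlib.crc32(block) & 0xFFFFFFFF


def keystream(key: int, length: int) -> bytes:
    """Expand the 32-bit CRC into a keystream (SHA-256 in counter mode; construction is ours)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.to_bytes(4, "little") + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def protect_stage(plaintext: bytes, block: bytes) -> bytes:
    """Build time: encrypt the next stage under the CRC of the unmodified block."""
    return xor_bytes(plaintext, keystream(block_key(block), len(plaintext)))


def unprotect_stage(ciphertext: bytes, block_in_memory: bytes) -> bytes:
    """Run time: the protector recomputes the CRC over whatever is in memory right now."""
    return xor_bytes(ciphertext, keystream(block_key(block_in_memory), len(ciphertext)))


def stage_is_valid(decrypted: bytes) -> bool:
    """Sanity check that the next stage decrypted to something sensible."""
    return decrypted.startswith(b"STAGE2\x00")


def patch(block: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Overwrite bytes in a copy of the block, as a debugger patch or INT3 would."""
    buf = bytearray(block)
    buf[offset:offset + len(new_bytes)] = new_bytes
    return bytes(buf)


def demo() -> tuple:
    """Returns (clean_ok, patched_jump_ok, breakpoint_ok, restored_ok)."""
    encrypted = protect_stage(STAGE2_PLAINTEXT, MAGIC_BLOCK)

    # Untouched block: CRC matches the build-time value, stage 2 decrypts correctly.
    clean = unprotect_stage(encrypted, MAGIC_BLOCK)

    # JE rel32 (0F 84 ...) patched to NOP; JMP rel32 (90 E9 ...): the "jump always" edit.
    jmp_always = patch(MAGIC_BLOCK, 0, b"\x90\xe9")
    patched = unprotect_stage(encrypted, jmp_always)

    # Software breakpoint: the debugger writes INT3 (0xCC) over the first byte of an instruction.
    with_bp = patch(MAGIC_BLOCK, 6, b"\xcc")
    bp = unprotect_stage(encrypted, with_bp)

    # Restoring the original bytes before the CRC runs makes decryption succeed again.
    restored = patch(jmp_always, 0, MAGIC_BLOCK[:2])
    rest = unprotect_stage(encrypted, restored)

    return (stage_is_valid(clean), stage_is_valid(patched), stage_is_valid(bp), stage_is_valid(rest))


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False, True)
```

The point for a protection designer is that the integrity check and the key derivation are the same computation: nothing compares a checksum against a stored value that could be patched out, the wrong bytes simply produce a wrong key. A single INT3 is enough to break it, which is why a breakpoint inside such a block has to be cleared before the checksum runs.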

_InSaNe_
August 23rd, 2007, 07:41
Ok, found the OEP. If you want a tut on how I did it, I can, but I DIDN'T unpack it, please don't get mad at me because the import table is really fu***d up. However I will try my best to unpack it completely; now the problem is that when you click to register the lamer, a new thread executes, and when I attach a new instance of Olly to the thread, I can't really make much of it.
Problem: Is it possible to keygen Armadillo protection? I have read that only a keygen made, or rather serials (3 of them), are the only achievements so far, and that the Arma people think it's because the person in question (who made those serials) is in possession of a very strong computer????? (I read it somewhere at Fravia's.)
Illuminate the blurriness I am surrounded with.
Regards,
_InSaNe_

deroko
August 23rd, 2007, 08:40
What's the problem with the import table? Is it shuffled, so ImpRec can't fix it, or something else?

LLXX
August 23rd, 2007, 17:46
Either imports redirection is being used or you're just doing it wrong.

Nearly all programs will make API calls to GetCommandLineA / GetModuleHandle / etc. a short while after OEP. If it's a direct call into the kernel, you'll probably need a loader. If it's a call [xxxxxxxx], go to xxxxxxxx and if the region around it is full of similar-valued dwords all pointing into the kernel or other DLLs, ImpRec will work; else it's also loader time.

_InSaNe_
August 26th, 2007, 10:45
Of course import redirection is being used. Let me tell you what progress I have made so far.
Armadillo version (I think I know the correct version now) is v4.40
Protection info: Standard
Father process -->> true
CopyMem2 -->> true (not sure, but it won't allow me to breakpoint anywhere but at returns, else code is directed to I/O instructions.)
Nanomites: not that I know of
Anti-debug: yes, uses OutputDebugStringA to crash Olly
Code splicing: not sure
When I try to find imports at OEP, ImpRec says nothing found.
Yeah, one more thing, it's the call ecx (the second one that jumps to OEP).
Ummmm, one more thing, ArmaGUI unpacked it OK, so wtf, coz I can't do it.

VINNIE
September 27th, 2007, 04:10
Aren't you supposed to detach it first? You made no mention that you had detached it, if it is indeed CopyMemII.

LLXX
September 27th, 2007, 22:02
Aren't YOU supposed to check the DATE OF THE LAST POST first?