
Olly and debugging an asm code


LaBBa
May 27th, 2009, 00:29
I'm trying to debug an application and I don't understand something about it.
Here is the code that I don't understand:

Code:

0050426D 5D POP EBP
0050426E C745 FC 020000>MOV DWORD PTR SS:[EBP-4],2
00504275 E5 02 IN EAX,2 ; I/O command
00505277 . C745 FC FEFFFF>MOV DWORD PTR SS:[EBP-4],-2


When I reach the 00504275 IN EAX,2 command with Olly and execute it (step), I get thrown to some place in ntdll.

If I NOP the command, then I get to a message that lets me know that a debugger was found.

Any idea?

evlncrn8
May 27th, 2009, 02:26
IN is a privileged instruction, thus, when executed from ring 3, it will cause an exception (which is probably handled in your case by an exception handler in the code),
so it probably works like this:

<no debugger>
code -> executes the IN EAX, 2 instruction -> seh is hit -> seh adjusts the eip, sets flags or whatever to say no debugger was found and carries on...

<debugger>

code -> executes the IN EAX, 2 instruction -> seh is NOT hit -> thus, flags are not hit etc, nopping the instruction will definitely not cause the seh to be activated -> flags not set = debugger found...

evaluator
May 27th, 2009, 02:57
So! You should continue tracing in ntdll for the previously installed handler.

LaBBa
May 27th, 2009, 07:26
OK.. got it.. thanks..
I hate this target.. it's a crackme with many debug tricks and it is an MD5 crypto..

arc_
May 27th, 2009, 07:28
Read up about SEH chains and the CONTEXT structure that exception handlers get passed. Once you've done that, debug your target again and run it up to just before the "in" instruction. Find the current top-level SEH record and make sure the exception handler that it points to is actually part of your target program, and not of some Windows dll. Place a breakpoint on the handler and step over the "in" - an exception gets thrown and given to Olly, press shift-F9 to pass it to the debuggee (i.e. its SEH chain). You will break in the exception handler that you placed a breakpoint in. Now look closely at what the handler does. As evlncrn8 said, it will probably modify the eip field in the CONTEXT structure and continue normal program execution at a different address.
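To see concretely what evlncrn8 and arc_ describe (a privileged instruction faults, the handler rewrites the saved instruction pointer in the context record and resumes elsewhere, and skipping the instruction means the handler never runs), here is an added example that is not part of the thread and not the crackme's code. It is the POSIX analogue on x86-64 Linux: the SIGSEGV handler plays the role of the SEH handler and the ucontext_t mcontext stands in for the Win32 CONTEXT structure. The labels in_site and resume_after_in, the flag handler_ran and the function run_probe are my own names, and the fallback value 16 for REG_RIP is the gregs[] index used by glibc on x86-64.

```c
/* Added example (not from the thread): POSIX/Linux x86-64 analogue of the
 * SEH trick discussed above. "in al, 2" is privileged (IOPL is 0 in user
 * mode), so the CPU raises #GP and the kernel delivers SIGSEGV. The handler
 * records that it ran and rewrites the saved instruction pointer, which is
 * what an SEH handler does with CONTEXT.Eip on Windows. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#if !defined(__x86_64__) || !defined(__linux__)
#error "This example assumes x86-64 Linux"
#endif

#ifndef REG_RIP
#define REG_RIP 16 /* index of rip in gregs[] on x86-64 glibc (assumption) */
#endif

/* Labels emitted by the inline asm below: the address of the faulting
 * instruction and the address execution should continue from. */
extern char in_site[], resume_after_in[];

static volatile sig_atomic_t handler_ran = 0;

static void fault_handler(int sig, siginfo_t *info, void *raw_ctx)
{
    ucontext_t *ctx = (ucontext_t *)raw_ctx;
    (void)info;

    /* Only handle the fault we expect; anything else falls back to the
     * default action so a genuine crash is not silently swallowed. */
    if (ctx->uc_mcontext.gregs[REG_RIP] != (greg_t)in_site) {
        signal(sig, SIG_DFL);
        return;
    }
    handler_ran = 1;
    /* The "adjust eip and carry on" step: resume after the IN. */
    ctx->uc_mcontext.gregs[REG_RIP] = (greg_t)resume_after_in;
}

/* Executes the privileged instruction; must not be inlined because the asm
 * defines global labels and may only be emitted once. */
__attribute__((noinline)) static void execute_privileged_in(void)
{
    __asm__ volatile(
        ".globl in_site\n\t"
        "in_site:\n\t"
        "inb $2, %%al\n\t"          /* IN AL,2: faults in ring 3 */
        ".globl resume_after_in\n\t"
        "resume_after_in:\n\t"
        : : : "rax", "memory");
}

static int install_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Runs the check the way the protected program would. With execute_in == 0
 * the instruction is skipped, which is what NOPing it in the debugger does:
 * no fault, no handler, flag never set. Returns 1 when the handler ran
 * (the "no debugger" path), 0 when it did not, -1 on setup failure. */
int run_probe(int execute_in)
{
    if (install_handler() != 0)
        return -1;
    handler_ran = 0;
    if (execute_in)
        execute_privileged_in();
    return handler_ran ? 1 : 0;
}

int main(void)
{
    printf("IN executed: handler ran = %d\n", run_probe(1));
    printf("IN skipped (NOPed): handler ran = %d\n", run_probe(0));
    return 0;
}
```

When tracing the real target, the equivalent of the `gregs[REG_RIP] = resume_after_in` line is what to look for in the handler arc_ tells you to break on: a write to the Eip field of the CONTEXT record, usually preceded by a check that the exception came from the expected address.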