
Question about Themida and Debugging.


pigmeu
July 22nd, 2009, 13:54
Hi, I'm trying to find an algorithm inside a program, but when I trace until a specified call and run the program, it stays running indefinitely. When I pause the execution, the program stops in the ntdll.dll module at the following address:
Code:

7C90E510 >/$ MOV EDX,ESP
7C90E512 |. SYSENTER
7C90E514 >\$ RETN ; I stop here after Pause.

Stack:
02C0FA14 7C90DF5A RETURN to ntdll.ZwWaitForSingleObject+0C
02C0FA18 7C91B24B RETURN to ntdll.7C91B24B from ntdll.ZwWaitForSingleObject
02C0FA1C 00000140
02C0FA20 00000000
02C0FA24 00000000
02C0FA28 004B7364 test.004B7364

Caller1 : Setting a BP on 7C90DF4E never breaks:
7C90DF4E >/$ MOV EAX,10F
7C90DF53 |. MOV EDX,7FFE0300
7C90DF58 |. CALL DWORD PTR DS:[EDX]
7C90DF5A \. RETN 0C


If I try to trace with F7/F8 at 7C90E514 RETN, I get the following error message:
Debugged program set single step flag (bit T in EFL). I don't know how to step command at address 7C90E514 correctly. Try to set breakpoint on next command and run.

I already checked the places it returns to, but it seems that code is not being called, because I already set a BP on it and the program never breaks.
Can anybody give me ideas on how to solve this issue?
I use Windows XP SP3 + OllyDbg.



My second question is about Themida features. I want to know which Themida feature is being used in the following code (Virtual Machine, Code Replace, both, or none?) :devil:
Code:

;proc1
0040B490 PUSH EBP
0040B491 MOV EBP,ESP
0040B493 SUB ESP,40
0040B496 PUSH EBX
0040B497 PUSH ESI
0040B498 PUSH EDI
0040B499 JMP 00672694 ; go to proc2
0040B49E DB D6
0040B49F DB FE
0040B4A0 DB 96
...

;proc2
00672694 PUSH 33AAF500
00672699 JMP 00658E1A ; go to proc3
0067269E DB B1
0067269F DB D6
006726A0 DB 1F
006726A1 DB EC

;proc3
00658E1A PUSH 0
00658E1C PUSHFD
00658E1D PUSHAD
00658E1E NOP
00658E1F NOP
00658E20 CALL 00658E25 ; test.00658E25
00658E25 POP EBP
00658E26 SUB EBP,63A2E11
00658E2C NOP
00658E2D NOP
00658E2E MOV EAX,63BD0E6
00658E33 ADD EAX,EBP
00658E35 PUSH EAX
00658E36 MOV ESI,DWORD PTR SS:[EBP+6221321]
00658E3C MOV EBX,1
00658E41 LEA EAX,DWORD PTR DS:[ESI+33C]
00658E47 LOCK XCHG BYTE PTR DS:[EAX],BL ; LOCK prefix
00658E4A OR BL,BL
00658E4C JNZ SHORT 00658E50 ; test.00658E50
00658E4E JMP SHORT 00658E60 ; test.00658E60
00658E50 PUSHAD
00658E51 PUSH 0
00658E53 CALL DWORD PTR SS:[EBP+6222321]
00658E59 POPAD
00658E5A JMP SHORT 00658E47 ; test.00658E47
00658E5C JMP SHORT 00658E2E ; test.00658E2E
00658E5E JMP SHORT 00658E67 ; test.00658E67
00658E60 POP EAX
00658E61 MOV DWORD PTR DS:[ESI+3E0],EAX
00658E67 MOV EAX,95
00658E6C MOV DWORD PTR DS:[ESI+350],EAX
00658E72 MOV DWORD PTR SS:[ESP+24],6228457
00658E7A ADD DWORD PTR SS:[ESP+24],EBP
00658E7E POPAD
00658E7F POPFD
00658E80 RETN
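
Worked example for the first question, added here and not code from the thread or the poster. It parses the stack dump pasted above and reads the syscall's arguments off it: the frame marked "RETURN to ... from ntdll.ZwWaitForSingleObject" is the return address into the stub's caller, and with stdcall the arguments sit directly above it (the stub's RETN 0C says there are three). The argument names come from the documented NtWaitForSingleObject prototype; the prototype table holds only that one entry and is an assumption for anything else.

```python
"""Decode an OllyDbg stack dump of a thread parked in a Zw* syscall.

Added example, not code from the thread. Input: the stack lines from the post. The
frame 'RETURN to X from ntdll.ZwYyy' is the return address into the stub's caller, and
with stdcall the call's arguments sit directly above it; the stub's RETN 0C says there
are three. Argument names follow the documented NtWaitForSingleObject prototype.
"""
import re

# Stack dump copied from the post (sample input).
STACK_DUMP = """\
02C0FA14 7C90DF5A RETURN to ntdll.ZwWaitForSingleObject+0C
02C0FA18 7C91B24B RETURN to ntdll.7C91B24B from ntdll.ZwWaitForSingleObject
02C0FA1C 00000140
02C0FA20 00000000
02C0FA24 00000000
02C0FA28 004B7364 test.004B7364
"""

# Documented prototypes for the stubs this decoder knows about (extend as needed).
PROTOTYPES = {"ZwWaitForSingleObject": ("Handle", "Alertable", "Timeout")}
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+([0-9A-F]{8})(?:\s+(.*))?$")
CALLER_RE = re.compile(r"RETURN to \S+ from ntdll\.(Zw\w+)")

def parse_stack(dump):
    """[(address, dword, comment)], lowest address (top of stack) first."""
    frames = []
    for m in filter(None, map(LINE_RE.match, dump.splitlines())):
        frames.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3) or ""))
    return frames

def decode_syscall_frame(frames):
    """Locate the caller's return slot and read the syscall's stdcall arguments above it."""
    for i, (_addr, _val, comment) in enumerate(frames):
        m = CALLER_RE.search(comment)
        if not m:
            continue
        name = m.group(1)
        names = PROTOTYPES.get(name)
        if names is None:
            return {"function": name, "args": None}
        args = dict(zip(names, (frames[i + 1 + k][1] for k in range(len(names)))))
        result = {"function": name, "args": args}
        if name == "ZwWaitForSingleObject":
            # Timeout is a PLARGE_INTEGER; a NULL pointer means wait forever, so the
            # thread does not come back from SYSENTER until someone signals the handle.
            result["infinite_wait"] = args["Timeout"] == 0
        return result
    return None
```

On the dump above this yields Handle = 140, Alertable = 0, Timeout = NULL: the thread that was paused is blocked in an infinite wait on handle 140, which is why pausing always lands on the RETN after SYSENTER and why a breakpoint on the stub entry at 7C90DF4E, already passed, never hits again.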

anom
July 22nd, 2009, 15:57
That code definitely is virtualized. 33AAF500 is the decryption key/bytecode and the RISC VM starts at 00658E1A. That's at least what I can tell; it might not be much, though.
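
An added example (not anom's or the poster's code) that follows the proc2 trampoline from the listing above and resolves the delta-offset addressing in proc3, so the addresses the stub actually touches and the one the final RETN lands on come out in the clear. Its only input is proc2/proc3 with OllyDbg's column markers stripped; every address it produces is 32-bit arithmetic on the listing, not something observed in the debugger, and what the pushed constant means is left as anom states it.

```python
"""Follow a Themida-style trampoline and resolve where its delta-offset stub returns.

Added example, not code from the thread. Input: the poster's proc2/proc3 listing with
OllyDbg's column markers stripped (proc2 is where the JMP at 0040B499 lands). Emulates
CALL $+5 / POP EBP / SUB EBP,imm and the write to the [ESP+24] return slot (the PUSH 0
slot above PUSHFD+PUSHAD); 32-bit modular arithmetic; results are computed, not observed.
"""
import re

LISTING = """\
00672694 PUSH 33AAF500
00672699 JMP 00658E1A
00658E1A PUSH 0
00658E1C PUSHFD
00658E1D PUSHAD
00658E1E NOP
00658E1F NOP
00658E20 CALL 00658E25
00658E25 POP EBP
00658E26 SUB EBP,63A2E11
00658E2C NOP
00658E2D NOP
00658E2E MOV EAX,63BD0E6
00658E33 ADD EAX,EBP
00658E35 PUSH EAX
00658E36 MOV ESI,DWORD PTR SS:[EBP+6221321]
00658E3C MOV EBX,1
00658E41 LEA EAX,DWORD PTR DS:[ESI+33C]
00658E47 LOCK XCHG BYTE PTR DS:[EAX],BL
00658E4A OR BL,BL
00658E4C JNZ SHORT 00658E50
00658E4E JMP SHORT 00658E60
00658E50 PUSHAD
00658E51 PUSH 0
00658E53 CALL DWORD PTR SS:[EBP+6222321]
00658E59 POPAD
00658E5A JMP SHORT 00658E47
00658E5C JMP SHORT 00658E2E
00658E5E JMP SHORT 00658E67
00658E60 POP EAX
00658E61 MOV DWORD PTR DS:[ESI+3E0],EAX
00658E67 MOV EAX,95
00658E6C MOV DWORD PTR DS:[ESI+350],EAX
00658E72 MOV DWORD PTR SS:[ESP+24],6228457
00658E7A ADD DWORD PTR SS:[ESP+24],EBP
00658E7E POPAD
00658E7F POPFD
00658E80 RETN
"""

MASK = 0xFFFFFFFF
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+(.+?)\s*$")
IMM = re.compile(r"[0-9A-F]+")                 # OllyDbg prints immediates as bare hex
EBP_REF = re.compile(r"\[EBP\+([0-9A-F]+)\]")  # operand relative to the computed base

def parse_listing(text):
    """{address: (mnemonic, operands)}; a LOCK prefix stays a mnemonic of its own."""
    insns = {}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        mnem, _, ops = m.group(2).partition(" ")
        insns[int(m.group(1), 16)] = (mnem, ops)
    return insns

def follow_trampoline(insns, start):
    """Follow blocks that are only PUSH imm32 + JMP; return (pushed immediates, real stub entry)."""
    addrs, pushes, pc = sorted(insns), [], start
    while True:
        block, cur = [], pc
        while insns[cur][0] == "PUSH" and IMM.fullmatch(insns[cur][1]):
            block.append(int(insns[cur][1], 16))
            cur = addrs[addrs.index(cur) + 1]
        mnem, ops = insns[cur]
        if mnem != "JMP" or ops.startswith("SHORT"):
            return pushes, pc
        pushes += block
        pc = int(ops, 16)

def resolve_dispatch(insns, entry):
    """Linear scan from `entry` tracking EBP and the [ESP+24] slot (not a flow-following emulator)."""
    ebp, slot, pending, refs, spin = None, None, None, {}, False
    for a in [x for x in sorted(insns) if x >= entry]:
        mnem, ops = insns[a]
        m = EBP_REF.search(ops)
        if m and ebp is not None:             # every [EBP+disp] is a fixed address in the image
            refs[a] = (ebp + int(m.group(1), 16)) & MASK
        if mnem == "CALL" and IMM.fullmatch(ops):
            pending = int(ops, 16)            # CALL $+5 pushes the address of the next instruction
        elif mnem == "POP" and ops == "EBP":
            ebp = pending                     # ... which POP EBP picks up
        elif mnem == "SUB" and ops.startswith("EBP,"):
            ebp = (ebp - int(ops[4:], 16)) & MASK
        elif mnem == "LOCK":
            spin = True                       # byte spinlock on the VM context (ESI+33C)
        elif mnem == "MOV" and ops.startswith("DWORD PTR SS:[ESP+24],"):
            slot = int(ops.split(",")[1], 16)
        elif mnem == "ADD" and ops == "DWORD PTR SS:[ESP+24],EBP":
            slot = (slot + ebp) & MASK
        elif mnem == "RETN":
            return {"base": ebp, "target": slot, "refs": refs, "spinlock": spin}
```

On this listing `follow_trampoline(parse_listing(LISTING), 0x00672694)` returns the single pushed constant 33AAF500 and the stub entry 00658E1A, and `resolve_dispatch` gives EBP = FA2B6014 after the SUB, so [EBP+6221321] and [EBP+6222321] are 004D7335 and 004D8335 in the test image and the value written over the PUSH 0 slot is 004DE46B. The POPAD/POPFD/RETN sequence is therefore an indirect jump to 004DE46B with 33AAF500 left on top of the stack for the code there; the [ESP+24] offset holds because the PUSH EAX at 00658E35 is popped again before the write.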

quosego
July 24th, 2009, 15:52
Your first problem is likely to be CodeEncrypt; it behaves the same way when you don't fix it but do dump it. (It requires the Oreans memory-loaded DLLs.)
It's a pretty easy function; just read my tutorial about it to fix it. It should not behave like that, though, when just running normally.

pigmeu
July 26th, 2009, 04:31
Thanks for the replies.
quosego, since I couldn't manage to run the unpacked version of this target, I'm running it inside OllyDbg using my own OllyScript that fixes the IAT jumps and breaks on the OEP.
Regarding the code I mentioned, before reaching it I needed to kill all Themida threads, because that was the only working way I found to break on a new thread created by this target app. (Using Debug > Break on New Thread did not work properly because I got strange results, and when setting a BP on the entry point of the thread proc, the application does not break on it instantly because the other Themida threads had priority ...) Is this the case?