
View Full Version : bug exception handler


Anonymous
November 21st, 2002, 01:32
In this crackme, this code
http://www.southernlabs.com/gameroom/Decoding/Win32/Tutorials/CrackedPad.zip

0040C042 > B8 00C04000 MOV EAX,CRAKPAD.0040C000
0040C047 68 9A7C4000 PUSH CRAKPAD.00407C9A
0040C04C 64:FF35 00000000 PUSH DWORD PTR FS:[0]
0040C053 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
0040C05A 66:9C PUSHFW
0040C05C 60 PUSHAD

installs an exception handler,

here

0040C0F5 A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]

the program produces the exception and OLLY loses it, and if you press SHIFT + F7 it goes to an error; in trw2000 and sice, it goes to 407c9a


I think in

0040C05A 66:9C PUSHFW
0040C05C 60 PUSHAD

in these instructions OLLY loses the exception handler, and if there is an exception it is not handled by Shift + F7.

Ricardo Narvaja

TBD
November 21st, 2002, 07:10
Ricardo Narvaja: Olly's response:
"I don't understand the problem. MOVSB command above produces an exception, that's clear. User wants the program to process this exception and presses Shift+F7 - a shortcut for "Step into passing exception to handler". When I try this under NT 4.0 SP5, OllyDbg executes exactly one command of KiUserExceptionDispatcher and correctly pauses on the next command. Then I set breakpoint on the custom dispatcher (407c9A) and run program (F9). As expected, this breakpoint is immediately hit."
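
The prologue shown in the first post and the dispatch path Olly describes in the reply (fault in MOVSB, one command of KiUserExceptionDispatcher, then the handler at 407c9A), as an added example that is not code from the thread or from the crackme: a minimal Win32 program that installs a frame-based SEH record with the same three instructions (push handler, push FS:[0], mov FS:[0],ESP), faults in MOVSB by writing to the null page, and resumes after the faulting instruction by patching CONTEXT.Eip from the handler. The assumed toolchain is NASM plus a 32-bit MinGW gcc; the labels `handler` and `after_fault`, the byte at `src` and the build line are this example's own choices. The second problem raised later in the thread (the FS:[1C]/FS:[22] reads) is not covered here.

```nasm
; Added example (not from the thread or the crackme).
; Assumed build (32-bit MinGW): nasm -f win32 seh.asm && gcc -m32 seh.obj -o seh.exe

global _main
extern _ExitProcess@4

section .data
src:    db 'A'                        ; constructed: one readable byte for MOVSB to copy

section .text
_main:
    ; --- same three steps as 0040C047..0040C053 in the crackme ---
    push dword handler                ; EXCEPTION_REGISTRATION.Handler
    push dword [fs:0]                 ; EXCEPTION_REGISTRATION.Next = current chain head
    mov  [fs:0], esp                  ; new chain head is this record (it lives on the stack)

    mov  esi, src                     ; DS:[ESI] is readable
    xor  edi, edi                     ; ES:[EDI] = 0: the null page is never mapped on Win32
    movsb                             ; write to address 0 -> access violation
                                      ; -> KiUserExceptionDispatcher -> handler below
after_fault:
    ; The handler pointed EIP here; ESP is the one saved at the fault, so the
    ; registration record is still on top of the stack.
    pop  dword [fs:0]                 ; unlink: restore the previous chain head
    add  esp, 4                       ; discard the Handler slot
    push 0
    call _ExitProcess@4

; EXCEPTION_DISPOSITION __cdecl handler(EXCEPTION_RECORD *rec, void *frame,
;                                       CONTEXT *ctx, void *dispatcher)
; On entry: [esp+4]=rec  [esp+8]=frame  [esp+0Ch]=ctx  [esp+10h]=dispatcher
handler:
    mov  eax, [esp+0Ch]               ; CONTEXT*
    mov  dword [eax+0B8h], after_fault ; CONTEXT.Eip (x86 CONTEXT, offset 0xB8) = resume point
    xor  eax, eax                     ; ExceptionContinueExecution (0)
    ret                               ; the dispatcher resumes via NtContinue with the patched context
```

Run it under OllyDbg and the MOVSB stops the debugger first (first-chance exception); Shift+F7 or F9 passes the exception to the program, and a breakpoint on `handler` is then hit just as Olly describes for 407c9A. On current Windows the handler must live inside the image, not on the stack, and a module built with SafeSEH would additionally need the handler listed in its handler table; a MinGW-linked image has no such table, so the above is accepted as-is.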

Ricardo Narvaja
November 21st, 2002, 09:02
Sorry, the error is here,
for the value in FS:[22]

00407DA6 66:64:8B35 1C0>MOV SI,WORD PTR FS:[1C]
00407DAE 66:0FBAF6 00 BTR SI,0
00407DB3 66:64:0335 220>ADD SI,WORD PTR FS:[22]

it encrypts and produces an error because of FS:[22]; this is another problem and it confuses me

Sorry
Ricardo Narvaja

TBD
November 21st, 2002, 23:11
ricnar456: I don't see the problem. Here are my steps:
F9, SHIFT+F7, CTRL+G (406231), F4, CTRL+A (analyze SMC), CTRL+G(401000 - real OEP), New origin here

or, if you have an NT-based OS, breakpoint on kernel32.GetLocalTime, ALT+K (see who called this API), F4, CTRL+G(401000 - real OEP), New origin here

Anonymous
November 22nd, 2002, 00:19
In W98, FS:[22] isn't 0 (zero), and with this value it encrypts in

00407DB3 66:64:0335 220>ADD SI,WORD PTR FS:[22]

and it doesn't run if you don't NOP this instruction, thanks.

Ricardo