Olly open file but don't stop to EP!
djneo
August 11th, 2004, 02:58
Hello, it's my first message to this forum and I would like to greet Ricardo for his tuts, which are really good!
My problem is a prog that, when loaded in OllyDbg, directly starts and raises an invalid lock sequence exception. When I want to bypass this, I get the message "unable to debug this program" and it terminates.
I see the instruction LOCK NOP but I don't know what it is.
How can the prog start?
PS (for Ricardo): I tried to unpack the Armadillo protection but I found different tricks.
I can detach the son from his father because there is just a WriteProcessMemory of 2 bytes; after that I can find the magic jump and rebuild the IAT, but after that there is anti-debug with a jmp into another section that doesn't dump, and it seems to have nanomites.
I'm just a newbie, so I would like to know if you can help me.
Thank you
Ricardo Narvaja
August 11th, 2004, 08:51
Well, Armadillo is not for newbies, jeje, it is very difficult.
If Olly doesn't stop, use OllyDbg 1.10, quit the plugins and try again, and if it still doesn't stop, try an old OllyDbg, 1.08 I think, and look if it stops in this program.
And there are programs that detect the debugger before reaching the OEP; it is difficult to tell if that is so.
Ricardo Narvaja
djneo
August 11th, 2004, 09:07
Thank you for your answer.
The program which is packed with Armadillo is not the same one that doesn't break at the EP.
For the Armadillo'd program, my problem is that I have to solve the nanomites and the anti-debug at the same time to have a valid dump, but it's not easy.
For the other prog, I think it is packed because all the sections have strange names.
I use OllyDbg 1.10, but I don't understand "quit the plugins and try again".
Just a little question.
If I put an int3 with a hex editor on the OEP, what is OllyDbg going to do?
Ricardo Narvaja
August 11th, 2004, 10:04
Quit the plugins: if you have plugins installed, quit them and then try again, but I think it is a trouble with version 1.10; try 1.08 or 1.09 to see if the program stops.
If you put CC at the OEP (INT3) and configure Olly in OPTIONS - JUST IN TIME DEBUGGING - MAKE OLLY JUST IN TIME DEBUGGER, then when you run the program the CC raises an exception and Olly automatically attaches to the process; replace the CC with the original byte and ready.
The same applies if you replace the first two bytes with EB FE (infinite loop): when you run the program nothing happens, attach Olly manually to the process, replace them with the original bytes and RUN.
Use Olly 1.08 or 1.09 and you will have no troubles and it stops at the start.
Ricardo Narvaja
djneo
August 11th, 2004, 11:12
The problem is not OllyDbg, it's just because the prog is packed.
When I break on an int3 and then trace a little, I see it writes into the first section. But after that there is an int1 and the debugger crashes.
Ricardo Narvaja
August 11th, 2004, 11:29
Packed or not, any program may stop at the entry point, and there are few programs that don't stop at the entry point in Olly 1.10; if you don't want to try in the other old 1.09 or 1.08 OllyDbg, don't try.
I have programs that stop at the EP in 1.08 and 1.09 and don't stop in 1.10.
Ricardo Narvaja
tigerheart
August 11th, 2004, 11:45
djneo, the problem is that the PE's section flags are not set right. I've had that problem many times before; just open LordPE (or another PE editor) and change the section flags to 'E0000060', which is for Executable as code, Readable, Writable, Contains executable code, and Contains initialized data. That should fix the problem.
Tigerheart
djneo
August 11th, 2004, 13:34
I tried with 1.09c and it's the same thing.
If I set the sections to E0000060, the prog doesn't run.
->Section Header Table
1. item:
Name: .text
VirtualSize: 0x000D7000
VirtualAddress: 0x00001000
SizeOfRawData: 0x00000000
PointerToRawData: 0x00000400
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0xE0000020
(CODE, EXECUTE, READ, WRITE)
2. item:
Name: s5w7v5wh
VirtualSize: 0x00019000
VirtualAddress: 0x000D8000
SizeOfRawData: 0x00000000
PointerToRawData: 0x00000400
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0xE0000060
(CODE, INITIALIZED_DATA, EXECUTE, READ, WRITE)
3. item:
Name: .data
VirtualSize: 0x00115000
VirtualAddress: 0x000F1000
SizeOfRawData: 0x00000000
PointerToRawData: 0x00000400
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0xC0000040
(INITIALIZED_DATA, READ, WRITE)
4. item:
Name: .rsrc
VirtualSize: 0x00088000
VirtualAddress: 0x00206000
SizeOfRawData: 0x0002B000
PointerToRawData: 0x00000400
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0xC0000040
(INITIALIZED_DATA, READ, WRITE)
5. item:
Name: 7hah8k9c
VirtualSize: 0x00012000
VirtualAddress: 0x0028E000
SizeOfRawData: 0x00000000
PointerToRawData: 0x0002B400
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0xE2000060
(CODE, INITIALIZED_DATA, DISCARDABLE, EXECUTE, READ, WRITE)
6. item:
Name: ch8fvvpj
VirtualSize: 0x00001000
VirtualAddress: 0x002A0000
SizeOfRawData: 0x00000000
PointerToRawData: 0x0002B400
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0xC0000040
(INITIALIZED_DATA, READ, WRITE)
7. item:
Name: 2b6salod
VirtualSize: 0x0004E000
VirtualAddress: 0x002A1000
SizeOfRawData: 0x00000000
PointerToRawData: 0x0002B400
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0xE0000020
(CODE, EXECUTE, READ, WRITE)
8. item:
Name: o41w0a9e
VirtualSize: 0x000DC000
VirtualAddress: 0x002EF000
SizeOfRawData: 0x000DBE30
PointerToRawData: 0x0002B400
PointerToRelocations: 0x00000000
PointerToLinenumbers: 0x00000000
NumberOfRelocations: 0x0000
NumberOfLinenumbers: 0x0000
Characteristics: 0xE0000060
(CODE, INITIALIZED_DATA, EXECUTE, READ, WRITE)
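As an added example (not code from the thread), a small Python parser for one IMAGE_SECTION_HEADER that decodes the Characteristics bits into the same names the PE editor dump above shows, and notes what a triager would flag in such a table: sections with SizeOfRawData 0 but a non-zero VirtualSize (filled at runtime by the unpacking stub) and sections that are both writable and executable. The sample header is constructed from the .text values in the dump; the flag subset and the heuristic names are this example's own.

```python
import struct
# IMAGE_SECTION_HEADER layout (40 bytes), little-endian, as in the PE spec
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40

# Subset of IMAGE_SCN_* bits, ordered by bit value to match the dump's order
SCN_FLAGS = [
    (0x00000020, "CODE"),
    (0x00000040, "INITIALIZED_DATA"),
    (0x00000080, "UNINITIALIZED_DATA"),
    (0x02000000, "DISCARDABLE"),
    (0x20000000, "EXECUTE"),
    (0x40000000, "READ"),
    (0x80000000, "WRITE"),
]

def decode_characteristics(value):
    """Return the names of the flag bits set in a Characteristics DWORD."""
    return [name for bit, name in SCN_FLAGS if value & bit]

def parse_section_header(raw):
    """Parse one 40-byte IMAGE_SECTION_HEADER into a dict."""
    (name, vsize, vaddr, rawsize, rawptr, _relptr, _lnptr,
     _nrel, _nln, chars) = struct.unpack(SECTION_HEADER_FMT, raw[:SECTION_HEADER_SIZE])
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "virtual_size": vsize,
        "virtual_address": vaddr,
        "size_of_raw_data": rawsize,
        "pointer_to_raw_data": rawptr,
        "characteristics": chars,
        "flags": decode_characteristics(chars),
    }

def build_section_header(name, vsize, vaddr, rawsize, rawptr, chars):
    """Pack a header; used only to construct the sample input below."""
    return struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"),
                       vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)

def packer_indicators(sec):
    """Observations a triager would note: runtime-filled and W+X sections."""
    notes = []
    if sec["size_of_raw_data"] == 0 and sec["virtual_size"] != 0:
        notes.append("no raw data on disk but non-zero VirtualSize (filled at runtime)")
    if "WRITE" in sec["flags"] and "EXECUTE" in sec["flags"]:
        notes.append("writable and executable (self-modifying code possible)")
    return notes

# Constructed sample: the .text section values from the dump in the thread
SAMPLE_TEXT = build_section_header(b".text", 0xD7000, 0x1000, 0, 0x400, 0xE0000020)
```

Feeding the other headers from the dump through `parse_section_header` reproduces their flag lists; every section except .rsrc and the last one carries the runtime-filled indicator.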
Ricardo Narvaja
August 11th, 2004, 14:20
The problem starts in version 1.09c; try 1.09b or lower.
Ricardo
djneo
August 11th, 2004, 14:29
I tried with the 1.08b version but it's exactly the same thing.
If I uncheck all the boxes in the Exceptions tab, the first break is at the int3.
After that the code copies data into the first section, and after that there is
INVALID LOCK SEQUENCE with LOCK INT3 and code F0:F1
Ricardo Narvaja
August 11th, 2004, 14:56
Well, sorry.
Ricardo Narvaja
djneo
August 11th, 2004, 14:58
Really strange, this protection: no detector recognizes the protection, so I think it's a manual protection.
I'm not good enough for that.
But what does the prog do when there is an int3 and no debugger?
Ricardo Narvaja
August 11th, 2004, 15:50
It executes the exception (RING0) and when it returns to RING 3 the next line executed is the SEH handler.
Ricardo