
[renamed] debugging tips


Snowski
April 16th, 2005, 02:30
Greetz to all,

I have a question about Armadillo and COPYMEM-II: How can I determine that my target is packed using the COPYMEM-II feature?

What are the signals I should look for, if any?

I have noticed that if I run my target, it opens twice (I can see that in TaskManager)...does that mean the target is packed using COPYMEM-II?

Thanks in advance for your reply.

Snowski
April 16th, 2005, 03:16
Hmmm, just discovered that a file packed with Armadillo 4.XX without COPYMEM-II also appears twice in the Task Manager...so forget my last statement in the previous post...

First question still stands...how to determine if file was packed using COPYMEM-II?

Ricardo Narvaja
April 16th, 2005, 04:28
Yes, if there are two processes with the same name, it is COPYMEM2.

Ricardo Narvaja

Snowski
April 16th, 2005, 04:31
Hi Ricardo,

I am truly enjoying your tutorials by the way, thanks a lot, great work!

That is indeed what I thought...however, in the tutorial called "82-ARMADILLO sin copymem2 FOR DUMMIES ENGLISH PROGRAMA BACKUP por TENSHIN.rar ", I read the following:

"Once you load BKFD.exe in OllyDbg, run it and go to File, Attach. You will see only one process with that name, and it is red colored. This is the proof that shows us that it's neither Copymem II protected nor Namite."

I did this to my target, and I see only 1 process running...

But in Task Manager, when I run the target, I see two programs running...so is it COPYMEM II or not...?

Thanks again for all your help, Ricardo!

Snowski
April 16th, 2005, 04:44
Just to clarify, here are the first lines in Olly before hitting start:

0043D000 > 60 PUSHAD
0043D001 E8 00000000 CALL HTC_new.0043D006
0043D006 5D POP EBP
0043D007 50 PUSH EAX
0043D008 51 PUSH ECX
0043D009 0FCA BSWAP EDX
0043D00B F7D2 NOT EDX
0043D00D 9C PUSHFD
0043D00E F7D2 NOT EDX
0043D010 0FCA BSWAP EDX
0043D012 EB 0F JMP SHORT HTC_new.0043D023
0043D014 B9 EB0FB8EB MOV ECX,EBB80FEB
0043D019 07 POP ES ; Modification of segment register
0043D01A B9 EB0F90EB MOV ECX,EB900FEB
0043D01F 08FD OR CH,BH
0043D021 EB 0B JMP SHORT HTC_new.0043D02E
0043D023 F2: PREFIX REPNE: ; Superfluous prefix
0043D024 ^EB F5 JMP SHORT HTC_new.0043D01B

If I run the program (F9), I get:

Don't know how to bypass command at address 004465C5. Try to change EIP or pass exception to program.
(I do know how to get around this.)

If I push Shift+F9, OllyDbg closes. Armadillo uses a bug (overflow) in Olly to crash Olly.
(I do know how to get around this.)

The strange thing is that I have these extra lines at the START of my code:

0043D009 0FCA BSWAP EDX
0043D00B F7D2 NOT EDX
0043D00D 9C PUSHFD
0043D00E F7D2 NOT EDX
0043D010 0FCA BSWAP EDX

I do not see these in any of the tutorials...looks like a new version of Armadillo was used here, possibly version 4.10...

Snowski
April 16th, 2005, 06:53
Alright...bypassed the ARMADILLO triggers:

"Don't know how to bypass command at address 004465C5. Try to change EIP or pass exception to program. "

No problem there...Shift+F9 does the trick just fine, and thanks to the bugfix in Olly, OllyDbg does not crash...

On to the next step: How to find the "son" and dump it...The current methods posted in manuals do not appear to work.

Adding the "BP WriteProcessMemory" before the first run (F9) results in that bypass exception error...HELP!

Ricardo Narvaja
April 16th, 2005, 11:38
Use HE, not BP (hardware breakpoint on execution). The manual works perfectly; there are only minor changes.

Ricardo

Snowski
April 16th, 2005, 14:24
Alright, I have tried the HE method as well (HE CreateThread)...as shown in your tutorials, but F9 will give me the "Don't know how to bypass....." dialog box.

SHIFT+F9 will run nicely, but NOT break...

Also did a search for all referenced text strings, looking for "Don't know how to...", but no strings found.

Am I using the wrong HE?

--------------

Another interesting thing is that when I look in Memory (M), there is no CODE section. So I set "memory breakpoint on access" on .data (this is the first after the PE).

Again, no breaking...grrr.

My main quest: How can I find the OEP....?

Ricardo Narvaja
April 16th, 2005, 14:48
CreateThread is only for one-process (not copymem2) Armadillos, and in the newer Armadillos it doesn't work.

The string "don't know how to bypass" is a message of Olly.

If you read all my tutorial on the last Armadillo with destruction of table, there are the instructions for repairing the illegal instruction bug of Olly.

.data or code is the same; it is the first section next to the header.

The goal is that you learn different methods and try for yourself, not make a point-to-point read of the tut; the versions change and all programs are not the same. Only learn different possibilities and try; the good unpacker always adapts to the situation.

Ricardo

Snowski
April 16th, 2005, 16:01
Very true Ricardo...thanks.

I try and combine different options and solutions...your tuts are very handy for this (although I do not speak Spanish).

Repairing the bug in Olly is not the problem. You can do that manually or just use RE-Pair that fixes the buffer overflow vulnerability in OllyDbg.

Finding the OEP is my big challenge...but I hope I get there...I will keep digging, and learning!


Ricardo Narvaja
April 16th, 2005, 16:27
But this is ANOTHER bug; an ILLEGAL EXCEPTION bug is different.


Ricardo

Snowski
April 16th, 2005, 16:53
Hmmm, indeed, of course...! I must be tired. Been at this all day now.

How can I not see that...thanks!

There is hope...

Snowski
April 20th, 2005, 12:39
Hi Ricardo,

Great news...I have been able (finally!) to get the program to break on the point where it starts to write 1000 bytes to the child...!

So it is a COPYMEM-II problem with 1000 bytes method!

Thanks for all your help.

When I am done with the unpacking (fixing tables etc), I will post a complete tutorial.

1bitshort
April 21st, 2005, 09:04
> have been able (finally!) to get the program to break on
> the point where it starts to write 1000 bytes to the child...!

Is that just a breakpoint on WriteProcessMemory?

Snowski
April 21st, 2005, 09:15
Actually, if you BP first on WaitForDebugEvent, you will land there in BP WriteProcessMemory.

I managed to circumvent the BP WaitForDebugEvent, and now it lands on BP WriteProcessMemory, writing two bytes: EB FE (LOOP!)

If you then hit F9 again, it stops at 60 E8 (again two bytes). I have changed those to EB FE as well...to make the parent loop infinitely.
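Two things in this thread come down to how a short x86 jump is encoded: the JMP SHORT lines in the OllyDbg listing Snowski posted (EB 0F, EB 0B and ^EB F5, whose targets Olly resolves for you) and the two bytes EB FE mentioned in the last post, which decode as a JMP SHORT to their own address, i.e. a two-byte infinite loop. The following Python script is an added example, not code from the thread or from any tool it mentions; it decodes opcode EB rel8 (target = address of the next instruction + sign-extended rel8) and checks the result against the targets printed in the listing. The listing text is copied from the thread as sample input; the parsing of OllyDbg's ">" and "^" markers is my own assumption about that output format.

```python
import re

# Sample input: the first lines Snowski posted from OllyDbg (copied from the
# thread). ">" marks the current EIP line, "^" marks a backward jump.
OLLY_LISTING = """\
0043D000 > 60 PUSHAD
0043D001 E8 00000000 CALL HTC_new.0043D006
0043D006 5D POP EBP
0043D007 50 PUSH EAX
0043D008 51 PUSH ECX
0043D009 0FCA BSWAP EDX
0043D00B F7D2 NOT EDX
0043D00D 9C PUSHFD
0043D00E F7D2 NOT EDX
0043D010 0FCA BSWAP EDX
0043D012 EB 0F JMP SHORT HTC_new.0043D023
0043D014 B9 EB0FB8EB MOV ECX,EBB80FEB
0043D019 07 POP ES ; Modification of segment register
0043D01A B9 EB0F90EB MOV ECX,EB900FEB
0043D01F 08FD OR CH,BH
0043D021 EB 0B JMP SHORT HTC_new.0043D02E
0043D023 F2: PREFIX REPNE: ; Superfluous prefix
0043D024 ^EB F5 JMP SHORT HTC_new.0043D01B
"""


def decode_short_jmp(addr: int, rel8: int) -> int:
    """Target of 'EB rel8' (JMP SHORT): the instruction is 2 bytes long, so the
    target is addr + 2 plus rel8 sign-extended from 8 bits."""
    disp = rel8 - 0x100 if rel8 & 0x80 else rel8
    return (addr + 2 + disp) & 0xFFFFFFFF


def is_self_loop(code: bytes) -> bool:
    """True when the two bytes are EB FE: a short jump whose target is its own
    address (rel8 = -2 cancels the 2-byte instruction length)."""
    return len(code) == 2 and code[0] == 0xEB and decode_short_jmp(0, code[1]) == 0


def parse_listing(text: str):
    """Yield (address, byte tokens, raw line) for each OllyDbg listing line.
    Assumed format (from the thread): 'ADDR [>] [^]OPCODE [OPERAND-BYTES] MNEMONIC ...'."""
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        addr = int(toks[0], 16)
        rest = toks[1:]
        if rest and rest[0] == ">":          # current EIP marker
            rest = rest[1:]
        if rest and rest[0].startswith("^"):  # backward-jump marker
            rest[0] = rest[0][1:]
        yield addr, rest, line


def check_short_jumps(text: str):
    """For every JMP SHORT (opcode EB) in the listing, return
    (address, decoded target, whether it matches the target Olly printed)."""
    results = []
    for addr, toks, line in parse_listing(text):
        if not toks or toks[0] != "EB":
            continue
        target = decode_short_jmp(addr, int(toks[1], 16))
        m = re.search(r"\.([0-9A-F]{8})\s*$", line)   # e.g. HTC_new.0043D023
        listed = int(m.group(1), 16) if m else None
        results.append((addr, target, listed == target))
    return results


if __name__ == "__main__":
    for addr, target, ok in check_short_jumps(OLLY_LISTING):
        print(f"{addr:08X}: JMP SHORT -> {target:08X} {'matches listing' if ok else 'MISMATCH'}")
    print("EB FE is a self-loop:", is_self_loop(b"\xEB\xFE"))
```

Running it decodes the three short jumps to 0043D023, 0043D02E and 0043D01B, matching what OllyDbg printed, and confirms that EB FE always jumps to itself regardless of where it sits.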