
Question on Borland


DaBoo
October 28th, 2006, 12:52
Hi, I've got a question on debugging a program made with Borland C++ 1999.
This program has only one file, an EXE, and when I load it up in Olly everything seems fine until you hit F9: the program starts, then Olly says Terminated.
So I checked the file with PEiD v0.93 to see if it was packed or had a crypter, and it found none; it just says Borland C++ 1999 [Overlay]. The only thing that shows as packed is the Fast Check, but not the Entropy or EP check. Still, it acts like it is packed or has a crypter with an anti-debug, but there is a CPPDebugHook
API call being called in three spots. Do you think this call is my anti-debugger?
I did search for it on here but found no info on the call. Thanks for any info.

evlncrn8
October 28th, 2006, 13:12
Probably anti-debug; search more on the subject...
Try a bpx on ExitProcess / TerminateThread, see where it came from and backtrace...

DaBoo
October 28th, 2006, 13:18
Thanks for the reply, I'll try that.

naides
October 28th, 2006, 13:29
Daboo: Check the anti-anti-debug plugins available in the Olly forum area and see if they can avoid Olly detection for you.
Some of them allow you to activate one countermeasure at a time, so you can dissect how your prog detects Olly.

blabberer
October 28th, 2006, 13:33
Though your question doesn't make sense:

CPPdebugHook is part of the Borland C run time.

It will be there in each and every file compiled by BCC,

and Borland doesn't have any equivalent of
the /NODEFAULTLIB linker switch of VC, so you can't stop Borland from compiling that CRT in even if you don't use it.

Code:

00401000 >/$ /EB 10 JMP SHORT 00401012
00401002 | |66 DB 66 ; CHAR 'f'
00401003 | |62 DB 62 ; CHAR 'b'
00401004 | |3A DB 3A ; CHAR ':'
00401005 | |43 DB 43 ; CHAR 'C'
00401006 | |2B DB 2B ; CHAR '+'
00401007 | |2B DB 2B ; CHAR '+'
00401008 | |48 DB 48 ; CHAR 'H'
00401009 | |4F DB 4F ; CHAR 'O'
0040100A | |4F DB 4F ; CHAR 'O'
0040100B | |4B DB 4B ; CHAR 'K'
0040100C | |90 NOP
0040100D | |E9 DB E9
0040100E |. |1CA14000 DD OFFSET w2khero.___CPPdebugHook
00401012 |> \A1 0FA14000 MOV EAX, DWORD PTR DS:[40A10F]
00401017 |. C1E0 02 SHL EAX, 2
0040101A |. A3 13A14000 MOV DWORD PTR DS:[40A113], EAX
0040101F |. 52 PUSH EDX ; ntdll.KiFastSystemCallRet
00401020 |. 6A 00 PUSH 0 ; /pModule = NULL
00401022 |. E8 EF8C0000 CALL <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA

As to F9: if it is a console application, F9 means it executed and terminated,
and when the debuggee terminates the debugger will also say process terminated.

Is that what you are asking?

Next time, instead of F9ing, try F7ing till it terminates and see if you can F7 several times.

BTW, read up.

DaBoo
October 28th, 2006, 19:46
Hi, thanks for all the replies. Yes, when I run the program from within Olly the program starts up and runs, but Olly terminates the debugging and the program stays running. I tried to attach to the program while it is running and it says Bad or unknown format and breaks at DbgBreakPoint in ntdll, so I know it's an anti-debug trick, just not sure which one. I need to do a lot of stepping to find out where it's hiding.

LLXX
October 29th, 2006, 04:10
Quote:
when i run the program from with in olly the program starts up and runs but olly terminated the debugging and the program stays running
If it stays running, with Olly open, then that's not much of an anti-debug... probably a "dump-and-run". I've seen a few of these. Basically they're like a packer, only less optimised: they unpack to the temp directory or somewhere and then spawn from there. The main unpacking process then terminates, hence you observe the symptoms you described.

Load the file into a hex editor or (even better) MS-DOS EDIT in binary mode and scroll through it. If there is a large block of data toward the rear that looks compressed, it's probably what I described above.
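LLXX's hex-editor check, as an added example that is not from the thread: a small script that finds where the last PE section ends and reports the size and byte entropy of whatever follows (the "[Overlay]" PEiD flagged). The sample PE it builds is constructed for offline testing, and the 4 KiB / 7.0 thresholds are assumed heuristics, not values from the thread.

```python
import math
import struct
import sys

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 looks compressed/encrypted, near 0 is padding."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def overlay_info(data: bytes) -> dict:
    """Locate data appended past the last PE section (what PEiD calls the overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    end = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = data[end:]
    return {"overlay_offset": end, "overlay_size": len(overlay),
            "entropy": shannon_entropy(overlay)}

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE (one section, no optional header) for offline testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # 1 section, opt hdr size 0
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    img = bytes(dos) + b"PE\0\0" + coff + sec
    img += b"\0" * (0x200 - len(img)) + b"\x90" * 0x200  # pad, then the raw section bytes
    return img + overlay

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_pe(bytes(range(256)) * 32)
    info = overlay_info(data)
    print(info)
    if info["overlay_size"] > 4096 and info["entropy"] > 7.0:  # assumed heuristic thresholds
        print("large high-entropy overlay: consistent with an embedded payload")
```

Run it with a file path to check a real executable, or with no arguments to see it report the constructed sample's overlay.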

blabberer
October 29th, 2006, 05:18
Then, like litana says, it might be doing WinExec() or CreateProcess() or ShellExecute() or CreateprocessEx()
and spawning a new instance (but a new instance shouldn't hinder OllyDbg from attaching to it). BTW, it's normal for any attached process to stop on
ntdll!Debugbreak(); look at the call stack, find the user mode code that
is on the stack and break there.

DaBoo
October 29th, 2006, 08:01
Thanks for the info, I'll try all of the info you guys gave me.