Exetools  

  #1  
Old 02-12-2005, 22:39
bgrimm
F9->Shift-F9 Exception passing in Olly

Perhaps a simple "How does it work that way?" question:

I was just practicing on an ExeShield packed target and was wondering how/why OllyDbg acts differently when, after triggering a memory access violation, you hit "F9" THEN "Shift-F9": it stops program execution, but with just "Shift-F9", proggy runs off on its own.

If that didn't make much sense, I am confused on WHY this works:

For a simple unpack of an Exeshield target, I just loaded it in Olly.
Then ran it and it hit a memory access violation:

00405B52 8B00 mov eax,dword ptr ds:[eax]
00405B54 EB 01 jmp short TestApp_.00405B57

Access Violation when reading [00000000] ... blah blah blah.

Now if I hit "F9" and then pass the exception with Shift-F9, I stop one byte past the OEP and all is good.
If I just pass the exception with "Shift-F9", proggy runs and no stop... ok, whatever.

When I'm stopped at the exception and I press "F9", nothing really seems to happen; it's not appearing to trace an instruction or anything, so what does it do? <confused>

A tutorial from Hacnho had these F9-Shift-F9 steps in it but it did not really explain WHAT had happened.

Thanks,
-bg
  #2  
Old 02-13-2005, 01:42
hosiminh
Are you doing Unpackme #11 EXE Stealth v2.75a from Hacnho's unpackme section?

I unpacked it on Win 98, but for some reason I always got Exception repeating ad infinitum: Access violation when reading [0000005F], and the unpackme doesn't run within OllyDbg on Win XP SP2.
  #3  
Old 02-13-2005, 01:54
bgrimm
Quote:
Originally Posted by hosiminh
Are you doing Unpackme #11 EXE Stealth v2.75a from Hacnho's unpackme section?
No, the app in question is just a simple masm app that I encrypted with
ExeShield 0.5 by Smoke (2004), with all the anti-trace/debug options checked.

I saw Hacnho's Tutes on both Exeshield & EXE Stealth, but Exe Stealth is different and I have not looked into that protection yet.


-bg

Attached is my testapp + ExeShield 0.5.
Attached Files
File Type: zip Cryptor+Testapp.zip (11.1 KB, 12 views)
  #4  
Old 02-13-2005, 01:55
dyn!o
Those are "Pressing" tutorials... The innovation of the last two years...

"Press five times F9 + 6 times F8 + 7 times F7 + 8 times F8..... and you are done." ...so "cool".

It's like:

1. Come closer to the target.
2. Get your panties down.
3. Pull out The Master (jimmy).
4. Insert the mighty MC into the victim.
5. Middle-shake (10 times) the middle part of your body.
6. Hard-shake (6 times) the middle part of your body.
7. Ultra-shake (3 times) the middle part of your body.
8. Get out. You are done.

Hmm...

Regards.
  #5  
Old 02-13-2005, 04:38
bgrimm
Question is not protection, but Olly

I guess to rephrase the question: I'm not wondering about how the protection/unpacking works, it's what OllyDbg is doing with the extra F9 <run program> command and then hitting the Shift-F9 <pass exception & run> command.

For example, I tried the same commands in Olly on an app protected by Yoda's Protector (not Cryptor). Just executed the program until the exception, then pressed F9, then passed the exception with Shift-F9, and it stopped at the OEP. (I would assume if the protection used multiple exceptions it would stop just outside the SEH handler of the packer/cryptor and allow me to trace from there.)

As a matter of fact, pressing any F5/6/7/8/9 key and then pressing Shift-F9 causes the debugged program to stop after passing the exception. That is my confusion.

-bg
  #6  
Old 02-13-2005, 08:12
D-Jester
Programs often use this type of protection to make it difficult to trace the execution of the program.

When an application runs into an exception while it's debugged, the debugger will halt (pause).
EXE packers use this to see if the program handles the exception or (if it's being debugged) not.
This is done by setting up what is called a Structured Exception Handler (SEH); it is usually set up right before an exception.
The program pushes the "handler"; this is where execution will continue if the program handles its own exceptions.
By pressing SHIFT + F9 you pass the exception to the application and allow it to continue as it normally would if it weren't debugged.
These exceptions occur even if the program isn't being debugged, you just don't see them because they are automatically handled by the program.
If you just press F9, F7, F8...etc. the program detects that execution did not continue as it should have and terminates itself, or Windows terminates it because the exception was not handled.

Some Reading Material:
hxxp://msdn.microsoft.com/library/en-us/debug/base/structured_exception_handling.asp

Did I explain what you wanted to know?
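The exception-handler mechanism described in this post, shown as an added example with a POSIX SIGSEGV handler in C (this is not code from the thread, from ExeShield or from OllyDbg; the function names and the value 42 are constructed for illustration). The program installs a handler, deliberately reads through a null pointer, and resumes at a saved continuation, the same shape as a packer's SEH handler steering execution toward the OEP. If a debugger stops on the fault and does not pass it to the program, the handler never runs and the resumed path is never reached; passing the exception (Shift-F9 in Olly) is what lets the program's own handler run.

```c
/* Added example (not from the thread): exception-driven control flow, the
 * POSIX analogue of the SEH pattern described above.  A handler is
 * registered, a deliberate fault is raised, and the handler resumes
 * execution at a chosen point.  If a debugger stops on the fault and does
 * not pass it on, the handler never runs and the program never reaches
 * that point; that is the whole difference between F9 and Shift-F9. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf continuation;            /* where the handler resumes execution */
static volatile sig_atomic_t faults_seen;  /* how many times the handler has run */

/* Handler: note the fault, then jump back to the saved continuation.
 * siglongjmp also restores the signal mask saved by sigsetjmp, so SIGSEGV
 * is deliverable again afterwards. */
static void on_fault(int signo)
{
    (void)signo;
    faults_seen++;
    siglongjmp(continuation, 1);
}

/* Runs the "protected" sequence and returns the value produced on the
 * resumed path (the stand-in for reaching the OEP).  Returns -2 if the
 * handler could not be installed.  Assumed names: nothing here comes from
 * ExeShield or OllyDbg. */
int run_protected_sequence(void)
{
    struct sigaction sa, saved;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;              /* handler may be re-entered after siglongjmp */
    if (sigaction(SIGSEGV, &sa, &saved) != 0)
        return -2;

    volatile int outcome = -1;
    if (sigsetjmp(continuation, 1) == 0) {
        /* The equivalent of "mov eax, dword ptr ds:[eax]" with eax == 0. */
        volatile int *null_ptr = NULL;
        outcome = *null_ptr;               /* raises SIGSEGV; control goes to on_fault */
    } else {
        /* Reached only through the handler: the "handled exception" path. */
        outcome = 42;
    }

    sigaction(SIGSEGV, &saved, NULL);      /* restore the previous disposition */
    return outcome;
}

int fault_count(void)
{
    return (int)faults_seen;
}

int main(void)
{
    int r = run_protected_sequence();
    printf("resumed path returned %d after %d fault(s)\n", r, fault_count());
    return r == 42 ? 0 : 1;
}
```

Built with gcc on Linux it prints the resumed value; sigsetjmp/siglongjmp and SA_NODEFER are POSIX, so it needs no Windows-specific headers.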
  #7  
Old 02-13-2005, 09:01
JMI
Small correction. The actual URL which will get you to the document is:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/structured_exception_handling.asp



Regards,
  #8  
Old 02-13-2005, 10:43
retroer
When you press Shift + F7 or Shift + F8, Olly sets the trap flag and moves you on to the next instruction (in the kernel32 "exception handlers" handler, the root handler); when you press Shift + F9, control is passed to the application's exception handler; and when you press any of F7, F8 or F9 just nothing happens, because Olly doesn't know who should handle the exception.

here is some useful links:
hxxp://www.jorgon.freeserve.co.uk/ExceptFrame.htm
hxxp://www.microsoft.com/msj/0197/exception/exception.aspx

If you don't want to press Shift + F9 many times (if many exceptions occur), just go to:
Options -> Debugging options -> Exceptions -> Ignore also following custom exceptions or ranges -> Add last exception
  #9  
Old 02-13-2005, 18:30
MaRKuS-DJM
To skip all exceptions, add the range 00000000-FFFFFFFF to custom exceptions. No more skipping of exceptions if you run from startup with SHIFT+F9.
  #10  
Old 02-13-2005, 21:28
JuneMouse
Bgrimm, does the TestApp run in w2k? It seems it doesn't have an import table at all.
w2k would require at least one import to function properly,
so I tried encrypting icztutes' messagebox.exe with all the check boxes checked.
It said file successfully encrypted,
but when I try to run it, it doesn't run.
I see it fails at
CALL ntdll.LdrpRunInitializeRoutines

Probably he is hard coding some address in one of his blah blah.
Log data, item 0
Address=77E878C1
Message=Access violation when executing [77E878C1]
77e8 would be my kernel32.dll base, which hasn't been mapped yet by the loader.


And I thought he might have encrypted his own exeblah, and it seems he hasn't
encrypted it.
Can you verify if it actually runs in w2k sp4??
Thanks and regards
  #11  
Old 02-13-2005, 22:24
bgrimm
Cryptor & IAT

It appears some of the "magic" Exeshield performs on the target executable breaks its functionality in win2k.

In the attached example all the cryptor options were turned on, including IAT destruction. Which would explain your missing functions.

The original executable was a simple example from hutch's MASM distribution that did originally run on all platforms (original code by Iczelion).

I didn't try different combinations of encryption options to see what exactly breaks it, whether it is the unpacking code or changes in the PE structure.
The original encryptor itself is included with my attachment in this thread if you're interested.

I did not spend much time looking at the target executable's code after packing, as this particular protector appears really weak and, as you discovered, not platform friendly.
(My couple of boxes here are XP SP1 machines, but after you mentioned that compatibility problem I fired up a 2000 SP4 VM and sure enough, the app did not run as you said.)

It was simply an exercise in learning to trace packer program flow in Olly
(and trying to learn more, like Dyn!o mentioned earlier, than just which buttons to press in what order to arrive at an OEP).

-bg
  #12  
Old 02-13-2005, 22:36
JuneMouse
Hehe, I already used that on icztutes, if you didn't happen to notice in my post:
Quote:
so I tried encrypting icztutes' messagebox.exe with all the check boxes checked.
It said file successfully encrypted,
but when I try to run it, it doesn't run.
I see it fails at
CALL ntdll.LdrpRunInitializeRoutines
Also I loaded the exe itself into OllyDbg to find the magic it uses.
Seems straightforward; I only see it is transforming something in the PE header to wtf?
and then ciphering off all the import table structure. I think that is the problem:
he must probably at least leave a pointer to a dummy import table that points to some dummy import which may or may not be used. I think I'll try tinkering with the exe that it crypts and then post here.

Actually I wanted to understand the problem with OllyDbg (I mean what you were meaning by the first question) rather than getting involved with unpacking and tinkering with this cryptor, but it seems I have to.

I did not understand the problem at all:
if F9'd, Olly should run without going to the handler;
if Shift-F9'd, Olly should run by going through the handler.

If you used WinDbg you might have noticed
go with handler,
go without handler and all its variants; it's
the same in Olly too.
Anyway, unless I have a valid exe with a valid problem I can't check
what the problem is.
  #13  
Old 02-13-2005, 23:20
JuneMouse
To JMI: I am purposely not editing the above post to add this; if you think I should have edited the post then please reduce my post count by one but leave this post as it is. Thanks and regards.

Yes, I was still poking at this, so I modified the PE header back to its original
with regards to the import table.
I see it is crashing when accessing it.
Registers when it crashes:
Quote:
EAX 00400000
ECX 777B3C93
EDX 00002010
EBX 00402010 <--- import table address that i modified back in pe header
ESP 0012F93C
EBP 0012F978
ESI 00131EE0
EDI 87CBCF87
EIP 77F8F85E
Crash here:
Quote:
77F8F84B MOV ECX, DWORD PTR DS:[EBX+10]
77F8F84E TEST ECX, ECX
77F8F850 JE 77F88B40
77F8F856 MOV EAX, DWORD PTR DS:[ESI+18]
77F8F859 MOV EDI, DWORD PTR DS:[EBX+C]
77F8F85C ADD EDI, EAX
77F8F85E CMP DWORD PTR DS:[ECX+EAX], 0
The above code is still in the stack setup by ntoskrnl;
not even ntdll has been mapped yet.

Call stack:
Quote:
Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0012F97C 77F8651E 77F8F7B5 77F86519 0012F978
0012FC9C 77F96416 77F91B3B 77F96411 0012FC98
0012FD20 77F9FB67 Includes 77F96416 77F9FB65 0012FD1C
All these are mapped sections that are setting up the exe; no physical DLL
calls have been made yet, not even Ldr blah blah.

Now if you notice, EBX == 402010,
and look at the unmodified import table:
Quote:
00000610 54 20 00 00 00 00 00 00 T ......
00000618 00 00 00 00 6A 20 00 00 ....j ..
00000620 08 20 00 00 4C 20 00 00  ..L ..
That is the first thunk and blah blah.
Now the modified one has:
Quote:
00000610 6B FF BB B7 B3 AF AB A7
00000618 A3 9F 9B 97 87 CF 8B 87
00000620 93 3C 7B 77 EA 2C 6B 67
Now the log details of the crash:
Log data, item 0
Address=77F8F85E
Message=Access violation when reading [77BB3C93]

So first thunk resolved + imagebase == 77bb3c93, invalid; this hasn't been mapped anywhere, this memory is neither allocated nor mapped nor
anything,
whereas in the original
it will be
400000 + 2008 == 402008, which will be valid.

OK, so it is up to the author to rectify this situation.

bgrimm, do you have any other working exe, where you can reproduce what you were talking about, that runs in w2k, so that I can try reproducing it?
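Decoding the two dumps in the post above confirms where the loader's faulting address comes from. The following is an added example in C, not code from the thread or from the cryptor; the ImageBase (00400000, from EAX) and the 20 descriptor bytes at file offset 610 are taken from the post, while the SizeOfImage value and the function names are assumptions for illustration. It parses the IMAGE_IMPORT_DESCRIPTOR from both the original and the encrypted bytes, computes ImageBase + FirstThunk (the address the CMP DWORD PTR DS:[ECX+EAX],0 touches) and checks whether each RVA lies inside the image, which is the sanity check a loader or an analysis tool applies before walking the import table.

```c
/* Added example (not from the thread): decode the IMAGE_IMPORT_DESCRIPTOR
 * at file offset 0x610 from the two dumps posted above and check whether
 * the RVAs it carries fall inside the image.  With the encrypted bytes,
 * ImageBase + FirstThunk is 77BB3C93, the faulting address in the log.
 * ImageBase comes from the thread (EAX = 00400000); SizeOfImage is an
 * assumption, as the post does not give it. */
#include <stdint.h>
#include <stdio.h>

#define IMAGE_BASE    0x00400000u
#define SIZE_OF_IMAGE 0x00003000u   /* assumption: not given in the thread */

/* Layout of one IMAGE_IMPORT_DESCRIPTOR (20 bytes, little-endian). */
struct import_descriptor {
    uint32_t original_first_thunk;  /* RVA of the import name table */
    uint32_t time_date_stamp;
    uint32_t forwarder_chain;
    uint32_t name;                  /* RVA of the DLL name string */
    uint32_t first_thunk;           /* RVA of the IAT */
};

/* Bytes at file offset 0x610..0x623 as posted (first 20 of the 24 shown). */
static const uint8_t original_desc[20] = {
    0x54,0x20,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x6A,0x20,0x00,0x00,
    0x08,0x20,0x00,0x00
};
static const uint8_t encrypted_desc[20] = {
    0x6B,0xFF,0xBB,0xB7, 0xB3,0xAF,0xAB,0xA7,
    0xA3,0x9F,0x9B,0x97, 0x87,0xCF,0x8B,0x87,
    0x93,0x3C,0x7B,0x77
};

/* Read a little-endian 32-bit value. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

void parse_import_descriptor(const uint8_t *raw, struct import_descriptor *d)
{
    d->original_first_thunk = rd32(raw + 0);
    d->time_date_stamp      = rd32(raw + 4);
    d->forwarder_chain      = rd32(raw + 8);
    d->name                 = rd32(raw + 12);
    d->first_thunk          = rd32(raw + 16);
}

/* An RVA is usable only if the 4 bytes it points at lie inside the image. */
int rva_in_image(uint32_t rva)
{
    return rva < SIZE_OF_IMAGE && SIZE_OF_IMAGE - rva >= 4;
}

uint32_t decode_first_thunk(const uint8_t *raw)
{
    struct import_descriptor d;
    parse_import_descriptor(raw, &d);
    return d.first_thunk;
}

/* Address the loader actually dereferences: ImageBase + FirstThunk
 * (the CMP DWORD PTR [ECX+EAX],0 in the crash listing). */
uint32_t loader_target_va(const uint8_t *raw)
{
    return IMAGE_BASE + decode_first_thunk(raw);
}

/* 1 if the descriptor can be walked safely, 0 if the loader would fault. */
int descriptor_is_sane(const uint8_t *raw)
{
    struct import_descriptor d;
    parse_import_descriptor(raw, &d);
    return rva_in_image(d.name) && rva_in_image(d.first_thunk);
}

int main(void)
{
    printf("original:  FirstThunk=%08X -> VA %08X  %s\n", decode_first_thunk(original_desc),
           loader_target_va(original_desc), descriptor_is_sane(original_desc) ? "ok" : "FAULT");
    printf("encrypted: FirstThunk=%08X -> VA %08X  %s\n", decode_first_thunk(encrypted_desc),
           loader_target_va(encrypted_desc), descriptor_is_sane(encrypted_desc) ? "ok" : "FAULT");
    return 0;
}
```

The original descriptor decodes to Name=0000206A and FirstThunk=00002008, both inside the image, so the loader reads [00402008] as the post expects; the encrypted bytes decode to FirstThunk=777B3C93, which lands at 77BB3C93, unmapped at that stage of process start-up.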
  #14  
Old 02-14-2005, 00:26
bgrimm
JuneMouse,

I PM'd you with the info but I see I could not attach files.

Here are the files mentioned; see if they have problems similar to the ones you encountered.
The ExeShield packed file did not run on my 2000 VM but is included in case you wanted to compare.



-bg
Attached Files
File Type: zip packed.zip (150.1 KB, 4 views)
  #15  
Old 02-14-2005, 01:28
BetaMaster
Quote:
Originally Posted by MaRKuS-DJM
To skip all exceptions, add the range 00000000-FFFFFFFF to custom exceptions. No more skipping of exceptions if you run from startup with SHIFT+F9.
Have you tried that with an Armadillo nanomites application? It seems stuck at any int3 command, and there's no way to pass the exception to the protector.