
Target: Client.exe
Reversers Background: computer science
Reversers Experience:
Lots of theoretical knowledge. I have read "Reversing" by Eldad Eilam, "Disassembling Code" by Vlad Pirogov, "Rootkits" by Hoglund... many others...
I have read up on C++ class reverse engineering and Structured Exception Handling from the articles on this website and the Pietrek article.
Familiar with the existence of a myriad of anti-debugging techniques.
Not enough practical experience.
Using: IDA Pro 4.7, OllyDbg
Problem:
I can't seem to debug Client.exe effectively.
Description:
I'm relatively new to reversing. I understand the basics and calling conventions between platforms etc. I've read up on a great deal to do with reverse engineering.
I believe I'm decently good at deadlisting and working from there. The obvious problem with that is it takes forever :).
I've been deadlisting Client.exe for a little while.
I got past dissecting ini file reading subroutines etc. I've reversed a decent amount of WinMain stack variables and subroutines.
I decided that I had taken long enough to just deadlist, so I'd try running it in IDA's debugger or WinDbg.
If I start the client and then attach using OllyDbg, the executable freezes in an unrecoverable fashion.
7D610018 FF75 14 PUSH DWORD PTR SS:[EBP+14]
7D61001B FF75 10 PUSH DWORD PTR SS:[EBP+10]
7D61001E FF75 0C PUSH DWORD PTR SS:[EBP+C]
7D610021 FF55 08 CALL DWORD PTR SS:[EBP+8]
7D610024 8BE6 MOV ESP,ESI
7D610026 5B POP EBX
7D610027 5F POP EDI
7D610028 5E POP ESI
7D610029 5D POP EBP
7D61002A C2 1000 RETN 10
7D61002D > CC INT3
7D61002E C3 RETN
EAX 7EFDE000
ECX 00000000
EDX 00000000
EBX 00000001
ESP 0550FFCC
EBP 0550FFF4
ESI 00000000
EDI 00000000
EIP 7D61002E ntdll.7D61002E
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EF97000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_INVALID_PARAMETER (00000057)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 0.0
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
It looks like it freezes on a breakpoint in ntdll.
If I start client.exe using Olly, it throws the spurious breakpoint; I pass it on, and it crashes:
CommandLine: "C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\Client.exe"
Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00000000`00400000 00000000`0043e000 Client.exe
ModLoad: 00000000`77ec0000 00000000`77ff9000 ntdll.dll
ModLoad: 00000000`6b000000 00000000`6b046000 C:\WINDOWS\system32\wow64.dll
ModLoad: 00000000`6b280000 00000000`6b2ca000 C:\WINDOWS\system32\wow64win.dll
ModLoad: 00000000`78b80000 00000000`78b89000 C:\WINDOWS\system32\wow64cpu.dll
(ad8.e90): Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
00000000`77ef2aa0 cc int 3
0:000> g
ModLoad: 00000000`77d40000 00000000`77eb3000 NOT_AN_IMAGE
ModLoad: 00000000`7d4c0000 00000000`7d5f0000 NOT_AN_IMAGE
ModLoad: 00000000`7d600000 00000000`7d6f0000 C:\WINDOWS\SysWOW64\ntdll32.dll
ModLoad: 00000000`77d40000 00000000`77eb3000 NOT_AN_IMAGE
ModLoad: 00000000`77c20000 00000000`77d2c000 NOT_AN_IMAGE
ModLoad: 00000000`7d4c0000 00000000`7d5f0000 C:\WINDOWS\syswow64\kernel32.dll
ModLoad: 00000000`7d930000 00000000`7da00000 C:\WINDOWS\syswow64\USER32.dll
ModLoad: 00000000`7d800000 00000000`7d890000 C:\WINDOWS\syswow64\GDI32.dll
ModLoad: 00000000`004f0000 00000000`0058b000 C:\WINDOWS\syswow64\ADVAPI32.dll
ModLoad: 00000000`7da20000 00000000`7db00000 C:\WINDOWS\syswow64\RPCRT4.dll
ModLoad: 00000000`7d8d0000 00000000`7d920000 C:\WINDOWS\syswow64\Secur32.dll
ModLoad: 00000000`76aa0000 00000000`76acd000 C:\WINDOWS\SysWOW64\WINMM.dll
ModLoad: 00000000`10000000 00000000`102ba000 C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\Engine.dll
ModLoad: 00000000`77670000 00000000`777a9000 C:\WINDOWS\syswow64\ole32.dll
ModLoad: 00000000`77ba0000 00000000`77bfa000 C:\WINDOWS\syswow64\msvcrt.dll
ModLoad: 00000000`00590000 00000000`00606000 C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\FreeImage.dll
ModLoad: 00000000`00610000 00000000`0061a000 C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\baselib.dll
ModLoad: 00000000`6d510000 00000000`6d58d000 C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\dbghelp.dll
ModLoad: 00000000`77b90000 00000000`77b98000 C:\WINDOWS\syswow64\VERSION.dll
ModLoad: 00000000`00620000 00000000`0062b000 C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\NetLib.dll
ModLoad: 00000000`71c00000 00000000`71c17000 C:\WINDOWS\SysWOW64\WS2_32.dll
ModLoad: 00000000`71bf0000 00000000`71bf8000 C:\WINDOWS\SysWOW64\WS2HELP.dll
ModLoad: 00000000`00630000 00000000`00742000 C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\gamebase.dll
ModLoad: 00000000`722c0000 00000000`722ea000 C:\WINDOWS\SysWOW64\DINPUT.dll
ModLoad: 00000000`00750000 00000000`0077a000 C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\lua.dll
ModLoad: 00000000`780c0000 00000000`78121000 C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\MSVCP60.dll
(ad8.e90): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll32!DbgBreakPoint:
00000000`7d61002d cc int 3
0:000:x86> g
ModLoad: 00000000`7dee0000 00000000`7df40000 C:\WINDOWS\SysWOW64\IMM32.DLL
ModLoad: 00000000`7df50000 00000000`7dfc0000 C:\WINDOWS\SysWOW64\uxtheme.dll
ModLoad: 00000000`4b3c0000 00000000`4b410000 C:\WINDOWS\SysWOW64\MSCTF.dll
ModLoad: 00000000`75e60000 00000000`75e87000 C:\WINDOWS\SysWOW64\apphelp.dll
ModLoad: 00000000`4dc30000 00000000`4dc5e000 C:\WINDOWS\SysWOW64\msctfime.ime
ModLoad: 00000000`02570000 00000000`025fb000 C:\WINDOWS\syswow64\OLEAUT32.DLL
(ad8.e90): C++ EH exception - code e06d7363 (first chance)
ntdll!NtTerminateProcess+0xa:
00000000`77ef0caa c3 ret
I get the same results every time.
I got the same results using IDA Pro in the default debugger configuration.
I finally got the program to run in IDA pro after modifying some debugger options of the debugging events IDA will handle.
I finally got it loaded and I immediately got held up in a breakpoint not inserted by IDA in ntdll.dll:7D61002D.
Debugger: Process started: C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\Client.exe
Debugger: Library unloaded.
Debugger: Library loaded: NOT_AN_IMAGE
Debugger: Library unloaded: NOT_AN_IMAGE
Debugger: Library loaded: C:\WINDOWS\SysWOW64\ntdll32.dll
Debugger: Library unloaded.
Debugger: Library unloaded.
Debugger: Library loaded: C:\WINDOWS\syswow64\kernel32.dll
Debugger: Library loaded: C:\WINDOWS\syswow64\USER32.dll
Debugger: Library loaded: C:\WINDOWS\system32\GDI32.dll
Debugger: Library loaded: C:\WINDOWS\system32\ADVAPI32.dll
Debugger: Library loaded: C:\WINDOWS\system32\RPCRT4.dll
Debugger: Library loaded: C:\WINDOWS\system32\Secur32.dll
Debugger: Library loaded: C:\WINDOWS\SysWOW64\WINMM.dll
Debugger: Library loaded: C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\Engine.dll
Debugger: Library loaded: C:\WINDOWS\syswow64\ole32.dll
Debugger: Library loaded: C:\WINDOWS\syswow64\msvcrt.dll
Debugger: Library loaded: C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\FreeImage.dll
Debugger: Library loaded: C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\baselib.dll
Debugger: Library loaded: C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\dbghelp.dll
Debugger: Library loaded: C:\WINDOWS\syswow64\VERSION.dll
Debugger: Library loaded: C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\NetLib.dll
Debugger: Library loaded: C:\WINDOWS\SysWOW64\WS2_32.dll
Debugger: Library loaded: C:\WINDOWS\SysWOW64\WS2HELP.dll
Debugger: Library loaded: C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\gamebase.dll
Debugger: Library loaded: C:\WINDOWS\SysWOW64\DINPUT.dll
Debugger: Library loaded: C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\lua.dll
Debugger: Library loaded: C:\Documents and Settings\Administrator\Desktop\HackBox\Projects\Neocron\neocron2\MSVCP60.dll
Debugger: Breakpoint instruction reached (not inserted by the debugger): 0x7D61002D.
Debugger: Library loaded: C:\WINDOWS\SysWOW64\IMM32.DLL
Debugger: Thread started: id=00000A4C, entry=7D4D1504.
Debugger: Breakpoint reached: 0x0042A45B
Debugger: Library loaded: C:\WINDOWS\SysWOW64\uxtheme.dll
Debugger: Library loaded: C:\WINDOWS\SysWOW64\MSCTF.dll
Debugger: Library loaded: C:\WINDOWS\SysWOW64\apphelp.dll
Debugger: Library loaded: C:\WINDOWS\SysWOW64\msctfime.ime
Debugger: Library loaded: C:\WINDOWS\syswow64\OLEAUT32.DLL
Debugger: Thread terminated: id=00000A4C (exit code = 0x0).
Looks like the same breakpoint from OllyDbg got me here, but I was able to continue executing anyway.
The later breakpoint at 0x0042A45B was mine.
What happened now was that an fopen of updater.ini in the 'ini' folder failed and caused program termination. The file was there, and if the client is run without the debugger it works fine.
It would be nice to have help from a veteran reverser. I'm simply too green to figure this out.
I was a little suspicious about anti-debugging so I checked the entry point and it doesn't look like anyone is doing anything funny to foil a reverser on purpose in there. It simply sets up and passes to WinMain.
I know there's the possibility of anti-reversing techniques being inserted into an exception handler and triggered through that, but I don't know enough yet to determine if that's the case.
I see they are using the WheatyExceptionReport classes that are publicly available, but it seems they've added a new method (don't see it online) to it called GetExceptionHandler, and then they follow it with _set_se_translator from the MSVCRT.
I also notice the NOT_AN_IMAGE lines in the IDA output but don't know what that means per se or if it's an issue.
I'm assuming that there is something simple I don't know when it comes to debugging a process. I'd appreciate any insight people have. I am still learning my tools and I know I have much to learn about reversing.
I would be happy to provide my idb file to anyone who is willing to help (I didn't see a way to attach it to the post). I need some encouragement :).
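The WinDbg transcript in the post can be triaged mechanically. This added Python example (not code from the post or from the game) parses the ModLoad lines into a module map and resolves each exception address to module plus offset, which is the lookup done by hand above to place 7D61002D inside ntdll32.dll; it assumes only the line formats visible in that transcript, and the embedded sample log is a shortened copy of it.

```python
import re
from collections import namedtuple
Module = namedtuple("Module", "start end path")
Event = namedtuple("Event", "desc code addr module offset")

# WinDbg prints addresses as 00000000`7d600000 and follows each exception
# banner with "<symbol>:" then "<address> <opcode bytes> <mnemonic>".
MODLOAD_RE = re.compile(r"^ModLoad:\s+(\w{8})`(\w{8})\s+(\w{8})`(\w{8})\s+(.*)$")
EXC_RE = re.compile(r"^\(\w+\.\w+\): (.*?) - code (\w{8}) \(\w+ chance\)$")
ADDR_RE = re.compile(r"^(\w{8})`(\w{8})\s+\w+\s+")

def parse_modloads(lines):
    """Build the module map from every ModLoad line in the log."""
    ms = (MODLOAD_RE.match(l.strip()) for l in lines)
    return [Module(int(m[1] + m[2], 16), int(m[3] + m[4], 16), m[5]) for m in ms if m]

def resolve(addr, mods):
    """Map addr to (file name, offset), preferring a named module over NOT_AN_IMAGE."""
    hits = [m for m in mods if m.start <= addr < m.end]
    if not hits:
        return None, addr
    hit = ([m for m in hits if m.path != "NOT_AN_IMAGE"] or hits)[-1]
    return hit.path.rsplit("\\", 1)[-1], addr - hit.start

def parse_events(lines):
    """Pair each exception banner with the address printed two lines later."""
    mods, events, pending = parse_modloads(lines), [], None
    for line in map(str.strip, lines):
        if m := EXC_RE.match(line):
            pending = m.groups()
        elif (a := ADDR_RE.match(line)) and pending:
            addr = int(a[1] + a[2], 16)
            events.append(Event(*pending, addr, *resolve(addr, mods)))
            pending = None
    return events

# Constructed sample: a shortened copy of the WinDbg transcript in the post.
SAMPLE_LOG = r"""
ModLoad: 00000000`00400000 00000000`0043e000 Client.exe
ModLoad: 00000000`77ec0000 00000000`77ff9000 ntdll.dll
(ad8.e90): Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
00000000`77ef2aa0 cc int 3
ModLoad: 00000000`7d4c0000 00000000`7d5f0000 NOT_AN_IMAGE
ModLoad: 00000000`7d600000 00000000`7d6f0000 C:\WINDOWS\SysWOW64\ntdll32.dll
ModLoad: 00000000`7d4c0000 00000000`7d5f0000 C:\WINDOWS\syswow64\kernel32.dll
(ad8.e90): WOW64 breakpoint - code 4000001f (first chance)
ntdll32!DbgBreakPoint:
00000000`7d61002d cc int 3
""".strip().splitlines()
```

Feeding the full transcript through parse_events also places the final "C++ EH exception" at ntdll!NtTerminateProcess, and the same resolve call puts the user breakpoint 0x0042A45B in Client.exe and the IDA thread entry 7D4D1504 in kernel32.dll rather than the NOT_AN_IMAGE placeholder for that range.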