08-07-2005, 08:58 AM
_d_
Junior Member
Join Date: Aug 2005
Posts: 2

I followed this tutorial to debug the child process.


Here are the steps I followed:

- Open the target in OllyDbg
- set the IsDebuggerPresent byte to 00
- bp WriteProcessMemory
- F9 twice as the 2nd WriteProcessMemory is the one where you write the loop
- Edit the buffer in the WriteProcessMemory call to be EB FE so that the child process will be in an infinite loop (take a note of the bytes so you can put them back later)
- F9 again to run the parent - should see 2 processes with the same name in task manager and CPU usage of the child process will be ~100%
- bp WaitForDebugEvent to stop the parent
- Find the process id of the child by doing open in the OllyDbg that is running the parent and finding the process that isn't in red - press cancel
- pick a point in the parent and assemble in

PUSH <process id>
CALL DebugActiveProcessStop

- right click->new origin here on the inserted PUSH - this moves the current execution point to the selected line. It doesn't restart the process.
- breakpoint the NOP and F9
- when the execution stops at the NOP, check EAX is 1 that indicates the DebugActiveProcessStop command was successful
- the child process is no longer being debugged by the parent process so we can attach a new OllyDbg to the child. Leave the parent paused but don't close the OllyDbg.
- press F9 and then F12 in the new debugger after attaching and you should be paused at the EB FE loop in the child process.
- Edit back in the original 2 bytes to remove the loop

Now I'm not sure if what I did next was correct.

- set the IsDebuggerPresent to 00
- put a memory access breakpoint on the first section after the PE header in the memory window
- press F9

but in the child process there are a bunch of 0xCC, so it makes no sense to detach the arma-debugger, because only the father process knows the replaced bytes.

Are there any papers regarding this problem?

Best regards

08-23-2005, 11:43 AM
AndreaGeddon
Join Date: Dec 2002
Location: Italy
Posts: 42

I am reversing Armadillo 4.20. As you correctly say, detaching the father is not really useful, unless you have a loader that can emulate Armadillo's debugging loop. The 0xCC you find in the child are the nanomites; they are used to call the debugger process, which will determine how many bytes after the 0xCC are to be jumped.
In practice, when you see a 0xCC in the child it's just a jump: the parent process will change the context of the faulting thread and the execution will go on.
Also, apart from nanomites you have CopyMem2: in the child process the pages are encrypted, and you must first decrypt them all because Armadillo never leaves all decrypted pages in memory.
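As an added illustration of the parent/child mechanism AndreaGeddon describes (not code from the thread, and not Armadillo's real table format): a small Python model of the parent's side of the debugging loop. The child's conditional jumps have been replaced by INT3 bytes, and only the parent holds the table that says which jump each 0xCC stood for; on a breakpoint exception it evaluates the condition against the child's EFLAGS and decides where EIP goes next. The table, addresses and the set of jump types are constructed for the example.

```python
# Model of a nanomite-style dispatch loop (constructed example, not Armadillo's format).
# The child's code has jumps replaced by INT3 (0xCC). The parent, acting as the
# debugger, keeps a table mapping each nanomite address to the jump it replaced.
# On EXCEPTION_BREAKPOINT it reads the faulting thread's EFLAGS, picks the new EIP
# and writes it back (SetThreadContext) before resuming (ContinueDebugEvent).

CF, ZF, SF, OF = 1 << 0, 1 << 6, 1 << 7, 1 << 11  # x86 EFLAGS bit positions

# Constructed table: nanomite address -> (mnemonic, original instruction length, target)
NANOMITES = {
    0x401000: ("JE", 2, 0x401010),   # short jump, 2 bytes
    0x401005: ("JNE", 6, 0x401200),  # near conditional jump, 6 bytes
    0x40100B: ("JMP", 5, 0x401100),  # unconditional near jump, 5 bytes
}


def jump_taken(mnemonic, eflags):
    """Evaluate the replaced jump's condition against the child's EFLAGS."""
    if mnemonic == "JMP":
        return True
    if mnemonic == "JE":
        return bool(eflags & ZF)
    if mnemonic == "JNE":
        return not (eflags & ZF)
    if mnemonic == "JB":
        return bool(eflags & CF)
    if mnemonic == "JL":
        return bool(eflags & SF) != bool(eflags & OF)
    raise ValueError(f"unmodelled jump {mnemonic}")


def handle_breakpoint(eip_after_int3, eflags, table=NANOMITES):
    """Parent-side handler for a breakpoint exception raised in the child.

    On x86 the exception leaves EIP one byte past the 0xCC. Returns the EIP the
    parent would write back into the thread context, or None when the 0xCC is
    not one of its nanomites (the parent must then pass the exception on)."""
    addr = eip_after_int3 - 1
    entry = table.get(addr)
    if entry is None:
        return None
    mnemonic, length, target = entry
    # Taken: continue at the jump target. Not taken: skip the bytes the original
    # instruction occupied, which is exactly "how many bytes after the 0xCC are jumped".
    return target if jump_taken(mnemonic, eflags) else addr + length


def debug_loop(events, table=NANOMITES):
    """Replay a constructed list of (eip_after_int3, eflags) breakpoint events,
    returning the resumed EIPs, in the way a WaitForDebugEvent loop would."""
    return [handle_breakpoint(eip, flags, table) for eip, flags in events]
```

The point of the model is the asymmetry the thread is about: a debugger attached only to the child sees bare 0xCC bytes, and nothing in the child's memory says what they replaced.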