#11
Old 01-24-2005, 09:49
Flagmax
JuneMouse:

I am no expert but here is what I came up with.

Your patch behaves differently with Armadillo, it actually would fail.

It seems it works great with BrainCell and Python24, but with Armadillo it's another story.

Below is the Case with Armadillo.

Inside this call:
004AF654 E8 B31CFBFF CALL OLLYDBG_._Readmemory
Olly uses ReadProcessMemory() to Read the chunk of memory.
...
0046142B E8 3EDD0400 CALL <JMP.&KERNEL32.ReadProcessMemory>
The ReadProcessMemory() is set up with the parameters below. So you see it tries to Read 8560059h bytes
from 0100EF70h to 0012F340h.
Code:
0012CC24   000000BC  |hProcess = 000000BC
0012CC28   0100EF70  |pBaseAddress = 0100EF70 - This is good offset: Debug message is here
0012CC2C   0012F340  |Buffer = 0012F340
0012CC30   08560059  |BytesToRead = 8560059 (139853913.)
0012CC34   00000000  \pBytesRead = NULL
But my finding is it Fails on Reading the memory. It is possibly because VirtualProtect is not set up
correctly or maybe hProcess is wrong. So you have a good idea but it is not accomplished in this case.

Then we get to your Search routine.
REPNE SCAS uses the same parameters as ReadProcessMemory. This is where it Scans so many bytes, Buffer at 0012F340h and
length is 8560059h. You can press F7 at 004AF665h and see it Scan and ECX decreasing.
Code:
004AF65E    8B3C24              MOV EDI,DWORD PTR SS:[ESP]               ; Set EDI with Start of buffer
004AF661    8B4C24 08           MOV ECX,DWORD PTR SS:[ESP+8]             ; Set length of bytes to Search in ECX
004AF665    F2:AE               REPNE SCAS BYTE PTR ES:[EDI]             ; Scan for 25h in Buffer
004AF667    83F9 00             CMP ECX,0                                ; If ECX = 0 then it reached to End of buffer
Now since Readmemory FAILED, you are searching who knows what; the Debug Message is nowhere in this buffer.

In my case it found 25h at 0012FB9Ah, and look what that 25h is part of:
0012FB98 |7C92 25 38 UNICODE "kernel32.dll"

So you see the problem is with ReadProcessMemory(). So I believe if the buffer (Stack) didn't have this or another 25h then
your patch would not work with Armadillo.

Maybe someone can verify this.
Steps:
1. Open First Ollydbg
2. Now Open a Second Olly that has been patched with JuneMouse's patch from within the First Olly
3. Place a breakpoint at 004AF654, you should see CALL OLLYDBG_._Readmemory there.
4. Now Press F9 and you should see Second Olly in Taskbar.
5. Switch to Second Olly and Open then Run some Armadillo target that uses OutputDebugStringA()
6. Shortly First Olly should Break at 004AF654.
7. Now Press F7 to go into that Call and Scroll down to 0046142B: E8 3EDD0400 - CALL <JMP.&KERNEL32.ReadProcessMemory>
8. Place a Breakpoint there and press F9; once it stops here press F8 and look at EAX: if it is 0, then the Read Failed, 1 = Successful.

Last edited by Flagmax; 01-24-2005 at 10:24.
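As an added example (not code from the thread or from JuneMouse's patch), the routine the post describes modelled in portable C: the unchecked variant ignores the read result and scans the whole requested length of its local buffer, so a failed read makes it scan stale stack contents (the 25h from "kernel32.dll" in the post), while the checked variant requires the read to succeed and scans only the bytes actually read. fake_process, fake_read, image and sample are constructed stand-ins for the debuggee's memory and for ReadProcessMemory().

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the debuggee's address space (offsets play the
 * role of addresses); fake_read models ReadProcessMemory's two outcomes. */
typedef struct { const unsigned char *mem; size_t size; } fake_process;

static int fake_read(const fake_process *p, size_t base, void *dst,
                     size_t want, size_t *got)
{
    *got = 0;
    if (base >= p->size || want > p->size - base)
        return 0;                        /* unreadable range: fails, like RPM */
    memcpy(dst, p->mem + base, want);
    *got = want;
    return 1;
}

/* Constructed debuggee image: a plain message at offset 0 and a message
 * containing a format specifier at offset 16. */
static const unsigned char image[32] = "plain message\0\0\0" "rate: 50%\0";
const fake_process sample = { image, sizeof image };

/* Unchecked routine, as the post describes it: read, ignore the result,
 * then scan the whole requested length of the local buffer for '%'.
 * When the read fails it scans stale stack contents instead. */
int unchecked_has_percent(const fake_process *p, size_t base, size_t len)
{
    unsigned char buf[64];
    size_t got;
    memset(buf, 0, sizeof buf);
    strcpy((char *)buf, "stale: kernel32.dll %s"); /* constructed stale data */
    if (len > sizeof buf) len = sizeof buf;        /* only to keep the demo memory-safe */
    fake_read(p, base, buf, len, &got);            /* return value ignored */
    return memchr(buf, '%', len) != NULL;
}

/* Hardened routine: reject implausible lengths, require the read to
 * succeed, and scan only the bytes actually read, stopping at the NUL.
 * -1 means "could not inspect"; callers must not treat it as safe. */
int checked_has_percent(const fake_process *p, size_t base, size_t len)
{
    unsigned char buf[64];
    size_t got, n;
    if (len == 0 || len > sizeof buf) return -1;
    if (!fake_read(p, base, buf, len, &got) || got == 0) return -1;
    for (n = 0; n < got && buf[n] != 0; n++) ;     /* debug text is NUL-terminated */
    return memchr(buf, '%', n) != NULL;
}
```

Calling both with the post's failing request (base 0100EF70h, length 8560059h) shows the difference: the unchecked routine reports a '%' from the stale buffer, the checked one reports that it could not inspect the string.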