  #18  
Old 01-26-2005, 07:42
Flagmax
 
Ok, did more testing. The modified patch is still not working as it should. If you make a large message in OutputDebugString(), then the Readmemory will fail once again. So I searched in Olly some more and found a better place to insert a jump to the Check_Bad_Message routine. I made small changes to the routine.

First here is code from Olly with comments:
Code:
0043131E    BA 00010000     MOV EDX,100                          ; Set EDX to 256d
00431323    2B55 F4         SUB EDX,DWORD PTR SS:[EBP-C]         ; Subtract 14d from that which is Len("Debug String: ")
00431326    4A              DEC EDX                              ; Subtract 1 possible for terminating null char
00431327    3BDA            CMP EBX,EDX                          ; Compare Len(Message) to 241
00431329    7E 09           JLE SHORT OLLYDBG_.00431334          ; If Len(Message) is Less or Equal to 241, then its ok to be Read, So Jump
0043132B    BB 00010000     MOV EBX,100                          ; If it gets here, then the Message is too Long, Set EBX to 256d
00431330    2B5D F4         SUB EBX,DWORD PTR SS:[EBP-C]         ; Subtract 14d from that which is Len("Debug String: ")
00431333    4B              DEC EBX                              ; Subtract 1 possible for terminating null char
00431334    6A 03           PUSH 3
00431336    53              PUSH EBX                             ; At this point EBX is 241d or less, never More, Number of bytes to Read
00431337    A1 20574D00     MOV EAX,DWORD PTR DS:[4D5720]
0043133C    50              PUSH EAX                             ; EAX has the Address where the message is located in the Debugging Process
0043133D    8D95 98FDFFFF   LEA EDX,DWORD PTR SS:[EBP-268]       ; Load address to Buffer where it will Copy Message to
00431343    0355 F4         ADD EDX,DWORD PTR SS:[EBP-C]         ; Increment Buffer to skip over "Debug String: "
00431346    52              PUSH EDX                             ; Now EDX has the Start address where Message is Copied to
00431347    E8 C0FF0200     CALL OLLYDBG_._Readmemory            ; Copy the Message
0043134C    83C4 10         ADD ESP,10
0043134F    3BC3            CMP EAX,EBX                          ; Compare if Number byte Read match Number bytes should have Read
00431351    74 0A           JE SHORT OLLYDBG_.0043135D           ; Jump if Readmemory was Successful
00431353    B8 01000000     MOV EAX,1                            ; If not, Error out
So the new Jump location I found is here:
Code:
00431347   /E9 0AE30700     JMP OLLYDBG_.004AF656                ; Jump to Check_Bad_Message routine
Now for the Modified patch:
Code:
004AF656    E8 B11CFBFF     CALL OLLYDBG_._Readmemory            ; Read the Message from Debugging Process
004AF65B    60              PUSHAD                               ; Backup Registers
004AF65C    8BC8            MOV ECX,EAX                          ; Copy bytes Read to ECX
004AF65E    8B7C24 20       MOV EDI,DWORD PTR SS:[ESP+20]        ; Set EDI to Start of Message Read
004AF662    B8 25000000     MOV EAX,25                           ; Set EAX to 25 (% character)
004AF667    F2:AE           REPNE SCAS BYTE PTR ES:[EDI]         ; Search for 25 in Message
004AF669    83F9 00         CMP ECX,0                            ; Check if it reached End of Message
004AF66C    74 15           JE SHORT OLLYDBG_.004AF683           ; Jump if didn't find 25 in Message
004AF66E    8B7C24 20       MOV EDI,DWORD PTR SS:[ESP+20]        ; Set EDI to Start of Message Read
004AF672    C707 4578706C   MOV DWORD PTR DS:[EDI],6C707845      ; Place "Exploit" over Message in these MOV DWORD commands
004AF678    C747 04 6F69740>MOV DWORD PTR DS:[EDI+4],74696F
004AF67F    C647 08 00      MOV BYTE PTR DS:[EDI+8],0            ; Place terminating null character
004AF683    61              POPAD                                ; Restore Registers
004AF684  ^ E9 C31CF8FF     JMP OLLYDBG_.0043134C                ; Jump back to Normal flow of Olly
Basically Olly will not read anything more than 241 characters. So in the old patch it tried to read more than that, and ReadProcessMemory fails for that reason.

In this final version, Readmemory reads the correct number of bytes. Then I search for 25 in the Message. If found, I make the message say "Debug string: Exploit". You can actually see this message in Olly's status bar at the bottom. Well, I think this is the safest patch so far. I learned a lot here that will help me in the future.

Attached is the final patch that's in this post.
Attached Files
File Type: zip Ollydbg1.10_DebugString_patch_final.zip (3.8 KB, 35 views)
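As an added illustration (not Flagmax's patch or OllyDbg code), here is a C model of the patched flow described in the post: the 256-byte status buffer, the 14-byte "Debug String: " prefix, the 241-byte clamp, and the Check_Bad_Message rewrite of any message containing '%' (0x25) to "Exploit" so no debuggee-controlled format directives reach the later printf-style call. Buffer and prefix sizes are taken from the listings; the sample messages are constructed.

```c
#include <stdio.h>
#include <string.h>

#define OLLY_BUF   256                         /* size of Olly's status-line buffer */
#define PREFIX     "Debug String: "            /* prefix; its length sits at [EBP-C] */
#define PREFIX_LEN 14
#define MAX_MSG    (OLLY_BUF - PREFIX_LEN - 1) /* 241: room for message plus NUL */

/* Mirrors 0043131E-00431333: clamp the requested length to 241 bytes. */
size_t clamp_msg_len(size_t msg_len)
{
    return msg_len > MAX_MSG ? MAX_MSG : msg_len;
}

/* Models the patched flow: copy at most 241 bytes of the debuggee's message
 * after the prefix (the Readmemory call), then, like Check_Bad_Message,
 * replace the whole message with "Exploit" if it contains a '%'.
 * Returns 1 if the message was rewritten, 0 if it was passed through.
 * memchr covers every byte read, including the last one. */
int build_debug_string(char out[OLLY_BUF], const char *msg, size_t msg_len)
{
    size_t n = clamp_msg_len(msg_len);
    char *body = out + PREFIX_LEN;             /* [EBP-268] + [EBP-C] */

    memcpy(out, PREFIX, PREFIX_LEN);
    memcpy(body, msg, n);                      /* Readmemory: copies exactly n bytes */
    body[n] = '\0';                            /* fits: n <= 241, buffer is 256 */

    if (n > 0 && memchr(body, '%', n) != NULL) { /* REPNE SCASB for 0x25 */
        memcpy(body, "Exploit", 8);            /* "Exploit" plus terminating NUL */
        return 1;
    }
    return 0;
}

int main(void)
{
    char line[OLLY_BUF];
    const char *safe    = "hello from debuggee";   /* constructed sample */
    const char *hostile = "crash me %s%s%s%n";     /* constructed sample */

    build_debug_string(line, safe, strlen(safe));
    printf("%s\n", line);                          /* Debug String: hello from debuggee */
    build_debug_string(line, hostile, strlen(hostile));
    printf("%s\n", line);                          /* Debug String: Exploit */
    return 0;
}
```

One caveat worth knowing when reading the listing: REPNE SCASB also leaves ECX at 0 when the '%' is the very last byte read, so the CMP ECX,0 / JE test at 004AF669 treats that single position as "not found"; the C model above flags it.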