#18
OK, did more testing. The modified patch is still not working as it should. If you make a large message in OutputDebugString(), then the Readmemory will fail once again. So I searched in Olly some more and found a better place to insert a jump to the Check_Bad_Message routine. I made small changes to the routine.
First, here is the code from Olly with comments:

Code:
0043131E BA 00010000 MOV EDX,100 ; Set EDX to 256d
00431323 2B55 F4 SUB EDX,DWORD PTR SS:[EBP-C] ; Subtract 14d from that, which is Len("Debug String: ")
00431326 4A DEC EDX ; Subtract 1, possibly for the terminating null char
00431327 3BDA CMP EBX,EDX ; Compare Len(Message) to 241
00431329 7E 09 JLE SHORT OLLYDBG_.00431334 ; If Len(Message) is less than or equal to 241, then it's OK to be read, so jump
0043132B BB 00010000 MOV EBX,100 ; If it gets here, then the message is too long; set EBX to 256d
00431330 2B5D F4 SUB EBX,DWORD PTR SS:[EBP-C] ; Subtract 14d from that, which is Len("Debug String: ")
00431333 4B DEC EBX ; Subtract 1, possibly for the terminating null char
00431334 6A 03 PUSH 3
00431336 53 PUSH EBX ; At this point EBX is 241d or less, never more: number of bytes to read
00431337 A1 20574D00 MOV EAX,DWORD PTR DS:[4D5720]
0043133C 50 PUSH EAX ; EAX has the address where the message is located in the debugged process
0043133D 8D95 98FDFFFF LEA EDX,DWORD PTR SS:[EBP-268] ; Load address of the buffer the message will be copied to
00431343 0355 F4 ADD EDX,DWORD PTR SS:[EBP-C] ; Advance the buffer pointer to skip over "Debug String: "
00431346 52 PUSH EDX ; Now EDX has the start address where the message is copied to
00431347 E8 C0FF0200 CALL OLLYDBG_._Readmemory ; Copy the message
0043134C 83C4 10 ADD ESP,10
0043134F 3BC3 CMP EAX,EBX ; Compare whether the number of bytes read matches the number that should have been read
00431351 74 0A JE SHORT OLLYDBG_.0043135D ; Jump if Readmemory was successful
00431353 B8 01000000 MOV EAX,1 ; If not, error out
Code:
00431347 /E9 0AE30700 JMP OLLYDBG_.004AF656 ; Jump to Check_Bad_Message routine

Code:
004AF656 E8 B11CFBFF CALL OLLYDBG_._Readmemory ; Read the message from the debugged process
004AF65B 60 PUSHAD ; Back up registers
004AF65C 8BC8 MOV ECX,EAX ; Copy bytes read to ECX
004AF65E 8B7C24 20 MOV EDI,DWORD PTR SS:[ESP+20] ; Set EDI to start of message read
004AF662 B8 25000000 MOV EAX,25 ; Set EAX to 25 (% character)
004AF667 F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; Search for 25 in message
004AF669 83F9 00 CMP ECX,0 ; Check if it reached end of message
004AF66C 74 15 JE SHORT OLLYDBG_.004AF683 ; Jump if 25 wasn't found in message
004AF66E 8B7C24 20 MOV EDI,DWORD PTR SS:[ESP+20] ; Set EDI to start of message read
004AF672 C707 4578706C MOV DWORD PTR DS:[EDI],6C707845 ; Place "Exploit" over the message with these MOV DWORD instructions
004AF678 C747 04 6F69740>MOV DWORD PTR DS:[EDI+4],74696F
004AF67F C647 08 00 MOV BYTE PTR DS:[EDI+8],0 ; Place terminating null character
004AF683 61 POPAD ; Restore registers
004AF684 ^ E9 C31CF8FF JMP OLLYDBG_.0043134C ; Jump back to normal flow of Olly

In this final version, Readmemory reads the correct number of bytes. Then I search for 25 in the message. If found, I make the message say "Debug string: Exploit". You can actually see this message in Olly's status bar at the bottom. Well, I think this is the safest patch so far. I learned a lot here that will help me in the future. Attached is the final patch that's in this post.
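The following C is an added example, not the poster's patch or OllyDbg code: it models the patched flow from the two listings above in portable code so the length clamp (256 - 14 - 1 = 241), the prefix handling and the '%' scan can be run on sample input. The buffer size and prefix length are taken from the listing; `read_memory`, `check_bad_message`, `patch_finds_percent` and the helper names are hypothetical stand-ins, and the sample messages are constructed. `patch_finds_percent` reproduces the assembly's `REPNE SCASB` followed by `CMP ECX,0 / JE`: because `REPNE SCASB` decrements ECX before it stops on a match, ECX is also 0 when the '%' is the last byte scanned, so that case is treated as "not found", which is the one input on which the emulation and `check_bad_message` (which checks every byte read with `memchr`) disagree.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constants taken from the listing: a 256-byte status buffer at [EBP-268],
 * a 14-byte "Debug string: " prefix, and one byte reserved for the NUL. */
#define STATUS_BUF_SIZE 256
#define PREFIX          "Debug string: "
#define PREFIX_LEN      (sizeof(PREFIX) - 1)                 /* 14 */
#define MAX_MSG_LEN     (STATUS_BUF_SIZE - PREFIX_LEN - 1)   /* 241 */

/* Hypothetical stand-in for Olly's _Readmemory: copies up to n bytes of the
 * "debuggee" message and returns the number of bytes copied. */
static size_t read_memory(char *dst, const char *src, size_t n) {
    memcpy(dst, src, n);
    return n;
}

/* Model of the patched flow: clamp the length to 241, read the message into
 * the status buffer after the prefix, then scan every byte read for '%'.
 * If one is present, the message is overwritten with "Exploit" (the three
 * MOV stores in the listing). Returns 1 if replaced, 0 if left alone,
 * -1 if the read came back short (the CMP EAX,EBX / JE error path). */
static int check_bad_message(const char *remote, size_t remote_len,
                             char out[STATUS_BUF_SIZE]) {
    size_t n = remote_len > MAX_MSG_LEN ? MAX_MSG_LEN : remote_len;
    memcpy(out, PREFIX, PREFIX_LEN);
    size_t got = read_memory(out + PREFIX_LEN, remote, n);
    if (got != n) {
        out[PREFIX_LEN] = '\0';
        return -1;
    }
    out[PREFIX_LEN + n] = '\0';
    int bad = memchr(out + PREFIX_LEN, '%', n) != NULL;
    if (bad)
        memcpy(out + PREFIX_LEN, "Exploit", sizeof "Exploit");  /* includes the NUL */
    return bad;
}

/* Emulation of the posted search: REPNE SCASB over ECX = bytes read, then
 * "CMP ECX,0 / JE not_found". ECX is decremented before the match stops the
 * loop, so a '%' in the last byte also leaves ECX == 0 ("not found"). */
static int patch_finds_percent(const char *msg, size_t bytes_read) {
    size_t ecx = bytes_read;
    const unsigned char *edi = (const unsigned char *)msg;
    while (ecx != 0) {
        int zf = (*edi++ == '%');
        ecx--;
        if (zf) break;
    }
    return ecx != 0;
}

/* Helper: run the sanitiser and compare the resulting status text. */
static int sanitized_equals(const char *remote, size_t remote_len, const char *expect) {
    char out[STATUS_BUF_SIZE];
    check_bad_message(remote, remote_len, out);
    return strcmp(out, expect) == 0;
}

/* Helper: length of the status text produced for an all-'A' message of the given length. */
static size_t sanitized_length(size_t remote_len) {
    char big[1024];
    char out[STATUS_BUF_SIZE];
    memset(big, 'A', sizeof big);
    if (remote_len > sizeof big) remote_len = sizeof big;
    check_bad_message(big, remote_len, out);
    return strlen(out);
}

int main(void) {
    /* Constructed sample messages, not captured from a real debuggee. */
    const char *samples[] = { "plain text", "%s%s%s%n", "ab%" };
    char out[STATUS_BUF_SIZE];
    for (size_t i = 0; i < 3; i++) {
        int bad = check_bad_message(samples[i], strlen(samples[i]), out);
        printf("%-10s -> bad=%d scasb_found=%d -> \"%s\"\n", samples[i], bad,
               patch_finds_percent(samples[i], strlen(samples[i])), out);
    }
    printf("1000-byte message gives %zu bytes of status text\n", sanitized_length(1000));
    return 0;
}
```

The third sample, "ab%", is the case to watch: `check_bad_message` rewrites it to "Debug string: Exploit", while the `REPNE SCASB` emulation reports it as not found because the match landed on the final byte. Whether that byte can ever be the last one Readmemory returns depends on whether the length Olly passes includes the terminating NUL, which the listing does not show.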