Exetools  

  #1  
Old 01-24-2005, 09:49
Flagmax
 
JuneMouse:

I am no expert but here is what I came up with.

Your patch behaves differently with Armadillo; it actually would fail.

It seems it works great with BrainCell and Python24, but with Armadillo it's another story.

Below is the Case with Armadillo.

Inside this call:
004AF654 E8 B31CFBFF CALL OLLYDBG_._Readmemory
Olly uses ReadProcessMemory() to Read the chunk of memory.
...
0046142B E8 3EDD0400 CALL <JMP.&KERNEL32.ReadProcessMemory>
The ReadProcessMemory() is set up with the parameters below. So you see it tries to read 8560059h bytes
from 0100EF70h to 0012F340h.
Code:
0012CC24   000000BC  |hProcess = 000000BC
0012CC28   0100EF70  |pBaseAddress = 0100EF70 - This is good offset: Debug message is here
0012CC2C   0012F340  |Buffer = 0012F340
0012CC30   08560059  |BytesToRead = 8560059 (139853913.)
0012CC34   00000000  \pBytesRead = NULL
But my finding is it fails on reading the memory. It is possibly because VirtualProtect is not set up
correctly or maybe hProcess is wrong. So you have a good idea but it is not accomplished in this case.

Then we get to your Search routine.
REPNE SCAS uses the same parameters as ReadProcessMemory. This is where it scans that many bytes: buffer at 0012F340h and
length is 8560059h. You can press F7 at 004AF665h and see it scan and ECX decreasing.
Code:
004AF65E    8B3C24              MOV EDI,DWORD PTR SS:[ESP]               ; Set EDI with Start of buffer
004AF661    8B4C24 08           MOV ECX,DWORD PTR SS:[ESP+8]             ; Set length of bytes to Search in ECX
004AF665    F2:AE               REPNE SCAS BYTE PTR ES:[EDI]             ; Scan for 25h in Buffer
004AF667    83F9 00             CMP ECX,0                                ; If ECX = 0 then it reached to End of buffer
Now since Readmemory FAILED, you are searching who knows what; the debug message is nowhere in this buffer.

In my case it found 25h at 0012FB9Ah, and look what that 25h is part of:
0012FB98 |7C92 25 38 UNICODE "kernel32.dll"

So you see the problem is with ReadProcessMemory(). So I believe if the buffer (stack) didn't have this or another 25 then
your patch would not work with Armadillo.

Maybe someone can verify this.
Steps:
1. Open the first OllyDbg.
2. Now open a second Olly that has been patched with JuneMouse's patch from within the first Olly.
3. Place a breakpoint at 004AF654; you should see CALL OLLYDBG_._Readmemory there.
4. Now press F9 and you should see the second Olly in the taskbar.
5. Switch to the second Olly and open and then run some Armadillo target that uses OutputDebugStringA().
6. Shortly the first Olly should break at 004AF654.
7. Now press F7 to go into that call and scroll down to 0046142B: E8 3EDD0400 - CALL <JMP.&KERNEL32.ReadProcessMemory>
8. Place a breakpoint there and press F9; once it stops here press F8 and look at EAX. If it is 0, then the read failed; 1 = successful.

Last edited by Flagmax; 01-24-2005 at 10:24.
  #2  
Old 01-24-2005, 19:22
JuneMouse
 
FlagMax
well, if it failed in ReadProcessMemory() then probably this patch can be modified
to test for the result and take appropriate action. As I said, I did not look
deep into it and did not test it with any other application apart from that
crackme and some masm code I cooked up for testing it

Code:
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data
MsgBoxText      db "Win32 Assembly is Great!",0
vulnstring      db "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
                   db "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
                   db "%s%s%s%s%s%s%s%s%s%s%s%s ",0

.code
start:
      invoke OutputDebugString,addr MsgBoxText
      invoke OutputDebugString,addr vulnstring
      invoke ExitProcess,NULL
end start
but could you tell me the arguments that are passed here
Code:
004AF654    .  E8 B31CFBFF     CALL    OLLYDBGm._Readmemory        ;  what else reading 
like this 
0012DA60   004AF659  RETURN to OLLYDBGm.004AF659 from OLLYDBGm._Readmemory
0012DA64   0012F340
0012DA68   00403000  OLLYDBGm.00403000
0012DA6C   00000019
0012DA70   00000003

this is from the test code I posted above, assembled in qeditor and using hutch's masm
buildall in project;
the exact Readmemory stack details:

0012CC20   00461430  /CALL to ReadProcessMemory from OLLYDBGm.0046142B
0012CC24   00000100  |hProcess = 00000100 (window)
0012CC28   00403000  |pBaseAddress = 403000
0012CC2C   0012F340  |Buffer = 0012F340
0012CC30   00000019  |BytesToRead = 19 (25.)
0012CC34   00000000  \pBytesRead = NULL
Quote:
It is possible because VirtualProtect is not setup
correctly or maybe hProcess is wrong
regarding hProcess, you can open the View Handles window and look at the handle
details (expand the columns to make the hidden details visible)
Handles, item 63
Handle=00000100
Type=Process
Refs= 8.
Access=0002047B READ_CONTROL|QUERY_STATE|MODIFY_STATE|478
T=*

or use processexplorernt from Sysinternals and correlate them
like this
Process formatprob.exe(480) 0x100 0x0002047B

hope you can provide some more details so that this can be made properly.
anyway, thanks for the feedback
  #3  
Old 01-25-2005, 02:36
Flagmax
 
These are the arguments I get when running the Armadillo target. As you can see the length is really large and it's the same both times Armadillo calls OutputDebugString(). So I think the key is to find out where and why this number is not set to the actual message length.

0012DA60 004AF659 RETURN to OLLYDBG_.004AF659 from OLLYDBG_._Readmemory
0012DA64 0012F340
0012DA68 0100EF70
0012DA6C 08560059
0012DA70 00000003



Quote:
Originally Posted by JuneMouse
but could you tell me the arguments that are passed here
Code:
004AF654 . E8 B31CFBFF CALL OLLYDBGm._Readmemory ; what else reading
like this
  #4  
Old 01-25-2005, 04:26
Flagmax
 
Problem Solved...

Hi JuneMouse,

I did more tracing and found the root cause of the problem. It seems in this Armadillo, the address that holds the length of the message also gets filled up with some junk. And in your patch you are pushing a DWORD to the stack. Instead you need to push just a WORD. The code here shows the proper way:
Code:
00431294    0FB71D 26574D00     MOVZX EBX,WORD PTR DS:[4D5726]           ; Copies just a WORD
...
00431336    53                  PUSH EBX                                 ; Push Length to Stack
00431337    A1 20574D00         MOV EAX,DWORD PTR DS:[4D5720]
0043133C    50                  PUSH EAX
0043133D    8D95 98FDFFFF       LEA EDX,DWORD PTR SS:[EBP-268]
00431343    0355 F4             ADD EDX,DWORD PTR SS:[EBP-C]
00431346    52                  PUSH EDX
00431347    E8 C0FF0200         CALL OLLYDBG_._Readmemory                ; Read a Chunk of Memory
Oh, so here is a minor fix that I made. Now I believe it's 100% working.
Code:
004AF644    60                  PUSHAD
004AF645    6A 03               PUSH 3
004AF647    0FB71D 26574D00     MOVZX EBX,WORD PTR DS:[4D5726]           ; Copies a WORD from 4D5726h and strips the rest junk
004AF64E    53                  PUSH EBX                                 ; Now Push the correct Length of Message to Stack
004AF64F    FF35 20574D00       PUSH DWORD PTR DS:[4D5720]
004AF655    52                  PUSH EDX
004AF656    E8 B11CFBFF         CALL OLLYDBG_._Readmemory
004AF65B    B8 25000000         MOV EAX,25
004AF660    8B3C24              MOV EDI,DWORD PTR SS:[ESP]
004AF663    8B4C24 08           MOV ECX,DWORD PTR SS:[ESP+8]
004AF667    F2:AE               REPNE SCAS BYTE PTR ES:[EDI]
004AF669    83F9 00             CMP ECX,0
004AF66C    75 0E               JNZ SHORT OLLYDBG_.004AF67C
004AF66E    83C4 10             ADD ESP,10
004AF671    61                  POPAD
004AF672    E8 B575FFFF         CALL OLLYDBG_.004A6C2C
004AF677  ^ E9 121CF8FF         JMP OLLYDBG_.0043128E
004AF67C    83C4 10             ADD ESP,10
004AF67F    61                  POPAD
004AF680    83C4 08             ADD ESP,8
004AF683  ^ E9 CB1CF8FF         JMP OLLYDBG_.00431353

Last edited by Flagmax; 01-26-2005 at 08:10.
  #5  
Old 01-25-2005, 18:14
JuneMouse
 
Quote:
0012DA68 0100EF70
does this address hold the debug string that is passed from Armadillo?
use Follow in Dump, or use Ctrl+G and type the address and go there and look.
if yes, does the length match the word ptr, in that is it a 0x59-bytes-long string???
Quote:
0012DA6C 08560059
if the above is valid then I would assume pushing the word ptr content is acceptable

but I think Olly originally pushes a dword (I'll check it later) and it fetches the length from an earlier ReadMemory() or ReadCommand() or Find Ref() code,
so

also, could you please assemble the code I posted above and check it too;
the first param length is 0x19 and the second param length is 0x5b
in my code.
also, if you are pushing a word then I would suggest you do an equivalent to this in Windows:
for i in $(seq 1 65540); do echo -n A >> test.txt; done (this in bash would create a file test.txt containing AAAAAAAAAAAAAAAA 65540 times)
I don't know if the Windows echo supports it; I think you have to write a bat file
with for and execute it to make this dummy file,
and then use the bintodb.exe in the masm package and use it to assemble the code.

put those dbs here
vulnstring db 65,65,65,65,65,65
db 65,65,65, for 65540 times, so that the length crosses the word barrier, so that we can deduce if such a long string will still work or not, as it is expected to work, or still crashes on other bugs or overflows

anyway, if you say the patch works fine with your modification on all targets,
I think it is still fine;
something is better than nothing.
thanks once again
  #6  
Old 01-26-2005, 03:51
goggles99
Update... I fixed the small but troublesome bug that Flagmax pointed out below (thanks). I also updated the patch with the fix.
here is my version...
What do you think???
Code:
JumpGate hex+asm
0043134C               E9 F3E20700    JMP OllyDbg.004AF644

pastable hex
E9 F3 E2 07 00



CodeCave hex+asm
004AF644               51             PUSH ECX
004AF645               50             PUSH EAX
004AF646               57             PUSH EDI
004AF647               8B7C24 0C      MOV EDI,DWORD PTR SS:[ESP+C]
004AF64B               8B4C24 14      MOV ECX,DWORD PTR SS:[ESP+14]
004AF64F               B8 25000000    MOV EAX,25
004AF654               F2:AE          REPNE SCAS BYTE PTR ES:[EDI]
004AF656               83F9 00        CMP ECX,0
004AF659               74 06          JE SHORT OllyDbg.004AF661
004AF65B               C647 FF 20     MOV BYTE PTR DS:[EDI-1],20
004AF65F              ^EB F3          JMP SHORT OllyDbg.004AF654
004AF661               5F             POP EDI
004AF662               58             POP EAX
004AF663               59             POP ECX
004AF664               83C4 10        ADD ESP,10
004AF667               3BC3           CMP EAX,EBX
004AF669              ^E9 E31CF8FF    JMP OllyDbg.00431351


pastable hex
51 50 57 8B 7C 24 0C 8B 4C 24 14 B8 25 00 00 00 F2 AE 83 F9 00 74 06 C6 47 FF 20 EB F3 5F 58 59
83 C4 10 3B C3 E9 E3 1C F8 FF
Attached Files
File Type: rar OllyPatch.rar (3.7 KB, 17 views)

Last edited by goggles99; 01-26-2005 at 16:02.
  #7  
Old 01-26-2005, 08:08
Flagmax
 
Wow, our patches are so alike it's scary hehe. I believe there is a small bug here
Code:
004AF659               74 07          JE SHORT OllyDbg.004AF662
It's jumping over a needed POP.
I really like that you're replacing all % with a space. Congrats!

Quote:
Originally Posted by goggles99
here is my version...
What do you think???
Code:
JumpGate hex+asm
0043134C               E9 F3E20700    JMP OllyDbg.004AF644

pastable hex
E9 F3 E2 07 00



CodeCave hex+asm
004AF644               51             PUSH ECX
004AF645               50             PUSH EAX
004AF646               57             PUSH EDI
004AF647               8B7C24 0C      MOV EDI,DWORD PTR SS:[ESP+C]
004AF64B               8B4C24 14      MOV ECX,DWORD PTR SS:[ESP+14]
004AF64F               B8 25000000    MOV EAX,25
004AF654               F2:AE          REPNE SCAS BYTE PTR ES:[EDI]
004AF656               83F9 00        CMP ECX,0
004AF659               74 07          JE SHORT OllyDbg.004AF662
004AF65B               C647 FF 20     MOV BYTE PTR DS:[EDI-1],20
004AF65F              ^EB F3          JMP SHORT OllyDbg.004AF654
004AF661               5F             POP EDI
004AF662               58             POP EAX
004AF663               59             POP ECX
004AF664               83C4 10        ADD ESP,10
004AF667               3BC3           CMP EAX,EBX
004AF669              ^E9 E31CF8FF    JMP OllyDbg.00431351


pastable hex
51 50 57 8B 7C 24 0C 8B 4C 24 14 B8 25 00 00 00 F2 AE 83 F9 00 74 07 C6 47 FF 20 EB F3 5F 58 59
83 C4 10 3B C3 E9 E3 1C F8 FF
  #8  
Old 01-26-2005, 07:42
Flagmax
 
OK, did more testing. The modified patch is still not working as it should. If you make a large message in OutputDebugString(), then the Readmemory will fail once again. So I searched in Olly some more and found a better place to insert a jump to the Check_Bad_Message routine. I made small changes to the routine.

First here is code from Olly with comments:
Code:
0043131E    BA 00010000     MOV EDX,100                          ; Set EDX to 256d
00431323    2B55 F4         SUB EDX,DWORD PTR SS:[EBP-C]         ; Subtract 14d from that which is Len("Debug String: ")
00431326    4A              DEC EDX                              ; Subtract 1 possible for terminating null char
00431327    3BDA            CMP EBX,EDX                          ; Compare Len(Message) to 241
00431329    7E 09           JLE SHORT OLLYDBG_.00431334          ; If Len(Message) is Less or Equal to 241, then its ok to be Read, So Jump
0043132B    BB 00010000     MOV EBX,100                          ; If it gets here, then the Message is to Long, Set EBX to 256d
00431330    2B5D F4         SUB EBX,DWORD PTR SS:[EBP-C]         ; Subtract 14d from that which is Len("Debug String: ")
00431333    4B              DEC EBX                              ; Subtract 1 possible for terminating null char
00431334    6A 03           PUSH 3
00431336    53              PUSH EBX                             ; At this point EBX is 241d or less, never More, Number of bytes to Read
00431337    A1 20574D00     MOV EAX,DWORD PTR DS:[4D5720]
0043133C    50              PUSH EAX                             ; EAX has the Address where the message is located in the Debugging Process
0043133D    8D95 98FDFFFF   LEA EDX,DWORD PTR SS:[EBP-268]       ; Load address to Buffer where it will Copy Message to
00431343    0355 F4         ADD EDX,DWORD PTR SS:[EBP-C]         ; Increment Buffer to skip over "Debug String: "
00431346    52              PUSH EDX                             ; Now EDX has the Start address where Message is Copied to
00431347    E8 C0FF0200     CALL OLLYDBG_._Readmemory            ; Copy the Message
0043134C    83C4 10         ADD ESP,10
0043134F    3BC3            CMP EAX,EBX                          ; Compare if Number byte Read match Number bytes should have Read
00431351    74 0A           JE SHORT OLLYDBG_.0043135D           ; Jump if Readmemory was Successful
00431353    B8 01000000     MOV EAX,1                            ; If Not Error out
So the new Jump location I found is here:
Code:
00431347   /E9 0AE30700     JMP OLLYDBG_.004AF656                ; Jump to Check_Bad_Message routine
Now for the Modified patch:
Code:
004AF656    E8 B11CFBFF     CALL OLLYDBG_._Readmemory            ; Read the Message from Debugging Process
004AF65B    60              PUSHAD                               ; Backup Registers
004AF65C    8BC8            MOV ECX,EAX                          ; Copy bytes Read to ECX
004AF65E    8B7C24 20       MOV EDI,DWORD PTR SS:[ESP+20]        ; Set EDI to Start of Message Read
004AF662    B8 25000000     MOV EAX,25                           ; Set EAX to 25 (% character)
004AF667    F2:AE           REPNE SCAS BYTE PTR ES:[EDI]         ; Search for 25 in Message
004AF669    83F9 00         CMP ECX,0                            ; Check if it reached End of Message
004AF66C    74 15           JE SHORT OLLYDBG_.004AF683           ; Jump if didn't find 25 in Message
004AF66E    8B7C24 20       MOV EDI,DWORD PTR SS:[ESP+20]        ; Set EDI to Start of Message Read
004AF672    C707 4578706C   MOV DWORD PTR DS:[EDI],6C707845      ; Place "Exploit" over Message in these MOV DWORD commands
004AF678    C747 04 6F69740>MOV DWORD PTR DS:[EDI+4],74696F
004AF67F    C647 08 00      MOV BYTE PTR DS:[EDI+8],0            ; Place terminating null character
004AF683    61              POPAD                                ; Restore Registers
004AF684  ^ E9 C31CF8FF     JMP OLLYDBG_.0043134C                ; Jump back to Normal flow of Olly
Basically Olly will not read anything more than 241 characters. So in the old patch it tried to read more than that and ReadProcessMemory fails for that reason.

In this final version, Readmemory reads the correct number of bytes. Then I search for 25 in the message. If found, I make the message say "Debug string: Exploit". You can actually see this message in Olly's status bar at the bottom. Well, I think this is the safest patch so far. I learned a lot here that will help me in the future.

Attached is the final patch that's in this post.
Attached Files
File Type: zip Ollydbg1.10_DebugString_patch_final.zip (3.8 KB, 35 views)
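The thread's fix comes down to three defensive steps: read the event's length field as the WORD it is (not a DWORD that drags in neighbouring junk), let Olly's 241-byte clamp run before the read and check that the read succeeded before scanning, and make sure no '%' in the copied message can ever reach a printf-style formatter. The following C program is an added example, not code from this thread or from OllyDbg. It assumes the layout of Windows' OUTPUT_DEBUG_STRING_INFO (a string pointer, a WORD fUnicode, then a WORD nDebugStringLength, which is why the length sits at offset 6, i.e. at [4D5720]+6 = [4D5726]), declares that layout locally so it builds without windows.h, and stands in for Readmemory with a copy from a constructed 4096-byte page; the record bytes (chosen so the DWORD read reproduces the 08560059 value seen above), the "%s" test string and the page are all constructed, and the DWORD decode assumes a little-endian host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Debugger-side record for an OUTPUT_DEBUG_STRING_EVENT, with fixed-width types so this
 * builds without windows.h. The length is a WORD at offset 6: six bytes past the string
 * pointer, which is what the patch's MOVZX EBX,WORD PTR DS:[4D5726] reads. */
typedef struct {
    uint32_t lpDebugStringData;   /* address of the string inside the debuggee */
    uint16_t fUnicode;
    uint16_t nDebugStringLength;  /* byte count, including the terminating NUL */
} dbg_string_info_t;

#define LINE_SIZE 256
#define PREFIX    "Debug string: "

/* Constructed sample: the 8-byte record followed by two junk bytes (0x56 0x08), so a
 * DWORD read at offset 6 gives 0x08560059 while the WORD is 0x0059 (little-endian). */
const uint8_t *sample_record(void) {
    static const uint8_t rec[10] = {
        0x70, 0xEF, 0x00, 0x01,   /* lpDebugStringData = 0100EF70 */
        0x00, 0x00,               /* fUnicode = 0 (ANSI) */
        0x59, 0x00,               /* nDebugStringLength = 0x59 = 89 */
        0x56, 0x08                /* whatever happens to follow the record */
    };
    return rec;
}

/* Constructed debuggee memory: one zero-filled page holding 44 "%s" specifiers plus
 * NUL (89 = 0x59 bytes) at its start; only this page counts as readable. */
const char *sample_debuggee_page(size_t *len) {
    static char page[4096];
    static const char s[] =
        "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
        "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
        "%s%s%s%s%s%s%s%s%s%s%s%s";
    memcpy(page, s, sizeof s);
    *len = sizeof page;
    return page;
}

/* Wrong: a DWORD read drags two neighbouring bytes into the high half. */
uint32_t length_as_dword(const uint8_t *rec) {
    uint32_t v;
    memcpy(&v, rec + offsetof(dbg_string_info_t, nDebugStringLength), sizeof v);
    return v;
}

/* Right: zero-extend the WORD, which is what MOVZX does. */
uint32_t length_as_word(const uint8_t *rec) {
    uint16_t v;
    memcpy(&v, rec + offsetof(dbg_string_info_t, nDebugStringLength), sizeof v);
    return v;
}

/* Olly's limit at 00431327..00431333: 256 minus the prefix minus the NUL = 241. */
size_t clamp_length(uint32_t requested) {
    size_t max = LINE_SIZE - strlen(PREFIX) - 1;
    return requested > max ? max : (size_t)requested;
}

/* Stand-in for Readmemory/ReadProcessMemory: the whole requested range must lie inside
 * the readable page and fit the buffer, otherwise nothing is copied and 0 is returned. */
size_t read_message(char *dst, size_t dstsz, const char *page, size_t pagelen, size_t want) {
    if (want == 0 || want > pagelen || want > dstsz) return 0;
    memcpy(dst, page, want);
    return want;
}

/* The code cave's REPNE SCAS loop in C: every '%' becomes ' ' so the copied message
 * can never act as a format string. Returns the number replaced. */
size_t neutralize_percent(char *msg, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len && msg[i] != '\0'; i++)
        if (msg[i] == '%') { msg[i] = ' '; n++; }
    return n;
}

/* One event end to end. use_word picks the WORD (1) or DWORD (0) length read; clamp
 * applies Olly's 241-byte limit before the read. Returns -1 when the read fails
 * (nothing is scanned in that case), else the number of '%' replaced. */
int handle_debug_string(const uint8_t *rec, const char *page, size_t pagelen,
                        int use_word, int clamp, char *line, size_t linesz) {
    uint32_t raw = use_word ? length_as_word(rec) : length_as_dword(rec);
    size_t want = clamp ? clamp_length(raw) : (size_t)raw;
    char buf[LINE_SIZE];
    size_t got = read_message(buf, sizeof buf, page, pagelen, want);
    if (got == 0) return -1;
    int n = (int)neutralize_percent(buf, got);
    snprintf(line, linesz, "%s%.*s", PREFIX, (int)got, buf);   /* message is data, never the format */
    return n;
}

int main(void) {
    size_t plen; char line[LINE_SIZE];
    const char *page = sample_debuggee_page(&plen);
    int dw = handle_debug_string(sample_record(), page, plen, 0, 0, line, sizeof line);
    int w  = handle_debug_string(sample_record(), page, plen, 1, 1, line, sizeof line);
    printf("DWORD, no clamp: %d (read failed)\nWORD + clamp: %d replaced -> \"%s\"\n", dw, w, line);
    return 0;
}
```

With the DWORD length and no clamp the stand-in read fails exactly as ReadProcessMemory did for the 08560059-byte request, and the function returns before anything is scanned; with the WORD length, or with the clamp in front of the read as in the final patch placement, 89 or 241 bytes are copied, all 44 '%' characters are blanked, and the status line is built with the message passed as an argument to "%s" rather than as the format itself.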