flat assembler
Message board for the users of flat assembler.

Index > Heap > Ollydbg bug

LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
Hey wait a minute, it's not an OllyDbg bug, it's a Borland bug!! According to the FLIRT engine of the last freeware version of IDAPro, the buggy function is __fuistq

IDAPro wrote:

Plan FLIRT signature: BCC v4.x/5.x & Builder v1.0/v6.0 win32 runtime
Plan FLIRT signature: Borland Visual Component Library & Packages
Using FLIRT signature: BCC v4.x/5.x & Builder v1.0/v6.0 win32 runtime
Using FLIRT signature: Borland Visual Component Library & Packages

The reference graph to the buggy code:
[image: reference graph of the buggy code]

Well, now report to Borland too.

[edit] Maybe it isn't Borland's fault, because it is the programmer who is requesting such exceptions... [/edit]
Post 12 Sep 2006, 16:59
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
I still don't get it... which part causes the bug?
Post 13 Sep 2006, 06:21
LocoDelAssembly
In the graph, __fuistq; and inside __fuistq, FISTP generates one of the IE or PE exceptions.

I will try to analyse this further because I'm suspecting that FISTP is executed very few times and that's why Olly has survived so long (check the code where there is a CMP checking the exponent).
Post 13 Sep 2006, 14:23
vid
I meant: how to reproduce the bug, let's say in C source?
Post 13 Sep 2006, 17:18
Vasilev Vjacheslav



Joined: 11 Aug 2004
Posts: 392
vid, by using inline assembler in C
Post 13 Sep 2006, 18:33
LocoDelAssembly
If you want to get the same error you can try http://board.flatassembler.net/topic.php?p=43921#43921 but I don't know how to produce the same error in C (because I don't know how to enable FPU exceptions without _ASM{)

I haven't explored the disassembly in depth yet; the graph shows that __fuistq is referenced by two pointers on top but doesn't show who accesses both pointers, so I need to find the references to the pointers, because if there are none then it's dead code (which is not true). Unfortunately I have no time for this.
Post 13 Sep 2006, 19:11
Reverend



Joined: 24 Aug 2004
Posts: 408
Location: Poland
Here is an anti-Olly trick using this method.
Code:
        ...
i_am_being_debugged__crash_olly:
        mov     word [$+9], 9090h       ; this mov is 9 bytes, so $+9 is the jmp below; it becomes two nops
        jmp     $+18                    ; skips the 6-byte fld and the 10-byte constant (2+6+10 = 18)

        fld     tbyte [$+6]             ; fld tbyte [disp32] is 6 bytes, so $+6 is the constant
        dt      9223372036854775807.5   ; 2^63 - 0.5, encoded FF FF FF FF FF FF FF FF 3D 40
        ...
The whole program analyzes correctly, as the bug-causing code is after an unconditional jump. When you find out that you're being debugged (via IsDebuggerPresent or other methods), just jump to this code. After self-modifying the jump, Olly will analyze the next region automatically and so will crash.
Post 17 Sep 2006, 20:31
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17270
Location: In your JS exploiting you and your system
Reverend: It does not matter if the fld is executed or not. What matters is that the fld exists in the disassembly portion of the window in Ollydbg. Having the jmp $+18 is not necessary at all. This also works:
Code:
proc abc, foo, bar
 ;...
 ret
endp
fld tbyte[$+6]
dt 9223372036854775807.5    

The important point is to have Ollydbg attempt to disassemble the fld instruction.

As for the more general point about using this as code protection, remember that there are many other debuggers out there and Ollydbg is only one of them. It is also easy to overcome by patching Ollydbg.
Post 18 Sep 2006, 03:52
LocoDelAssembly
And note that it's enough to set one FPU register to that magic value too. Anything that makes Olly curious about float values is enough to crash Olly.
Post 18 Sep 2006, 04:14
vid
thanks guys
Post 18 Sep 2006, 08:16
Reverend
I guess you misunderstood me.

My code DOES NOT crash Olly in the beginning. It does it only when the "mov word [$+9], 9090h" is executed. My piece of code is supposed to kill Olly at a moment you choose.
When someone debugs your program via olly, he will not have any problems with crashing unless you let that code execute. That's the point.
Post 19 Sep 2006, 17:34
revolution
Reverend wrote:
My code DOES NOT crash olly in the beginning.
Okay, if you say so, maybe you have a different version of Olly? Because my version will crash immediately before executing anything.
Code:
include 'win32ax.inc'

start:

i_am_being_debugged__crash_olly:
        mov     word [$+9], 9090h
        jmp     $+18

        fld     tbyte [$+6]
        dt      9223372036854775807.5

.end    start

Perhaps you can test this on your system and let us know the results and what version of Olly you are using?
Post 19 Sep 2006, 18:05
Reverend
I have OllyDbg v1.10d. My test source:
Code:
        format PE GUI

        mov     word [$+9], 9090h
        jmp     $+18

        fld     tbyte [$+6]
        dt      9223372036854775807.5    
After loading Olly shows (without crashing):
Code:
00401000 > $  66:C705 09104000 9090   mov     [word 401009], 9090
00401009   .  EB 10                   jmp     short PEDEMO.0040101B
0040100B      DB                      db      DB
0040100C      2D                      db      2D                               ;  CHAR '-'
0040100D      11104000                dd      PEDEMO.00401011
00401011      FF                      db      FF
00401012      FF                      db      FF
00401013      FF                      db      FF
00401014      FF                      db      FF
00401015      FF                      db      FF
00401016      FF                      db      FF
00401017      FF                      db      FF
00401018      FF                      db      FF
00401019      3D                      db      3D                               ;  CHAR '='
0040101A   .  40                      inc     eax    
After F8 (step over) twice, debugger crashes.
Post 20 Sep 2006, 19:37
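Added here by the editor, not code from this thread, from OllyDbg or from Borland: a Python triage helper that decodes the 10-byte constant visible in the listing above (FF×8, 3D, 40 at 00401011) and predicts whether converting it with FISTP to a 64-bit integer, the __fuistq path LocoDelAssembly identified, would raise the invalid-operation (IE) or precision (PE) exception. It then scans a flat memory image for `fld tbyte [disp32]` (opcode DB 2D, as at 0040100B above) and classifies every constant such an instruction references. The sample image is constructed from Reverend's listing plus a harmless 1.0 constant for contrast. Two assumptions are mine, not the thread's: that the conversion target is a signed 64-bit integer under the default round-to-nearest-even mode (inferred from the __fuistq name), and that the disp32 operand form is the only one worth matching; the scanner does not cover register-based addressing or the "preload an FPU register" variant LocoDelAssembly mentions.

```python
"""Triage helper: decode x87 tbyte constants and predict whether FISTP to a
64-bit integer would raise #IA (invalid) or #P (precision).  Constructed
example for this thread, not OllyDbg's or Borland's code."""
from fractions import Fraction

BIAS = 16383                      # exponent bias of the 80-bit extended format
INT64_MIN, INT64_MAX = -(1 << 63), (1 << 63) - 1
FLD_M80_DISP32 = b"\xdb\x2d"      # fld tbyte [disp32]: opcode DB /5, modrm 2D


def decode_tbyte(raw: bytes):
    """Decode a little-endian 10-byte x87 extended value.

    Returns ('nan', None), ('inf', sign) or ('finite', Fraction).  Fractions
    keep the 64-bit mantissa exact, which a Python float could not."""
    if len(raw) != 10:
        raise ValueError("tbyte must be exactly 10 bytes")
    mantissa = int.from_bytes(raw[:8], "little")   # explicit integer bit is bit 63
    se = int.from_bytes(raw[8:], "little")         # sign + 15-bit biased exponent
    sign = -1 if se & 0x8000 else 1
    exponent = se & 0x7FFF
    if exponent == 0x7FFF:
        # infinity has exactly the integer bit set; every other pattern is a NaN
        return ("inf", sign) if mantissa == (1 << 63) else ("nan", None)
    if exponent == 0:
        exponent = 1   # denormals use the minimum exponent with the integer bit clear
    return ("finite", sign * Fraction(mantissa) * Fraction(2) ** (exponent - BIAS - 63))


def classify_fistp64(raw: bytes) -> str:
    """Predict FISTP m64int under round-to-nearest-even (assumed default mode):
    'invalid' -> #IA (NaN, infinity, or rounded result outside int64 range),
    'inexact' -> #P  (a fractional part was discarded),
    'exact'   -> no exception."""
    kind, value = decode_tbyte(raw)
    if kind != "finite":
        return "invalid"
    rounded = round(value)            # Fraction.__round__ rounds half to even
    if rounded < INT64_MIN or rounded > INT64_MAX:
        return "invalid"
    return "exact" if rounded == value else "inexact"


def find_fld_tbyte_constants(image: bytes, base: int):
    """Locate 'fld tbyte [disp32]' instructions whose operand lies inside
    `image` (a flat copy of memory starting at virtual address `base`) and
    classify the constant each one loads."""
    hits = []
    i = image.find(FLD_M80_DISP32)
    while i != -1:
        if i + 6 <= len(image):
            target = int.from_bytes(image[i + 2:i + 6], "little")
            off = target - base
            if 0 <= off <= len(image) - 10:
                raw = image[off:off + 10]
                hits.append({"insn_va": base + i, "operand_va": target,
                             "tbyte": raw.hex(), "fistp64": classify_fistp64(raw)})
        i = image.find(FLD_M80_DISP32, i + 1)
    return hits


# Constructed image mirroring the listing in this thread (code at 0x401000),
# followed by a second, harmless constant (1.0) for contrast.
SAMPLE_BASE = 0x401000
SAMPLE_IMAGE = (
    b"\x66\xc7\x05\x09\x10\x40\x00\x90\x90"   # 401000: mov word [401009], 9090h
    + b"\xeb\x10"                             # 401009: jmp short 40101B
    + b"\xdb\x2d\x11\x10\x40\x00"             # 40100B: fld tbyte [401011]
    + b"\xff" * 8 + b"\x3d\x40"               # 401011: dt 9223372036854775807.5
    + b"\xc3"                                 # 40101B: ret (constructed filler)
    + b"\xdb\x2d\x22\x10\x40\x00"             # 40101C: fld tbyte [401022]
    + b"\x00" * 7 + b"\x80\xff\x3f"           # 401022: dt 1.0
)

if __name__ == "__main__":
    for hit in find_fld_tbyte_constants(SAMPLE_IMAGE, SAMPLE_BASE):
        print(f"{hit['insn_va']:08X}: fld tbyte [{hit['operand_va']:08X}] "
              f"= {hit['tbyte']}  -> FISTP qword: {hit['fistp64']}")
```

The constant at 00401011 decodes to 2^63 - 0.5; round-to-nearest-even pushes it to 2^63, one past INT64_MAX, which is the invalid-operation case, while 1.0 converts exactly. Run over a dumped code section this lets an analyst locate such constants without stepping the sample in a debugger that dies on them.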
revolution
Reverend wrote:
After loading Olly shows (without crashing): ...
I can think of two possible reasons for the different results. A flag/setting on Ollydbg or a difference in processor behaviour.

I have just now tried changing a few different settings in the options of Ollydbg, but I still get instant crashing. For the other option, my processor is a Pentium M 1300 Banias and I also tested a Pentium M 1500 Dothan; both give the same results.

The "out of the box" settings of Ollydbg give instant crashing; perhaps Reverend has changed a setting that stops this problem?
Post 21 Sep 2006, 05:33
Reverend
In my 'Debugging options', 'Analysis 1' (and 2, 3) I have every checkbox checked. Only 'Unknown functions preserve EBX, ESI and EDI' is unchecked. In 'Analysis 1' 'Procedure recognition' is set to 'Heuristical'. In 'Analysis 2' 'Trace contents of registers' is set to 'In linear sequences'.

Maybe try deleting the .udd file corresponding to the crashing program first.
Post 21 Sep 2006, 19:18
LocoDelAssembly
Fixed in OllyDbg 2.
Post 12 Oct 2007, 05:01
Copyright © 1999-2020, Tomasz Grysztar.