Armadillo crashes Olly
 

Hi all,

Maybe this is old news but I think it might help the new guys as it helped me.

As some of us know, Armadillo uses OutputDebugStringA() which sends a badly formatted message causing Ollydbg to crash. Perhaps this will be taking care of in the next version of Olly but until then here is what I got to share.

First here is the code where Olly crashes
So at the location of the Call that kills Olly I make it Call my "Check for bad message function" that I placed in the EXE"
Now here is my Function
I placed it here because it looks like Olly don't use this space for anything, padded zero's. If you haven't noticed it, this is my second version of patcher. At first I only compared for the known bad message "%s%s%s..." that Armadillo makes but it can be varied slightly like "%shehe%s..." or "%schad%rules..." which will also Kill Olly so I decided to stop all messages from this API. Now I search for "Debu" and if found, replace with "Debug string: OK" which Olly has no probs with. This is message you see in Olly. Be advised that this fix pretty much disables this API but as long as we can unpack Armadillo we're happy ;)

Since I have 10+ post I can now thank people :D

Big thanks goes to gabri3l who was able to find the cause of crash. Also to diablo2oo2 for his Universal Patcher (dUP) that I used and Author of Ollydbg.
And everyone in this thread hxxp://www.woodmann.com/forum/showthread.php?t=6153

I hope somr people will learn from this,
Have a great day,
Flagmax.

well i saw a crackme that was crashing ollydbg this way

the crakme is here
http://biw.rult.at/vbb/upload/showthread.php?threadid=1042

so i kinda modified ollydbg to prevent it from crashing

the above is my code what i did was to parse the string any string that conmes to this place for % specifier if it existed it will not output that string
if it didnt exist it will output that string

hope it may be of help to some one can some one test this on armadillo and tell me whether it works properly i know it works on this crackme
ollydbg version 1.10
tested on w2k sp4
any other test reports on different os are also appreciated

really nice patch :) working on Windows XP Professional SP2.
will pack this patched OllyDbg.exe in my zip.
but does anyone know why olly crashes at this message?

As Flagmax said: hxxp://www.woodmann.com/forum/showthread.php?t=6153
A patch to OllyDbg is good, but we have many patches for OllyDbg. One for hide OllyDbg with Toolhelp API, one for protect OllyDbg with OutputDebugString (and will have another patch ...?) Can we write a plugin to apply the patch automatically to OllyDbg when OllyDbg start ? Can we use AppInit key ?
Regards

According to CERT this is a security flaw that was found in late July, 2004

http://www.us-cert.gov/cas/bulletins/SB04-217.html

<-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=->

Vendor & Software Name : OllyDbg version 1.10

Vulnerability - Impact : Denial of Service vulnerability exists that could allow an attacker to crash OllyDbg and execute machine code. This vulnerability is due to a format string bug in the code that handles Debugger Messages.

Patches - Workarounds : No solution is available at this time.

Attacks Scripts : A working exploit has been published.

Common Name : OllyDbg Format String Bug

Risk : High

Source : SecuriTeam, July 20, 2004

<-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=->

So it was a published exploit after the final release of 1.10, which was released June 11, 2004

Hopefully its fixed in 2.x

Peace...

it seems u can try to kill all "%" char...

Hi JuneMouse,

That some advanced patch you got :) Looks like you don't like 25 (%) hehe :p Reason I say that is it looks to me you're searching on the stack through 139853913 bytes to find it. If Any 25 found, the you take drastic majors ;) I don't think it actually finds that bad %s%s%s... but some other 25 could be of an address or something else. But it does the job :)

I ran that crackme and it sure does use same string format vulnerability as does Armadillo. Wish it was more unique like %sBad%sC%Bad%s though. I tried your patch and it works with Armadillo just fine. Oh and my patch works with that Crackme ;)

MaRKuS-DJM:
Very good article here about the cause. hxxp://www.cs.ucsb.edu/~jzhou/security/formats-teso.html

TQN:
Where are the other patchers? I want them all :D

deXep:
That is what I kinda do, but you only need to kill the first %s for it to work. Olly copies the string until it reaches two null charecters 00,00 then it stops. So no reason to kill all of them. Actually it has no problems with % at all, you can put as many you like, its the %s folowed by another %s that causes chaos. %s is is used in 'C' programming language to handle Strings.


NOTE: The patch will make a backup of your Ollydbg.exe into Ollydbg.bak but as soon as you start Ollydbg it will overwrite this file with its own so its best that you rename or backup yourself if you ever decide you don't like the patch.

the ROOT cause of this problem is that olly must be using a *printf* function and supply the debug string as the FORMAT parameter. while it should supply "%s" as the format parameter and the debug string as additional param. so maybe somene with a little bit of free time can find this place in olly and patch it.

well oleh is using Message(debugstring);
instead of Message(%s,debugstring);
to sprintf() before his addtolist()
i didnt look into it deep i was satisfied when the crackme stopped crashing ollydbg :)
but
Flagmax why do you say it looks at so much bytes there is a parameter number of bytes to read that is passed to Readmemory() it gets filled up before i call it


the read memory reads only that much bytes and as far as i noticed it sets the nullterminator too i think after it uses ReadProcessMemory() api

and i use that same value for repnesacsb
can you tell me if you single stepped through and tell me if that length value was initialised or not
any way thanks for making it into a usable patch :) (i didnto try it coz i cant download) but hope you made it good :)
and thanks to markus for trying it out on xp-sp2 and liking it :)

the othere patches that TQN refers is in rce forum posted by shub-Nigurrath
it is about changing the ollydbg class string and window text so that it can evade the crop of FindWindow() Coders

can we have a patch that does all the work?? applying different patches could cause problem or maybe an additional bug on Olly :D

Regards

JuneMouse:

I am no expert but here is what I came up with.

Your patch behaves differently with Armadillo, it actually would fail.

It seems in works great with BrainCell and Python24, but with Armadillo its another story.

Below is the Case with Armadillo.

Inside this call:
004AF654 E8 B31CFBFF CALL OLLYDBG_._Readmemory
Olly uses ReadProcessMemory() to Read the chunk of memory.
...
0046142B E8 3EDD0400 CALL <JMP.&KERNEL32.ReadProcessMemory>
The ReadProcessMemory() is setup with the parameters below. So you see it tries to Read 8560059h bytes
from 0100EF70h to 0012F340h.
But my findings is it Fails on Reading the memory. It is possible because VirtualProtect is not setup
correctly or maybe hProcess is wrong. So you have a good idea but it is not accomplished in this case.

Then we get to your Search routine.
REPNE SCAS uses the same parameters as ReadProcessMemory. This is where it Scans so many bytes, Buffer at 0012F340h and
length is 8560059h. You can press F7 at 004AF665h and see it Scan and ECX decreasing.
Now since Readmemory FAILED, you are searching who knows what, the Debug Message is no where in this buffer.

In my case it found 25h at 0012FB9Ah and look whats that 25h part of:
0012FB98 |7C92 25 38 UNICODE "kernel32.dll"

So you see the problem is with ReadProcessMemory(). So I believe if the buffer(Stack) didn't have this or other 25 then
your patch would not work with Armadillo.

Maybe someone can verify this.
Steps:
1. Open First Ollydbg
2. Now Open Second Olly that been patched with JuneMouse from within First Olly
3. Place a breakpoint at 004AF654, you should see CALL OLLYDBG_._Readmemory there.
4. Now Press F9 and you should see Second Olly in Taskbar.
5. Switch to Second Olly and Open then Run some Armadillo target that uses OutputDebugStringA()
6. Shortly First Olly should Break at 004AF654.
7. Now Press F7 to go into that Call and Scroll down to 0046142B: E8 3EDD0400 - CALL <JMP.&KERNEL32.ReadProcessMemory>
8. Place a Breakpoint there and press F9, once it stops here press F8 and look at the EAX, if it 0, then the Read Failed, 1 = Successful.

FlagMax
well if it failed in ReadProcessMemory() then probably this patch can be modified
to test for the Result and take Appropriate action as i said i did not look
deep into it and didnot test it wtih any other application apart from that
crackme and some masm code i cooked up for testing it :)

but could youtell me the arguments that are passed here
regarding hProcess you can open view handles window and look at the handle
details (expand the columns to make visible hidden details)
Handles, item 63
Handle=00000100
Type=Process
Refs= 8.
Access=0002047B READ_CONTROL|QUERY_STATE|MODIFY_STATE|478
T=*

or use processexplorernt from sysinternals and corelate them
like this
Process formatprob.exe(480) 0x100 0x0002047B

hope you can provide some more deatils so that this can be made properly :)
any way thanks for feedback

This is the arguments I get when running Armadillo target. As you can see the length is really large and its the same in two times Armadillo call OutputDebugString(). So I think they key is to find out where and why this number is not set to the actual message length.

0012DA60 004AF659 RETURN to OLLYDBG_.004AF659 from OLLYDBG_._Readmemory
0012DA64 0012F340
0012DA68 0100EF70
0012DA6C 08560059
0012DA70 00000003

Problem Solved...
 

Hi JuneMouse,

I did more tracing and found the root cause of the problem. It seems in this Armadillo, the address that holds the length of message also gets filled up with some junk. And in your patch you are Pushing DWORD to the stack. Instead you need to push just a WORD. The Code here shows the proper way:
Oh so here is a minor fix that I made. Now I believe its 100% working.

does this address hold the debugstring that is passed from armadillo
use follow in dump or use ctrl+g and type the address and go there and look
if yes does the length match to the word ptr in that is it 0x59 bytes long string ???
if the above is valid then i would assume pushing the word ptr content is acceptable

but i think olly originally pushes dword (ill check it later) and it fetches the length from an earlier ReadMemory() or ReadCommand() or Find Ref() code
so :(

also could you please assemble the code i posted above and check it too
the first param length is 0x 19 and the second param length is 0x 5b
in my code
also if youare pushing word then i would suggest you to do an equivalent to this in windows
for i in `seq 1 65540`; echo -n A >> test.txt (this in bash would create a file test.txt containing AAAAAAAAAAAAAAAA 65540 times
i dont know if windows echo supports it i think you have to write a bat file
with for and execute it to make this dummy file :)
and then use the bintodb.exe in the masm package and use it to assemble the code

put those dbs here
vulnstring db "65,65,65,65,65,65
db "65,65,65, for 65540 times so that the length crosses the word barrier :) so that we can deduce if such a long string will still work or not :) as it is expected to work or still crashes on other bugs or overflows

any way if you say the patch works fine with your modification on all targets
it think it is still fine :)
some thing is better than nothing :)
thanks once again