01-22-2005, 09:20
Flagmax
 
Armadillo crashes Olly

Hi all,

Maybe this is old news but I think it might help the new guys as it helped me.

As some of us know, Armadillo uses OutputDebugStringA() which sends a badly formatted message causing Ollydbg to crash. Perhaps this will be taken care of in the next version of Olly but until then here is what I got to share.

First here is the code where Olly crashes
Code:
0042E125    8B45 0C               MOV EAX,DWORD PTR SS:[EBP+C]             ; Moves Address where deadly msg is to EAX
0042E128    50                    PUSH EAX                                 ; Push this address on Stack
0042E129    8D95 FCEDFFFF         LEA EDX,DWORD PTR SS:[EBP-1204]
0042E12F    52                    PUSH EDX
0042E130    E8 1F8B0700           CALL OLLYDBG.004A6C54                    ; Inside this call is where Olly dies
So at the location of the Call that kills Olly I make it Call my "Check for bad message function" that I placed in the EXE:
Code:
0042E130    E8 9193FEFF           CALL OLLYDBG.004174C6                    ; Now Call my routine to Fix deadly msg
Now here is my Function
Code:
004174C6    8138 44656275         CMP DWORD PTR DS:[EAX],75626544          ; Check if it's the deadly message "Debug string: %s%s%s%s%s%s%s%s%s%s%s%..."
004174CC    75 07                 JNZ SHORT OLLYDBG.004174D5               ; If it's not, Jump Over Fix
004174CE    C740 0E 4F4B0000      MOV DWORD PTR DS:[EAX+E],4B4F            ; Fix by making message say "Debug string: OK"
004174D5    E9 7AF70800           JMP OLLYDBG.004A6C54                     ; Jump to the location where the original Call goes
I placed it here because it looks like Olly doesn't use this space for anything, padded zeros. If you haven't noticed it, this is my second version of patcher. At first I only compared for the known bad message "%s%s%s..." that Armadillo makes but it can be varied slightly like "%shehe%s..." or "%schad%rules..." which will also kill Olly, so I decided to stop all messages from this API. Now I search for "Debu" and if found, replace with "Debug string: OK" which Olly has no probs with. This is the message you see in Olly. Be advised that this fix pretty much disables this API but as long as we can unpack Armadillo we're happy.

Since I have 10+ posts I can now thank people

Big thanks go to gabri3l who was able to find the cause of the crash. Also to diablo2oo2 for his Universal Patcher (dUP) that I used and the author of Ollydbg.
And everyone in this thread hxxp://www.woodmann.com/forum/showthread.php?t=6153

I hope some people will learn from this,
Have a great day,
Flagmax.
Attached Files
File Type: rar Ollydbg1.10patch1.2.rar (3.5 KB, 52 views)
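The bug class behind the post above, as an added C example (not OllyDbg's or the poster's code; every function name here is hypothetical). It assumes, as the listing suggests, that the debuggee's text ends up as the format of a printf-style routine, and shows the two ways to keep the message instead of discarding it: pass it as an argument to a fixed `%s`, or double every `%` when the consumer can only take it as the format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a consumer that treats its input as a format. */
int legacy_format(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Count conversion specifiers in untrusted text ("%%" is a literal percent). */
size_t count_conversions(const char *s) {
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Copy src to dst, doubling each '%' so a format consumer prints it literally.
   Returns 0 on success, -1 (dst set to "") if dst is too small. */
int escape_percent(const char *src, char *dst, size_t dstlen) {
    size_t o = 0;
    if (dstlen == 0) return -1;
    for (; *src; src++) {
        size_t need = (*src == '%') ? 2 : 1;
        if (o + need >= dstlen) { dst[0] = '\0'; return -1; }
        if (*src == '%') dst[o++] = '%';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return 0;
}

/* Preferred fix: untrusted text is only ever an argument, never the format. */
int format_log_line(char *out, size_t n, const char *untrusted) {
    return snprintf(out, n, "Debug string: %s", untrusted);
}
```

Unlike the "Debu" check in the post, either approach keeps the debug message readable in the log.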