FlagMax
Well, if it failed in ReadProcessMemory() then this patch can probably be modified
to test for the result and take appropriate action. As I said, I did not look
deep into it and did not test it with any other application apart from that
crackme and some MASM code I cooked up for testing it.
Code:
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
.data
; plain string, sent first
MsgBoxText db "Win32 Assembly is Great!",0
; one NUL-terminated string made up of %s format specifiers
vulnstring db "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
           db "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
           db "%s%s%s%s%s%s%s%s%s%s%s%s ",0
.code
start:
    ; send both strings to the attached debugger
    invoke OutputDebugString,addr MsgBoxText
    invoke OutputDebugString,addr vulnstring
    invoke ExitProcess,NULL
end start
But could you tell me the arguments that are passed here?
Code:
004AF654 . E8 B31CFBFF CALL OLLYDBGm._Readmemory ; what else reading
like this
0012DA60 004AF659 RETURN to OLLYDBGm.004AF659 from OLLYDBGm._Readmemory
0012DA64 0012F340
0012DA68 00403000 OLLYDBGm.00403000
0012DA6C 00000019
0012DA70 00000003
This is from the test code I posted above, assembled in qeditor and using hutch MASM
buildall in project.
The exact Readmemory stack details:
0012CC20 00461430 /CALL to ReadProcessMemory from OLLYDBGm.0046142B
0012CC24 00000100 |hProcess = 00000100 (window)
0012CC28 00403000 |pBaseAddress = 403000
0012CC2C 0012F340 |Buffer = 0012F340
0012CC30 00000019 |BytesToRead = 19 (25.)
0012CC34 00000000 \pBytesRead = NULL
Quote:
It is possible because VirtualProtect is not setup
correctly or maybe hProcess is wrong
Regarding hProcess, you can open the view handles window and look at the handle
details (expand the columns to make hidden details visible):
Handles, item 63
Handle=00000100
Type=Process
Refs= 8.
Access=0002047B READ_CONTROL|QUERY_STATE|MODIFY_STATE|478
T=*
Or use processexplorernt from Sysinternals and correlate them,
like this:
Process formatprob.exe(480) 0x100 0x0002047B
Hope you can provide some more details so that this can be made properly.

Anyway, thanks for the feedback.