Hi JuneMouse,
I did more tracing and found the root cause of the problem. It seems in this Armadillo, the address that holds the length of the message also gets filled up with some junk. And in your patch you are pushing a DWORD to the stack. Instead you need to push just a WORD. The code here shows the proper way:
Code:
00431294 0FB71D 26574D00 MOVZX EBX,WORD PTR DS:[4D5726] ; Copies just a WORD
...
00431336 53 PUSH EBX ; Push Length to Stack
00431337 A1 20574D00 MOV EAX,DWORD PTR DS:[4D5720]
0043133C 50 PUSH EAX
0043133D 8D95 98FDFFFF LEA EDX,DWORD PTR SS:[EBP-268]
00431343 0355 F4 ADD EDX,DWORD PTR SS:[EBP-C]
00431346 52 PUSH EDX
00431347 E8 C0FF0200 CALL OLLYDBG_._Readmemory ; Read a Chunk of Memory
Oh, so here is a minor fix that I made. Now I believe it's 100% working.
Code:
004AF644 60 PUSHAD
004AF645 6A 03 PUSH 3
004AF647 0FB71D 26574D00 MOVZX EBX,WORD PTR DS:[4D5726] ; Copies a WORD from 4D5726h and strips the rest junk
004AF64E 53 PUSH EBX ; Now Push the correct Length of Message to Stack
004AF64F FF35 20574D00 PUSH DWORD PTR DS:[4D5720]
004AF655 52 PUSH EDX
004AF656 E8 B11CFBFF CALL OLLYDBG_._Readmemory
004AF65B B8 25000000 MOV EAX,25
004AF660 8B3C24 MOV EDI,DWORD PTR SS:[ESP]
004AF663 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8]
004AF667 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004AF669 83F9 00 CMP ECX,0
004AF66C 75 0E JNZ SHORT OLLYDBG_.004AF67C
004AF66E 83C4 10 ADD ESP,10
004AF671 61 POPAD
004AF672 E8 B575FFFF CALL OLLYDBG_.004A6C2C
004AF677 ^ E9 121CF8FF JMP OLLYDBG_.0043128E
004AF67C 83C4 10 ADD ESP,10
004AF67F 61 POPAD
004AF680 83C4 08 ADD ESP,8
004AF683 ^ E9 CB1CF8FF JMP OLLYDBG_.00431353
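The two reads the post contrasts (a DWORD at 4D5726 picking up junk versus MOVZX of a WORD) and the REPNE SCASB scan for 0x25 ('%') that follows, modelled in C as an added example; this is not code from the post or from OllyDbg. The struct layout (32-bit address at +0, two WORD fields at +4 and +6, unrelated data at +8) is an assumption derived from the addresses in the listing, and the sample message and junk value are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed layout of the block the listing reads from (4D5720 = string
 * address, 4D5726 = WORD length, 4D5728 = next field in memory). */
typedef struct {
    uint32_t data_addr;   /* 4D5720: address of the message text */
    uint16_t flags;       /* 4D5724 */
    uint16_t length;      /* 4D5726: message length, only 16 bits wide */
    uint32_t next_field;  /* 4D5728: unrelated data ("junk" for our purpose) */
} debug_string_info;

_Static_assert(offsetof(debug_string_info, length) == 6, "length must sit at +6");

/* Build a constructed sample block; 'junk' stands in for whatever happens
 * to follow the length field in memory. */
debug_string_info sample_info(uint16_t len, uint32_t junk) {
    debug_string_info info = { 0x00400000u, 0, len, junk };
    return info;
}

/* The buggy read: a DWORD load at +6 pulls two bytes of the next field into
 * the upper half of the length, so the value is wrong whenever junk != 0. */
uint32_t length_as_dword(debug_string_info info) {
    uint32_t v;
    memcpy(&v, (const uint8_t *)&info + offsetof(debug_string_info, length), sizeof v);
    return v;
}

/* The fixed read (MOVZX EBX, WORD PTR): zero-extend the 16-bit length. */
uint32_t length_as_word(debug_string_info info) {
    return info.length;
}

/* Mirror of MOV EAX,25 / REPNE SCASB with ECX = length: scan exactly 'len'
 * bytes for '%'. The scan is bounded, so bytes past the message are ignored. */
int contains_percent(const char *msg, uint32_t len) {
    return memchr(msg, 0x25, len) != NULL;
}

/* The whole check as the patched code performs it: take the WORD length,
 * look at that many bytes of the message, and report whether '%' occurs. */
int message_has_percent(const char *msg, debug_string_info info) {
    return contains_percent(msg, length_as_word(info));
}
```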