Exetools
#16
01-26-2005, 03:51
goggles99
Update... I fixed the small but troublesome bug that Flagmax pointed out below (thanks). I also updated the patch with the fix.
Here is my version...
What do you think?
Code:
JumpGate hex+asm
0043134C               E9 F3E20700    JMP OllyDbg.004AF644

pastable hex
E9 F3 E2 07 00



CodeCave hex+asm
004AF644               51             PUSH ECX
004AF645               50             PUSH EAX
004AF646               57             PUSH EDI
004AF647               8B7C24 0C      MOV EDI,DWORD PTR SS:[ESP+C]
004AF64B               8B4C24 14      MOV ECX,DWORD PTR SS:[ESP+14]
004AF64F               B8 25000000    MOV EAX,25
004AF654               F2:AE          REPNE SCAS BYTE PTR ES:[EDI]
004AF656               83F9 00        CMP ECX,0
004AF659               74 06          JE SHORT OllyDbg.004AF661
004AF65B               C647 FF 20     MOV BYTE PTR DS:[EDI-1],20
004AF65F              ^EB F3          JMP SHORT OllyDbg.004AF654
004AF661               5F             POP EDI
004AF662               58             POP EAX
004AF663               59             POP ECX
004AF664               83C4 10        ADD ESP,10
004AF667               3BC3           CMP EAX,EBX
004AF669              ^E9 E31CF8FF    JMP OllyDbg.00431351


pastable hex
51 50 57 8B 7C 24 0C 8B 4C 24 14 B8 25 00 00 00 F2 AE 83 F9 00 74 06 C6 47 FF 20 EB F3 5F 58 59
83 C4 10 3B C3 E9 E3 1C F8 FF
Attached file: OllyPatch.rar (3.7 KB)

Last edited by goggles99; 01-26-2005 at 16:02.
#17
01-26-2005, 07:42
Flagmax
OK, did more testing. The modified patch is still not working as it should. If you make a large message in OutputDebugString(), then Readmemory will fail once again. So I searched in Olly some more and found a better place to insert a jump to the Check_Bad_Message routine. I made small changes to the routine.

First here is code from Olly with comments:
Code:
0043131E    BA 00010000     MOV EDX,100                          ; Set EDX to 256d
00431323    2B55 F4         SUB EDX,DWORD PTR SS:[EBP-C]         ; Subtract 14d from that, which is Len("Debug String: ")
00431326    4A              DEC EDX                              ; Subtract 1 more for the terminating null char
00431327    3BDA            CMP EBX,EDX                          ; Compare Len(Message) to 241
00431329    7E 09           JLE SHORT OLLYDBG_.00431334          ; If Len(Message) is less than or equal to 241, then it's OK to be read, so jump
0043132B    BB 00010000     MOV EBX,100                          ; If it gets here, then the Message is too long; set EBX to 256d
00431330    2B5D F4         SUB EBX,DWORD PTR SS:[EBP-C]         ; Subtract 14d from that, which is Len("Debug String: ")
00431333    4B              DEC EBX                              ; Subtract 1 more for the terminating null char
00431334    6A 03           PUSH 3
00431336    53              PUSH EBX                             ; At this point EBX is 241d or less, never more: number of bytes to read
00431337    A1 20574D00     MOV EAX,DWORD PTR DS:[4D5720]
0043133C    50              PUSH EAX                             ; EAX has the address where the message is located in the debugged process
0043133D    8D95 98FDFFFF   LEA EDX,DWORD PTR SS:[EBP-268]       ; Load address of the buffer the message will be copied to
00431343    0355 F4         ADD EDX,DWORD PTR SS:[EBP-C]         ; Advance into the buffer to skip over "Debug String: "
00431346    52              PUSH EDX                             ; Now EDX has the start address where the message is copied to
00431347    E8 C0FF0200     CALL OLLYDBG_._Readmemory            ; Copy the message
0043134C    83C4 10         ADD ESP,10
0043134F    3BC3            CMP EAX,EBX                          ; Compare the number of bytes read to the number that should have been read
00431351    74 0A           JE SHORT OLLYDBG_.0043135D           ; Jump if Readmemory was successful
00431353    B8 01000000     MOV EAX,1                            ; If not, error out
So the new Jump location I found is here:
Code:
00431347   /E9 0AE30700     JMP OLLYDBG_.004AF656                ; Jump to Check_Bad_Message routine
Now for the Modified patch:
Code:
004AF656    E8 B11CFBFF     CALL OLLYDBG_._Readmemory            ; Read the Message from Debugging Process
004AF65B    60              PUSHAD                               ; Backup Registers
004AF65C    8BC8            MOV ECX,EAX                          ; Copy bytes Read to ECX
004AF65E    8B7C24 20       MOV EDI,DWORD PTR SS:[ESP+20]        ; Set EDI to Start of Message Read
004AF662    B8 25000000     MOV EAX,25                           ; Set EAX to 25 (% character)
004AF667    F2:AE           REPNE SCAS BYTE PTR ES:[EDI]         ; Search for 25 in Message
004AF669    83F9 00         CMP ECX,0                            ; Check if it reached End of Message
004AF66C    74 15           JE SHORT OLLYDBG_.004AF683           ; Jump if didn't find 25 in Message
004AF66E    8B7C24 20       MOV EDI,DWORD PTR SS:[ESP+20]        ; Set EDI to Start of Message Read
004AF672    C707 4578706C   MOV DWORD PTR DS:[EDI],6C707845      ; Place "Exploit" over Message in these MOV DWORD commands
004AF678    C747 04 6F69740>MOV DWORD PTR DS:[EDI+4],74696F
004AF67F    C647 08 00      MOV BYTE PTR DS:[EDI+8],0            ; Place terminating null character
004AF683    61              POPAD                                ; Restore Registers
004AF684  ^ E9 C31CF8FF     JMP OLLYDBG_.0043134C                ; Jump back to Normal flow of Olly
Basically Olly will not read anything more than 241 characters. So in the old patch it tried to read more than that, and ReadProcessMemory failed for that reason.

In this final version, Readmemory reads the correct number of bytes. Then I search for 25 in the message. If found, I make the message say "Debug string: Exploit". You can actually see this message in Olly's status bar at the bottom. Well, I think this is the safest patch so far. I learned a lot here that will help me in the future.

Attached is the final patch that's in this post.
Attached file: Ollydbg1.10_DebugString_patch_final.zip (3.8 KB)
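The two code caves in posts #16 and #17 do the same job in assembly: keep the message length at or below what Olly's status buffer can hold, then make sure no '%' from the debuggee ever reaches Olly's format routine. The C below is an added example written for this page, not code from goggles99's or Flagmax's patches. It assumes the 256-byte status buffer and the 14-byte "Debug string: " prefix that the commented disassembly in post #17 derives (256 - 14 - 1 = 241 bytes of message), and it puts the vulnerable and the hardened printf shapes side by side so the root cause is visible next to the workarounds. One caveat a reader of the REPNE SCASB cave should know: that loop exits as soon as ECX reaches 0, so a '%' sitting in the very last byte of the message is not rewritten there; the C version scans every byte.

```c
/* Added example, not code from goggles99's or Flagmax's posts: the debug-string
 * handling both patches implement, rewritten in C so the logic can be read and
 * tested. Assumptions (mine): the 256-byte status buffer and the 14-byte
 * "Debug string: " prefix are as the commented disassembly in post #17 derives,
 * giving 256 - 14 - 1 = 241 bytes of message. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STATUS_BUF  256
#define PREFIX      "Debug string: "
#define PREFIX_LEN  (sizeof(PREFIX) - 1)            /* 14 */
#define MAX_MSG     (STATUS_BUF - PREFIX_LEN - 1)   /* 241 */

/* Mirrors 0043131E..00431333: the byte count handed to Readmemory is never
 * more than 241, whatever length the debuggee reported. */
size_t clamp_message_len(size_t len)
{
    return len > MAX_MSG ? MAX_MSG : len;
}

/* goggles99's fix: overwrite every '%' with a space so no conversion
 * specifier survives. Returns how many bytes were changed. This loop visits
 * all n bytes; the REPNE SCASB loop in the code cave stops as soon as ECX
 * reaches 0, so a '%' in the very last byte is left alone there. */
size_t blank_percent_signs(char *msg, size_t n)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++) {
        if (msg[i] == '%') {
            msg[i] = ' ';
            changed++;
        }
    }
    return changed;
}

/* Flagmax's fix: if any '%' is present, discard the message and write
 * "Exploit" in its place. cap is the writable size of msg (Olly's stack
 * buffer is 0x268 bytes, so the 8-byte write always fits there; the guard is
 * mine). Returns 1 if replaced, 0 if left alone, -1 if cap is too small. */
int replace_if_format_specifier(char *msg, size_t n, size_t cap)
{
    if (memchr(msg, '%', n) == NULL)
        return 0;
    if (cap < sizeof("Exploit"))
        return -1;
    memcpy(msg, "Exploit", sizeof("Exploit"));
    return 1;
}

/* The root cause the patches work around: the attacker-controlled message
 * must be an argument to the format string, never the format string itself.
 *   vulnerable shape:  snprintf(out, outsz, msg);             // "%s%s%n" in msg is interpreted
 *   hardened shape:    snprintf(out, outsz, "%.*s", n, msg);  // '%' in msg is just a byte
 * Returns the length the full status line would have had. */
int build_status_line(char *out, size_t outsz, const char *msg, size_t n)
{
    return snprintf(out, outsz, "%s%.*s", PREFIX, (int)n, msg);
}

int main(void)
{
    /* Constructed input: what a hostile debuggee might pass to OutputDebugString(). */
    char hostile[STATUS_BUF] = "%s%s%s%s%n";
    char spaced[STATUS_BUF];
    char line[STATUS_BUF];
    size_t n = clamp_message_len(strlen(hostile));

    memcpy(spaced, hostile, n + 1);
    blank_percent_signs(spaced, n);
    build_status_line(line, sizeof line, spaced, n);
    printf("goggles99 style: \"%s\"\n", line);

    replace_if_format_specifier(hostile, n, sizeof hostile);
    build_status_line(line, sizeof line, hostile, strlen(hostile));
    printf("Flagmax style:   \"%s\"\n", line);
    return 0;
}
```

Both sanitizers are defence in depth around a format routine nobody could recompile at the time; in source you would only ever need the hardened `snprintf` shape, because once the message is an argument a '%' in it is data and nothing else.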
#18
01-26-2005, 08:08
Flagmax
Wow, our patches are so alike it's scary, hehe. I believe there is a small bug here:
Code:
004AF659               74 07          JE SHORT OllyDbg.004AF662
It's jumping over a needed POP.
I really like that you're replacing all % with a space. Congrats!

Quote:
Originally Posted by goggles99
here is my version...
What do you think???
Code:
JumpGate hex+asm
0043134C               E9 F3E20700    JMP OllyDbg.004AF644

pastable hex
E9 F3 E2 07 00



CodeCave hex+asm
004AF644               51             PUSH ECX
004AF645               50             PUSH EAX
004AF646               57             PUSH EDI
004AF647               8B7C24 0C      MOV EDI,DWORD PTR SS:[ESP+C]
004AF64B               8B4C24 14      MOV ECX,DWORD PTR SS:[ESP+14]
004AF64F               B8 25000000    MOV EAX,25
004AF654               F2:AE          REPNE SCAS BYTE PTR ES:[EDI]
004AF656               83F9 00        CMP ECX,0
004AF659               74 07          JE SHORT OllyDbg.004AF662
004AF65B               C647 FF 20     MOV BYTE PTR DS:[EDI-1],20
004AF65F              ^EB F3          JMP SHORT OllyDbg.004AF654
004AF661               5F             POP EDI
004AF662               58             POP EAX
004AF663               59             POP ECX
004AF664               83C4 10        ADD ESP,10
004AF667               3BC3           CMP EAX,EBX
004AF669              ^E9 E31CF8FF    JMP OllyDbg.00431351


pastable hex
51 50 57 8B 7C 24 0C 8B 4C 24 14 B8 25 00 00 00 F2 AE 83 F9 00 74 07 C6 47 FF 20 EB F3 5F 58 59
83 C4 10 3B C3 E9 E3 1C F8 FF
#19
01-26-2005, 18:41
JuneMouse
Well, so you are utilising its original ReadMemory() and using its own output, and just scanning the output it produces for the format specifier. That makes sense, and it makes the patch a little smaller.
So my little contribution had in fact helped a little to make it better against a weakness of OllyDbg. I am happy.
#20
01-28-2005, 09:47
Crudd[RET]
RE-Pair 0.2

Added you guys' patch to my program RE-Pair (I used goggles99's actual code, so many thanks to him). It also patches all occurrences of 'ollydbg' (case insensitive) in the .exe to a random string, so this will defeat the FindWindow method of detecting Olly. I'm planning on adding an option that will rename Olly (simple), and its name in all of its plugins (needed to allow them to keep working). This will defeat the CreateToolhelp method of detection. Also, any other suggestions or comments are appreciated.

Crudd [RET]
[EDIT] http://exetools.com/forum/showthread.php?t=6589 [/EDIT]

Last edited by Crudd[RET]; 01-29-2005 at 02:11. Reason: Moved link to this thread: http://exetools.com/forum/showthread.php?t=6589
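The string rewrite Crudd describes is the one piece of RE-Pair a reader can reproduce from the post alone: find every "ollydbg", in any case, inside the executable and overwrite it. The C below is an added example written for this page, not Crudd's RE-Pair code. It assumes the file has been loaded into memory as raw bytes, that the replacement is exactly seven bytes (anything longer or shorter would shift every offset after it and corrupt the PE), and, as a design choice of mine rather than anything the post states, that each match keeps its upper/lower-case pattern so "OLLYDBG" and "OllyDbg" stay recognisable to a human while their bytes change. The caller supplies the replacement string; the random choice Crudd mentions is left to the caller and a fixed one is used in the usage line.

```c
/* Added example, not Crudd's RE-Pair code: the string rewrite the post
 * describes, done in C over a file image loaded into memory. Every
 * case-insensitive "ollydbg" is overwritten with a 7-byte replacement so no
 * offset inside the PE moves. Assumptions (mine): the replacement keeps each
 * match's upper/lower-case pattern, and the caller supplies the random string
 * (the usage line shows a fixed one). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NEEDLE     "ollydbg"
#define NEEDLE_LEN (sizeof(NEEDLE) - 1)   /* 7 */

/* Case-insensitive compare of the next NEEDLE_LEN bytes against "ollydbg". */
static int match_ci(const unsigned char *p, size_t avail)
{
    if (avail < NEEDLE_LEN)
        return 0;
    for (size_t i = 0; i < NEEDLE_LEN; i++)
        if (tolower(p[i]) != (unsigned char)NEEDLE[i])
            return 0;
    return 1;
}

/* Rewrites every match in place. Returns the number rewritten, or -1 when the
 * replacement is not exactly NEEDLE_LEN bytes. Matches are non-overlapping:
 * after a hit the scan resumes past the rewritten bytes. */
long rename_ollydbg(unsigned char *img, size_t len, const char *repl)
{
    if (strlen(repl) != NEEDLE_LEN)
        return -1;
    long count = 0;
    for (size_t i = 0; i + NEEDLE_LEN <= len;) {
        if (!match_ci(img + i, len - i)) {
            i++;
            continue;
        }
        for (size_t k = 0; k < NEEDLE_LEN; k++) {
            unsigned char r = (unsigned char)repl[k];
            img[i + k] = isupper(img[i + k]) ? (unsigned char)toupper(r)
                                             : (unsigned char)tolower(r);
        }
        i += NEEDLE_LEN;
        count++;
    }
    return count;
}

/* usage: ./rename_ollydbg OLLYDBG.EXE patched.exe sprocke */
int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <in.exe> <out.exe> <7-char-name>\n", argv[0]);
        return 2;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    if (sz < 0) { perror("ftell"); return 1; }
    rewind(f);
    unsigned char *img = malloc((size_t)sz);
    if (!img || fread(img, 1, (size_t)sz, f) != (size_t)sz) { perror("read"); return 1; }
    fclose(f);

    long n = rename_ollydbg(img, (size_t)sz, argv[3]);
    if (n < 0) { fprintf(stderr, "replacement must be %zu bytes\n", NEEDLE_LEN); return 2; }

    f = fopen(argv[2], "wb");
    if (!f || fwrite(img, 1, (size_t)sz, f) != (size_t)sz) { perror(argv[2]); return 1; }
    fclose(f);
    printf("rewrote %ld occurrence(s)\n", n);
    free(img);
    return 0;
}
```

Run it on a copy and keep the rewrite count: a byte-for-byte rename like this changes the window class name along with every other place the same seven letters appear, which is why Crudd notes that plugins referring to Olly by name need the same treatment to keep working.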