
Thread: Found something strange..

  1. #1
    malikah

    Someone I know found this in the Adobe Dreamweaver CS3 .exe file:

    Text strings referenced in 7C900000..7C9AFFFF, item 825 Address=7C96581F Disassembly=PUSH 7C965B2C Text string=ASCII "If this bug ends up in the shipping product, it could be a severe security hole."

    What do you suppose it is?
    Last edited by malikah; June 22nd, 2007 at 22:42.

  2. #2
    7C96581F
    Isn't that where DLLs normally reside?

  3. #3
    dELTA (Administrator)
    As LLXX suggests, identify which DLL this code/data is in, and continue from there (and please let us know too, I'm sure a bunch of other people would like to take a looksie too).

  4. #4
    malikah
    Actually, it was inside the installer .exe. Here's a sample:
    Code:
    7C9657AA    8D45 E0         LEA EAX,DWORD PTR SS:[EBP-20]
    7C9657AD    50              PUSH EAX
    7C9657AE    6A 23           PUSH 23
    7C9657B0    E8 F589FAFF     CALL ntdll.ZwQuerySystemInformation
    7C9657B5    8A45 E0         MOV AL,BYTE PTR SS:[EBP-20]
    7C9657B8    8845 E7         MOV BYTE PTR SS:[EBP-19],AL
    7C9657BB    8B7D 08         MOV EDI,DWORD PTR SS:[EBP+8]
    7C9657BE    807D E7 00      CMP BYTE PTR SS:[EBP-19],0
    7C9657C2    0F84 2A020000   JE ntdll.7C9659F2
    7C9657C8    8B07            MOV EAX,DWORD PTR DS:[EDI]
    7C9657CA    8B08            MOV ECX,DWORD PTR DS:[EAX]
    7C9657CC    81F9 050000C0   CMP ECX,C0000005
    7C9657D2    0F84 8D010000   JE ntdll.7C965965
    7C9657D8    81F9 060000C0   CMP ECX,C0000006
    7C9657DE    0F84 19010000   JE ntdll.7C9658FD
    7C9657E4    81F9 940100C0   CMP ECX,C0000194
    7C9657EA    74 4F           JE SHORT ntdll.7C96583B
    7C9657EC    FF75 0C         PUSH DWORD PTR SS:[EBP+C]
    7C9657EF    53              PUSH EBX
    7C9657F0    81F9 090400C0   CMP ECX,C0000409
    7C9657F6    74 13           JE SHORT ntdll.7C96580B
    7C9657F8    51              PUSH ECX
    7C9657F9    68 445A967C     PUSH ntdll.7C965A44                      ; ASCII "
    
     *** Unhandled exception 0x%08lx, hit in %ws:%s
    
    "
    7C9657FE    E8 EDABFCFF     CALL ntdll.DbgPrint
    7C965803    83C4 10         ADD ESP,10
    7C965806    E9 B0010000     JMP ntdll.7C9659BB
    7C96580B    68 785A967C     PUSH ntdll.7C965A78                      ; ASCII "
    
     *** A stack buffer overrun occurred in %ws:%s
    
    "
    7C965810    E8 DBABFCFF     CALL ntdll.DbgPrint
    7C965815    68 AC5A967C     PUSH ntdll.7C965AAC                      ; ASCII "This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.
    "
    7C96581A    E8 D1ABFCFF     CALL ntdll.DbgPrint
    7C96581F    68 2C5B967C     PUSH ntdll.7C965B2C                      ; ASCII "If this bug ends up in the shipping product, it could be a severe security hole.
    "
    7C965824    E8 C7ABFCFF     CALL ntdll.DbgPrint
    7C965829    68 845B967C     PUSH ntdll.7C965B84                      ; ASCII "The stack trace should show the guilty function (the function directly above __report_gsfailure).
    "
    7C96582E    E8 BDABFCFF     CALL ntdll.DbgPrint
    7C965833    83C4 18         ADD ESP,18
    7C965836    E9 80010000     JMP ntdll.7C9659BB
    7C96583B    8B70 14         MOV ESI,DWORD PTR DS:[EAX+14]
    7C96583E    85F6            TEST ESI,ESI
    7C965840    0F84 75010000   JE ntdll.7C9659BB
    7C965846    8365 FC 00      AND DWORD PTR SS:[EBP-4],0
    7C96584A    8B06            MOV EAX,DWORD PTR DS:[ESI]
    7C96584C    8945 D8         MOV DWORD PTR SS:[EBP-28],EAX
    7C96584F    85C0            TEST EAX,EAX
    7C965851    74 43           JE SHORT ntdll.7C965896
    7C965853    66:8338 01      CMP WORD PTR DS:[EAX],1
    7C965857    75 3D           JNZ SHORT ntdll.7C965896
    7C965859    8975 D4         MOV DWORD PTR SS:[EBP-2C],ESI
    7C96585C    FF75 0C         PUSH DWORD PTR SS:[EBP+C]
    7C96585F    53              PUSH EBX
    7C965860    56              PUSH ESI
    7C965861    68 E85B967C     PUSH ntdll.7C965BE8                      ; ASCII "
    
     *** Resource timeout (%p) in %ws:%s
    
    "
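The listing in post #4 is a dispatch on the exception code: each CMP ECX,&lt;imm32&gt; / JE pair compares the code against an NTSTATUS value and branches to a handler that DbgPrints the matching message. The script below is an added example, not from the thread or from Adobe/Microsoft: it parses OllyDbg-style listing lines (a subset of the ones posted, embedded as a constructed sample) and recovers that table, naming the codes from ntstatus.h.

```python
import re

# NTSTATUS values that the listing compares ECX against (names from ntstatus.h).
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000006: "STATUS_IN_PAGE_ERROR",
    0xC0000194: "STATUS_POSSIBLE_DEADLOCK",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# Constructed sample: a subset of the OllyDbg listing quoted in post #4.
SAMPLE = """\
7C9657CA    8B08            MOV ECX,DWORD PTR DS:[EAX]
7C9657CC    81F9 050000C0   CMP ECX,C0000005
7C9657D2    0F84 8D010000   JE ntdll.7C965965
7C9657D8    81F9 060000C0   CMP ECX,C0000006
7C9657DE    0F84 19010000   JE ntdll.7C9658FD
7C9657E4    81F9 940100C0   CMP ECX,C0000194
7C9657EA    74 4F           JE SHORT ntdll.7C96583B
7C9657F0    81F9 090400C0   CMP ECX,C0000409
7C9657F6    74 13           JE SHORT ntdll.7C96580B
"""

# address, opcode bytes, then the instruction text (two or more spaces apart).
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+([0-9A-F ]+?)\s{2,}(\S.*)$")
CMP_RE = re.compile(r"^CMP ECX,([0-9A-F]{8})$")
JE_RE = re.compile(r"^JE (?:SHORT )?ntdll\.([0-9A-F]{8})$")


def parse_listing(text):
    """Yield (address, instruction text) for every well-formed listing line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1), 16), m.group(3).strip()


def recover_dispatch(text):
    """Pair each CMP ECX,<imm32> with the JE that immediately follows it.

    Returns {status_code: (status_name, handler_address)}; a CMP that is not
    directly followed by a JE is dropped, so unrelated instructions in between
    reset the pairing.
    """
    table = {}
    pending = None
    for _addr, insn in parse_listing(text):
        c = CMP_RE.match(insn)
        if c:
            pending = int(c.group(1), 16)
            continue
        j = JE_RE.match(insn)
        if j and pending is not None:
            name = NTSTATUS_NAMES.get(pending, "UNKNOWN")
            table[pending] = (name, int(j.group(1), 16))
        pending = None
    return table
```

Running it on the sample shows that 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN) is routed to 7C96580B, which is exactly the block that pushes the "stack buffer overrun" and "severe security hole" strings.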

  5. #5
    Classic stack buffer overrun - nice!

  6. #6
    dELTA (Administrator)
    I think it looks more like some kind of generic checking function, probably used during development, that can be used to warn about buffer overflows in certain situations, not a specific buffer overflow problem that has been marked in their code for fixing.

  7. #7
    Standard (MSVC?) stack-checking crap... file was compiled with /Ge option or similar.

    Nothing to see here, everybody move along...
