OllyDbg Resource Table Parsing Integer Overflow

walied
Member
Posts: 46
Joined: Tue Aug 31, 2010 6:08 am
Location: Egypt
Contact:


Post by walied »

In this post I will quickly show you an integer overflow found in OllyDbg v1.10. This leads to a buffer overflow, which can be exploited to execute arbitrary code.

In brief, all you have to do is set the size of the resource table to 0xFFFFFFF7.
[image]
Olly adds 0x9 to 0xFFFFFFF7, which sums up to zero due to an integer overflow. Zero bytes are then allocated by calling the "GlobalAlloc" function. Finally the "_Readmemory" function is called to copy 0xFFFFFFF7 bytes to the newly allocated memory, causing a buffer overflow. See the image below.
[image]
But wait, there is a minor issue that I need to shed some light on. The "_Readmemory" function, as its name implies, is a wrapper of the kernel32.dll "ReadProcessMemory" function. So why did this call succeed if the number of bytes to copy is that huge? The reason behind this is that the "_Readmemory" function checks to see if data at the target address is cached. If it is cached, the "memcpy" function is directly called, and this is where the buffer overflow occurs.
[image]
Here you can find the demo.
http://ollybugs.googlecode.com/files/you.exe
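The arithmetic described in the post, modelled in C as an added example (this is not OllyDbg's code and not the poster's demo): the unchecked 32-bit addition wraps to zero for 0xFFFFFFF7, and an overflow-safe size check plus bounds-validated loader is shown beside it. The 0x9 slack comes from the post; the function names, the image-bounds check and the calloc-based loader are assumptions of this example, not OllyDbg's.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Slack the post says OllyDbg adds to the resource-table size before
 * allocating (0x9). The constant name is ours, not OllyDbg's. */
#define TABLE_SLACK 0x9u

/* Model of the unchecked arithmetic: the addition is done in 32 bits and
 * silently wraps, so 0xFFFFFFF7 + 0x9 == 0. */
uint32_t unchecked_alloc_size(uint32_t table_size)
{
    return table_size + TABLE_SLACK;
}

/* Overflow-safe replacement: refuse any size whose sum would wrap, and
 * refuse any size larger than the mapped image it is supposed to come from. */
bool checked_alloc_size(uint32_t table_size, uint32_t image_size, uint32_t *out)
{
    if (table_size > UINT32_MAX - TABLE_SLACK)  /* would wrap modulo 2^32 */
        return false;
    if (table_size > image_size)                 /* cannot exceed the image */
        return false;
    *out = table_size + TABLE_SLACK;
    return true;
}

/* Hypothetical hardened loader: validates the [rva, rva+size) range against
 * the image bounds without overflowing, allocates with the checked size, and
 * only then copies. Returns NULL on any inconsistency. Caller frees. */
uint8_t *load_resource_table(const uint8_t *image, uint32_t image_size,
                             uint32_t table_rva, uint32_t table_size,
                             uint32_t *out_len)
{
    uint32_t alloc_len;

    if (table_rva > image_size)                    /* start outside the image */
        return NULL;
    if (table_size > image_size - table_rva)       /* end outside the image; no wrap */
        return NULL;
    if (!checked_alloc_size(table_size, image_size, &alloc_len))
        return NULL;

    uint8_t *buf = calloc(1, alloc_len);
    if (buf == NULL)
        return NULL;
    memcpy(buf, image + table_rva, table_size);   /* copy exactly what was validated */
    *out_len = alloc_len;
    return buf;
}

int main(void)
{
    /* Constructed 64-byte stand-in for a mapped image (not a real PE). */
    uint8_t image[64];
    for (size_t i = 0; i < sizeof image; i++)
        image[i] = (uint8_t)i;

    printf("unchecked 0xFFFFFFF7 + 9 = 0x%08X\n", unchecked_alloc_size(0xFFFFFFF7u));

    uint32_t len = 0;
    uint8_t *t = load_resource_table(image, sizeof image, 0x10, 0x20, &len);
    printf("valid table: %s (alloc %u bytes)\n", t ? "loaded" : "rejected", len);
    free(t);

    t = load_resource_table(image, sizeof image, 0x10, 0xFFFFFFF7u, &len);
    printf("0xFFFFFFF7 table: %s\n", t ? "loaded" : "rejected");
    free(t);
    return 0;
}
```

The point of the checked version is that the guard sits on the arithmetic, not on the allocation: a zero-byte allocation request does not have to fail, so the allocator is no safety net, and the copy length must be compared against the source bounds before any memory is touched.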
Darkelf
Posts: 222
Joined: Wed Jan 24, 2007 7:20 pm

Post by Darkelf »

Hi walied,

today I've read through the posts you've made so far, the googlecode site of yours and through your blog.
Let me say, that I find your work pretty impressive.
May I ask what your intention is? I mean, do you report these bugs to Oleh also? Are you doing this to show people why Olly sometimes doesn't work as they expect? To show software developers how they can implement better debug protection? Or is it just from curiosity?
Please, don't get me wrong. I'm really greatly impressed by your work and there is no offense intended.
I'm just curious.

Keep up the good work!

Best regards
darkelf
I flout Chuck Norris, Spongebob barbecues underwater!
walied
Member
Posts: 46
Joined: Tue Aug 31, 2010 6:08 am
Location: Egypt
Contact:

Post by walied »

My intention is to be one step ahead of malware using anti-Olly tricks that hinder the reversing process, and also to provide some new anti-tricks for software protection tools. Actually, the FPU bug of Olly v1.10 (implemented in Themida) inspired me to start the whole thing.

I did not contact Oleh for the Olly v1.10 bugs since it is discontinued and no longer supported. As for Olly v2.0 bugs, I tried to contact Oleh, but he was not responsive.

If you have noticed, one of the most vulnerable functions in Olly is the PE header parsing function. This shows us how Oleh did not understand the PE format very well, and many other things.

I will be very glad to see new protectors deploying my own bugs and exploits.
NeOXOeN
Member
Posts: 95
Joined: Sun Feb 05, 2006 9:33 pm

Post by NeOXOeN »

walied: "If you have noticed, one of the most vulnerable functions in Olly is the PE header parsing function. This shows us how Oleh did not understand the PE format very well and many other stuff."

keep up the good work.. but on your last comment I would like to say you are missing the point of OLLY.. it's a debugger.. and it should debug and make the process of debugging easy for us... which it does.. I don't see a point of Oleg looking into the PE format and fixing all the crash points you found.. I'd rather see that it works and debugs perfectly as it does.. adding new stuff, optimization, plugins, new ideas.. than fixing section holes.. which make olly crash.. you can patch an exe easily....you can always find overflow points in every program....so you can in olly .. no matter how much time he spends fixing holes .. it will always have something still to fix... if you ask me I'd rather see major holes fixed than your PE format things.. Above all you can always fix an exe easier than you can fix olly:P

aha, here is a project for you .. you can do the same with Windows Media Player as you are doing with olly.. it's just a matter of time how many bugs you will find...