Welcome to the new Woodmann RCE Messageboards Regroupment

OllyDbg NumberOfSections Crash

walied
Member
Posts: 46
Joined: Tue Aug 31, 2010 6:08 am
Location: Egypt
Contact:

OllyDbg NumberOfSections Crash

Post by walied »

In this post I will be discussing another bug that I found in OllyDbg. The idea came to my mind while debugging link.exe shipped with Microsoft Visual Studio 2008.

Debugging link.exe, I was amazed to see that the maximum number of sections that a PE file can hold is 0xFEFF sections (as assumed by link.exe), not 96 (0x60 hex). In the beginning, I thought that I had old PE/COFF documentation or that it was a mistake, since the documentation says "the Windows loader limits the number of sections to 96".
[Image]
By creating a PE file with 97 sections, I found out that the 96-section limit applies to Windows XP but not to Windows 7, 64-bit.
[Image]
[Image]
I quickly asked myself "How will Olly handle that?!!!".

I quickly opened Olly to debug another instance of it and went to the PE parsing code. See the image below.
[Image]
As you can see in the image above, Olly takes 0x1FFF (8191 decimal) as the maximum number of sections. That's cool!!
The C code looks something like this. See the image below.
[Image]
As you can see, if we give it an executable with 0x2000 (8192 decimal) sections or more, Olly will crash.
[Image]
Here you can find a Proof Of Concept.
http://ollytlscatch.googlecode.com/file ... ctions.exe
Material in this post has been tried on Windows 7, Wow64 and OllyDbg v1.10. I will be glad if someone gives it a shot on Windows 7, 32 bit or Windows Vista.

You can follow me on Twitter @waleedassar
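The defect walied describes is a fixed-size section table (capacity 0x1FFF) filled from the 16-bit NumberOfSections field without checking the field against the table's capacity. The following is an added example, not OllyDbg's code and not the proof of concept linked above: a small PE header walker that reads NumberOfSections and refuses the file when it exceeds the caller's table, rather than copying past the end of it. The `MAX_SECTIONS` capacity of 0x1FFF is an assumption chosen to mirror the limit observed in Olly; the header offsets (e_lfanew at 0x3C, NumberOfSections at COFF+2, SizeOfOptionalHeader at COFF+16, 40-byte section headers) come from the PE/COFF specification. The sample images are constructed in `build_sample` and carry only the fields the parser needs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not OllyDbg's code: a PE header walker that checks
 * NumberOfSections against the capacity of a fixed-size section table. */

#define MAX_SECTIONS        0x1FFF  /* assumed table capacity, mirroring Olly's limit */
#define COFF_HEADER_SIZE    20      /* IMAGE_FILE_HEADER */
#define SECTION_HEADER_SIZE 40      /* IMAGE_SECTION_HEADER */

enum pe_status { PE_OK = 0, PE_ERR_TRUNCATED, PE_ERR_BAD_SIGNATURE, PE_ERR_TOO_MANY_SECTIONS };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copies the section headers of `img` into `table` (capacity `cap` entries).
 * Returns PE_OK and sets *count, or an error code; never writes past `cap`. */
enum pe_status pe_read_sections(const uint8_t *img, size_t len,
                                uint8_t table[][SECTION_HEADER_SIZE], size_t cap,
                                size_t *count)
{
    if (len < 0x40) return PE_ERR_TRUNCATED;
    if (img[0] != 'M' || img[1] != 'Z') return PE_ERR_BAD_SIGNATURE;
    uint32_t e_lfanew = rd32(img + 0x3C);
    /* "PE\0\0" (4 bytes) plus the COFF header must lie inside the buffer */
    if (e_lfanew > len || len - e_lfanew < 4 + COFF_HEADER_SIZE) return PE_ERR_TRUNCATED;
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return PE_ERR_BAD_SIGNATURE;
    uint16_t nsec     = rd16(nt + 4 + 2);   /* IMAGE_FILE_HEADER.NumberOfSections */
    uint16_t opt_size = rd16(nt + 4 + 16);  /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
    /* The check the described crash lacks: NumberOfSections is a WORD and may be
     * anything up to 0xFFFF, so a table sized for fewer entries must be guarded. */
    if (nsec > cap) return PE_ERR_TOO_MANY_SECTIONS;
    size_t sec_off = (size_t)e_lfanew + 4 + COFF_HEADER_SIZE + opt_size;
    if (sec_off > len || (len - sec_off) / SECTION_HEADER_SIZE < nsec) return PE_ERR_TRUNCATED;
    memcpy(table, img + sec_off, (size_t)nsec * SECTION_HEADER_SIZE);
    *count = nsec;
    return PE_OK;
}

/* Constructed sample: builds a minimal MZ/PE image in `buf` that claims `nsec`
 * sections and actually carries `present` zero-filled section headers.
 * SizeOfOptionalHeader is left 0 so the section table follows the COFF header.
 * Returns the image length, or 0 if `buf` is too small. */
size_t build_sample(uint8_t *buf, size_t bufsz, uint16_t nsec, size_t present)
{
    const uint32_t e_lfanew = 0x40;
    size_t need = e_lfanew + 4 + COFF_HEADER_SIZE + present * SECTION_HEADER_SIZE;
    if (need > bufsz) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (uint8_t)e_lfanew;
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    buf[e_lfanew + 4 + 2] = (uint8_t)(nsec & 0xFF);
    buf[e_lfanew + 4 + 3] = (uint8_t)(nsec >> 8);
    return need;
}

/* Parses a constructed image claiming `claimed` sections with `present` headers
 * actually on disk; reports the parser's verdict and the accepted count. */
enum pe_status parse_claiming(uint16_t claimed, size_t present, size_t *count_out)
{
    static uint8_t img[0x40 + 4 + COFF_HEADER_SIZE + MAX_SECTIONS * SECTION_HEADER_SIZE];
    static uint8_t table[MAX_SECTIONS][SECTION_HEADER_SIZE];
    size_t n = 0;
    size_t len = build_sample(img, sizeof img, claimed, present);
    if (len == 0) return PE_ERR_TRUNCATED;
    enum pe_status st = pe_read_sections(img, len, table, MAX_SECTIONS, &n);
    if (count_out) *count_out = n;
    return st;
}

int main(void)
{
    size_t n = 0;
    printf("3 sections, all present   -> %d (count %zu)\n", parse_claiming(3, 3, &n), n);
    printf("0x1FFF sections, present  -> %d (count %zu)\n", parse_claiming(0x1FFF, 0x1FFF, &n), n);
    printf("0x2000 sections claimed   -> %d (rejected before any copy)\n", parse_claiming(0x2000, 0, &n));
    printf("3 claimed, 1 present      -> %d (truncated)\n", parse_claiming(3, 1, &n));
    return 0;
}
```

The 0x2000 case is rejected on the header field alone, before the parser reads a single section header, which is why the constructed image for that case need not carry any. Whatever limit a tool picks (96, 0x1FFF, or the 0xFEFF that link.exe assumes), the point is that the limit must be enforced against the tool's own buffer, not inferred from what the Windows loader of one OS version happens to accept.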
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

A nice collection of problems.

I hope you also communicate your findings to Oleh Yuschuk, the author,
so that he may rectify a few possible problems if they exist in OD2.

Happy crashing.
walied
Member
Posts: 46
Joined: Tue Aug 31, 2010 6:08 am
Location: Egypt
Contact:

Post by walied »

I did contact him providing the link for my ollybugs project.

http://code.google.com/p/ollybugs/

No response yet.