http://www.openrce.org/rss/feeds/blog OpenRCE: The Open Reverse Code Engineering Community Fri, 20 Apr 2012 15:56:34 -0500 https://www.openrce.org/blog/view/2123/OllyDbg_NumberOfSections_Crash waleedassar <email-suppressed@example.com> <a href="http://waleedassar.blogspot.com/2012/04/ollydbg-numberofsections-crash.html">http://waleedassar.blogspot.com/2012/04/ollydbg-numberofsections-crash.html</a> Sat, 31 Mar 2012 19:23:26 -0500 https://www.openrce.org/blog/view/2108/GetModuleFileNameEx_And_Infinite_Loops waleedassar <email-suppressed@example.com> <a href="http://waleedassar.blogspot.com/2012/03/getmodulefilenameex-and-infinite-loops.html">http://waleedassar.blogspot.com/2012/03/getmodulefilenameex-and-infinite-loops.html</a> Sat, 31 Mar 2012 18:47:42 -0500 https://www.openrce.org/blog/view/2107/OllyDbg_v1.10_And_Wow64 waleedassar <email-suppressed@example.com> If you have ever used OllyDbg v1.10 on Window 7 64-bit version (Wow64), then you must have seen the annoying single-step breaks that frequently interrupt your debug session. I spent a couple of hours to find the reason behind this and finally came out with this small plugin, &quot;OllyWow64&quot;, to fix this bug.<br /> <img src="http://4.bp.blogspot.com/-DEN9z_HxUKU/T3eYbmDMkpI/AAAAAAAAAeQ/rfQ1cr3XBcU/s1600/erty.png" border=0 align=""><br /> <br /> You can find OllyWow64 here.<br /> <a href="http://ollytlscatch.googlecode.com/files/OllyWow64.dll">http://ollytlscatch.googlecode.com/files/OllyWow64.dll</a><br /> The fix is as easy as what you see in the image below.<br /> <img src="http://2.bp.blogspot.com/-unsMOhrTYJo/T3VgG3_ev6I/AAAAAAAAAeI/RPRtH08xUHQ/s1600/Untitled.png" border=0 align=""><br /> Here you can find the source code.<br /> <a href="http://ollytlscatch.googlecode.com/files/OllyWow64.rar">http://ollytlscatch.googlecode.com/files/OllyWow64.rar</a> Thu, 29 Mar 2012 14:06:52 -0500 https://www.openrce.org/blog/view/2106/OllyDbg_Resource_Table_Parsing_Integer_Overflow waleedassar <email-suppressed@example.com> In this post i will quickly show you an integer overflow found in OllyDbg v1.10. This leads to a buffer overflow, which can be exploited to execute code arbitrarily.<br /> <br /> In brief, all you have to do is set the size of Resource table to 0xFFFFFFF7.<br /> <img src="http://3.bp.blogspot.com/-Hx-reft8rAQ/T3SmECkhOTI/AAAAAAAAAdo/TXfv6hNiSek/s1600/Untitled.png" border=0 align=""><br /> Olly adds 0x9 to 0xFFFFFFF7, which sums up to Zero due to an integer overflow. Zero byte is then allocated by calling the &quot;GlobalAlloc&quot; function. Finally the &quot;_Readmemory&quot; function is called to copy 0xFFFFFFF7 bytes to the newly allocated memory causing a buffer overflow. See the image below.<br /> <img src="http://3.bp.blogspot.com/-0Ze-APopdEg/T3SpW4vc28I/AAAAAAAAAdw/9ft2VVXB1Do/s1600/resource_overflow.png" border=0 align=""><br /> But wait, there is a minor issue that i need to shed some light on. The &quot;_Readmemory&quot; function, as its name implies, is a wrapper of the kernel32.dll &quot;ReadProcessMemory&quot; function. So why did this call succeed if the number of bytes to copy is that huge? the reason behind this is that the &quot;_Readmemory&quot; function checks to see if data at the target address is cached. If it is cached, the &quot;memcpy&quot; function is directly called and this is where the buffer overflow occurs.<br /> <img src="http://1.bp.blogspot.com/-xjxucmGmi7s/T3SuJCeq1ZI/AAAAAAAAAd4/xJhY7mVbuNo/s1600/overrrrr.png" border=0 align=""><br /> Here you can find the demo.<br /> <a href="http://ollybugs.googlecode.com/files/you.exe">http://ollybugs.googlecode.com/files/you.exe</a> Sat, 24 Mar 2012 08:56:06 -0500 https://www.openrce.org/blog/view/2102/Anti-Dumping waleedassar <email-suppressed@example.com> Part - 1:<br /> <a href="http://waleedassar.blogspot.com/2012/01/anti-dumping.html">http://waleedassar.blogspot.com/2012/01/anti-dumping.html</a><br /> <br /> Part - 2:<br /> <a href="http://waleedassar.blogspot.com/2012/03/anti-dumping-part-2.html">http://waleedassar.blogspot.com/2012/03/anti-dumping-part-2.html</a>