Windows MASM / Bad String Format

Author External
Platform Windows
Language MASM
Technique Bad String Format

Description:

This snippet was originally published here: http://www.openrce.org/reference_library/anti_reversing_view/8/OllyDbg%20Filename%20Format%20String/

Code

.386
      .model flat, stdcall
      option casemap :none   ; case sensitive

      include \masm32\include\windows.inc
      include \masm32\include\user32.inc
      include \masm32\include\kernel32.inc

      includelib \masm32\lib\user32.lib
      includelib \masm32\lib\kernel32.lib

    .data
       DbgNotFoundTitle db "Debugger status:",0h
       DbgFoundTitle db "Debugger status:",0h
       DbgNotFoundText db "Debugger not found!",0h
       DbgFoundText db "Debugger found!",0h
       OriginalFileName db "%s%s.exe",0h        ; expected basename of the running image; a static indicator of this trick
    .data?
       filename db 512 dup(?)                   ; receives the module path from GetModuleFileName
    .code

start:

; MASM32 BadStringFormat example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net

; This example takes advantage of OllyDBG not handling strings properly.
; Code is based on Piotr Bania`s description.
; How does it work? If we name the file %s%s or any other name that has
; %s%s in it`s name OllyDBG will crash.
; How to use this?
; We just check if the file has been renamed.
;
; Reviewer notes (defender's view):
; - Target: 32-bit x86 (.386, flat model), Win32 stdcall. Every API call
;   below pushes its arguments right-to-left and lets the callee clean the
;   stack, which is why no ADD ESP follows any CALL.
; - This is a rename check, not a debugger check: it only compares the
;   basename of the running image against "%s%s.exe" and assumes a mismatch
;   means an analyst renamed the file. Nothing here inspects the debugger.
; - The claim that a "%s%s" file name crashes OllyDbg comes from the linked
;   article and is not verifiable from this snippet; treat it as specific to
;   the OllyDbg builds discussed there.
; - Detection: the literal "%s%s.exe" in .data next to imports of
;   GetModuleFileName and lstrcmp is the static signature of this pattern.
; Register use: EAX = length returned by GetModuleFileName, later the lstrcmp
;   result; ECX = cursor into filename, then pointer to the basename.

PUSH 512                      ; nSize = buffer length in characters
PUSH offset filename          ; lpFilename = receives the full path of the image
PUSH 0                        ; hModule = NULL -> the process's own executable
CALL GetModuleFileName        ; EAX = number of characters copied (0 on failure)

MOV ECX,offset filename
ADD ECX,EAX                   ; ECX -> terminating NUL of the copied path

  @SeekFileName:
DEC ECX                       ; walk backwards to the last '\' in the path
CMP BYTE PTR[ECX],'\'
JNE @SeekFileName             ; NOTE(review): the loop has no lower bound. If EAX
                              ; was 0 (call failed) or the path holds no '\',
                              ; ECX runs below filename and keeps reading
                              ; whatever precedes the buffer.

MOV BYTE PTR[ECX],0           ; split directory from basename by overwriting the '\'
INC ECX                       ; ECX -> first character of the basename

PUSH ECX                      ; lpString2 = basename as it exists on disk
PUSH offset OriginalFileName  ; lpString1 = "%s%s.exe"
CALL lstrcmp                  ; EAX = 0 only on an exact, case-sensitive match.
                              ; Windows file names are case-insensitive, so an
                              ; image named "%S%S.EXE" is reported as renamed here.

TEST EAX,EAX
JNE @DebuggerDetected         ; names differ -> treated as "renamed to load in a debugger"

PUSH 40h                      ; uType = MB_ICONINFORMATION
PUSH offset DbgNotFoundTitle  ; lpCaption
PUSH offset DbgNotFoundText   ; lpText
PUSH 0                        ; hWnd = NULL
CALL MessageBox

JMP @exit
  @DebuggerDetected:

PUSH 30h                      ; uType = MB_ICONWARNING
PUSH offset DbgFoundTitle     ; lpCaption
PUSH offset DbgFoundText      ; lpText
PUSH 0                        ; hWnd = NULL
CALL MessageBox

  @exit:

PUSH 0                        ; uExitCode = 0 on both paths
CALL ExitProcess

end start

Created

June 22, 2022

Last Revised

April 22, 2024