Bad String Format

Created on Monday 18 March 2019. Updated 3 years, 6 months ago.

This technique works only against OllyDbg and is somewhat old. OllyDbg has a known bug: it does not correctly handle some strings, and a string containing multiple %s specifiers, for example, makes it crash.


Technique Identifier

U0104

Technique Tag

Ollydbg


Code Snippets

    .386
    .model flat, stdcall
    option casemap :none   ; case sensitive

    include \masm32\include\windows.inc
    include \masm32\include\user32.inc
    include \masm32\include\kernel32.inc

    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\kernel32.lib

    .data
        DbgNotFoundTitle db "Debugger status:",0h
        DbgFoundTitle    db "Debugger status:",0h
        DbgNotFoundText  db "Debugger not found!",0h
        DbgFoundText     db "Debugger found!",0h
        OriginalFileName db "%s%s.exe",0h      ; name the file is expected to keep
    .data?
        filename db 512 dup(?)                ; receives the full module path

    .code

start:

; MASM32 BadStringFormat example
; coded by ap0x
; Reversing Labs: http://ap0x.headcoders.net

; This example takes advantage of OllyDBG not handling strings properly.
; Code is based on Piotr Bania's description.
; How does it work? If we name the file %s%s or any other name that has
; %s%s in its name OllyDBG will crash.
; How to use this?
; We just check if the file has been renamed.

    ; GetModuleFileName(NULL, filename, 512) -> EAX = length of the path
    PUSH 512
    PUSH offset filename
    PUSH 0
    CALL GetModuleFileName

    ; ECX = pointer just past the end of the path
    MOV ECX,offset filename
    ADD ECX,EAX

    ; walk backwards until the last backslash
@SeekFileName:
    DEC ECX
    CMP BYTE PTR [ECX],'\'
    JNE @SeekFileName

    ; terminate the directory part and point ECX at the bare file name
    MOV BYTE PTR [ECX],0
    INC ECX

    ; lstrcmp(OriginalFileName, file name) -> EAX = 0 when they are identical
    PUSH ECX
    PUSH offset OriginalFileName ;%s%s.exe
    CALL lstrcmp

    TEST EAX,EAX
    JNE @DebuggerDetected     ; name differs: the file was renamed

    PUSH 40h                  ; MB_ICONINFORMATION
    PUSH offset DbgNotFoundTitle
    PUSH offset DbgNotFoundText
    PUSH 0
    CALL MessageBox

    JMP @exit

@DebuggerDetected:
    PUSH 30h                  ; MB_ICONWARNING
    PUSH offset DbgFoundTitle
    PUSH offset DbgFoundText
    PUSH 0
    CALL MessageBox

@exit:
    PUSH 0
    CALL ExitProcess

end start

Detection Rules

rule Detect_OllyDBG_BadFormatTrick: AntiDebug {
    meta:
        description = "Detect bad format not handled by Ollydbg"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        $1 = "%s%s.exe" fullword ascii
    condition:
        $1
}
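The YARA rule above matches only the literal string "%s%s.exe", and the snippet above only checks that exact name. The following Python script is an added example, not code from Unprotect or from ap0x, that generalises both checks for triage: it pulls out every embedded NUL-terminated string with two or more %s conversions that ends in .exe (the page's own case is one instance), and it flags an on-disk file name that itself carries a printf-style specifier, which is the condition that trips the OllyDbg bug. The byte string SAMPLE_DATA is constructed here to mimic the .data section of the snippet; it is not taken from a real sample.

```python
import re

# Embedded NUL-terminated ASCII string with two or more "%s" conversions that
# ends in ".exe"; generalises the literal "%s%s.exe" of the YARA rule above.
FORMAT_NAME_RE = re.compile(
    rb"(?<![\x20-\x7e])((?:[\x20-\x7e]*%s){2,}[\x20-\x7e]*\.(?i:exe))\x00"
)

# printf-style conversion: flags, width, optional precision, conversion letter.
SPECIFIER_RE = re.compile(r"%[-+ 0#]*\d*(?:\.\d*)?[diouxXeEfgGcspn]")


def find_format_filenames(data: bytes) -> list[str]:
    """Return every embedded string in `data` that looks like a printf-style
    file name, e.g. "%s%s.exe" or "log_%s_%s.exe"."""
    return [m.group(1).decode("ascii") for m in FORMAT_NAME_RE.finditer(data)]


def has_format_specifier(name: str) -> bool:
    """True if a file name carries a printf conversion such as %s or %n;
    such a name is what makes OllyDbg mishandle the string."""
    return SPECIFIER_RE.search(name) is not None


def triage(data: bytes, file_name: str) -> dict:
    """Combine both checks into one verdict for a sample and its on-disk name."""
    embedded = find_format_filenames(data)
    name_hit = has_format_specifier(file_name)
    return {
        "embedded_format_names": embedded,
        "name_has_specifier": name_hit,
        "suspicious": bool(embedded) or name_hit,
    }


# Constructed stand-in for the .data section of the snippet above (not a real
# sample): three ordinary strings, the literal "%s%s.exe", a multi-%s variant,
# a single-%s name that the rule deliberately ignores, and a benign name.
SAMPLE_DATA = (
    b"\x00Debugger status:\x00Debugger not found!\x00Debugger found!\x00"
    b"%s%s.exe\x00log_%s_%s.EXE\x00%s.exe\x00report.exe\x00"
)

if __name__ == "__main__":
    print(triage(SAMPLE_DATA, "%s%s.exe"))
    print(triage(b"Hello, world\x00", "setup-x86.exe"))
```

The string scan is anchored on NUL boundaries so a match can never span two adjacent strings, and a name with a single %s is ignored on purpose to stay aligned with the rule's "multiple %s" condition; widen `{2,}` to `{1,}` if you would rather over-match during a hunt.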
