Tags: c++, assembly, x86, ida

How to fix the instruction in code which causes an application crash


The main application file is crashing because the server is affected by a format string bug when it handles the players' nicknames, due to access to an invalid memory zone. The instruction executed is "cmp [EAX], 00000000", where EAX contains 4 of the bytes in the nickname, and it crashes the server.

I debugged and found that "%s" is missing before the logging string passed to the File_printf function. So I have tried to add this string via the IDA debugger and succeeded. After entering these bytes the server is now crashing with the message "server is not vulnerable"; before, it was crashing with the message "server is vulnerable". Code bytes I have entered to patch the application:

RVA
    00400000

OFFSET
    0041dfad    cc  68          ; push 0061d0dc
           +    cc  |0061d0dc

           +    cc  e8          ; call 0040d270
           +    cc  ^0040d270

           +    cc  83          ; add esp,04
           +    cc  c4
           +    cc  04

           +    cc  e9          ; jmp 0041e059
           +    cc  ^0041e059

    0041e054    e8  e9          ; jmp 0041dfad
           +    ??  ^0041dfad

0055DD63 cmp     dword ptr [eax], 0

/* source (Hex-Rays decompiler output) */
  if ( *(_DWORD *)a1 )
    a1 = sub_445D50();
  if ( v2 )
  {
    --*(_DWORD *)(v2 + 4);
    *(_DWORD *)a1 = *(_DWORD *)(v2 + 20);
    *(_DWORD *)(v2 + 20) = a1;
  }
  else
  {
    v3 = *(_DWORD *)((a1 - 4) & 0xFFFFFFFC);
    --dword_798ABD0;
    sub_445D50();
    memset(*(void **)(v3 + 8), 0xCDu, *(_DWORD *)(v3 + 16));
    free((void *)v3);
  }
}

/* hex value */ 0055DD63 83 38 00

After testing the server for the crash, the server crashed with the message "Server is not Vulnerable" in the testing tool, but it still crashed.

And in the IDA debugger I get this result with the detailed message:

55dd63: The Instruction at 0x55DD63 referenced memory at 0x61616161, The memory could not be read -> 61616161 (exc.code c0000005, tid 4692)


I can share the testing tool too, but not here because the testing tool contains a .simplese trojan and it may harm your PC; I can share the source code of the testing tool on request.


Solution

  • The bug is caused by the logging function NetManager_LogMessage, which takes the text to dump, adds a timestamp (using snprintf) and then passes the whole string to the function File_printf without the needed format argument (%s), and you need to use the value 05 instead of 04 to make an empty space to fool the bug. This trick works on many games; good luck.
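As an added illustration in C (not code from the question, the answer or the game binary), the logging pattern the answer describes: a hypothetical file_printf stand-in, the vulnerable call that hands the assembled line to it as the format string, and the fixed call that passes a constant "%s" format; the real NetManager_LogMessage signature and timestamp format are unknown, so the timestamp is a plain parameter.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for the game's File_printf (hypothetical name): a printf-style
 * sink that writes into a buffer instead of the log file so it can be checked. */
static char g_last_line[512];

static int file_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(g_last_line, sizeof g_last_line, fmt, ap);
    va_end(ap);
    return n;
}
const char *last_log_line(void) { return g_last_line; }

/* Builds "[timestamp] text" the way the answer describes NetManager_LogMessage
 * doing it with snprintf; the timestamp is a parameter so results are repeatable. */
static void build_line(char *out, size_t n, long ts, const char *nickname)
{
    snprintf(out, n, "[%ld] player joined: %s", ts, nickname);
}

/* Vulnerable shape: the assembled line, which still contains the player-
 * supplied nickname, is handed to the sink AS the format string. Any '%'
 * sequence in the nickname is then parsed as a directive and the sink reads
 * arguments that were never passed (the invalid read seen at cmp [eax], 0). */
int log_message_vulnerable(long ts, const char *nickname)
{
    char line[256];
    build_line(line, sizeof line, ts, nickname);
    return file_printf(line);
}

/* Fixed shape: the line is an argument to a constant "%s" format, so
 * nothing user-controlled is ever interpreted by the formatter. */
int log_message_fixed(long ts, const char *nickname)
{
    char line[256];
    build_line(line, sizeof line, ts, nickname);
    return file_printf("%s", line);
}

/* Defensive check a server can run on incoming nicknames: returns 1 if the
 * text contains no '%' and so carries nothing the formatter would parse. */
int nickname_is_format_safe(const char *nickname)
{ return strchr(nickname, '%') == NULL; }
```

Only benign input should ever reach log_message_vulnerable; it is kept here solely to show, side by side, which argument position the missing "%s" changes.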