;Title             : OllyDbg/Immunity Debugger - Crash POC
;Researcher        : Souhail Hammou (Dark-Puzzle)
;Research Team     : http://itsecurity.ma
;Facebook          : http://www.facebook.com/dark.puzzle.sec
;Date              : 29/07/2013
;==================================================================
.386
.model flat,stdcall
option casemap:none
include /masm32/include/masm32.inc
include /masm32/include/kernel32.inc
includelib /masm32/lib/masm32.lib
includelib /masm32/lib/kernel32.lib
;==================================================================

;Details and Analysis :
;Pictures : 1.jpg : http://oi44.tinypic.com/dytanq.jpg
;      2.jpg : http://oi42.tinypic.com/2md0uvm.jpg

;This bug affects both OllyDbg and Immunity Debugger, a user can crash the debugger using one of the "pane" functionalities. The pane actually helps the reverser
;in order to locate where jumps were taken from or where they will lead, it will also display the memory addresses and display the ASCII format of what it holds if
;it's a printable string of course when the instruction containing that memory address is clicked.
;What we will be looking at is the "modify register" command that will help you modify a register value directly from the pane.

;Let's fully demonstrate the issue by debugging an x86 ASM little program "MASM Syntax".
.data
welcome  db  "Hello...",0
bye   db  "Bye",0
.data?
whatever db  10 dup(?)
.code
test_me :
invoke StdOut, addr welcome
mov eax, 00403000h        ;demonstrating mov instruction
lea ecx, bye          ;demonstrating lea instruction 
invoke StdOut, addr bye
invoke StdIn, addr whatever,10
invoke ExitProcess,0
end test_me
;Now let's see how the debugger is disassembling the targets' instructions :  
  ;0040100A  |. B8 00304000    MOV EAX,test.00403000                          ;  ASCII "Hello..."
  ;0040100F  |. 8D0D 09304000  LEA ECX,DWORD PTR DS:[403009]          ;  00403009 is pointing to ASCII "Bye"    

;Now without stepping into the MOV instruction , try just to click on it and you'll see the following in the pane :
;  00403000=test.00403000 (ASCII "Hello...")

;Select this line and click the right button , now click on "modify register" which will open a box indicating that you are about to edit the value of EAX register
;Without stepping again, select the LEA instruction you will see in the pane this :
;  Address=00403009, (ASCII "Bye")
;Click the right button on that line again, and select "Modify Register" ... Boom !! Crash !
;The difference between MOV and LEA is that when dealing with MOV the debugger will edit the value of the register which the instruction is moved to.
;But when dealing with LEA instruction the debugger will just crash.
;===========================================================
;Quick Crash Analysis :
;===========================================================

;When the user will click "modify register" in the case of a LEA instruction , Olly/Immunity debugger will try to print "Modify reg" 
;using this set of instructions:
  ;004302B9   . 8B1C95 A475650>MOV EBX,DWORD PTR DS:[EDX*4+6575A4]               ; | Important Instruction !
  ;----Cut----
  ;----Cut----
  ;004309DA   > 8B049D 48D25E0>MOV EAX,DWORD PTR DS:[EBX*4+5ED248]               ; | Important Instruction !
  ;004309E1   . 8DB424 C609000>LEA ESI,DWORD PTR SS:[ESP+9C6]                    ; |
  ;004309E8   . 31FF           XOR EDI,EDI                                       ; |
  ;004309EA   . C74424 04 0E48>MOV DWORD PTR SS:[ESP+4],Immunity.0060480E        ; |ASCII "Modify %s"
  ;004309F2   . 893424         MOV DWORD PTR SS:[ESP],ESI                        ; |
  ;004309F5   . 894424 08      MOV DWORD PTR SS:[ESP+8],EAX                      ; |
  ;004309F9   . E8 12501A00    CALL <JMP.&ntdll.sprintf>                         ; \sprintf
  
;Actually when dealing with a MOV instruction. at address 004302B9 , [EBX*4+6575A4] will hold a small value that indicates the placement of the targeted register string 
;in memory that will be multiplied by 4 and added to memory address 005ED248.
;But when Dealing with a LEA instructions [EBX*4+6575A4] will hold the memory address of the element shown in the pane, in our case 00403009 which equals 4206601 in decimal .
;So when trying to detect which register is dealed with (at 004309DA) , the debugger will face an address that is out of memory range (inexistant) 4206601*4+5ED248 in my case.
;And it will simply CRASH.

;Best Regards,
;Souhail Hammou.