OllyDbg NumberOfSections Crash

[waliedassar]

In this post i will be discussing another bug that i found in OllyDbg. The idea came to my mind while debugging link.exe shipped with Microsoft Visual Studio 2008.

Debugging link.exe, i was amazed to see that the maximum number of sections that a PE file can hold is 0xFEFF sections (as assumed by link.exe) not 96 (0x60, hex). In the beginning, i thought that i have an old PE/COFF documentation or that it is a mistake since the documentation says "the Windows loader limits the number of sections to 96".

By creating a PE file with 97 sections, i found out that the 96-section limit applies to Windows XP but not to Windows 7, 64-bit.

I quickly asked myself "How will Olly Handle that?!!!".

Quickly opened Olly to debug another instance of it and went to the PE parsing code. See the image below.

As you can see in the image above, Olly takes 0x1FFF (8191, decimal) as the maximum number of sections. That's Cool!!

The C code looks something like this. See the image below.

As you can see, if we give it an executable with 0x2000 (8192, decimal) sections or more, Olly will crash.

Here you can find a Proof Of Concept.

http://ollytlscatch....000sections.exe

Material in this post has been tried on Windows 7, Wow64 and OllyDbg v1.10. I will be glad if someone gives it a shot on Windows 7, 32 bit or Windows Vista.

You can follow me on Twitter @waleedassar

[Ronar22]

Please leave olly alone it has suffered enough , Good Job .