dudeme Posted November 12, 2019 (edited)

Hi, I made a simple x64dbg script that copies DWORD values from a source to a destination buffer. The problem is that it crashes the debugger with EXCEPTION_ACCESS_VIOLATION. It doesn't happen all the time, but it's pretty often. If I debug the script (using TABs) the crash does not occur. Increasing the size of the buffer seems to increase the probability of the problem occurring. Anybody else having the same problem? More info below.

Script:

; HOWTO: Open any target in the debugger, open this script, and run it.
; Repeat this process many times to ensure it's (not) working.
; I used cip as the src, but the problem happens with any other inputs too.
src = cip
size = 900
alloc size
dest = $result
offset = 0
LB_COPY:
cmp offset, size
jge LB_COPY_END
[dest + offset] = [src + offset]
add offset, 4
jmp LB_COPY
LB_COPY_END:
log "Finished"
free dest
ret

Exception info:

Platform info: x64dbg (32bit), Windows 7 x64
Snapshot: snapshot_2019-11-11_22-25. The problem seems to be present in older versions too.

EXCEPTION_DEBUG_INFO:
Module Name: x32dbg.dll
dwFirstChance: 1
ExceptionCode: C0000005 (EXCEPTION_ACCESS_VIOLATION)
ExceptionFlags: 00000000
ExceptionAddress: 722A4B65 x32dbg.722A4B65 (offset: 00074b65)
NumberParameters: 2
ExceptionInformation[00]: 00000000 Read
ExceptionInformation[01]: 0000000C Inaccessible Address
First chance exception on 722A4B65 (C0000005, EXCEPTION_ACCESS_VIOLATION)!
Disassembly code where the exception occurs:

; The exception occurs inside x32dbg.dll on the "rep movsd" instruction, which is located at the address 722A4B6 below:
722A4AC | 55 | push ebp
722A4AC | 8BEC | mov ebp,esp
722A4AC | 6A FF | push FFFFFFFF
722A4AC | 68 A86E2F72 | push <x32dbg.sub_722F6EA8>
722A4AC | 64:A1 00000000 | mov eax,dword ptr fs:[0]
722A4AD | 50 | push eax
722A4AD | 83EC 08 | sub esp,8
722A4AD | 53 | push ebx
722A4AD | 56 | push esi
722A4AD | 57 | push edi
722A4AD | A1 74CC3672 | mov eax,dword ptr ds:[7236CC74]
722A4AD | 33C5 | xor eax,ebp
722A4AD | 50 | push eax
722A4AD | 8D45 F4 | lea eax,dword ptr ss:[ebp-C]
722A4AE | 64:A3 00000000 | mov dword ptr fs:[0],eax
722A4AE | 803D A1643872 00 | cmp byte ptr ds:[723864A1],0
722A4AE | 8B1D ACD12F72 | mov ebx,dword ptr ds:[<&GetCurrentThreadId>]
722A4AF | 74 17 | je x32dbg.722A4B0E
722A4AF | FFD3 | call ebx
722A4AF | 3905 F0643872 | cmp dword ptr ds:[723864F0],eax
722A4AF | 74 18 | je x32dbg.722A4B19
722A4B0 | 68 FC653872 | push x32dbg.723865FC
722A4B0 | FF15 046A3872 | call dword ptr ds:[<&RtlAcquireSRWLockShared>]
722A4B0 | EB 0B | jmp x32dbg.722A4B19
722A4B0 | 68 48673872 | push x32dbg.72386748
722A4B1 | FF15 A8D12F72 | call dword ptr ds:[<&RtlEnterCriticalSection>]
722A4B1 | C645 F3 01 | mov byte ptr ss:[ebp-D],1
722A4B1 | 8B4D 0C | mov ecx,dword ptr ss:[ebp+C]
722A4B2 | 8B55 08 | mov edx,dword ptr ss:[ebp+8]
722A4B2 | C745 FC 00000000 | mov dword ptr ss:[ebp-4],0
722A4B2 | 85C9 | test ecx,ecx
722A4B2 | 74 10 | je x32dbg.722A4B3E
722A4B2 | 6905 585D3872 08010000 | imul eax,dword ptr ds:[72385D58],108
722A4B3 | 8901 | mov dword ptr ds:[ecx],eax
722A4B3 | 85D2 | test edx,edx
722A4B3 | 74 4D | je x32dbg.722A4B8B
722A4B3 | A1 545D3872 | mov eax,dword ptr ds:[72385D54]
722A4B4 | 8945 EC | mov dword ptr ss:[ebp-14],eax
722A4B4 | 8B18 | mov ebx,dword ptr ds:[eax]
722A4B4 | 3BD8 | cmp ebx,eax
722A4B4 | 74 39 | je x32dbg.722A4B85
722A4B4 | 8D8A 00010000 | lea ecx,dword ptr ds:[edx+100]
722A4B5 | 894D 0C | mov dword ptr ss:[ebp+C],ecx
722A4B5 | 8D43 0C | lea eax,dword ptr ds:[ebx+C]
722A4B5 | 8DB9 00FFFFFF | lea edi,dword ptr ds:[ecx-100]
722A4B5 | 8BF0 | mov esi,eax
722A4B6 | B9 42000000 | mov ecx,42 | 42:'B'
722A4B6 | F3:A5 | rep movsd | << Exception occurs here! >>
722A4B6 | 50 | push eax
722A4B6 | E8 8373FFFF | call <x32dbg.sub_7229BEF0>
722A4B6 | 8B4D 0C | mov ecx,dword ptr ss:[ebp+C]
722A4B7 | 83C4 04 | add esp,4
722A4B7 | 0101 | add dword ptr ds:[ecx],eax
722A4B7 | 81C1 08010000 | add ecx,108
722A4B7 | 8B1B | mov ebx,dword ptr ds:[ebx]
722A4B7 | 894D 0C | mov dword ptr ss:[ebp+C],ecx
722A4B8 | 3B5D EC | cmp ebx,dword ptr ss:[ebp-14]
722A4B8 | 75 D0 | jne x32dbg.722A4B55
722A4B8 | 8B1D ACD12F72 | mov ebx,dword ptr ds:[<&GetCurrentThreadId>]
722A4B8 | 803D A1643872 00 | cmp byte ptr ds:[723864A1],0
722A4B9 | C745 FC FFFFFFFF | mov dword ptr ss:[ebp-4],FFFFFFFF
722A4B9 | 74 29 | je x32dbg.722A4BC4
722A4B9 | FFD3 | call ebx
722A4B9 | 3905 F0643872 | cmp dword ptr ds:[723864F0],eax
722A4BA | 74 2A | je x32dbg.722A4BCF
722A4BA | 68 FC653872 | push x32dbg.723865FC
722A4BA | FF15 0C6A3872 | call dword ptr ds:[<&RtlReleaseSRWLockShared>]
722A4BB | B0 01 | mov al,1
722A4BB | 8B4D F4 | mov ecx,dword ptr ss:[ebp-C]
722A4BB | 64:890D 00000000 | mov dword ptr fs:[0],ecx
722A4BB | 59 | pop ecx
722A4BB | 5F | pop edi
722A4BB | 5E | pop esi
722A4BB | 5B | pop ebx
722A4BC | 8BE5 | mov esp,ebp
722A4BC | 5D | pop ebp
722A4BC | C3 | ret
722A4BC | 68 48673872 | push x32dbg.72386748
722A4BC | FF15 A4D12F72 | call dword ptr ds:[<&RtlLeaveCriticalSection>]
722A4BC | B0 01 | mov al,1
722A4BD | 8B4D F4 | mov ecx,dword ptr ss:[ebp-C]
722A4BD | 64:890D 00000000 | mov dword ptr fs:[0],ecx
722A4BD | 59 | pop ecx
722A4BD | 5F | pop edi
722A4BD | 5E | pop esi
722A4BD | 5B | pop ebx
722A4BD | 8BE5 | mov esp,ebp
722A4BE | 5D | pop ebp
722A4BE | C3 | ret

Attachment: copy-crash-script.txt

Edited November 12, 2019 by dudeme
mrexodia Posted November 13, 2019

Thanks for your great reproduction steps! The issue has been fixed and a new snapshot should be out soon.
dudeme (Author) Posted November 13, 2019

mrexodia, thanks for fixing it and for making this wonderful tool! Now I'm using the new memcpy command! :)