Tuts 4 You

x64dbg crashing randomly when running a script


dudeme

Hi, I made a simple x64dbg script that copies DWORD values from a source to a destination buffer. The problem is that it crashes the debugger with EXCEPTION_ACCESS_VIOLATION. It doesn't happen every time, but it's pretty often. If I debug the script (using TABs) the crash does not occur. Increasing the size of the buffer seems to increase the probability of the problem occurring. Anybody else having the same problem? More info below.

Script:

; HOWTO: Open any target in the debugger, open this script, and run it.
; Repeat this process many times to ensure it's (not) working.
; I used cip as the src, but the problem happens with any other inputs too.
src = cip
size = 900

; Allocate the destination buffer in the debuggee; alloc leaves its address in $result.
alloc size
dest = $result

; Copy one DWORD per iteration until offset reaches size.
offset = 0
LB_COPY:
	cmp offset, size
	jge LB_COPY_END
	[dest + offset] = [src + offset]
	add offset, 4
	jmp LB_COPY
LB_COPY_END:
	log "Finished"
	
free dest

ret

Exception info:

Platform info:
	x64dbg (32bit), Windows 7 x64
	Snapshot: snapshot_2019-11-11_22-25. The problem seems to be present in older versions too.

EXCEPTION_DEBUG_INFO:
             Module Name: x32dbg.dll
           dwFirstChance: 1
           ExceptionCode: C0000005 (EXCEPTION_ACCESS_VIOLATION)
          ExceptionFlags: 00000000
        ExceptionAddress: 722A4B65 x32dbg.722A4B65 (offset: 00074b65)
        NumberParameters: 2
ExceptionInformation[00]: 00000000 Read
ExceptionInformation[01]: 0000000C Inaccessible Address
First chance exception on 722A4B65 (C0000005, EXCEPTION_ACCESS_VIOLATION)!

Disassembly code where the exception occurs:

; The exception occurs inside x32dbg.dll on the "rep movsd" instruction, which is located at the address 722A4B65 below:
722A4AC0 | 55                      | push ebp                                            |
722A4AC1 | 8BEC                    | mov ebp,esp                                         |
722A4AC3 | 6A FF                   | push FFFFFFFF                                       |
722A4AC5 | 68 A86E2F72             | push <x32dbg.sub_722F6EA8>                          |
722A4ACA | 64:A1 00000000          | mov eax,dword ptr fs:[0]                            |
722A4AD0 | 50                      | push eax                                            |
722A4AD1 | 83EC 08                 | sub esp,8                                           |
722A4AD4 | 53                      | push ebx                                            |
722A4AD5 | 56                      | push esi                                            |
722A4AD6 | 57                      | push edi                                            |
722A4AD7 | A1 74CC3672             | mov eax,dword ptr ds:[7236CC74]                     |
722A4ADC | 33C5                    | xor eax,ebp                                         |
722A4ADE | 50                      | push eax                                            |
722A4ADF | 8D45 F4                 | lea eax,dword ptr ss:[ebp-C]                        |
722A4AE2 | 64:A3 00000000          | mov dword ptr fs:[0],eax                            |
722A4AE8 | 803D A1643872 00        | cmp byte ptr ds:[723864A1],0                        |
722A4AEF | 8B1D ACD12F72           | mov ebx,dword ptr ds:[<&GetCurrentThreadId>]        |
722A4AF5 | 74 17                   | je x32dbg.722A4B0E                                  |
722A4AF7 | FFD3                    | call ebx                                            |
722A4AF9 | 3905 F0643872           | cmp dword ptr ds:[723864F0],eax                     |
722A4AFF | 74 18                   | je x32dbg.722A4B19                                  |
722A4B01 | 68 FC653872             | push x32dbg.723865FC                                |
722A4B06 | FF15 046A3872           | call dword ptr ds:[<&RtlAcquireSRWLockShared>]      |
722A4B0C | EB 0B                   | jmp x32dbg.722A4B19                                 |
722A4B0E | 68 48673872             | push x32dbg.72386748                                |
722A4B13 | FF15 A8D12F72           | call dword ptr ds:[<&RtlEnterCriticalSection>]      |
722A4B19 | C645 F3 01              | mov byte ptr ss:[ebp-D],1                           |
722A4B1D | 8B4D 0C                 | mov ecx,dword ptr ss:[ebp+C]                        |
722A4B20 | 8B55 08                 | mov edx,dword ptr ss:[ebp+8]                        |
722A4B23 | C745 FC 00000000        | mov dword ptr ss:[ebp-4],0                          |
722A4B2A | 85C9                    | test ecx,ecx                                        |
722A4B2C | 74 10                   | je x32dbg.722A4B3E                                  |
722A4B2E | 6905 585D3872 08010000  | imul eax,dword ptr ds:[72385D58],108                |
722A4B38 | 8901                    | mov dword ptr ds:[ecx],eax                          |
722A4B3A | 85D2                    | test edx,edx                                        |
722A4B3C | 74 4D                   | je x32dbg.722A4B8B                                  |
722A4B3E | A1 545D3872             | mov eax,dword ptr ds:[72385D54]                     |
722A4B43 | 8945 EC                 | mov dword ptr ss:[ebp-14],eax                       |
722A4B46 | 8B18                    | mov ebx,dword ptr ds:[eax]                          |
722A4B48 | 3BD8                    | cmp ebx,eax                                         |
722A4B4A | 74 39                   | je x32dbg.722A4B85                                  |
722A4B4C | 8D8A 00010000           | lea ecx,dword ptr ds:[edx+100]                      |
722A4B52 | 894D 0C                 | mov dword ptr ss:[ebp+C],ecx                        |
722A4B55 | 8D43 0C                 | lea eax,dword ptr ds:[ebx+C]                        |
722A4B58 | 8DB9 00FFFFFF           | lea edi,dword ptr ds:[ecx-100]                      |
722A4B5E | 8BF0                    | mov esi,eax                                         |
722A4B60 | B9 42000000             | mov ecx,42                                          | 42:'B'
722A4B65 | F3:A5                   | rep movsd                                           | << Exception occurs here! >>
722A4B67 | 50                      | push eax                                            |
722A4B68 | E8 8373FFFF             | call <x32dbg.sub_7229BEF0>                          |
722A4B6D | 8B4D 0C                 | mov ecx,dword ptr ss:[ebp+C]                        |
722A4B70 | 83C4 04                 | add esp,4                                           |
722A4B73 | 0101                    | add dword ptr ds:[ecx],eax                          |
722A4B75 | 81C1 08010000           | add ecx,108                                         |
722A4B7B | 8B1B                    | mov ebx,dword ptr ds:[ebx]                          |
722A4B7D | 894D 0C                 | mov dword ptr ss:[ebp+C],ecx                        |
722A4B80 | 3B5D EC                 | cmp ebx,dword ptr ss:[ebp-14]                       |
722A4B83 | 75 D0                   | jne x32dbg.722A4B55                                 |
722A4B85 | 8B1D ACD12F72           | mov ebx,dword ptr ds:[<&GetCurrentThreadId>]        |
722A4B8B | 803D A1643872 00        | cmp byte ptr ds:[723864A1],0                        |
722A4B92 | C745 FC FFFFFFFF        | mov dword ptr ss:[ebp-4],FFFFFFFF                   |
722A4B99 | 74 29                   | je x32dbg.722A4BC4                                  |
722A4B9B | FFD3                    | call ebx                                            |
722A4B9D | 3905 F0643872           | cmp dword ptr ds:[723864F0],eax                     |
722A4BA3 | 74 2A                   | je x32dbg.722A4BCF                                  |
722A4BA5 | 68 FC653872             | push x32dbg.723865FC                                |
722A4BAA | FF15 0C6A3872           | call dword ptr ds:[<&RtlReleaseSRWLockShared>]      |
722A4BB0 | B0 01                   | mov al,1                                            |
722A4BB2 | 8B4D F4                 | mov ecx,dword ptr ss:[ebp-C]                        |
722A4BB5 | 64:890D 00000000        | mov dword ptr fs:[0],ecx                            |
722A4BBC | 59                      | pop ecx                                             |
722A4BBD | 5F                      | pop edi                                             |
722A4BBE | 5E                      | pop esi                                             |
722A4BBF | 5B                      | pop ebx                                             |
722A4BC0 | 8BE5                    | mov esp,ebp                                         |
722A4BC2 | 5D                      | pop ebp                                             |
722A4BC3 | C3                      | ret                                                 |
722A4BC4 | 68 48673872             | push x32dbg.72386748                                |
722A4BC9 | FF15 A4D12F72           | call dword ptr ds:[<&RtlLeaveCriticalSection>]      |
722A4BCF | B0 01                   | mov al,1                                            |
722A4BD1 | 8B4D F4                 | mov ecx,dword ptr ss:[ebp-C]                        |
722A4BD4 | 64:890D 00000000        | mov dword ptr fs:[0],ecx                            |
722A4BDB | 59                      | pop ecx                                             |
722A4BDC | 5F                      | pop edi                                             |
722A4BDD | 5E                      | pop esi                                             |
722A4BDE | 5B                      | pop ebx                                             |
722A4BDF | 8BE5                    | mov esp,ebp                                         |
722A4BE1 | 5D                      | pop ebp                                             |
722A4BE2 | C3                      | ret                                                 |


copy-crash-script.txt


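The addresses in the listing above lost their last hex digit in extraction, but the encoded bytes are on the page, so every address can be recomputed from the instruction lengths once one row is pinned to the ExceptionAddress 722A4B65 from the crash dump. The Python script below is an added example, not part of the original post or of x64dbg: it embeds the rows from test ecx,ecx to the cmp byte ptr after the copy loop, copied from the listing with the truncated addresses as posted, reconstructs the full addresses, checks each against its truncated prefix, and decodes the rel8 of every short jump to confirm that the branch targets x64dbg printed land on rows in the excerpt. The function and constant names (parse_listing, reconstruct, short_jump_checks, FAULT_ADDR) are mine.

```python
import re

# Excerpt of the x32dbg.dll listing posted above, with the addresses truncated
# exactly as they appear on the page (last hex digit lost in extraction).
# The "rep movsd" row is the one the crash dump reports at ExceptionAddress 722A4B65.
LISTING = """\
722A4B2 | 85C9 | test ecx,ecx
722A4B2 | 74 10 | je x32dbg.722A4B3E
722A4B2 | 6905 585D3872 08010000 | imul eax,dword ptr ds:[72385D58],108
722A4B3 | 8901 | mov dword ptr ds:[ecx],eax
722A4B3 | 85D2 | test edx,edx
722A4B3 | 74 4D | je x32dbg.722A4B8B
722A4B3 | A1 545D3872 | mov eax,dword ptr ds:[72385D54]
722A4B4 | 8945 EC | mov dword ptr ss:[ebp-14],eax
722A4B4 | 8B18 | mov ebx,dword ptr ds:[eax]
722A4B4 | 3BD8 | cmp ebx,eax
722A4B4 | 74 39 | je x32dbg.722A4B85
722A4B4 | 8D8A 00010000 | lea ecx,dword ptr ds:[edx+100]
722A4B5 | 894D 0C | mov dword ptr ss:[ebp+C],ecx
722A4B5 | 8D43 0C | lea eax,dword ptr ds:[ebx+C]
722A4B5 | 8DB9 00FFFFFF | lea edi,dword ptr ds:[ecx-100]
722A4B5 | 8BF0 | mov esi,eax
722A4B6 | B9 42000000 | mov ecx,42
722A4B6 | F3:A5 | rep movsd
722A4B6 | 50 | push eax
722A4B6 | E8 8373FFFF | call <x32dbg.sub_7229BEF0>
722A4B6 | 8B4D 0C | mov ecx,dword ptr ss:[ebp+C]
722A4B7 | 83C4 04 | add esp,4
722A4B7 | 0101 | add dword ptr ds:[ecx],eax
722A4B7 | 81C1 08010000 | add ecx,108
722A4B7 | 8B1B | mov ebx,dword ptr ds:[ebx]
722A4B7 | 894D 0C | mov dword ptr ss:[ebp+C],ecx
722A4B8 | 3B5D EC | cmp ebx,dword ptr ss:[ebp-14]
722A4B8 | 75 D0 | jne x32dbg.722A4B55
722A4B8 | 8B1D ACD12F72 | mov ebx,dword ptr ds:[<&GetCurrentThreadId>]
722A4B8 | 803D A1643872 00 | cmp byte ptr ds:[723864A1],0
"""

FAULT_ADDR = 0x722A4B65        # ExceptionAddress from the EXCEPTION_DEBUG_INFO dump
ANCHOR_MNEMONIC = "rep movsd"  # the row the dump pins to FAULT_ADDR

def parse_listing(text):
    """Split 'prefix | bytes | mnemonic' rows into dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            prefix, enc, mnem = (p.strip() for p in line.split("|", 2))
            rows.append({"prefix": prefix, "enc": enc, "mnem": mnem})
    return rows

def byte_len(enc):
    """Instruction length in bytes: count hex pairs, ignoring ' ' and the ':' after a prefix."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", enc)
    return len(digits) // 2

def reconstruct(rows, anchor_mnemonic=ANCHOR_MNEMONIC, anchor_addr=FAULT_ADDR):
    """Give every row a full address by walking backwards and forwards from the anchor."""
    idx = next(i for i, r in enumerate(rows) if r["mnem"] == anchor_mnemonic)
    addrs = [None] * len(rows)
    addrs[idx] = anchor_addr
    for i in range(idx - 1, -1, -1):
        addrs[i] = addrs[i + 1] - byte_len(rows[i]["enc"])
    for i in range(idx + 1, len(rows)):
        addrs[i] = addrs[i - 1] + byte_len(rows[i - 1]["enc"])
    return [dict(r, addr=a) for r, a in zip(rows, addrs)]

def prefix_mismatches(rows):
    """Rows whose truncated prefix from the page does not match the recomputed address."""
    return [r for r in rows if not f"{r['addr']:08X}".startswith(r["prefix"].upper())]

def short_jump_checks(rows):
    """Decode the rel8 of every 2-byte Jcc/JMP and pair it with the target x64dbg printed."""
    out = []
    for r in rows:
        enc = re.fullmatch(r"(7[0-9A-Fa-f]|EB) ([0-9A-Fa-f]{2})", r["enc"])
        named = re.search(r"x32dbg\.([0-9A-Fa-f]{8})$", r["mnem"])
        if enc and named:
            rel = int(enc.group(2), 16)
            rel -= 0x100 if rel >= 0x80 else 0  # sign-extend the 8-bit displacement
            out.append((r["addr"], r["addr"] + 2 + rel, int(named.group(1), 16)))
    return out

def address_of(rows, mnemonic):
    return next(r["addr"] for r in rows if r["mnem"] == mnemonic)

if __name__ == "__main__":
    rows = reconstruct(parse_listing(LISTING))
    for r in rows:
        print(f"{r['addr']:08X} | {r['enc']:<24} | {r['mnem']}")
    print("prefix mismatches:", len(prefix_mismatches(rows)))
    for at, decoded, named in short_jump_checks(rows):
        print(f"jump at {at:08X} -> {decoded:08X} (listing says {named:08X})")
```

With this excerpt all prefixes match and all four short jumps decode to the targets in the listing, which is the cross-check that makes the reconstruction trustworthy rather than a guess. The same rows also explain the 0000000C in ExceptionInformation[01]: the source of rep movsd is esi, loaded by lea eax,dword ptr ds:[ebx+C] followed by mov esi,eax, so a read fault at exactly 0xC means ebx held 0 when the copy started.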
mrexodia

Thanks for your great reproduction steps! The issue has been fixed and a new snapshot should be out soon.

dudeme

mrexodia, thanks for fixing it and for making this wonderful tool! Now I'm using the new memcpy command! :)
