Users on tuts4you quite often ask questions like "Can you identify which obfuscator was used". When I was analyzing one such assembly, my CFF Explorer started to act erratically. New tabs would not open and on exit CFF Explorer crashed with access violation.
That's weird, I said to myself and decided to figure out what's causing it.
Uninitialized buffers and unchecked return values
First bug is a classic. In pseudo-code it looks like this:
bool ReadResourceHeader(ManagedResource resource, ResourcesInfo *info)
DWORD MagicNumber = ReadDword();
if (MagicNumber != RESOURCES_MAGIC_NUMBER)
info.FieldX = xyz;
foreach (ManagedResource resource in exefile)
for (int i = 0; i < info.EntryCount; i++)
First issue is that nobody initialized ResourcesInfo structure, so all fields will initially contain random garbage. As soon as ReadResourceHeader fails to read or validate something, it returns, and lots of fields will still contain random garbage.
It wouldn't be a big problem, if Daniel checked the return value of the function. But his code just continues processing even if the data initialization failed. And, to make matters worse, it just hides all exceptions by putting try-except handlers around most of the code. No wonder CFF is occasionally acting weird! smile
This bug is quite hard to demonstrate, as it needs to have few lucky coincidences in the uninitialized data. But I'm sure that a skilled person would convert it into arbitrary code execution in no time. Not me, though... smile
Second bug is also a classic. In pseudo-code it looks like this:
ZeroMemory(Str, MAX_PATH * sizeof (WCHAR));
if (!DecodeInt(ptr, &NameSize, &ValueSize))
memcpy(Str, ptr, NameSize);
So, what's wrong here? Daniel takes a fixed-size buffer and initializes it with all zeros (unlike previous case). Then he reads size of data (NameSize). And then he copies NameSize bytes into a fixed-size buffer - without checking if that's gonna overflow or not.. Yikes!
Example file demonstrating this bug: https://www.mediafire.com/?x4idsa21toh0t36 (you need to click on Resource Editor -> .NET Resources to trigger the buggy code. Afterwards, CFF Explorer will start acting weird).
Just like in a previous case where I added support for ConfuserEx and undocumented fields, I had to make few binary patches to CFF Explorer.
Fixed exe file is here: Please get latest version from this post
Have fun and stay safe!