++METHOS (I post too much)
Reputation: 92
Joined: 29 Oct 2010  Posts: 4197
Posted: Sat Feb 13, 2016 11:48 pm  Post subject: Checking Null Pointer
I need to perform a compare inside of a pointer tree, but the target process keeps crashing due to some of the addresses not containing data. I've tried comparing to 0, doing test register,register as well as calling isbadreadptr, but nothing is working. Aside from manually filtering out most of the junk, is there another workaround that I am not aware of?
Thanks.

Daijobu (Master Cheater)
Reputation: 13
Joined: 05 Feb 2013  Posts: 301  Location: the Netherlands
Posted: Sun Feb 14, 2016 2:48 pm  Post subject:
A shot in the dark, mainly because I'm not a programmer; would LUA be an option? Then again, you probably already passed that point.
*runs away*

++METHOS (I post too much)
Reputation: 92
Joined: 29 Oct 2010  Posts: 4197
Posted: Sun Feb 14, 2016 3:48 pm  Post subject:
Thanks for responding, Daijobu.
No, I'm pretty stupid regarding any topics concerning LUA. I would imagine that if I cannot accomplish what I need using assembly, in this particular case, then any attempts to use LUA may be pointless...but I'm not certain of that. Please correct me if I am wrong.
I am open to any suggestions.
Thanks.

Gniarf (Grandmaster Cheater Supreme)
Reputation: 43
Joined: 12 Mar 2012  Posts: 1285
Posted: Sun Feb 14, 2016 5:21 pm  Post subject:
When IsBadReadPtr returns 0, why does your program crash?
(When you have [Base+1234] you're feeding Base+1234 to IsBadReadPtr not just Base, right?)
Anyway one thing you could try is using VirtualQuery and checking protection (maybe state & type too) of the bytes you want to read.
_________________
DO NOT PM me if you want help on making/fixing/using a hack.
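The VirtualQuery check Gniarf suggests here, combined with the "< 0x1000 or not a multiple of 4 is junk" filter he mentions later in the thread, written out in C as an added example (this is not code from the thread or from Cheat Engine). The decision logic is split from the VirtualQuery call so it can be exercised with constructed region descriptions off Windows; region_t, PROTECT_READABLE, region_allows_read and can_read are names chosen here, and the fallback constants are copied from winnt.h.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Values copied from winnt.h so the decision logic also compiles and runs off Windows. */
#define MEM_COMMIT             0x1000
#define PAGE_NOACCESS          0x01
#define PAGE_READONLY          0x02
#define PAGE_READWRITE         0x04
#define PAGE_WRITECOPY         0x08
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_GUARD             0x100
#endif

/* The MEMORY_BASIC_INFORMATION fields the decision needs: BaseAddress, RegionSize, State, Protect. */
typedef struct { uintptr_t base; size_t size; uint32_t state; uint32_t protect; } region_t;

/* Every protection value that permits a plain read. */
#define PROTECT_READABLE (PAGE_READONLY | PAGE_READWRITE | PAGE_WRITECOPY | \
                          PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

/* Would a len-byte read at addr fault, given the region VirtualQuery reported for addr?
   Combines the cheap "< 0x1000 or not a multiple of 4 is junk" filter with the
   state and protection checks suggested in the thread. */
bool region_allows_read(const region_t *r, uintptr_t addr, size_t len)
{
    uintptr_t end = r->base + r->size;
    if (addr < 0x1000 || (addr & 3) != 0)            return false; /* null page / misaligned */
    if (r->state != MEM_COMMIT)                      return false; /* reserved or free: no pages */
    if (r->protect & (PAGE_NOACCESS | PAGE_GUARD))   return false; /* either one faults on touch */
    if (!(r->protect & PROTECT_READABLE))            return false; /* e.g. PAGE_EXECUTE alone */
    if (addr < r->base || addr >= end || len > end - addr)
        return false;                                              /* read runs past the region */
    return true;
}

#ifdef _WIN32
/* Live version: query the current process, then apply the same decision. */
bool can_read(uintptr_t addr, size_t len)
{
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery((LPCVOID)addr, &mbi, sizeof mbi) == 0)
        return false;                                /* address is outside the address space */
    region_t r = { (uintptr_t)mbi.BaseAddress, mbi.RegionSize, mbi.State, mbi.Protect };
    return region_allows_read(&r, addr, len);
}
#endif
```

Checking that the whole read fits inside the region matters for the two-level chain discussed here: a 4-byte pointer sitting in the last bytes of a committed page can still fault if the next page is not mapped.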

++METHOS (I post too much)
Reputation: 92
Joined: 29 Oct 2010  Posts: 4197
Posted: Sun Feb 14, 2016 6:17 pm  Post subject:
Hi, Gniarf. Thanks for chiming in.
Gniarf wrote:
    When IsBadReadPtr returns 0, why does your program crash?
-Not sure. Maybe a target-specific problem?
Gniarf wrote:
    (When you have [Base+1234] you're feeding Base+1234 to IsBadReadPtr not just Base, right?)
-Yes. Although I initially started out with something similar to this, I have tried many different things and checked everything over several times.
I can filter out the problem addresses, manually, which is what I have done. But I was curious about whether or not a better solution existed.
Regarding VirtualQuery and checking protection, I'll have to research what the calling procedures are for that and how to implement it, as I've never used that before. I may reserve that for a future script if I can't get my own filters to work. Thanks for the tip!

Gniarf (Grandmaster Cheater Supreme)
Reputation: 43
Joined: 12 Mar 2012  Posts: 1285

++METHOS (I post too much)
Reputation: 92
Joined: 29 Oct 2010  Posts: 4197
Posted: Sun Feb 14, 2016 7:50 pm  Post subject:
Gniarf wrote:
    If you stick a debugger to your program, does the crash happen inside IsBadReadPtr or in your code as if IsBadReadPtr "lied" to you?
-The problem is that everything is going through and nothing is getting filtered out...so everything jumps to invalid data.
Gniarf wrote:
    In terms of filters the only generic reliable ones I know for pointers are "you are junk if you are < 0x1000 or not a multiple of 4".
-I filtered everything out using one of the register values.
Gniarf wrote:
    Depending on the length of your pointer...
-It's only one level deep. I've tried checking for valid data at [register+offset], and again, at [[register+offset]+offset].
I've tried many different variations, to no avail. This is my most recent attempt:
Code:
pushfd
pushad
push 4                  // second argument: number of bytes to test
lea ebx,[eax+0c]        // first level: address of the pointer stored at [eax+0c]
push ebx                // first argument: address to test
call isbadreadptr       // IsBadReadPtr(ebx, 4)
cmp ebx,0
jne @f                  // nonzero is treated as "bad": skip the cheat
popad
popfd
pushfd
pushad
push 4
mov ebx,[eax+0c]        // second level: follow the pointer...
lea ebx,[ebx+1c]        // ...and test [[eax+0c]+1c]
push ebx
call isbadreadptr       // IsBadReadPtr(ebx, 4)
cmp ebx,0
jne @f
popad
popfd
jmp cheats              // both levels passed: run the cheat code
@@:                     // reached when either check flagged the address as bad
popad
popfd
mov edx,[eax+04]
mov esi,[esp+14]
jmp return
Thanks.
EDIT:
Never mind. Ugh...I figured out my mistake. I had to change the register to eax. The problem was, I tried it that way before, but I wasn't checking the second offset and ended up changing the register, not thinking about it.
Sorry everyone. Thank you all for your help.

Gniarf (Grandmaster Cheater Supreme)
Reputation: 43
Joined: 12 Mar 2012  Posts: 1285
Posted: Mon Feb 15, 2016 1:14 pm  Post subject:
++METHOS wrote:
    I had to change the register to eax. The problem was, I tried it that way before, but I wasn't checking the second offset and ended up changing the register, not thinking about it.
Dunno about that but what I see is that you're not checking the return value from IsBadReadPtr. Return value is in eax, you're checking ebx, is that what you meant by "I had to change the register to eax"?
_________________
DO NOT PM me if you want help on making/fixing/using a hack.

++METHOS (I post too much)
Reputation: 92
Joined: 29 Oct 2010  Posts: 4197
Posted: Mon Feb 15, 2016 1:33 pm  Post subject:
Yes. I changed it a while back when I was testing and forgot about it.