
I have found and fixed the bug under the win64 platform

Posted: Tue Dec 04, 2018 1:50 pm
by q675318
In madTools.pas, fix "function MethodToProcedure" under win64:


{ x64 thunk templates as byte arrays. The $00 fields are placeholders
  (stack displacements / immediates) that are filled in later. }
var
  s1arr: array[0..79] of Byte = (
    $48,$81,$EC,$00,$00,$00,$00,            // sub rsp, imm32
    $48,$89,$84,$24,$00,$00,$00,$00,        // mov [rsp+disp32], rax
    $48,$8B,$84,$24,$00,$00,$00,$00,        // mov rax, [rsp+disp32]
    $48,$89,$44,$24,$08,                    // mov [rsp+8], rax
    $48,$8B,$84,$24,$00,$00,$00,$00,        // mov rax, [rsp+disp32]
    $48,$89,$44,$24,$10,                    // mov [rsp+$10], rax
    $48,$8B,$84,$24,$00,$00,$00,$00,        // mov rax, [rsp+disp32]
    $48,$89,$44,$24,$18,                    // mov [rsp+$18], rax
    $4C,$89,$4C,$24,$20,                    // mov [rsp+$20], r9
    $4D,$89,$C1,                            // mov r9, r8
    $49,$89,$D0,                            // mov r8, rdx
    $48,$89,$CA,                            // mov rdx, rcx
    $66,$0F,$6F,$DA,                        // movdqa xmm3, xmm2
    $66,$0F,$6F,$D1,                        // movdqa xmm2, xmm1
    $66,$0F,$6F,$C8);                       // movdqa xmm1, xmm0

var
  s2arr: array[0..15] of Byte = (
    $48,$8B,$84,$24,$00,$00,$00,$00,        // mov rax, [rsp+disp32]
    $48,$89,$84,$24,$00,$00,$00,$00);       // mov [rsp+disp32], rax

var
  s22arr: array[0..54] of Byte = (
    $48,$8B,$84,$24,$00,$00,$00,$00,        // mov rax, [rsp+disp32]
    $48,$B9,$00,$00,$00,$00,$00,$00,$00,$00, // mov rcx, imm64
    $48,$89,$8C,$24,$00,$00,$00,$00,        // mov [rsp+disp32], rcx
    $48,$B9,$00,$00,$00,$00,$00,$00,$00,$00, // mov rcx, imm64
    $48,$89,$0C,$24,                        // mov [rsp], rcx
    $FF,$94,$24,$00,$00,$00,$00,            // call qword ptr [rsp+disp32]
    $48,$81,$C4,$00,$00,$00,$00,            // add rsp, imm32
    $C3);                                   // ret

// s1, s2: AnsiString; CopyMemory comes from the Windows unit
SetLength(s1, 80);
CopyMemory(PAnsiChar(s1), @s1arr[0], 80);
.......

SetLength(s2, 16);
CopyMemory(PAnsiChar(s2), @s2arr[0], 16);
.......
SetLength(s2, 55);
CopyMemory(PAnsiChar(s2), @s22arr[0], 55);


Then it works OK!

Re: I have found and fixed the bug under the win64 platform

Posted: Sat Dec 08, 2018 10:37 am
by madshi
Hmmmm... It seems you just replaced the string constant with a byte array, is that correct? What was wrong with the string constant? Did you get a crash? Or did it not compile? Do you know why it was not working for you?

Thank you!

Re: I have found and fixed the bug under the win64 platform

Posted: Sat Dec 08, 2018 11:17 am
by madshi
P.S.: So this fixes the problem you reported in this thread:

viewtopic.php?f=4&t=28641

Is that correct?

I wonder if it might have something to do with string locales. Could you compare the contents of "s1" and "s2", using your "byte array" vs my "string constant"? There must be a difference in the resulting "s1" and "s2" variables, I think? Maybe because you're in a different country, Delphi somehow tries to "translate" the string constant in my code, but it doesn't do that on my PC? That would explain why it seems to work for me, but fail for you.

If you check the "s2" variable, when using my original code, I think probably some of the chars/bytes will be damaged by Delphi somehow on your PC (but not on mine).

Re: I have found and fixed the bug under the win64 platform

Posted: Sat Dec 08, 2018 4:14 pm
by q675318
In 10.3, if there is a character like #0 in the middle of a string, it may be truncated by compiler optimization, so your shellcode under 64-bit may not be accurate!
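A check for the problem described above, as an added example that is not code from madTools.pas or the poster: it rebuilds the s1 template from the byte array posted earlier and reports the first byte at which an AnsiString differs from it, so a template cut at an embedded #0 is caught before it is patched. The sTruncated value is a constructed stand-in for such a cut string.

```pascal
program CheckThunkTemplate;
{$APPTYPE CONSOLE}
const
  { x64 thunk prologue from the post; the $00 fields are patched later }
  s1arr: array[0..79] of Byte = (
    $48,$81,$EC,$00,$00,$00,$00,            // sub rsp, imm32
    $48,$89,$84,$24,$00,$00,$00,$00,        // mov [rsp+disp32], rax
    $48,$8B,$84,$24,$00,$00,$00,$00,        // mov rax, [rsp+disp32]
    $48,$89,$44,$24,$08,                    // mov [rsp+8], rax
    $48,$8B,$84,$24,$00,$00,$00,$00,        // mov rax, [rsp+disp32]
    $48,$89,$44,$24,$10,                    // mov [rsp+$10], rax
    $48,$8B,$84,$24,$00,$00,$00,$00,        // mov rax, [rsp+disp32]
    $48,$89,$44,$24,$18,                    // mov [rsp+$18], rax
    $4C,$89,$4C,$24,$20,                    // mov [rsp+$20], r9
    $4D,$89,$C1,                            // mov r9, r8
    $49,$89,$D0,                            // mov r8, rdx
    $48,$89,$CA,                            // mov rdx, rcx
    $66,$0F,$6F,$DA,                        // movdqa xmm3, xmm2
    $66,$0F,$6F,$D1,                        // movdqa xmm2, xmm1
    $66,$0F,$6F,$C8);                       // movdqa xmm1, xmm0
{ Returns -1 if S holds exactly the bytes in Expected, else the index of the
  first differing byte (the shorter length on a length mismatch). A string
  constant cut at an embedded #0 shows up here as a length mismatch. }
function FirstMismatch(const S: AnsiString; const Expected: array of Byte): Integer;
var
  i: Integer;
begin
  if Length(S) <> Length(Expected) then
  begin
    Result := Length(S);
    if Length(Expected) < Result then Result := Length(Expected);
    Exit;
  end;
  for i := 0 to High(Expected) do
    if Ord(S[i + 1]) <> Expected[i] then
    begin
      Result := i;
      Exit;
    end;
  Result := -1;
end;
var
  s1, sTruncated: AnsiString;
begin
  // Template built from the byte array: always intact -> -1
  SetString(s1, PAnsiChar(@s1arr[0]), Length(s1arr));
  WriteLn('byte array template: mismatch at ', FirstMismatch(s1, s1arr));
  // Constructed stand-in for a string constant cut at its first #0 -> 3
  sTruncated := #$48#$81#$EC;
  WriteLn('truncated template:  mismatch at ', FirstMismatch(sTruncated, s1arr));
end.
```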

Re: I have found and fixed the bug under the win64 platform

Posted: Sat Dec 08, 2018 4:16 pm
by madshi
But then why does the madTools.dcu that I've compiled work? Is it different compiler settings, maybe?

Re: I have found and fixed the bug under the win64 platform

Posted: Sat Dec 08, 2018 4:19 pm
by q675318
madshi wrote: Hmmmm... It seems you just replaced the string constant with a byte array, is that correct? What was wrong with the string constant? Did you get a crash? Or did it not compile? Do you know why it was not working for you?

Thank you!
I used a debugging tool to disassemble the compiled 64-bit program and found that the shellcode in the MethodToProcedure function is sometimes not compiled accurately; it seems the s1 string was optimized away. After switching to byte mode, repeated tests were accurate!

Re: I have found and fixed the bug under the win64 platform

Posted: Sat Dec 08, 2018 4:20 pm
by q675318
madshi wrote: But then why does the madTools.dcu that I've compiled work? Is it different compiler settings, maybe?
I don't know the specific reason either. On another machine of mine it compiles normally, but on two machines the compilation is not normal. With byte mode, however, all machines work normally!

Re: I have found and fixed the bug under the win64 platform

Posted: Sat Dec 08, 2018 4:24 pm
by madshi
Ok, I'll change the code in the next build, thanks. I just wish I could reproduce the problem...