
ollydbg – Analyzer floating-point bug

April 29, 2007

Perhaps some of you already know about this, some may not. The bug is not yet widely known, so I am blogging it here mostly for documentation purposes.

The bug was originally found by the flatassembler community. It later made its way to the Themida developers, who have included this anti-OllyDbg trick in their protector.


A random discovery

Source Code + Exe

  1. SunBeam olly-ied the olly that ollied a Themida executable in order to bypass this bug in olly. =P

    Beside me sit two English Language papers with failing marks. =P

    Nice publication, although fly and sho00o screwed it quite a long time ago in UnpackCN

  2. By the way, let’s exchange links.

  3. Wow, the English standard for Singapore must be extremely high. 😮 Hard to imagine someone like you could fail your English test. 😡

    Well, this bug was found half a year ago, yet most people aren’t much aware of it (not as much as the famous format-string vulnerability). That blog post serves only to make people aware that such a bug exists, so fewer people shout WTF when they olly a Themida-protected executable. 😛

    So did SunBeam manage to make a fix for that? As far as I know there isn’t any public fix for that bug, or rather a “perfect” fix for it. Most of the fixes screw something else up instead. 😡

    PS: Added your link to the blogroll 😉

  4. Yeah. I fixed it for Themida. Patch the damn Olly analyzer to skip fld opcodes. There are 2 I believe that the analyzer uses. It’ll analyze the code fine, outlining the INT3s. Am talking about Themida 😉

  5. Lol, skipping the FLD instruction isn’t a solution IMHO. I was looking for a “real” fix that handles the floating-point exception while ollydbg is still able to correctly analyze any other FLD instruction.

    Btw SunBeam, do you have a blog or any way I can reach you? It’s nice, and hard, to meet someone who is really good. ^^

  6. Resurrecting this old thread since I just found it.
    The proper method to fix the problem is to change the FPU mask in OllyDbg to ignore the invalid operation exception.
    Change the dword at 0x4cc538 from 0x1332 to 0x1333.
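The last comment's fix (0x1332 to 0x1333) changes a single bit of the x87 control word: bit 0, the invalid-operation mask (IM). The following C program is an added illustration, not code from the post, from any of the commenters, or from OllyDbg itself. It decodes which exceptions a control word leaves unmasked and then narrows a constructed 80-bit signalling NaN to a double, once under 0x1333 (the invalid operation is masked, the result is a quiet NaN and the IE status flag is set) and once under 0x1332 (the same operation traps and the process receives SIGFPE). The SNaN constant is a constructed sample; the page does not say which operand Themida actually placed after its FLD. The trap demonstration needs an x86 machine with inline assembly (gcc or clang); on other architectures the conversion function returns -1.

```c
/* Added example, not from the post or its commenters: what bit 0 of the x87
 * control word does, using the two values given in the last comment.
 * Build on x86 Linux: cc -o cw_demo cw_demo.c */
#define _POSIX_C_SOURCE 200809L
#include <math.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write the letters of the exceptions a control word leaves UNMASKED
 * (a clear mask bit means the exception traps):
 * I invalid, D denormal, Z zero-divide, O overflow, U underflow, P precision. */
const char *x87_unmasked(uint16_t cw, char out[8]) {
    static const char names[6] = {'I', 'D', 'Z', 'O', 'U', 'P'};
    int n = 0;
    for (int bit = 0; bit < 6; bit++)
        if (!(cw & (1u << bit)))
            out[n++] = names[bit];
    out[n] = '\0';
    return out;
}

#if defined(__x86_64__) || defined(__i386__)
static sigjmp_buf trap_env;
static void on_sigfpe(int sig) { (void)sig; siglongjmp(trap_env, 1); }

/* Convert an 80-bit signalling NaN to double under control word `cw`.
 * Returns 2 if the conversion trapped (SIGFPE), 1 if it was masked and
 * yielded a quiet NaN with the IE status flag set, 0 otherwise. */
int convert_snan_with_cw(uint16_t cw) {
    /* Constructed sample: x87 80-bit SNaN = sign 0, exponent 0x7FFF,
       integer bit set, fraction MSB clear, fraction non-zero. */
    static const uint8_t snan_bytes[10] = {0x01, 0, 0, 0, 0, 0, 0, 0x80, 0xFF, 0x7F};
    long double snan;
    memset(&snan, 0, sizeof snan);
    memcpy(&snan, snan_bytes, 10);

    uint16_t saved_cw;
    volatile uint16_t sw = 0;
    volatile double out = 0.0;
    volatile int result = 0;
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigfpe;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGFPE, &sa, &old);
    __asm__ volatile ("fnstcw %0" : "=m"(saved_cw));

    if (sigsetjmp(trap_env, 1) == 0) {
        __asm__ volatile (
            "fnclex\n\t"          /* start with no pending exceptions      */
            "fldcw %[cw]\n\t"     /* install the control word under test   */
            "fldt %[src]\n\t"     /* FLD tbyte: the analyzer's kind of load */
            "fstpl %[dst]\n\t"    /* narrowing an SNaN to double raises #IA */
            "fwait\n\t"           /* unmasked: the pending #IA traps here   */
            "fnstsw %[sw]\n\t"    /* masked: read the status flags instead  */
            : [dst] "=m"(out), [sw] "=m"(sw)
            : [cw] "m"(cw), [src] "m"(snan)
            : "memory");
        result = (isnan(out) && (sw & 0x0001)) ? 1 : 0;  /* IE is bit 0 */
    } else {
        result = 2;   /* we got here through the SIGFPE handler */
    }
    /* fnclex is non-waiting, so it is safe even with an exception pending */
    __asm__ volatile ("fnclex\n\tfldcw %0" : : "m"(saved_cw));
    sigaction(SIGFPE, &old, NULL);
    return result;
}
#else
int convert_snan_with_cw(uint16_t cw) { (void)cw; return -1; }
#endif

int main(void) {
    char buf[8];
    printf("0x1332 unmasked: %s\n", x87_unmasked(0x1332, buf));   /* IZO */
    printf("0x1333 unmasked: %s\n", x87_unmasked(0x1333, buf));   /* ZO  */
    printf("0x1333 -> %d (1 = quiet NaN, no trap)\n", convert_snan_with_cw(0x1333));
    printf("0x1332 -> %d (2 = trapped with SIGFPE)\n", convert_snan_with_cw(0x1332));
    return 0;
}
```

Under 0x1332 the zero-divide and overflow exceptions stay unmasked as well, which is why the one-bit patch in the comment is narrower than skipping FLD in the analyzer: every other FLD operand is still decoded normally, and only an operand the FPU rejects turns into a quiet NaN instead of a trap.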
