
#236 PE Analyzer - Duplicate disassembly of .text section

Fixed
nobody
PEAnalyzer (10)
Medium
Defect
2024-06-13
2024-06-09
No

In some files, PE Analyzer disassembles the .text section twice. However, there are minor differences between the two versions. For example, in the first version, the labels for exported names are missing, while they are present in the second version.

Here is a screenshot showing the issue. In the middle of the screenshot, you can see where the first .text section ends, and the duplicate .text section starts. The addresses are the same.

[Screenshot: PE Analyzer - Duplicate Disassembly Issue]

I've attached a sample DLL that you can use to reproduce the issue.

2 Attachments

Discussion

  • Vladimir Surguchev

    • status: New --> Accepted
     
  • Vladimir Surguchev

    3.10.13

     
  • Rohitab Batra

    Rohitab Batra - 2024-06-11

    Unfortunately, the issue is not resolved. Even though the .text section header is now only shown once, other parts of the section are still disassembled twice. See address 6a901dd4.

    The Module Entry Point and all exported functions are still disassembled twice. See CreatePatchApplicationInstance for an example.

    About halfway down the file, the coloring stops. With the sample file I provided, lines starting from 18320 are not colored. See the second disassembly of address 6a904c8e.

    Addresses between 6a901d93 and 6a901daf are not disassembled. The line immediately after 6a901d93 shows garbage characters for the address.

     
  • Vladimir Surguchev

    3.10.14

     
  • Rohitab Batra

    Rohitab Batra - 2024-06-12

    All issues are resolved. Thank you.

     
  • VictorVG

    VictorVG - 2024-06-12

    SVN r547 - crashes if you call the plug-in and press F6. AV on read/write of a random address outside the boundaries of the process (?). Minidump, crash log and VC++ decode log attached. V3.10.13 (SVN r536) does not crash in this case; calling the plugin in SVN r547 crashes 100% in

    Exception: 0xC0000005 - STATUS_ACCESS_VIOLATION
    Details: Memory at 00000000 could not be written

     

    Last edit: VictorVG 2024-06-12
  • Rohitab Batra

    Rohitab Batra - 2024-06-12

    Yes, both 3.10.13 and 3.10.14 are crashing. You can reproduce the crash by disassembling PEAnalyzer.dll using 3.10.14.

     
  • VictorVG

    VictorVG - 2024-06-12

    In the SVN r547 diff:

    --- ./PEAnalyzer/mem_blocks.cpp r546
    +++ ./PEAnalyzer/mem_blocks.cpp r547
    @@ -283,6 +283,8 @@
            throw pe_exception(L"No Memory");
            //return 0;
        }
    +   block->n_lines = 0;
    +   block->line_offsets[0] = 0;
    
        blocks.push_back(block);
        ++n_blocks;
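
    Review bot: `block->n_lines` and `block->line_offsets[0]` are zeroed here, at the one call site just before `blocks.push_back(block)`, rather than where the block object is created, so any other path that creates a block would still hand out uninitialized line bookkeeping. Consider moving both assignments into the block type's constructor or a single allocation helper. Only `line_offsets[0]` is set, so a short comment stating that `n_lines` bounds every read of `line_offsets` would help; the commented-out `//return 0;` after the `throw` can also be dropped.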
    
     
  • Vladimir Surguchev

    3.10.15

     
  • VictorVG

    VictorVG - 2024-06-12

    v3.10.15, SVN r548 is OK!

    Check: choose a random binary, call the plugin, press F6, wait until done - no crash, the operation succeeds, Colorer colorizes the output, check for duplicate text - no duplicates found.

    Success. Big thanks!

    edit: fix typo

     

    Last edit: VictorVG 2024-06-12
  • Rohitab Batra

    Rohitab Batra - 2024-06-12

    Looks good; it's not crashing anymore.

     
  • Vladimir Surguchev

    • status: Accepted --> Fixed
     
