Correction to my hideous analysis inside free :P

On 17/02/2013 03:07, Ben Davis wrote:
RTLMultiPool::SelectFree:
05C0AC34  push        ecx
//This reads 0x05c29b97 into eax
05C0AC35  mov         eax,dword ptr [esp+8]
//This reads an address from where eax points, and edx is 0
05C0AC39  mov         edx,dword ptr [eax]
05C0AC3B  push        ebx
05C0AC3C  push        esi
//Looking at ecx+4 revealed the value 0x00000080 (128)
05C0AC3D  cmp         edx,dword ptr [ecx+4]
05C0AC40  ja          RTLMultiPool::SelectFree+21h (5C0AC55h)
//So we get here
05C0AC42  lea         ebx,[edx-1]      //ebx = 0xffffffff
05C0AC45  shr         ebx,3          //ebx = 0x1fffffff
05C0AC48  push        eax
05C0AC49  mov         esi,dword ptr [ecx]  //esi = 0x0516000c
05C0AC4B  mov         ecx,dword ptr [esi+ebx*4]  //crash!

I suppose esi + 0x1fffffff*4 is basically esi-4. But then we get:

No, I got confused here - the shift right is equivalent to division by 8, not by 4. So the address [esi + 0x1fffffff*4] is very likely to be very wrong. This implies that edx being 0 is bad. I'd be inclined to guess at maybe a double freeing, or maybe freeing an address that isn't even a heap address. It's also very interesting that the address we're trying to free is completely unaligned (an odd number).
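As an added example (not part of this thread and not RTLMultiPool's own code), a small C model of the instruction sequence quoted above: it reproduces the unsigned bound check, the (edx-1)>>3 index and the [esi+ebx*4] slot address in 32-bit arithmetic, using the observed values 0x80 at [ecx+4] and 0x0516000c in esi. The size-class interpretation and the size-0 rejection are assumptions about what the code is doing.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the SelectFree prologue in the disassembly:
 * edx = requested size, [ecx+4] = 128 (largest pooled size),
 * ebx = (edx-1) >> 3 (assumed: size-class index, 8-byte granularity),
 * esi = [ecx] = base of a per-class table, then the crashing read at
 * [esi + ebx*4]. Everything is 32-bit unsigned, as the x86 code computes it. */

#define POOL_MAX_SIZE  0x80u        /* value observed at [ecx+4] */
#define POOL_TABLE     0x0516000cu  /* value observed in esi */

/* cmp edx,[ecx+4]; ja ... : an unsigned compare, so size 0 passes it. */
int size_is_pooled(uint32_t size) {
    return size <= POOL_MAX_SIZE;
}

/* lea ebx,[edx-1]; shr ebx,3 : wraps to 0x1fffffff when size == 0. */
uint32_t size_class_index(uint32_t size) {
    return (size - 1u) >> 3;
}

/* mov ecx,[esi+ebx*4] : the address actually dereferenced.
 * For size 0 this is esi + 0x7ffffffc, not esi - 4 as first guessed. */
uint32_t free_list_slot(uint32_t table, uint32_t size) {
    return table + size_class_index(size) * 4u;
}

/* Assumed hardening: reject size 0 before it is used as an index. */
int size_is_valid_for_pool(uint32_t size) {
    return size != 0u && size <= POOL_MAX_SIZE;
}

int main(void) {
    uint32_t sizes[] = { 1u, 8u, 9u, 128u, 0u };
    for (unsigned i = 0; i < 5; i++) {
        uint32_t s = sizes[i];
        printf("size %3u: pooled=%d index=0x%08x slot=0x%08x valid=%d\n",
               s, size_is_pooled(s), size_class_index(s),
               free_list_slot(POOL_TABLE, s), size_is_valid_for_pool(s));
    }
    return 0;
}
```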
