A Memory Access Violation Debugging Case (Repost)

xiaoxiao  2021-03-06

A couple of days ago we finally tracked down a memory access violation in the dongle (encryption lock) service program, and this is the write-up. We had always regarded access violations as hard to localise, but with a good trace they can be solved. The resolution process is described here in the hope that it helps with similar problems later.

Hardware environment: TEST (192.168.0.3), PIII 700, 512 MB RAM, MORROWSOFT USB lock installed

Software environment: Windows 2000 Server, SQL Server 2000, LinkWorks 2.4 SP2, LinkProject 2.1, MRLOCK SERVER

Background: During the October 1 holiday the dongle driver MrDriver.dll was reworked to fix a problem in which the protected software and the dongle service could not read and write each other's shared memory when the two had been started in different modes. To stay compatible with older software, a version check was added to the dongle service program MRLocks.exe: the version of the dongle driver used by the connecting client determines which protocol the service uses to talk to that client.

After the dongle service and the dongle driver were updated on the TEST machine, everything ran for two or three days, then suddenly a memory access violation appeared (as shown in the screenshot). The dongle service stopped working, every protected program was unable to connect to the dongle and popped up its encryption lock dialog, and LinkWorks and LinkProject stopped running.

Error analysis: Whenever we hit this kind of access violation before, locating it was hard. We generally found the spot by writing error logs, popping up debug-information dialogs and so on, but that approach only works for errors that reproduce quickly. This time, after the dongle service failed, I tried to reproduce the error and could not, which meant it appears only under some specific condition, and it was hard to tell which operations had triggered it.

First attempt: The only information we had was the error address. The screenshot showed it as 0x00405529, so I got the idea of finding the faulting location with a disassembly tool. I had used Borland Turbo Debugger before to crack Delphi controls shipped without source and remove their annoying trial dialogs, so I tried Turbo Debugger first. After loading mrlocks.exe in TD32 and entering the offset address 00405529, it landed on this assembly:

00405528  EF        out dx, ax
00405529  AD        lodsd
0040552A  26 76 76  jbe es:MRLOCKS.004055A3

Neither this code nor its context gave any clue, so I opened mrlocks.exe in UltraEdit-32 and searched for the hex bytes EF AD, planning to comment out sections of the source, recompile, and see which change made EF AD disappear. Then I noticed that any file compressed with ASPack contains an EF AD sequence. In other words, the assembly shown when the EXE file is opened directly is meaningless, because the file has been packed with ASPack: the bytes on disk are compressed data, not the code that executes. To see the real code you have to look at the image after the EXE has run and unpacked itself into memory.

Second attempt: I searched the Internet for a disassembler and downloaded the well-known W32DASM. I first ran MRLOCKS.EXE, then ran W32DASM, chose "Attach to an Active Process" and attached it to mrlocks.exe. W32DASM analysed the process and produced a disassembly of MRLOCKS.EXE as it executes in memory. Using the "Go to Address" command with the faulting address 00405529, W32DASM landed on the following code segment:
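The two steps above (turn the address in the crash dialog into a location in the binary, then realise that the bytes on disk are compressed) can be made mechanical. The following is an added example, not code from the original article or from the MRLOCKS project: it translates a faulting virtual address to a file offset via a PE section table and checks whether the section that holds that address is mostly absent on disk, which is the packer signature that made the UltraEdit search futile. The section tables are constructed for illustration and are not the real layout of mrlocks.exe; the 0x00400000 image base is the usual default for a Win32 EXE and matches the 0x0040xxxx addresses in the listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The fields of IMAGE_SECTION_HEADER needed for the translation. */
struct section {
    const char *name;
    uint32_t virtual_size;     /* Misc.VirtualSize: bytes occupied in memory */
    uint32_t virtual_address;  /* RVA at which the section is mapped */
    uint32_t raw_size;         /* SizeOfRawData: bytes stored in the file */
    uint32_t raw_ptr;          /* PointerToRawData: file offset of those bytes */
};

/* Default image base of a Win32 EXE; 0x00405529 lies inside this image. */
#define IMAGE_BASE 0x00400000u

/* Constructed tables (assumption: NOT the real layout of mrlocks.exe). */
static const struct section plain_exe[] = {
    { ".text",   0x00030000, 0x00001000, 0x00030000, 0x00000400 },
    { ".data",   0x00010000, 0x00031000, 0x00004000, 0x00030400 },
};
/* ASPack keeps the original sections but stores compressed bytes in a
   much smaller raw image and appends its own stub sections. */
static const struct section packed_exe[] = {
    { ".text",   0x00030000, 0x00001000, 0x00008000, 0x00000400 },
    { ".data",   0x00010000, 0x00031000, 0x00001000, 0x00008400 },
    { ".aspack", 0x00002000, 0x00041000, 0x00002000, 0x00009400 },
    { ".adata",  0x00001000, 0x00043000, 0x00000000, 0x0000B400 },
};

/* Find the section whose in-memory span covers rva; NULL if none does. */
static const struct section *find_section(const struct section *s, size_t n, uint32_t rva)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t span = s[i].virtual_size > s[i].raw_size ? s[i].virtual_size : s[i].raw_size;
        if (rva >= s[i].virtual_address && rva - s[i].virtual_address < span)
            return &s[i];
    }
    return NULL;
}

/* Translate a faulting VA to the file offset of the bytes the loader maps
   there.  Returns -1 if no section covers it or the bytes exist only in
   memory (beyond SizeOfRawData). */
long va_to_file_offset(const struct section *s, size_t n, uint32_t va)
{
    if (va < IMAGE_BASE)
        return -1;
    uint32_t rva = va - IMAGE_BASE;
    const struct section *sec = find_section(s, n, rva);
    if (sec == NULL)
        return -1;
    uint32_t off = rva - sec->virtual_address;
    if (off >= sec->raw_size)
        return -1;                          /* not present on disk */
    return (long)(sec->raw_ptr + off);
}

/* Rough packer heuristic for a CODE address: a code section has no bss,
   so if it needs far more memory than it has bytes on disk, an unpacking
   stub fills it at run time and the file offset points at compressed data. */
int code_section_looks_packed(const struct section *s, size_t n, uint32_t va)
{
    if (va < IMAGE_BASE)
        return 0;
    const struct section *sec = find_section(s, n, va - IMAGE_BASE);
    if (sec == NULL)
        return 0;
    return sec->raw_size * 2u < sec->virtual_size;
}

#define COUNT(a) (sizeof (a) / sizeof *(a))
long plain_offset(uint32_t va)  { return va_to_file_offset(plain_exe,  COUNT(plain_exe),  va); }
long packed_offset(uint32_t va) { return va_to_file_offset(packed_exe, COUNT(packed_exe), va); }
int  plain_packed(uint32_t va)  { return code_section_looks_packed(plain_exe,  COUNT(plain_exe),  va); }
int  packed_packed(uint32_t va) { return code_section_looks_packed(packed_exe, COUNT(packed_exe), va); }

int main(void)
{
    uint32_t fault = 0x00405529u;   /* address from the crash dialog */
    printf("plain:  VA %08X -> file offset %ld, packed=%d\n", fault, plain_offset(fault), plain_packed(fault));
    printf("packed: VA %08X -> file offset %ld, packed=%d (disassemble from memory instead)\n",
           fault, packed_offset(fault), packed_packed(fault));
    return 0;
}
```

Both tables yield the same file offset for the faulting address, which is the trap: the offset is valid, but in the packed case the bytes there are ASPack's compressed payload, so a static disassembler shows nonsense like the out/lodsd/jbe sequence above. The check on the containing section is what tells you to attach to the running process (or dump it after the stub has unpacked) before trusting any disassembly.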

:004054BE nop
:004054BF nop
:004054C0 sub esp, 0000001C
:004054C3 mov dword ptr [esp], ecx
:004054C7 push ebx
:004054C8 mov ecx, dword ptr [esp+2C]
:004054CC push ebp
:004054CD push esi
:004054CE cmp ecx, 00000100
:004054D4 push edi
:004054D5 jg 004055BD
:004054DB lea eax, dword ptr [ecx+07]
:004054DE mov esi, dword ptr [esp+34]
:004054E2 cdq
:004054E3 and edx, 00000007
:004054E6 mov edi, 0043643C
:004054EB add eax, edx
:004054ED mov ebp, eax
:004054EF mov eax, ecx
:004054F1 shr ecx, 02
:004054F4 repz
:004054F5 movsd
:004054F6 mov ecx, eax
:004054F8 and ecx, 00000003
:004054FB sar ebp, 03
:004054FE repz
:004054FF movsb
:00405500 shl ebp, 03                                (the source multiplies by 8 here)
:00405503 call msvcrt.rand                           (this API call was a great help)
:00405509 mov cl, byte ptr [0042DCA1]
:0040550F mov ebx, dword ptr [esp+30]
:00405513 cmp cl, 04                                 (this is where the version of the driver used by the client is checked)
:00405516 jnb 0040552D                               (if it is not below 4, i.e. the latest driver, it should jump)
:00405518 mov edx, dword ptr [esp+10]
:0040551C and ebx, 0000FFFF
:00405522 mov ecx, dword ptr [edx+4*ebx+00000138]
:00405529 mov dword ptr [ecx], eax                   (error point; this machine has the latest driver, so execution should never get here)
:0040552B jmp mrlocks.00405540
:0040552D mov edx, dword ptr [esp+10]                (version >= 4 path)
:00405531 and ebx, 0000FFFF
:00405537 mov ecx, dword ptr [edx+4*ebx+000002C8]
:0040553E mov dword ptr [ecx], eax
:00405540 mov al, byte ptr [0042DCA1]
:00405545 mov ecx, 00000006
:0040554A mov esi, 0044538C
:0040554F lea edi, dword ptr [esp+14]
:00405553 cmp al, 04
:00405555 repz
:00405556 movsd
:00405557 jnb 00405568
:00405559 mov edx, dword ptr [edx+4*ebx+00000138]
:00405560 mov eax, dword ptr [edx]
:00405562 mov dword ptr [esp+1D], eax
:00405566 jmp mrlocks.00405575
:00405568 mov ecx, dword ptr [edx+4*ebx+000002C8]
:0040556F mov edx, dword ptr [ecx]
:00405571 mov dword ptr [esp+1D], edx
:00405575 lea eax, dword ptr [esp+14]
:00405579 push eax
:0040557A push ebp
:0040557B push 0043643C
:00405580 call mrlocks.004017B0
:00405585 mov al, byte ptr [0042DCA1]
:0040558A mov edx, dword ptr [esp+1C]
:0040558E add esp, 0000000C
:00405591 cmp al, 04
:00405593 mov ecx, ebp
:00405595 mov esi, 0043643C
:0040559A jnb 004055A5
:0040559C mov edi, dword ptr [edx+4*ebx+00000138]
:004055A3 jmp mrlocks.004055AC
:004055A5 mov edi, dword ptr [edx+4*ebx+000002C8]
:004055AC mov eax, ecx
:004055AE add edi, 00000004
:004055B4 rep
:004055B5 movsd
:004055B6 mov ecx, eax
:004055B8 and ecx, 00000003
:004055BB repz
:004055BC movsb
:004055BD pop edi
:004055BE pop esi
:004055BF pop ebp
:004055C0 pop ebx
:004055C1 add esp, 0000001C
:004055C4 ret 000C
:004055C7 nop
:004055C8 nop

Locating the error: After analysing the code above, the remaining task was to map it back to the source. The faulting instruction is mov dword ptr [ecx], eax, a memory write, which matches the symptom; but the program has so many pointer operations that more information was needed to decide which function this is. The call msvcrt.rand just above the faulting point helped a lot: it is the rand function from MSVCRT.DLL. I searched the source for every call to rand and compared the context of each hit, and it quickly turned out that this code belongs to the function that handles local dongle connections. That function multiplies by 8 just before rand, which corresponds to shl ebp, 03, and compares a version number after rand; the latest driver version is 4, which matches cmp cl, 04. When a program talks to the dongle over a local connection, the service first checks whether the local driver's version number is less than 4. If it is not, it jumps (jnb 0040552D); otherwise it uses the old communication protocol, and this time that path executes the faulting code:

:00405518 mov edx, dword ptr [esp+10]
:0040551C and ebx, 0000FFFF
:00405522 mov ecx, dword ptr [edx+4*ebx+00000138]
:00405529 mov dword ptr [ecx], eax                   (error point; this machine uses the latest driver, so the code should never get here)
:0040552B jmp mrlocks.00405540

From here the problem is easier to judge. Of the software installed on TEST, only LinkProject accesses the dongle through a local connection; everything else reaches it over the network, so the fault must have occurred when the LinkProject service was started. But mrdriver.dll on TEST is already the latest version, so the cmp cl, 04 comparison should never see a value below 4. What actually happened is that a local connection using the latest driver was handled by the service as a local connection using the old driver, which produced the access violation. So the variable holding the version number really was less than 4. Why? Inspecting the variable showed that it had been declared as a global. The sensible design is for each dongle connection to keep its own private version variable, so that the service decides how to communicate from the driver version of that particular connection. Because the variable was global, a connection from another machine running the old driver overwrote it with a value below 4; when the LinkProject service on this machine was then started and its new-version driver connected to the dongle service, mrlocks.exe consulted the global, concluded the client was using the old driver, spoke the old protocol, and faulted. Put differently, any single client with an old driver could change the protocol path taken for every other client, which is exactly the cross-connection state confusion that per-connection state prevents.

Once the problem is found, the fix is simple: the version number becomes a private member of the class that handles a dongle connection, so each connection served by the dongle service uses its own version number. Connections no longer affect each other and the error cannot recur.
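The root cause and the fix described above, reduced to a runnable model. This is an added example written for this page, not the MRLOCKS source: the connection struct, the two tables and the handler are assumptions that mirror the listing (the global byte the listing reads at [0042DCA1], the version threshold 4, and the two per-protocol tables it indexes at +0x138 and +0x2C8). A connection negotiated under one protocol has no slot in the other table, so taking the wrong branch dereferences NULL; the model returns -1 where the real service faulted instead of crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NEW_PROTO_MIN_VERSION 4   /* cmp cl, 04 in the listing */
#define MAX_CONN 8

/* Per-connection record.  A connection negotiated by an old driver has
   storage only in the old-protocol table, a new-driver connection only
   in the new one (the two tables the listing indexes at +0x138 and +0x2C8). */
struct conn {
    uint32_t *old_slot;   /* valid only if the driver version is < 4 */
    uint32_t *new_slot;   /* valid only if the driver version is >= 4 */
    uint8_t   version;    /* fixed design: the version lives per connection */
};

/* Buggy design: one global shared by every connection (byte ptr [0042DCA1]). */
uint8_t g_driver_version;

static uint32_t old_table[MAX_CONN];
static uint32_t new_table[MAX_CONN];

/* Handshake: record which protocol this connection speaks. */
void conn_open(struct conn *c, int idx, uint8_t driver_version)
{
    memset(c, 0, sizeof *c);
    c->version = driver_version;
    if (driver_version < NEW_PROTO_MIN_VERSION)
        c->old_slot = &old_table[idx];
    else
        c->new_slot = &new_table[idx];
    g_driver_version = driver_version;   /* the bug: the last handshake wins for everyone */
}

/* Request handler as originally written: protocol chosen from the global.
   Returns 0 on success, -1 where the real service faulted (the pointer it
   loaded was NULL, so "mov [ecx], eax" wrote through address 0). */
int store_buggy(struct conn *c, uint32_t value)
{
    uint32_t *slot = (g_driver_version < NEW_PROTO_MIN_VERSION) ? c->old_slot : c->new_slot;
    if (slot == NULL)
        return -1;
    *slot = value;
    return 0;
}

/* Fixed handler: protocol chosen from the connection's own version. */
int store_fixed(struct conn *c, uint32_t value)
{
    uint32_t *slot = (c->version < NEW_PROTO_MIN_VERSION) ? c->old_slot : c->new_slot;
    if (slot == NULL)
        return -1;
    *slot = value;
    return 0;
}

/* Replay the article's sequence: two clients connect in order, then the
   FIRST one sends a request.  With the global, whatever driver version the
   second client reported decides the protocol used for the first. */
int replay(int (*store)(struct conn *, uint32_t), uint8_t first, uint8_t second)
{
    struct conn a, b;
    conn_open(&a, 0, first);
    conn_open(&b, 1, second);
    return store(&a, 0x1234);
}

int main(void)
{
    printf("buggy: v4 local, then v3 remote, request on v4 -> %d\n", replay(store_buggy, 4, 3));
    printf("buggy: v3 remote, then v4 local, request on v3 -> %d\n", replay(store_buggy, 3, 4));
    printf("buggy: both v4, request on first            -> %d\n", replay(store_buggy, 4, 4));
    printf("fixed: v4 local, then v3 remote, request on v4 -> %d\n", replay(store_fixed, 4, 3));
    printf("fixed: v3 remote, then v4 local, request on v3 -> %d\n", replay(store_fixed, 3, 4));
    return 0;
}
```

The replay also shows why the bug was so hard to reproduce: it only fires when a client of the other version connects between the victim's handshake and its next request, which depends on what other machines on the network happen to do. If the service handles connections on threads, the same global is additionally a data race, and moving the field into the per-connection object fixes both problems at once.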

Author: Sunzong Lin

Please cite the original when reposting: https://www.9cbs.com/read-91576.html
