Ticket #294 (Fixed) Sat Jul 16 23:47:19 UTC 2011
VProtect 4.04 null pointer bug
Reported by: | Jeffrey Lee (213) | Severity: | Major |
Part: | RISC OS: Module | Release: | |
Milestone: | | Status: | Fixed |
Details by Jeffrey Lee (213):
While trying to get the boot sequence to work with my zero page relocation, I’ve found what looks like a pretty serious bug in VProtect. Starting at offset &1D30 is a function that gets called during initialisation that looks like it’s meant to enumerate all the modules and examine them (presumably checking for known viruses). However the R0 parameter to OS_Module isn’t being preserved/restored properly, so the second time round the loop OS_Module will get called with R0=1, R1=1, causing it to try loading a module with a filename pointer of 0x1. This seems to silently fail on current OS versions (presumably generating an error and prematurely terminating the module enumeration), but on my zero page relocated kernel I get a nice data abort deep inside FileSwitch.
Changing the code at &1DBC and &1DC0 to load R0 instead of R4 makes the crash go away, although I haven’t stepped through the code to make sure that the value it loads is still correct (i.e. &C, as stored by the code at &1D38)
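The failure mode this report describes, as an added example that is not VProtect's code or the RISC OS kernel's: a constructed C model with a toy OS_Module dispatcher that knows only reason codes &C (enumerate) and 1 (load), a fake address space whose page zero can be mapped or unmapped, and two versions of the enumeration loop. The per-module check that leaves 1 in R0, the outcome names, the module count and the fake memory layout are all assumptions of the model, not details from the report. The buggy loop reloads the saved reason code into R4, so the second call goes out as R0=1, R1=1; with page zero mapped the load reads an empty filename and errors out (enumeration stops after one module), with page zero unmapped it aborts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reason codes that appear in the ticket: OS_Module &C (enumerate) and 1 (load). */
#define OSM_LOAD      1u
#define OSM_ENUMERATE 0xCu
#define NMODULES      3u        /* assumed: three fake modules in the chain */
#define PAGE_SIZE     4096u

/* Outcomes of one modelled SWI call and of a whole scan (assumed names). */
enum swi_rc  { SWI_OK, SWI_END_OF_LIST, SWI_ERROR, SWI_DATA_ABORT, SWI_BAD_REASON };
enum scan_rc { SCAN_COMPLETE, SCAN_ERROR_EARLY, SCAN_DATA_ABORT };

/* The registers the ticket talks about. */
struct regs { uint32_t r0, r1, r3, r4; };

/* Constructed machine: a small flat fake memory whose first 4 KiB stand for
 * page zero, plus a flag saying whether that page is mapped at all. */
struct machine {
    uint8_t  mem[2 * PAGE_SIZE];
    int      zero_page_mapped;  /* 1: classic kernel, 0: zero page relocated */
    uint32_t examined;          /* modules the scan actually looked at */
};

/* Stand-in for FileSwitch reading a filename through a caller-supplied pointer. */
static enum swi_rc read_filename(const struct machine *m, uint32_t addr,
                                 char *out, size_t cap)
{
    if (addr < PAGE_SIZE && !m->zero_page_mapped)
        return SWI_DATA_ABORT;  /* the abort seen with the relocated kernel */
    size_t i = 0;
    for (; i + 1 < cap; i++) {
        if (addr + i >= sizeof m->mem) return SWI_DATA_ABORT;
        out[i] = (char)m->mem[addr + i];
        if (out[i] == '\0') return SWI_OK;
    }
    out[i] = '\0';
    return SWI_OK;
}

/* Minimal OS_Module dispatcher: only the two reason codes the bug involves. */
static enum swi_rc os_module(struct machine *m, struct regs *r)
{
    char name[64];
    switch (r->r0) {
    case OSM_ENUMERATE:         /* R1 = module number in, next number out */
        if (r->r1 >= NMODULES) return SWI_END_OF_LIST;
        r->r3 = PAGE_SIZE + 0x100u * r->r1;  /* fake module base above page zero */
        r->r1 += 1;
        return SWI_OK;          /* R0 is left untouched, as a real SWI would */
    case OSM_LOAD: {            /* R1 = pointer to filename */
        enum swi_rc rc = read_filename(m, r->r1, name, sizeof name);
        if (rc != SWI_OK) return rc;
        return name[0] ? SWI_OK : SWI_ERROR;  /* "" -> error, nothing loaded */
    }
    default:
        return SWI_BAD_REASON;
    }
}

/* Assumed per-module check; it reports its verdict in R0 (1 = clean), which
 * is what clobbers the reason code between iterations in this model. */
static uint32_t examine_module(struct machine *m, uint32_t base)
{
    (void)base;
    m->examined++;
    return 1u;
}

/* The enumeration loop. saved_reason plays the role of the &C stored at &1D38;
 * the buggy variant reloads it into R4 (as at &1DBC/&1DC0), the fixed one into R0. */
static enum scan_rc scan_modules(struct machine *m, int fixed)
{
    const uint32_t saved_reason = OSM_ENUMERATE;
    struct regs r = { OSM_ENUMERATE, 0, 0, 0 };
    m->examined = 0;
    for (;;) {
        enum swi_rc rc = os_module(m, &r);
        if (rc == SWI_END_OF_LIST) return SCAN_COMPLETE;
        if (rc == SWI_DATA_ABORT)  return SCAN_DATA_ABORT;
        if (rc != SWI_OK)          return SCAN_ERROR_EARLY;
        r.r0 = examine_module(m, r.r3);   /* R0 is now 1, not &C */
        if (fixed) r.r0 = saved_reason;   /* LDR R0: reason code restored */
        else       r.r4 = saved_reason;   /* LDR R4: R0 keeps the stale 1 */
    }
}

/* Run one scenario on a fresh machine; page zero reads back as all zeros. */
static enum scan_rc run(int zero_page_mapped, int fixed, uint32_t *examined)
{
    struct machine m;
    memset(&m, 0, sizeof m);
    m.zero_page_mapped = zero_page_mapped;
    enum scan_rc rc = scan_modules(&m, fixed);
    if (examined) *examined = m.examined;
    return rc;
}

static uint32_t modules_examined(int zero_page_mapped, int fixed)
{
    uint32_t n = 0;
    run(zero_page_mapped, fixed, &n);
    return n;
}

int main(void)
{
    static const char *names[] = { "complete", "stopped on error", "data abort" };
    for (int fixed = 0; fixed < 2; fixed++)
        for (int mapped = 1; mapped >= 0; mapped--) {
            enum scan_rc rc = run(mapped, fixed, NULL);
            printf("%s loop, zero page %s: %s after %u module(s)\n",
                   fixed ? "fixed" : "buggy", mapped ? "mapped" : "unmapped",
                   names[rc], (unsigned)modules_examined(mapped, fixed));
        }
    return 0;
}
```

Build with `cc -std=c99 -Wall osmodule_model.c && ./a.out` (file name assumed). The model only shows the mechanism: a stale value in the reason-code register turns an enumerate call into a load whose "filename pointer" is the module counter, and whether that is a quiet error or an abort depends solely on whether the page that pointer lands in is mapped.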
Changelog:
Modified by Sprow (202) Tue, September 20 2011 - 08:01:41 GMT
Seems !Killer (the paid for cleanser half of VProtect) is no longer being developed or sold, therefore VProtect itself is a bit pointless isn’t it?
Options are
a) Try to contact the author to get hold of the sources
b) Patch the binary as you describe
c) Ditch it
Modified by Sprow (202) Sun, September 16 2012 - 11:33:12 GMT
- Status changed from Open to Fixed
I’ve gone with c), ditch it. VProtect has been removed from the disc image.