Windbg displaying 0x8b as 0x3f

Can anyone tell me why and how to fix this issue? I’m using Windbg 10.0.19401.685 and it’s decoding the 0x8b byte as 0x3f (?). As a result the disassembly is incorrect. I’m trying to inject shell code via the Python pykd extension, as it passes my shell code to my vulnerable console application, which is essentially a simple and short C program containing the strcpy routine. I’m just learning how to overflow a buffer and execute my payload. The payload contains several 0x8b bytes and all of them have been decoded as 0x3f. This happens with the latest version of Windbg as well. I’m not sure, but this may have something to do with UTF-8 and ASCII/character representation. I would be happy to post the shell code and the Windbg output showing that the disassembly is incorrect.

Any ideas? Thank you.

You need to show us a screenshot. If you’re talking about the ASCII view in the “db” command, it shows everything outside of the first 128 characters as a dot (“.”). If you’re talking about the actual data bytes, then the problem is almost certainly that your Python code is incorrectly encoding the \x8b byte. “?” is what you get when you do a Unicode-to-ASCII conversion where there is no direct ASCII equivalent. U+008B does not have a mapping in the standard Windows code page.

So, windbg is showing you YOUR bug, not a bug in windbg.

Thanks for the explanation, Tim. I finally managed to get a chance to get back to Windbg. Here is the output you asked for.

Hello, as per what Tim has said, the problem is with the encoding, as my shell code is passed to the console application via a Python script as a string and therefore the encoding schemes apply. In either case, Windows-1252 (CP-1252) or UTF-8 is not what I want. I need the bytes to be represented as raw hex bytes.

The Windows shells handle Unicode very, very poorly. You can use “chcp 65001” to change your shell to use UTF-8 by default. That causes some obscure problems but is generally better than CP-1252.

Thank you, I’ll give that a try. But I’m leaning towards redoing my Python script. I appreciate the response.
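The encoding behaviour discussed in this thread, as an added example that is not part of any post: it shows what Python's own codecs do to byte values held in a `str`, including the 0x8b to 0x3f substitution and the two-byte expansion under UTF-8. The sample values and the function names `as_bytes` and `damaged` are constructed for illustration, and `errors="replace"` is an assumption standing in for whatever lossy conversion the text channel applies.

```python
# Constructed sample: arbitrary byte values, including 0x8b, held in a str.
# Each character's code point is the byte value the author intended.
SAMPLE = "\x41\x8b\x45\x08\x90\xff"


def as_bytes(text, codec):
    """Encode as a lossy text channel would: unencodable characters become '?'."""
    return text.encode(codec, errors="replace")


def damaged(text, codec):
    """List (index, intended_byte, emitted_bytes) for every character the
    codec does not emit as the single byte equal to its code point."""
    report = []
    for i, ch in enumerate(text):
        if ord(ch) > 0xFF:
            raise ValueError("code point above 0xFF is not a byte value")
        emitted = ch.encode(codec, errors="replace")
        if emitted != bytes([ord(ch)]):
            report.append((i, ord(ch), emitted))
    return report


def show(text):
    for codec in ("ascii", "cp1252", "utf-8", "latin-1"):
        print(f"{codec:8} -> {as_bytes(text, codec).hex(' ')}")
        for index, intended, emitted in damaged(text, codec):
            print(f"           offset {index}: wanted {intended:02x}, "
                  f"got {emitted.hex(' ')}")


# A bytes object never passes through a codec, so nothing is substituted.
RAW = bytes.fromhex("418b450890ff")

if __name__ == "__main__":
    show(SAMPLE)
    # latin-1 maps code points 0x00-0xFF one-to-one onto bytes, so a
    # str/bytes round trip through it is lossless.
    print("latin-1 round trip intact:",
          RAW.decode("latin-1").encode("latin-1") == RAW)
```

In Python's `cp1252` codec U+008B and U+0090 have no mapping, so both come out as 0x3f, while under UTF-8 each code point above 0x7F becomes two bytes.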