Author: Friddy
MS08-067: Vulnerability in the Server service could allow remote code execution
http://www.microsoft.com/china/technet/security/bulletin/MS08-067.mspx
This update is important; it can be considered comparable to the Blaster ("shock wave") worm of its day. This morning I compared the code before and after the patch and found that the function Microsoft modified is as follows:
The function containing the buffer overflow:
// Builds a path into the local stack buffer v18 from an optional prefix (a1)
// and a name (a2), normalises '/' to '\', canonicalises the result in place
// and copies it into the caller's buffer a3 (a4 bytes). a5, when non-zero,
// receives the required size in bytes if a4 is too small.
// Returns 0 on success, 123 when the input is rejected or too long, and 2123
// when the caller's buffer is too small (these look like the Win32 codes
// ERROR_INVALID_NAME and NERR_BufTooSmall — confirm against the binary).
// NOTE(review): this is decompiler output passed through text extraction; a
// single '=' inside a condition and '|' / '&' between comparisons are most
// likely '==', '||' and '&&' in the original listing.
Signed int _ stdcall sub_5FDDA180 (int a1, wchar_t * a2, int a3, int a4, int a5)
{
Wchar_t * v5; // ebx @ 1 — cursor into a2
Size_t v6; // edi @ 1 — number of wchar_t already placed in v18 by the prefix
Int v7; // esi @ 1 — copy of a1
Int v8; // edi @ 3 — total length of prefix + name, in wchar_t
Signed int result; // eax @ 4
Wchar_t * v10; // eax @ 5 — cursor for the '/' -> '\' pass
Unsigned int v11; // eax @ 10 — required output size in bytes
Size_t v12; // eax @ 14 — wcslen(a1)
_ Int16 v13; // ax @ 16 — last character of the copied prefix
Size_t v14; // eax @ 3 — wcslen(v5)
Int v15; // [sp + 428 h] [bp-4h] @ 1 — loaded from a global into the slot just below the saved frame; presumably the /GS stack cookie — confirm
Wchar_t * v16; // [sp + 10 h] [bp-41Ch] @ 1 — copy of a3 (output buffer)
Int v17; // [sp + Ch] [bp-420h] @ 1 — copy of a5
Wchar_t v18; // [sp + 14 h] [bp-418h] @ 2 — first wchar_t of the local path buffer; the 0x208 limits below and the frame layout suggest a 0x208-wchar_t buffer — confirm
V5 = a2;
V15 = dword_5FE1E18C;
V7 = a1;
V16 = (wchar_t *) a3;
V6 = 0;
V17 = a5;
If (a1 & * (_ WORD *) a1) // prefix supplied and non-empty
{
V12 = wcslen (const wchar_t *) a1 );
V6 = v12;
If (v12)
{
If (v12> 0x208) // prefix alone would not fit in v18
Return 123;
Wcscpy (& v18, (const wchar_t *) v7 ); // bounded by the 0x208 check above
V13 = LOWORD (& v16) [v6 + 1]); // appears to read the last character of the copied prefix (index expression garbled by extraction — read against the original listing)
If (v13! = 92) // not '\'
{
If (v13! = 47) // not '/'
{
Wcscat (& v18, & word_5FDECBD4 ); // append a separator; word_5FDECBD4 is presumably a one-character string, which is what the ++v6 below assumes — confirm
++ V6;
}
}
If (* v5 = 92 | * v5 = 47) // drop a leading separator from the name so it is not doubled
++ V5;
}
}
Else
{
V18 = 0; // no prefix: start with an empty string
}
V14 = wcslen (v5 );
V8 = v14 + v6;
If (v8 <v14) // the addition wrapped around
Return 123;
If (unsigned int) v8> 0x207) // keep room for the terminator in the 0x208-wchar_t buffer
Return 123;
Wcscat (& v18, v5 ); // bounded by the two checks above
V10 = & v18;
If (v18)
{
Do
{
If (* v10 = 47) // '/'
* V10 = 92; // -> '\'
++ V10;
}
While (* v10 );
}
If (! Sub_5FDD9F7A (& v18 )&&! Sub_5FDDA26B (int) & v18) // canonicalise v18 in place. sub_5FDDA26B is the function the MS08-067 patch modified; note it receives only the buffer address, no length, and rewrites the buffer with wcscpy.
Return 123;
V11 = 2 * wcslen (& v18) + 2; // required output size in bytes, terminator included
If (v11> a4)
{
If (v17)
* (_ DWORD *) v17 = v11; // report the required size to the caller
Result = 2123;
}
Else
{
Wcscpy (v16, & v18); // Buffer Overflow — the author's label. This copy is bounded by the a4 check above, so it is only as safe as the a4 the caller passes; any corruption of v18 by sub_5FDDA26B has already happened before this line.
Result = 0;
}
Return result;
}
The function modified by the patch:
// ----- (5FDDA26B )--------------------------------------------------------
// In-place canonicalisation of the wide path string at a1 — the function the
// MS08-067 patch changed. When the string starts with two separators it skips
// the "\\server\" part, then walks the components, removing "." and collapsing
// ".." onto the previous component by copying the rest of the string backwards
// with wcscpy. Returns 1 when the path is accepted and 0 when it is rejected.
// Every write is unbounded: the routine assumes a1 points at a writable buffer
// at least as long as the string, and the backward scan for the previous
// separator is bounded only by pointer equality with a1.
// NOTE(review): decompiler output passed through text extraction; a single '='
// inside a condition and '|' / '&' between comparisons are most likely '==',
// '||' and '&&' in the original listing.
Signed int _ stdcall sub_5FDDA26B (int a1)
{
Wchar_t v1; // ax @ 1 — current character
Int v2; // ecx @ 1 — start of the part after the server prefix
Int v3; // ebx @ 1 — position of the last separator seen (0 = none)
Int v4; // edi @ 1 — position of the separator before that, i.e. where the previous component starts (0 = none)
Int v5; // esi @ 3 — cursor
Int v6; // eax @ 10 — source of the wcscpy that removes a "." component
_ Int16 v7; // dx @ 10 — character after a '.'
_ Int16 v8; // bx @ 11 — character after ".."
_ Int16 v10; // dx @ 17 — second character of the string
Int v11; // ecx @ 18 — cursor while skipping the server part
_ Int16 v12; // ax @ 19
Int v13; // eax @ 34 — cursor of the backward scan for the previous separator
Wchar_t * v14; // ecx @ 41 — destination of the wcscpy that removes a "." component
Char v15; // zf @ 1 — first character is '\'
Int v16; // [sp + Ch] [bp-4h] @ 1 — last separator seen, latched into v3 at LABEL_7
V2 = a1;
V1 = * (_ WORD *) a1;
V3 = 0;
V4 = 0;
V15 = * (_ WORD *) a1 = 92;
V16 = 0;
If (v15 | v1 = 47) // starts with '\' or '/'
{
V10 = * (_ WORD *) (a1 + 2 );
If (v10 = 92 | v10 = 47) // second separator too: "\\server\..." form
{
V11 = a1 + 4;
While (1) // find the separator that ends the server part
{
V12 = * (_ WORD *) v11;
If (* (_ WORD *) v11 = 92)
Break;
If (v12 = 47)
Break;
If (! V12) // string ends inside the server part
Return 0;
V11 + = 2;
}
If (! * (_ WORD *) v11 | (v2 = v11 + 2, v1 = * (_ WORD *) v2, a1 = v2, v1 = 92) | v1 = 47) // reject if nothing follows the server part or another separator follows it; as a side effect a1 and v2 are moved past the prefix
Return 0;
}
}
V5 = v2;
If (! V1) // empty remainder
Return 1;
While (1)
{
If (v1 = 92)
{
If (v3 = v5-2) // two separators in a row
Return 0;
V4 = v3; // previous component starts at the separator before this one
V16 = v5;
Goto LABEL_6;
}
If (v1! = 46 | v3! = V5-2 & v5! = V2) // only a '.' at the start of a component is interesting
Goto LABEL_6;
V6 = v5 + 2;
V7 = * (_ WORD *) (v5 + 2 );
If (v7 = 46) // ".."
{
V8 = * (_ WORD *) (v5 + 4 );
If (v8 = 92 |! V8) // ".." is a whole component
{
If (! V4) // nothing before it to collapse onto
Return 0;
Wcscpy (wchar_t *) v4, (const wchar_t *) (v5 + 4); // Buffer Overflow may occur (author's label). Overlapping copy of the remainder to v4; v4 is wherever the backward scan below last left it, and nothing here checks that it is still inside the buffer.
If (! V8)
Return 1;
V16 = v4;
V5 = v4;
V13 = v4-2; // one character before the previous separator; already below a1 when v4 == a1, which the lines above allow when the remainder starts with a separator — confirm
While (* (_ WORD *) v13! = 92 & v13! = A1) // NOTE(review): the only lower bound on this scan is equality with a1. If it starts below a1 the stop condition is never met and it reads backwards through memory before the buffer until a '\' word is found; the next ".." then wcscpy's to that address. A defensive fix checks v13 > a1 before each dereference and rejects the path when no separator is found inside the string.
V13-= 2;
V2 = a1;
V4 = v13 &-(* (_ WORD *) v13 = 92 ); // branchless select: v4 = v13 if the scan found a '\', else 0
}
Goto LABEL_6;
}
If (v7! = 92) // '.' followed by something other than '.' or '\': leave the loop
Break;
If (v3)
{
V14 = (wchar_t *) v3; // remove ".\" together with the separator before it
}
Else
{
V6 = v5 + 4;
V14 = (wchar_t *) v5; // at the start of the string: remove ".\" itself
}
Wcscpy (v14, (const wchar_t *) v6); // Buffer Overflow may occur (author's label). Overlapping copy that shortens the string; bounded only by the terminator.
V2 = a1;
LABEL_7:
V1 = * (_ WORD *) v5;
If (! * (_ WORD *) v5)
Return 1;
V3 = v16;
}
If (v7) // the '.' starts a longer name: keep it and continue
{
LABEL_6:
V5 + = 2;
Goto LABEL_7;
}
If (v3) // trailing "\.": cut the string at the last separator
V5 = v3;
* (_ WORD *) v5 = 0;
Return 1;
}