[tor-bugs] #10114 [Tor bundles/installation]: tbb-firefox.exe crashes on startup
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Nov 12 16:40:41 UTC 2013
#10114: tbb-firefox.exe crashes on startup
-------------------------------------+-------------------------------------
Reporter: Lehona | Owner: erinn
Type: defect | Status: new
Priority: normal | Milestone: TorBrowserBundle
Component: Tor | 2.3.x-stable
bundles/installation | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
-------------------------------------+-------------------------------------
Comment (by cypherpunks):
Something in your box actively modifies code of functions in memory (or
files). That reminds API hooking.
Here affected code:
{{{
12AD: E92E450200 ;PR_OpenTCPSocket
12B2: E969450200 ;PR_NewTCPSocketPair ;Crash here!
}}}
''PR_OpenTCPSocket'' of ''nspr4.dll'' is known as usual target for hooking
by various malware/software. Usually it replaces a prologue of target
function with the ''JMP rel32'' (E9 op.code) so code of next function
shouldn't to be affected, except this case it seems. If ''JMP d,[addr]''
(FF25 op.code, 6 bytes) or something another used then code at 12B2 was
modified and crash as result.
Browser from tor-browser-2.3.25-8_en-US.exe was compiled with
optimizations so code of PR_OpenTCPSocket looks like:
{{{
4952: 6A01
4954: 6A02
4956: E815FFFFFF
495B: 83C40C
495E: C3
}}}
Enough space for any JMPs there, no another functions modified and no
crash.
No more reasonable explanations. Your box infected or some very weird
software used.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10114#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list