The problem just now is that ShemuEmulate is an emulation function, not a disassembly function #48

Closed
icyfox168168 opened this issue Aug 10, 2021 · 10 comments

Comments

@icyfox168168

....

@icyfox168168
Author

I didn't describe the problem clearly?

@icyfox168168
Author

The shellcode I tested is mainly 50,000 lines of various algorithms, and the emulation has been very correct. Today I turned off optimization, and it was wrong. I found that the instruction operation is a little different, compared with x64dbg.

@vlutas
Collaborator

vlutas commented Aug 10, 2021

Well, no, you didn't describe any problem at all.
When reporting issues, please make sure you follow some basic good-practice guidelines:

  • state clearly what the issue is;
  • state clearly how it can be reproduced, or even better, supply a clear test case / steps of reproduction;
  • state clearly what project and/or component is affected.

Now, let's take it step by step:

  • What project did you find an issue in? The decoder? The emulator?
  • What instruction(s) did you see misbehaving?
  • Can you provide an example of input that produces the wrong output? Can you also provide what the expected, correct output would be?

@icyfox168168
Author

shellcode

Correct return: 1

Affected project file: bdshemu.c

Affected function: ShemuEmulate

Faulting instruction: movsx eax, byte ptr ds:[rax]

The cause of the error: only AL is updated.

My fix:

    case ND_INS_MOV:
    case ND_INS_MOVZX:
        GET_OP(Context, 1, &src);            // fetch the source operand
        if (src.Size == 1)
        {
            // byte mask, left commented out
            //src.Value.Qwords[0] = 0x00000000000000FF & src.Value.Qwords[0];
        }
        SET_OP(Context, 0, &src);            // write it to the destination operand
        break;

    case ND_INS_MOVSX:
    case ND_INS_MOVSXD:
        GET_OP(Context, 1, &src);            // source operand (the narrower one)
        GET_OP(Context, 0, &dst);            // destination operand (full width)

        // sign-extend the source into the destination value
        dst.Value.Qwords[0] = ND_SIGN_EX(src.Size, src.Value.Qwords[0]);

        if (src.Size == 1)
        {
            // byte mask, left commented out
            //dst.Value.Qwords[0] = 0x00000000000000FF & dst.Value.Qwords[0];
        }

        SET_OP(Context, 0, &dst);            // write the full-width destination
        break;

"\x48\x83\xEC\x18\xC6\x04\x24\x30\xC6\x44\x24\x01\x00\x48\x8D\x04\x24\x48\x89\x44\x24\x08\xC7\x44\x24\x04\x00\x00\x00\x00\xEB\x17\x48\x8B\x44\x24\x08\x48\xFF\xC0\x48\x89\x44\x24\x08\x8B\x44\x24\x04\xFF\xC0\x89\x44\x24\x04\x48\x8B\x44\x24\x08\x0F\xBE\x00\x85\xC0\x74\x02\xEB\xDB\x8B\x44\x24\x04\x48\x83\xC4\x18\xC3"
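
The register-write rule behind this report, as an added example in C that is not bdshemu's code: MOVSX/MOVZX must extend the source and then write the destination at the destination's width, because on x86-64 a 32-bit write to EAX zero-extends into RAX while a byte write to AL leaves the upper bits alone. Writing the destination at the source's width (1 byte) is exactly the symptom described above: `movsx eax, byte ptr [rax]` leaves the pointer's upper bytes in RAX, so `test eax, eax` never sees zero and the strlen loop in the posted shellcode does not terminate. The stack address and the two-byte buffer below are constructed for illustration (the buffer mirrors the "0\0" string the shellcode stores at [rsp]); the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not bdshemu code): a minimal model of x86-64 GPR write
 * semantics, used to show why the destination of MOVSX/MOVZX must be written
 * at the destination operand's width. */

/* x86-64 write rules for the RAX family:
 *  - 1- and 2-byte writes (AL/AX) leave the upper bits untouched;
 *  - a 4-byte write (EAX) zero-extends into all 64 bits;
 *  - an 8-byte write replaces the whole register. */
static uint64_t write_rax(uint64_t rax, unsigned dst_size, uint64_t value)
{
    switch (dst_size) {
    case 1:  return (rax & ~(uint64_t)0xFF)   | (value & 0xFF);
    case 2:  return (rax & ~(uint64_t)0xFFFF) | (value & 0xFFFF);
    case 4:  return value & 0xFFFFFFFFull;
    default: return value;
    }
}

/* Sign-extend the low src_size bytes of v to 64 bits (src_size 1, 2, 4 or 8). */
static uint64_t sign_extend(unsigned src_size, uint64_t v)
{
    if (src_size >= 8)
        return v;
    unsigned bits = src_size * 8;
    uint64_t mask = (1ull << bits) - 1;
    uint64_t sign = 1ull << (bits - 1);
    v &= mask;
    return (v & sign) ? (v | ~mask) : v;
}

/* Zero-extend the low src_size bytes of v. */
static uint64_t zero_extend(unsigned src_size, uint64_t v)
{
    return src_size >= 8 ? v : (v & ((1ull << (src_size * 8)) - 1));
}

/* Correct MOVSX/MOVSXD: extend to the destination width, then write the
 * destination at *its* width (dst_size), not the source's. */
static uint64_t movsx(uint64_t rax, unsigned src_size, unsigned dst_size, uint64_t src)
{
    return write_rax(rax, dst_size, sign_extend(src_size, src));
}

/* Correct MOVZX: same shape, zero-extension instead of sign-extension. */
static uint64_t movzx(uint64_t rax, unsigned src_size, unsigned dst_size, uint64_t src)
{
    return write_rax(rax, dst_size, zero_extend(src_size, src));
}

/* The behaviour reported in the issue: the destination is written at the
 * source size, so `movsx eax, byte ptr [rax]` only replaces AL and keeps the
 * upper bytes of the pointer that was in RAX. */
static uint64_t movsx_buggy(uint64_t rax, unsigned src_size, uint64_t src)
{
    return write_rax(rax, src_size, sign_extend(src_size, src));
}

/* Constructed stand-in for the bytes the shellcode stores at [rsp]: "0\0". */
static const uint8_t kSample[2] = { 0x30, 0x00 };

/* Replays the shellcode's loop (a strlen over the buffer):
 *     mov   rax, [rsp+8]          ; current pointer
 *     movsx eax, byte ptr [rax]
 *     test  eax, eax
 *     je    done
 *     inc   pointer ; inc count ; loop
 * Returns the count, or -1 if zero is never observed inside the buffer, which
 * is what the buggy write causes. */
static long count_until_nul(const uint8_t *buf, size_t len, uint64_t buf_va, int buggy)
{
    long count = 0;
    for (size_t i = 0; i < len; i++) {
        uint64_t rax = buf_va + i;                         /* mov rax, [rsp+8] */
        uint8_t  b   = buf[i];                             /* byte ptr [rax]   */
        rax = buggy ? movsx_buggy(rax, 1, b) : movsx(rax, 1, 4, b);
        if ((uint32_t)rax == 0)                            /* test eax, eax ; je */
            return count;
        count++;
    }
    return -1;
}

int main(void)
{
    const uint64_t va = 0x00007ffd1a2b3c40ull;             /* constructed stack address */
    printf("correct movsx: count = %ld\n", count_until_nul(kSample, sizeof kSample, va, 0));
    printf("buggy   movsx: count = %ld\n", count_until_nul(kSample, sizeof kSample, va, 1));
    printf("movsx eax, 0x80 -> rax = 0x%016llx\n", (unsigned long long)movsx(va, 1, 4, 0x80));
    printf("movsx rax, 0x80 -> rax = 0x%016llx\n", (unsigned long long)movsx(va, 1, 8, 0x80));
    printf("movsx ax,  0x80 -> rax = 0x%016llx\n", (unsigned long long)movsx(va, 1, 2, 0x80));
    return 0;
}
```

The 0x80 cases are the ones a regression test for an emulator should also cover: a byte with the sign bit set must become 0xFFFFFF80 in EAX (and clear the upper half of RAX), 0xFFFFFFFFFFFFFF80 for a 64-bit destination, and only touch the low 16 bits for a 16-bit destination; MOVZX of the same byte must yield 0x80 with no sign propagation.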

@vlutas
Collaborator

vlutas commented Aug 10, 2021

This is much better and clear now, and I understand the issue. The problem is that the MOVSX and MOVZX are sometimes emulated wrongly, and they incorrectly update the destination register. I confirm this, as I was able to reproduce this issue, and a fix will soon be pushed.

Thank you for reporting this!

vlutas added a commit that referenced this issue Aug 10, 2021
Fixed an emulation bug for MOVZX and MOVSX instructions (#48)
New shellcode flag - call to Wow32 reserved.
New shellcode flag - heaven's gate.
New shellcode flag - stack-pivot.
Moved bdshemu tests in a password protected zip file, so it doesn't trigger AV detections.
@vlutas
Collaborator

vlutas commented Aug 10, 2021

The issue should now be fixed in the latest commit - f605066. Please check it out, and confirm that the problem is fixed.
Thanks!

@icyfox168168
Author

ok ok ok ok ok perfect

Emulating: 0x000000018002f141 MOVSX eax, byte ptr [rax]

RAX = 0x0000000000000030 RCX = 0x0000000000000000 RDX = 0x0000000000000000 RBX = 0x0000000000000000

@vlutas
Collaborator

vlutas commented Aug 10, 2021

In this case, I will close the issue. Other problems can be treated in separate issues.
Thanks!

@vlutas vlutas closed this as completed Aug 10, 2021