thread 'main' panicked at 'attempt to subtract with overflow', src\emu.rs:1512:40
C:\Users\Brandon\Desktop\scemu>cargo run -- --64bits -f C:\Users\Brandon\Desktop\redacted.exe
Finished dev [unoptimized + debuginfo] target(s) in 0.15s
Running `target\debug\scemu.exe --64bits -f C:\Users\Brandon\Desktop\redacted.exe`
use -vv to see the assembly code emulated, and -v to see the messages
initializing regs
loading memory maps
thread 'main' panicked at 'attempt to subtract with overflow', src\emu.rs:1512:40
stack backtrace:
0: 0x7ff708f0174f - std::backtrace_rs::backtrace::dbghelp::trace
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\..\..\backtrace\src\backtrace\dbghelp.rs:98
1: 0x7ff708f0174f - std::backtrace_rs::backtrace::trace_unsynchronized
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\..\..\backtrace\src\backtrace\mod.rs:66
2: 0x7ff708f0174f - std::sys_common::backtrace::_print_fmt
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\sys_common\backtrace.rs:66
3: 0x7ff708f0174f - std::sys_common::backtrace::_print::impl$0::fmt
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\sys_common\backtrace.rs:45
4: 0x7ff708f18fea - core::fmt::write
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\core\src\fmt\mod.rs:1194
5: 0x7ff708efbb79 - std::io::Write::write_fmt<std::sys::windows::stdio::Stderr>
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\io\mod.rs:1655
6: 0x7ff708f03a5b - std::sys_common::backtrace::_print
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\sys_common\backtrace.rs:48
7: 0x7ff708f03a5b - std::sys_common::backtrace::print
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\sys_common\backtrace.rs:35
8: 0x7ff708f03a5b - std::panicking::default_hook::closure$1
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\panicking.rs:295
9: 0x7ff708f0364e - std::panicking::default_hook
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\panicking.rs:314
10: 0x7ff708f04051 - std::panicking::rust_panic_with_hook
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\panicking.rs:698
11: 0x7ff708f03ed2 - std::panicking::begin_panic_handler::closure$0
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\panicking.rs:586
12: 0x7ff708f02057 - std::sys_common::backtrace::__rust_end_short_backtrace<std::panicking::begin_panic_handler::closure_env$0,never$>
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\sys_common\backtrace.rs:138
13: 0x7ff708f03be9 - std::panicking::begin_panic_handler
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\panicking.rs:584
14: 0x7ff708f21a05 - core::panicking::panic_fmt
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\core\src\panicking.rs:143
15: 0x7ff708f218ac - core::panicking::panic
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\core\src\panicking.rs:48
16: 0x7ff708b17a62 - scemu::emu::Emu::shld
at C:\Users\Brandon\Desktop\scemu\src\emu.rs:1512
17: 0x7ff708b0ee0a - scemu::emu::Emu::init_tests
at C:\Users\Brandon\Desktop\scemu\src\emu.rs:547
18: 0x7ff708b0cfdf - scemu::emu::Emu::init
at C:\Users\Brandon\Desktop\scemu\src\emu.rs:189
19: 0x7ff708acb51d - scemu::main
at C:\Users\Brandon\Desktop\scemu\src\main.rs:196
20: 0x7ff708a6542b - core::ops::function::FnOnce::call_once<void (*)(),tuple$<> >
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\library\core\src\ops\function.rs:227
21: 0x7ff708a5d43b - std::sys_common::backtrace::__rust_begin_short_backtrace<void (*)(),tuple$<> >
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\library\std\src\sys_common\backtrace.rs:122
22: 0x7ff708af39a1 - std::rt::lang_start::closure$0<tuple$<> >
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\library\std\src\rt.rs:145
23: 0x7ff708ef53ce - core::ops::function::impls::impl$2::call_once
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\library\core\src\ops\function.rs:259
24: 0x7ff708ef53ce - std::panicking::try::do_call
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\panicking.rs:492
25: 0x7ff708ef53ce - std::panicking::try
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\panicking.rs:456
26: 0x7ff708ef53ce - std::panic::catch_unwind
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\panic.rs:137
27: 0x7ff708ef53ce - std::rt::lang_start_internal::closure$2
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\rt.rs:128
28: 0x7ff708ef53ce - std::panicking::try::do_call
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\panicking.rs:492
29: 0x7ff708ef53ce - std::panicking::try
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\panicking.rs:456
30: 0x7ff708ef53ce - std::panic::catch_unwind
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\panic.rs:137
31: 0x7ff708ef53ce - std::rt::lang_start_internal
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\/library\std\src\rt.rs:128
32: 0x7ff708af396f - std::rt::lang_start<tuple$<> >
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e\library\std\src\rt.rs:144
33: 0x7ff708acbcc6 - main
34: 0x7ff708f1fa1c - invoke_main
at D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
35: 0x7ff708f1fa1c - __scrt_common_main_seh
at D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
36: 0x7ff862b87034 - BaseThreadInitThunk
37: 0x7ff8643e2651 - RtlUserThreadStart
error: process didn't exit successfully: `target\debug\scemu.exe --64bits -f C:\Users\Brandon\Desktop\redacted.exe` (exit code: 101)
.exe is using VMProtect
thanks a lot, this type of bug is good to know about.
for now 64-bit only supports shellcodes; 32-bit supports shellcodes and exe's.
btw this is an opportunity to fix a bug: what causes this is a SHLD instruction where the counter (arg3) is bigger than the destination operand size.
According to the intel manual: if counter > size -> undefined behavior
in practice what the processor does is: if counter >= size -> counter -= size
the second error was: the book says bit(dest, i) <- bit(src, i - count + size); with unsigned vars this causes the error, because i - count underflows before size is added. i changed it to: bit(dest, i) <- bit(src, i + size - count) to avoid negative intermediate values.
Sooo it's fixed, but VMProtect is not supported for now and it can only emulate a few hundred instructions.
regards.
I just want to add that `cargo run --` runs a debug build, and debug builds panic when arithmetic operators overflow.
@brandonros Try running a release build.
Ok fixed for debug build also, thanks guys.
$ RUST_BACKTRACE=1 cargo run -- -f /Users/brandonros/Downloads/redacted.exe
Finished dev [unoptimized + debuginfo] target(s) in 0.02s
Running `target/debug/scemu -f /Users/brandonros/Downloads/redacted.exe`
use -vv to see the assembly code emulated, and -v to see the messages
initializing regs
loading memory maps
Loaded nsi.dll
4 sections base addr 0x776c0000
created pe32 map for section `.text` at 0x776c1000 size: 5624
created pe32 map for section `.data` at 0x776c3000 size: 16
created pe32 map for section `.rsrc` at 0x776c4000 size: 1008
/!\ warning: raw sz:8704 off:8192 sz:512 off+sz:8704
created pe32 map for section `.reloc` at 0x776c5000 size: 88
the apiname function not found
thread 'main' panicked at 'attempt to subtract with overflow', src/emu.rs:1668:44
stack backtrace:
0: rust_begin_unwind
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:584:5
1: core::panicking::panic_fmt
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/panicking.rs:143:14
2: core::panicking::panic
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/panicking.rs:48:5
3: scemu::emu::Emu::shld
at ./src/emu.rs:1668:44
4: scemu::emu::Emu::init_tests
at ./src/emu.rs:581:17
5: scemu::emu::Emu::init
at ./src/emu.rs:211:9
6: scemu::main
at ./src/main.rs:196:5
7: core::ops::function::FnOnce::call_once
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/ops/function.rs:227:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
in release mode
initializing regs
loading memory maps
Loaded nsi.dll
4 sections base addr 0x776c0000
created pe32 map for section `.text` at 0x776c1000 size: 5624
created pe32 map for section `.data` at 0x776c3000 size: 16
created pe32 map for section `.rsrc` at 0x776c4000 size: 1008
/!\ warning: raw sz:8704 off:8192 sz:512 off+sz:8704
created pe32 map for section `.reloc` at 0x776c5000 size: 88
the apiname function not found
memory test Ok.
PE32 header detected.
no import directory at va 0x0
IAT Bound started ...
IAT Bound.
Loaded /Users/brandonros/Downloads/redacted.exe
11 sections base addr 0x1
/!\ warning: raw sz:34786304 off:116 sz:2019914798 off+sz:2019914914
created pe32 map for section `` at 0x1 size: 0
entry point at 0x4901723 0x4901722
/!\ warning: raw sz:34786304 off:24948 sz:1633972782 off+sz:1633997730
created pe32 map for section `` at 0x60000021 size: 0
/!\ warning: raw sz:34786304 off:97 sz:1952539694 off+sz:1952539791
created pe32 map for section `` at 0x40000041 size: 0
/!\ warning: raw sz:34786304 off:24948 sz:1633972270 off+sz:1633997218
created pe32 map for section `` at 0xc0000041 size: 0
/!\ warning: raw sz:34786304 off:1684108389 sz:1836347694 off+sz:3520456083
thread 'main' panicked at 'slice index starts at 1684108389 but ends at 34786303', library/core/src/slice/index.rs:92:5
stack backtrace:
0: rust_begin_unwind
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/std/src/panicking.rs:584:5
1: core::panicking::panic_fmt
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/panicking.rs:143:14
2: core::slice::index::slice_index_order_fail_rt
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/slice/index.rs:92:5
3: core::ops::function::FnOnce::call_once
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/ops/function.rs:227:5
4: core::intrinsics::const_eval_select
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/intrinsics.rs:2361:5
5: core::slice::index::slice_index_order_fail
at /rustc/fe5b13d681f25ee6474be29d748c65adcd91f69e/library/core/src/slice/index.rs:87:14
6: scemu::emu::pe32::PE32::get_section_ptr
7: scemu::emu::Emu::load_pe32
8: scemu::main
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.