
UC_HOOK_CODE shows wrong result (address)

Open schnabel0776 opened this issue 3 years ago • 2 comments

I'm trying to add a UC_HOOK_CODE hook for logging all executed assembly code.

from capstone import Cs, CS_ARCH_X86, CS_MODE_32
from unicorn import Uc, UC_ARCH_X86, UC_MODE_32, UC_HOOK_CODE

def hook_code(self, uc, address, size, user_data):
    # open the trace file lazily, on the first hooked instruction
    if not hasattr(self, "f"):
        self.f = open("trace.txt", "w")
    # disassemble the instruction unicorn is about to execute at `address`
    insn = next(self.cs.disasm(self.uc.mem_read(address, size), address))
    self.f.write(f"{address:#010x}:\t{insn.mnemonic}\t{insn.op_str}\n")
...
...
self.cs = Cs(CS_ARCH_X86, CS_MODE_32)
self.cs.detail = True
self.uc = Uc(UC_ARCH_X86, UC_MODE_32)
...
self.uc.hook_add(UC_HOOK_CODE, self.hook_code)
self.uc.emu_start(self.entry_point, 0x8FFFFFFF)

The result looks like this:

0x00da78de:	jmp	0xd051a9
0x00d051a9:	push	ebp
0x00d051aa:	ret	
0x014d0e8f:	mov	eax, dword ptr [edi]
0x00d83c98:	add	edi, ecx
0x00d83c9a:	jmp	0xd9e20a
0x00d9e20a:	jmp	0xc8948f
0x0147dd75:	movzx	ax, byte ptr [esi]

In the first case, the address that comes out after the ret instruction must be the value of the ebp register, but reading the ebp and [esp] values at 0x00d051aa, it's not 0x014d0e8f; the values below are normal:

0x00d051aa ebp: 0x00d6831e
0x00d051aa [esp]: 0x00d6831e

I think the emulation is going fine, but only hook_code shows me a wrong result.

Is there any known issue or something I missed? (sorry for my bad English)

schnabel0776, Jul 20 '22 08:07

I can't understand exactly which address is wrong, maybe an assertion could be more clear?

wtdcode, Jul 23 '22 12:07

I can't understand exactly which address is wrong, maybe an assertion could be more clear?

In the first case, the ebp value is 0x00d6831e, so the address after the ret instruction should be 0x00d6831e, but 0x014d0e8f shows up. In the second case, after the jmp 0xc8948f instruction, the address of UC_HOOK_CODE is 0x0147dd75, not 0xc8948f.

schnabel0776, Jul 24 '22 22:07

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days.

github-actions[bot], Sep 23 '22 05:09

I can't understand exactly which address is wrong, maybe an assertion could be more clear?

In the first case, the ebp value is 0x00d6831e, so the address after the ret instruction should be 0x00d6831e, but 0x014d0e8f shows up. In the second case, after the jmp 0xc8948f instruction, the address of UC_HOOK_CODE is 0x0147dd75, not 0xc8948f.

If possible, please provide the full reproduction script.

wtdcode, Sep 25 '22 16:09
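The maintainer asks for a full reproduction and an assertion rather than a log to eyeball. The script below is an added example, not code from the unicorn project or from the issue author: it runs a small hand-assembled 32-bit snippet (constructed here: a `jmp`, a `push imm32` and a `ret`) under a UC_HOOK_CODE hook that records, for every hooked instruction, the address unicorn reports together with ESP and the dword at [ESP]. A pure-Python checker then asserts that the instruction hooked right after each `ret` sits at the address that was on top of the stack when the `ret` executed, which is the exact claim the issue makes. The memory layout (code at 0x1000, stack at 0x7000) and the `until` address 0x2001 are assumptions of this example.

```python
"""UC_HOOK_CODE trace harness with a consistency check for `ret`.

Added example (not unicorn's or the issue author's code).  It records the
address reported to the code hook plus ESP and [ESP] at every instruction,
then checks that the hook address following each `ret` equals the return
address that was on the stack.  The checker is plain Python so it can also
be run over a trace recorded by another harness.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

CODE_BASE = 0x1000   # assumed layout: two code pages at 0x1000..0x2fff
STACK_BASE = 0x7000  # assumed layout: one stack page
PAGE = 0x1000
STOP_AT = 0x2001     # emu_start(..., until=STOP_AT)

# Constructed 32-bit x86 snippet, hand-assembled:
#   0x1000: eb 0e             jmp  0x1010
#   0x1010: 68 00 20 00 00    push 0x2000
#   0x1015: c3                ret            ; must land on 0x2000
#   0x2000: 90                nop
#   0x2001: 90                nop            ; emulation stops here
SNIPPET = {
    0x1000: bytes.fromhex("eb0e"),
    0x1010: bytes.fromhex("6800200000c3"),
    0x2000: bytes.fromhex("9090"),
}


@dataclass
class Record:
    address: int    # address unicorn passed to the hook
    size: int
    opcode: bytes   # raw instruction bytes read back from guest memory
    esp: int
    stack_top: int  # dword at [esp] when the hook fired

    @property
    def is_ret(self) -> bool:
        # `ret` (c3) or `ret imm16` (c2); the snippet has no prefixes
        return self.opcode[:1] in (b"\xc3", b"\xc2")


def check_ret_targets(trace: List[Record]) -> List[Tuple[int, int, int]]:
    """Return (ret_address, expected_target, hooked_address) for every `ret`
    whose following hook address differs from the value that was at [esp]."""
    mismatches = []
    for cur, nxt in zip(trace, trace[1:]):
        if cur.is_ret and nxt.address != cur.stack_top:
            mismatches.append((cur.address, cur.stack_top, nxt.address))
    return mismatches


def run_demo() -> List[Record]:
    """Emulate SNIPPET under a UC_HOOK_CODE hook and return the trace."""
    from unicorn import Uc, UC_ARCH_X86, UC_MODE_32, UC_HOOK_CODE
    from unicorn.x86_const import UC_X86_REG_ESP

    uc = Uc(UC_ARCH_X86, UC_MODE_32)
    uc.mem_map(CODE_BASE, 2 * PAGE)
    uc.mem_map(STACK_BASE, PAGE)
    for addr, code in SNIPPET.items():
        uc.mem_write(addr, code)
    uc.reg_write(UC_X86_REG_ESP, STACK_BASE + PAGE - 0x100)

    trace: List[Record] = []

    def hook_code(uc, address, size, user_data):
        esp = uc.reg_read(UC_X86_REG_ESP)
        top = struct.unpack("<I", uc.mem_read(esp, 4))[0]
        trace.append(Record(address, size, bytes(uc.mem_read(address, size)), esp, top))

    uc.hook_add(UC_HOOK_CODE, hook_code)
    uc.emu_start(CODE_BASE, STOP_AT)
    return trace


if __name__ == "__main__":
    recorded = run_demo()
    for r in recorded:
        print(f"{r.address:#010x} size={r.size} esp={r.esp:#010x} [esp]={r.stack_top:#010x}")
    print("ret mismatches:", check_ret_targets(recorded))
```

Capstone disassembly can be layered on top exactly as in the original hook; the point of recording ESP and [ESP] in the hook itself is that the trace carries the evidence needed to turn "the address after ret looks wrong" into a check that either fails or passes.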

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days.

github-actions[bot], Nov 25 '22 05:11

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days.

github-actions[bot], Feb 01 '23 05:02