IDR Assertion Failed: num

Assertion Failed: num < ModuleCount

Open thexkey opened this issue 5 years ago • 25 comments

I have attempted to decompile the EXE attached and when ever i attempt to open it it will show a message.

this is the message:

and this is the EXE i want to decompile.

MpFix_UnpackedUPX.zip

Dec 15 '18 04:12 thexkey

Same happens to me...

Dec 27 '18 16:12 Antelox

@samdisk11

I"m not able to reproduce the issue on your exe using the pre-built Idr.exe from this master branch. Analysis finished with 100% success.

what are your steps?

where did you get the KB for your Delphi ver? (kb2012.bin) it's not present in this repo

lets make sure we are using same bits:

1a2e033e43b9c04de754da799d1f359e *syskb2012.bin 9d6d3492a826bbee39a073ca28225e5d *kb2012.bin

PS same question to @Antelox please also upload your .exe for reproducing the case.

Jan 03 '19 21:01 greenozon

I used the files in the repo, extracted in a folder and executed the idr.exe binary. Opened a Delphi sample with the autodetect feature and during the loading the messagebox pops up.

Jan 04 '19 08:01 Antelox

If you are talking about MpFix_UnpackedUPX.exe then something is missed, cause repository does not contain KB for this specific autodetected Delphi version - kb2012.bin

So my assumption was some incompatible (broken) KB was used

Now, when you said a Delphi sample - what specific binary do you mean? where could I get it.

Jan 04 '19 12:01 greenozon

No I was not referring to that file. I was referring to a malware written in Delphi. BTW I have removed the folder with the files, downloaded the repo again and tried one more time. Now it works fine, so probably there were some issues with old KB files. For the time being I would consider this issue as solved. Should have more issues I will write a new comment or open a new one. Thanks for your time...

Jan 04 '19 13:01 Antelox

Great news! Thanks for clarification. Feel free to report as many issues as you could find (and more :) )

lets wait for final feedback from @samdisk11 as well

Jan 04 '19 13:01 greenozon

Спасибо, что разобрался. Кстати, вопрос, как лучше хранить на гите базы знаний, я попробовал скопировать туда несколько, но система стала намекать на другие способы хранения больших бинарных файлов. Не просветишь?

пт, 4 янв. 2019 г. в 16:25, Alex [email protected]:

Great news! Thanks for clarification. Feel free to report as many issues as you could find (and more :) )

lets wait for final feedback from @samdisk11 https://github.com/samdisk11 as well

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/crypto2011/IDR/issues/42#issuecomment-451442755, or mute the thread https://github.com/notifications/unsubscribe-auth/AQeMse3uBf39vGzU9WvWQuZgLv2kULbpks5u_1ZIgaJpZM4ZUkDH .

-- Best regards, crypto

Jan 05 '19 07:01 crypto2011

@crypto2011

Вижу пару вариантов с базами знаний KB

хранить их только в одном месте, например тут - https://github.com/crypto2011/KBBUILDER

дописать в readme.md репозитария IDR где их искать хорошо б хранить еталонный набор для всех версий Дельфи вместе с MD5 (sha)

хранить их в репозитарии IDR - но в сжатом виде, надо глянуть кто хорошо ужмет их 7зип, рар или др Ведь KB - редкоменяемая информация, а места занимает много, раз стянул и дальше пользуешся локальной копией
не хранить нигде, но написать как сделать самому

будет економия места

будет надо напрячся чтоб сделать БД и не факт что у всех будут нужные версий Дельфи..

пока такие идеи

Jan 05 '19 11:01 greenozon

sorry i was away from github as i was locked out of my account. now that im back i can help you solve this issue. i used these KB's to try to decompile/read the code. IDR-master.zip

Jan 05 '19 16:01 thexkey

these small syskb*.bin are OK but what is more important - kb2012.bin could you calc md5 and compare to what I posted before?

did you get that .bin from authoritative source?

Jan 05 '19 18:01 greenozon

I don't know Russian so here I'm using GTranslate. Are you speaking about how to store the KB files? What is the problem with uploading here on Github?

Jan 07 '19 15:01 Antelox

something like that author told that git does not like huge big binary files inside source repository and I was saying a couple of ideas how to handle this kind of issue :)

you ideas are welcomed as well :)

Jan 07 '19 18:01 greenozon

are you both using windows 10 64 bit? i am using that as my OS

Jan 08 '19 00:01 thexkey

Mine is W7 x64 I'll try to validate over W10x64 as well

Jan 08 '19 06:01 greenozon

@samdisk11 I'm not able to reproduce your issue @W10x64

asking old questions - where did you get the main KB file for your Delphi version (kb2012.bin) please provide either this file or md5 out of it

Jan 08 '19 07:01 greenozon

I'm using W7 x64 as well. For the KB files, perhaps Dropbox, Google Drive or any other cloud should be fine. You can keep updated into the cloud the KB files and putting a link to the IDR README.md file so that who wants, could download from there them...

Jan 08 '19 10:01 Antelox

I do not have my PC with me right now so please give me some time I'll get the files

Jan 09 '19 15:01 thexkey

I have succesfully decompiled file MpFix_UnpackedUPX.zip (IDR determined XE2)

Feb 02 '19 17:02 crypto2011

it seems im missing kb2012. even redownloading does not have it

Aug 16 '19 22:08 thexkey

@samdisk11 any updates on your case?

Oct 14 '19 08:10 greenozon

I meet this issue when I 'm analyzing BCompare4.3.3-24545 X32 in Win10 X64. Someone can have a try ? I get the bin file from this repo .