gef-extras icon indicating copy to clipboard operation
gef-extras copied to clipboard
verified publisher icon hugsy

Trying to run unicorn-emulate with an ARM64 binary causes a syntax error

Open Emiluren opened this issue 3 years ago • 4 comments

  • [x] Did you use the latest version of GEF from dev branch?
  • [x] Is your bug specific to GEF (not GDB)? - Try to reproduce it running gdb -nx
  • [x] Did you search through the documentation first?
  • [x] Did you check issues (including the closed ones) - and the PR?

Step 1: Describe your environment

  • Operating System / Distribution: Arch linux
  • Architecture: x64 (using aarch64-linux-gnu-gdb)
  • GEF version: [2830670] (btw, the version command gives the hash for my dotfiles repo since I have that cloned in ~)

Step 2: Describe your problem

I tried to run unicorn-emulate with a program compiled for ARM64 but ran into a syntax error in a generated file.

For a minimal test case I used this program compiled with aarch64-linux-gnu-gcc.

int main(){ return 0; }

I then ran aarch64-linux-gnu-gdb a.out followed by target sim, load, starti and emu.

Observed Results

Running emu gave me this error:

gef➤  emu
[+] Starting emulation: 0x0  →  0x4
[!] Command 'unicorn-emulate' failed to execute properly, reason: Command '[PosixPath('/usr/bin/python3'), '/tmp/gef-uc-4hoxcpjm.py']' returned non-zero exit status 1.

I then tried running the generated file outside gdb and got this error message:

% python3 /tmp/gef-uc-815xbo0q.py
  File "/tmp/gef-uc-815xbo0q.py", line 18
    cs = capstone.Cs(capstone.CS_ARCH_ARM64, capstone.0|capstone.CS_MODE_LITTLE_ENDIAN)
                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
SyntaxError: invalid syntax. Perhaps you forgot a comma?

I noticed that the 0 comes from gef_to_cs_arch returning "0" as the mode in the case of ARM64. Should this perhaps be "CS_MODE_ARM" instead.

Emiluren avatar Aug 30 '22 10:08 Emiluren

This is caused by this line.

That "0" should be something else, but I am not sure what. If it's supposed to be a string 0, then we should change it to '"0"'. Could you please try that?

Grazfather avatar Aug 30 '22 13:08 Grazfather

(You could also try "CS_MODE_ARM". That looks correct.)

If you test and make a PR we could merge it in.

Grazfather avatar Aug 30 '22 13:08 Grazfather

Well I tried "CS_MODE_ARM" and it worked for a while but somehow gef_to_cs_arch started returning "0" again at some point.

I have no idea why but it seems like the old version of get_to_cs_arch got loaded and I couldn't figure out where it came from. I added prints but they were never executed (also suggesting the old version was used), but changes in other parts of the same file did have an effect. I feel like my python installation is cursed...

Emiluren avatar Aug 30 '22 13:08 Emiluren

Yeah I would guess that it's somehow importing an old version of the file.

Grazfather avatar Aug 30 '22 14:08 Grazfather