
Packed x86 PE file (compiled Debug) cannot execute to OEP

Open LakerMoon opened this issue 3 years ago • 8 comments

Packed x86 PE file (compiled in Debug configuration) cannot execute to the OEP; it stopped and exited when the packer stub called GetProcAddress().

Unicorn called ExitProcess() when it tried to get the address of a function in "vcruntime140d.dll" (the last GetProcAddress() call in the log below, for "_except_handler4_common", returned 0x0, and ExitProcess() followed immediately).

Info: [=] Initiate stack address at 0xfffdd000 [=] Loading rootfs/x86_windows/bin/testPE32_2upx.exe to 0x400000 [=] PE entry point at 0x421300 [=] TEB addr is 0x6000 [=] PEB addr is 0x6044 [=] Loading rootfs/x86_windows\Windows\System32\ntdll.dll ... [!] Warnings while loading rootfs/x86_windows\Windows\System32\ntdll.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0 [=] Done with loading rootfs/x86_windows\Windows\System32\ntdll.dll [=] Loading rootfs/x86_windows\Windows\System32\kernel32.dll ... [=] Done with loading rootfs/x86_windows\Windows\System32\kernel32.dll [=] Loading rootfs/x86_windows\Windows\System32\ucrtbased.dll ... [=] Done with loading rootfs/x86_windows\Windows\System32\ucrtbased.dll [=] Loading rootfs/x86_windows\Windows\System32\vcruntime140d.dll ... [=] Done with loading rootfs/x86_windows\Windows\System32\vcruntime140d.dll [=] LoadLibraryA(lpLibFileName = "KERNEL32.DLL") = 0x6b800000 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "HeapAlloc") = 0x6b89be35 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "IsDebuggerPresent") = 0x6b8220d0 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "RaiseException") = 0x6b8205b0 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "MultiByteToWideChar") = 0x6b81df80 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "WideCharToMultiByte") = 0x6b81dff0 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "QueryPerformanceCounter") = 0x6b81df40 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetCurrentProcessId") = 0x6b822e90 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetSystemTimeAsFileTime") = 0x6b81f390 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "TerminateProcess") = 0x6b819910 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetCurrentProcess") = 0x6b822e80 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = 
"GetProcAddress") = 0x6b81f550 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "FreeLibrary") = 0x6b820ae0 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "VirtualQuery") = 0x6b81f570 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetProcessHeap") = 0x6b81f380 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "HeapFree") = 0x6b81df60 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetCurrentThreadId") = 0x6b81df10 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetLastError") = 0x6b81e010 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetModuleHandleW") = 0x6b820e50 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "IsProcessorFeaturePresent") = 0x6b820b70 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetStartupInfoW") = 0x6b821550 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "SetUnhandledExceptionFilter") = 0x6b821720 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "UnhandledExceptionFilter") = 0x6b835c40 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "InitializeSListHead") = 0x6b89c1f4 [=] LoadLibraryA(lpLibFileName = "ucrtbased.dll") = 0x10000000 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "strcat_s") = 0x100bd8f0 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "__stdio_common_vsprintf_s") = 0x100b1e70 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "__p__commode") = 0x1008ddd0 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_initialize_onexit_table") = 0x10074b10 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_register_onexit_function") = 0x10074b90 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_execute_onexit_table") = 0x10074ad0 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_crt_atexit") = 0x10074aa0 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_crt_at_quick_exit") = 0x10074a70 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_controlfp_s") = 0x100d6cf0 [=] GetProcAddress(hModule = 0x10000000, lpProcName = 
"terminate") = 0x1006c850 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_wmakepath_s") = 0x100fca70 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_wsplitpath_s") = 0x100ff6e0 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "wcscpy_s") = 0x100c7a30 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "strcpy_s") = 0x100be1a0 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_set_new_mode") = 0x100558b0 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_configthreadlocale") = 0x100628d0 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_register_thread_local_exe_atexit_callback") = 0x10074190 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_c_exit") = 0x10074140 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_cexit") = 0x10074170 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "__p___argv") = 0x1006d930 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "__p___argc") = 0x1006d920 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_set_fmode") = 0x1010df70 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_exit") = 0x100740f0 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "exit") = 0x100741e0 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_initterm_e") = 0x100742b0 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_initterm") = 0x10074240 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_get_initial_narrow_environment") = 0x10019260 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_initialize_narrow_environment") = 0x100191d0 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_configure_narrow_argv") = 0x1006f060 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "__setusermatherr") = 0x100ea840 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_set_app_type") = 0x10057890 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_seh_filter_exe") = 0x1006a840 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_CrtDbgReportW") = 0x10068760 [=] 
GetProcAddress(hModule = 0x10000000, lpProcName = "_CrtDbgReport") = 0x100686e0 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "__stdio_common_vfprintf") = 0x100b1b30 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "__acrt_iob_func") = 0x100b84f0 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_seh_filter_dll") = 0x1006a800 [=] LoadLibraryA(lpLibFileName = "VCRUNTIME140D.dll") = 0x101c7000 [=] GetProcAddress(hModule = 0x101c7000, lpProcName = "__vcrt_GetModuleFileNameW") = 0x101d3440 [=] GetProcAddress(hModule = 0x101c7000, lpProcName = "_except_handler4_common") = 0x0 [=] ExitProcess(uExitCode = 0)

LakerMoon avatar Apr 21 '22 01:04 LakerMoon

Hi. Can you please elaborate on what the expected behavior should be? Is it possible to share the executable here for us to test?

elicn avatar Apr 21 '22 12:04 elicn

Hi. Can you please elaborate on what the expected behavior should be? Is it possible to share the executable here for us to test?

It executed test.exe (Release build) and ran successfully:

PS D:\Code\qiling-master\qiling-master\examples> python .\crackme_x86_windows_setcallback.py [=] Initiate stack address at 0xfffdd000 [=] Loading rootfs/x86_windows/bin/Upxtest.exe to 0x400000 [=] PE entry point at 0x407e50 [=] TEB addr is 0x6000 [=] PEB addr is 0x6044 [=] Loading rootfs/x86_windows\Windows\System32\ntdll.dll ... [!] Warnings while loading rootfs/x86_windows\Windows\System32\ntdll.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0 [=] Done with loading rootfs/x86_windows\Windows\System32\ntdll.dll [=] Loading rootfs/x86_windows\Windows\System32\kernel32.dll ... [=] Done with loading rootfs/x86_windows\Windows\System32\kernel32.dll [=] Loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll ... [!] Warnings while loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0 [=] Done with loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-heap-l1-1-0.dll [=] Loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll ... [!] Warnings while loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0 [=] Done with loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-locale-l1-1-0.dll [=] Loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-math-l1-1-0.dll ... [!] Warnings while loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-math-l1-1-0.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] 
- AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0 [=] Done with loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-math-l1-1-0.dll [=] Loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll ... [!] Warnings while loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0 [=] Done with loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-runtime-l1-1-0.dll [=] Loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll ... [!] Warnings while loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll: [!] - SizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8. [!] - AddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x0 [=] Done with loading rootfs/x86_windows\Windows\System32\api-ms-win-crt-stdio-l1-1-0.dll [=] Loading rootfs/x86_windows\Windows\System32\vcruntime140.dll ... 
[=] Done with loading rootfs/x86_windows\Windows\System32\vcruntime140.dll [=] LoadLibraryA(lpLibFileName = "KERNEL32.DLL") = 0x6b800000 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "LoadLibraryA") = 0x6b820bd0 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetProcAddress") = 0x6b81f550 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "IsDebuggerPresent") = 0x6b8220d0 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "InitializeSListHead") = 0x6b89c1f4 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetSystemTimeAsFileTime") = 0x6b81f390 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetCurrentThreadId") = 0x6b81df10 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetCurrentProcessId") = 0x6b822e90 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "QueryPerformanceCounter") = 0x6b81df40 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "IsProcessorFeaturePresent") = 0x6b820b70 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "TerminateProcess") = 0x6b819910 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetCurrentProcess") = 0x6b822e80 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "SetUnhandledExceptionFilter") = 0x6b821720 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "UnhandledExceptionFilter") = 0x6b835c40 [=] GetProcAddress(hModule = 0x6b800000, lpProcName = "GetModuleHandleW") = 0x6b820e50 [=] LoadLibraryA(lpLibFileName = "api-ms-win-crt-heap-l1-1-0.dll") = 0x10000000 [=] GetProcAddress(hModule = 0x10000000, lpProcName = "_set_new_mode") = 0x100015d5 [=] LoadLibraryA(lpLibFileName = "api-ms-win-crt-locale-l1-1-0.dll") = 0x10010000 [=] GetProcAddress(hModule = 0x10010000, lpProcName = "_configthreadlocale") = 0x100113f3 [=] LoadLibraryA(lpLibFileName = "api-ms-win-crt-math-l1-1-0.dll") = 0x10020000 [=] GetProcAddress(hModule = 0x10020000, lpProcName = "__setusermatherr") = 0x100223ca [=] LoadLibraryA(lpLibFileName = "api-ms-win-crt-runtime-l1-1-0.dll") = 0x10030000 [=] 
GetProcAddress(hModule = 0x10030000, lpProcName = "_configure_narrow_argv") = 0x100318e8 [=] GetProcAddress(hModule = 0x10030000, lpProcName = "__p___argc") = 0x10031654 [=] GetProcAddress(hModule = 0x10030000, lpProcName = "_initialize_onexit_table") = 0x10031e13 [=] GetProcAddress(hModule = 0x10030000, lpProcName = "_exit") = 0x10031aaf [=] GetProcAddress(hModule = 0x10030000, lpProcName = "_c_exit") = 0x1003188e [=] GetProcAddress(hModule = 0x10030000, lpProcName = "_crt_atexit") = 0x100319d7 [=] GetProcAddress(hModule = 0x10030000, lpProcName = "_controlfp_s") = 0x10031986 [=] GetProcAddress(hModule = 0x10030000, lpProcName = "terminate") = 0x100325e2 [=] GetProcAddress(hModule = 0x10030000, lpProcName = "exit") = 0x100323c1 [=] GetProcAddress(hModule = 0x10030000, lpProcName = "_initterm_e") = 0x10031ea1 [=] GetProcAddress(hModule = 0x10030000, lpProcName = "_register_thread_local_exe_atexit_callback") = 0x10031ffa [=] GetProcAddress(hModule = 0x10030000, lpProcName = "_cexit") = 0x100318a6 [=] GetProcAddress(hModule = 0x10030000, lpProcName = "__p___argv") = 0x10031673 [=] GetProcAddress(hModule = 0x10030000, lpProcName = "_set_app_type") = 0x100320e4 [=] GetProcAddress(hModule = 0x10030000, lpProcName = "_seh_filter_exe") = 0x1003208c [=] GetProcAddress(hModule = 0x10030000, lpProcName = "_initterm") = 0x10031e82 [=] GetProcAddress(hModule = 0x10030000, lpProcName = "_get_initial_narrow_environment") = 0x10031b5e [=] GetProcAddress(hModule = 0x10030000, lpProcName = "_register_onexit_function") = 0x10031fac [=] GetProcAddress(hModule = 0x10030000, lpProcName = "_initialize_narrow_environment") = 0x10031dd2 [=] LoadLibraryA(lpLibFileName = "api-ms-win-crt-stdio-l1-1-0.dll") = 0x10040000 [=] GetProcAddress(hModule = 0x10040000, lpProcName = "__stdio_common_vfprintf") = 0x10041831 [=] GetProcAddress(hModule = 0x10040000, lpProcName = "__p__commode") = 0x100417e4 [=] GetProcAddress(hModule = 0x10040000, lpProcName = "_set_fmode") = 0x100423f7 [=] 
GetProcAddress(hModule = 0x10040000, lpProcName = "__acrt_iob_func") = 0x100417be [=] LoadLibraryA(lpLibFileName = "VCRUNTIME140.dll") = 0x10050000 [=] GetProcAddress(hModule = 0x10050000, lpProcName = "memset") = 0x100538a0 [=] GetProcAddress(hModule = 0x10050000, lpProcName = "__current_exception_context") = 0x100562f0 [=] GetProcAddress(hModule = 0x10050000, lpProcName = "__current_exception") = 0x100562e0 [=] GetProcAddress(hModule = 0x10050000, lpProcName = "_except_handler4_common") = 0x10053ff0 [=] VirtualProtect(lpAddress = 0x400000, dwSize = 0x1000, flNewProtect = 0x4, lpflOldProtect = 0xffffcfdc) = 0x1 [=] VirtualProtect(lpAddress = 0x400000, dwSize = 0x1000, flNewProtect = 0, lpflOldProtect = 0xffffcfdc) = 0x1 [=] GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0xffffcfe0) [=] GetCurrentThreadId() = 0x0 [=] GetCurrentProcessId() = 0x7cc [=] QueryPerformanceCounter(lpPerformanceCount = 0xffffcfd8) = 0x0 [=] IsProcessorFeaturePresent(ProcessorFeature = 0xa) = 0x1 [=] _initterm_e(pfbegin = 0x4020e0, pfend = 0x4020ec) = 0x0 [=] _initterm(pfbegin = 0x4020d4, pfend = 0x4020dc) [=] _get_initial_narrow_environment() = 0x0 [=] __p___argv() = 0x5000b23 [=] __p___argc() = 0x5000b27 [=] Loading rootfs/x86_windows\Windows\System32\ucrtbased.dll ... [=] Done with loading rootfs/x86_windows\Windows\System32\ucrtbased.dll [=] LoadLibraryA(lpLibFileName = "ucrtbased.dll") = 0x10070000 [=] GetProcAddress(hModule = 0x10070000, lpProcName = "strcpy_s") = 0x1012e1a0 [=] __acrt_iob_func(idx = 0x1) = 0x0 funcA OK! [=] __stdio_common_vfprintf(_Options = 0, _Stream = 0, _Format = "funcA OK!\n", _Locale = 0, _ArgList = 0xffffcfb8) = 0xa [=] GetModuleHandleW(lpModuleName = 0) = 0x400000 [=] exit(status = 0)

How can I send my test file to you?

LakerMoon avatar Apr 21 '22 12:04 LakerMoon

@LakerMoon, I am not sure whether there is still a problem here. If there is, you can share a link to the program in question and I'll try to debug it. If there is no problem, kindly close this issue.

elicn avatar May 01 '22 07:05 elicn

@LakerMoon, I am not sure whether there is still a problem here. If there is, you can share a link to the program in question and I'll try to debug it. If there is no problem, kindly close this issue.

my program: [ testPE32upx.exe ] Link:https://cowtransfer.com/s/ee1ceef40dbf46

LakerMoon avatar May 09 '22 06:05 LakerMoon

It looks like the packed binary does run, even though it fails afterwards - probably for another reason: image Please check out the dev branch and see if it works for you; it will take about a minute for the binary to unpack.

elicn avatar May 09 '22 09:05 elicn

I use the master branch; it fails before unpacking. Do you use the dev branch?

LakerMoon avatar May 09 '22 09:05 LakerMoon

It looks like the packed binary does run, even though it fails afterwards - probably for another reason: image Please check out the dev branch and see if it works for you; it will take about a minute for the binary to unpack.

I will try the dev branch.

LakerMoon avatar May 09 '22 09:05 LakerMoon

I used the dev branch and ran the packed binary. It doesn't work: ExitProcess is called before it reaches the OEP. image image

LakerMoon avatar May 12 '22 09:05 LakerMoon

Closing for now.

We have updated the Qiling and Unicorn codebases since this issue was posted.

Feel free to try the latest version.

xwings avatar Oct 06 '22 03:10 xwings