
problem with emulating FreeBSD binary

Open dodaeche opened this issue 4 years ago • 13 comments

Sorry, this is not a bug report, just a question about errors when emulating with Qiling. I'm new to the Qiling framework and have trouble emulating a FreeBSD ELF (64-bit) binary which just calls printf("hello world\n").

First, for the sake of convenience, I used sshfs for mounting to make rootfs.

$ mkdir ./freebsd_fs
$ sshfs root@my_freebsd64:/ ./freebsd_fs

Next, I ran qltool to emulate target binary.

$ qltool run -f ./freebsd_fs/tmp/hw64 --rootfs ./freebsd_fs 

I expected hello, world but could not get that message. Below is the output of qltool. What's the problem? I want to get hello, world with Qiling.

$ qltool run -f ./freebsd_fs/tmp/hw64 --rootfs ./freebsd_fs 
[x] [os.py:95]	

[x] [os.py:101]	ah	:	 0x0
[x] [os.py:101]	al	:	 0x0
[x] [os.py:101]	ch	:	 0x0
[x] [os.py:101]	cl	:	 0x41
[x] [os.py:101]	dh	:	 0x0
[x] [os.py:101]	dl	:	 0x41
[x] [os.py:101]	bh	:	 0x4b
[x] [os.py:101]	bl	:	 0xde
[x] [os.py:101]	ax	:	 0x0
[x] [os.py:101]	cx	:	 0x41
[x] [os.py:101]	dx	:	 0x41
[x] [os.py:101]	bx	:	 0x4bde
[x] [os.py:101]	sp	:	 0xe370
[x] [os.py:101]	bp	:	 0xee78
[x] [os.py:101]	si	:	 0x4bde
[x] [os.py:101]	di	:	 0x1
[x] [os.py:101]	ip	:	 0x0
[x] [os.py:101]	eax	:	 0x0
[x] [os.py:101]	ecx	:	 0x41
[x] [os.py:101]	edx	:	 0x41
[x] [os.py:101]	ebx	:	 0x604bde
[x] [os.py:101]	esp	:	 0xffffe370
[x] [os.py:101]	ebp	:	 0xffffee78
[x] [os.py:101]	esi	:	 0x604bde
[x] [os.py:101]	edi	:	 0x1
[x] [os.py:101]	eip	:	 0x0
[x] [os.py:101]	rax	:	 0x0
[x] [os.py:101]	rbx	:	 0x800604bde
[x] [os.py:101]	rcx	:	 0x41
[x] [os.py:101]	rdx	:	 0x41
[x] [os.py:101]	rsi	:	 0x800604bde
[x] [os.py:101]	rdi	:	 0x1
[x] [os.py:101]	rbp	:	 0x7fffffffee78
[x] [os.py:101]	rsp	:	 0x7fffffffe370
[x] [os.py:101]	r8	:	 0xfefefefefefefeff
[x] [os.py:101]	r9	:	 0x8080808080808080
[x] [os.py:101]	r10	:	 0x0
[x] [os.py:101]	r11	:	 0x0
[x] [os.py:101]	r12	:	 0x7ffffffde000
[x] [os.py:101]	r13	:	 0x7fffffffee90
[x] [os.py:101]	r14	:	 0x7ffffffde000
[x] [os.py:101]	r15	:	 0x0
[x] [os.py:101]	rip	:	 0x0
[x] [os.py:101]	cr0	:	 0x11
[x] [os.py:101]	cr1	:	 0x0
[x] [os.py:101]	cr2	:	 0x0
[x] [os.py:101]	cr3	:	 0x0
[x] [os.py:101]	cr4	:	 0x0
[x] [os.py:101]	cr5	:	 0x0
[x] [os.py:101]	cr6	:	 0x0
[x] [os.py:101]	cr7	:	 0x0
[x] [os.py:101]	cr8	:	 0x0
[x] [os.py:101]	cr9	:	 0x0
[x] [os.py:101]	cr10	:	 0x0
[x] [os.py:101]	cr11	:	 0x0
[x] [os.py:101]	cr12	:	 0x0
[x] [os.py:101]	cr13	:	 0x0
[x] [os.py:101]	cr14	:	 0x0
[x] [os.py:101]	cr15	:	 0x0
[x] [os.py:101]	st0	:	 0x0
[x] [os.py:101]	st1	:	 0x0
[x] [os.py:101]	st2	:	 0x0
[x] [os.py:101]	st3	:	 0x0
[x] [os.py:101]	st4	:	 0x0
[x] [os.py:101]	st5	:	 0x0
[x] [os.py:101]	st6	:	 0x0
[x] [os.py:101]	st7	:	 0x0
[x] [os.py:101]	ef	:	 0x14
[x] [os.py:101]	cs	:	 0x1b
[x] [os.py:101]	ss	:	 0x28
[x] [os.py:101]	ds	:	 0x28
[x] [os.py:101]	es	:	 0x28
[x] [os.py:101]	fs	:	 0x0
[x] [os.py:101]	gs	:	 0x0
[x] [os.py:101]	r8b	:	 0xff
[x] [os.py:101]	r9b	:	 0x80
[x] [os.py:101]	r10b	:	 0x0
[x] [os.py:101]	r11b	:	 0x0
[x] [os.py:101]	r12b	:	 0x0
[x] [os.py:101]	r13b	:	 0x90
[x] [os.py:101]	r14b	:	 0x0
[x] [os.py:101]	r15b	:	 0x0
[x] [os.py:101]	r8w	:	 0xfeff
[x] [os.py:101]	r9w	:	 0x8080
[x] [os.py:101]	r10w	:	 0x0
[x] [os.py:101]	r11w	:	 0x0
[x] [os.py:101]	r12w	:	 0xe000
[x] [os.py:101]	r13w	:	 0xee90
[x] [os.py:101]	r14w	:	 0xe000
[x] [os.py:101]	r15w	:	 0x0
[x] [os.py:101]	r8d	:	 0xfefefeff
[x] [os.py:101]	r9d	:	 0x80808080
[x] [os.py:101]	r10d	:	 0x0
[x] [os.py:101]	r11d	:	 0x0
[x] [os.py:101]	r12d	:	 0xfffde000
[x] [os.py:101]	r13d	:	 0xffffee90
[x] [os.py:101]	r14d	:	 0xfffde000
[x] [os.py:101]	r15d	:	 0x0
[x] [os.py:103]	

[x] [os.py:104]	PC = 0x0
[x] [os.py:108]	 (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64+0x0)
[=] [memory.py:133]	[+] Start      End        Perm.  Path
[=] [memory.py:139]	[+] 00030000 - 00031000 - rwx    [GDT] (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64)
[=] [memory.py:139]	[+] 00400000 - 00401000 - r-x    /home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64 (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64)
[=] [memory.py:139]	[+] 00600000 - 00601000 - rw-    /home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64 (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64)
[=] [memory.py:139]	[+] 00601000 - 00603000 - rwx    [hook_mem]
[=] [memory.py:139]	[+] 800600000 - 800628000 - rwx    /home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/libexec/ld-elf.so.1
[=] [memory.py:139]	[+] 7ffffffde000 - 7ffffffff000 - rwx    [stack]
[x] [os.py:120]	Error: PC(0x0) Unreachable
Traceback (most recent call last):
  File "/home/pdpd/.local/bin/qltool", line 299, in <module>
    ql.run(timeout=timeout)
  File "/home/pdpd/.local/lib/python3.8/site-packages/qiling/core.py", line 765, in run
    self.os.run()
  File "/home/pdpd/.local/lib/python3.8/site-packages/qiling/os/freebsd/freebsd.py", line 40, in run
    self.ql.emu_start(self.ql.loader.entry_point, self.ql.loader.elf_entry, self.ql.timeout)
  File "/home/pdpd/.local/lib/python3.8/site-packages/qiling/core.py", line 994, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "/home/pdpd/.local/lib/python3.8/site-packages/unicorn/unicorn.py", line 317, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
$ 

dodaeche avatar Feb 26 '21 11:02 dodaeche

Hi, thanks for your interest. Where does your rootfs come from?

wtdcode avatar Feb 26 '21 11:02 wtdcode

Hi, as you can see above, I used sshfs to mount the remote FreeBSD server (my_freebsd64, IP 192.168.152.3):

sshfs root@my_freebsd64:/ ./freebsd_fs

This way, I could skip copying all the .so files to the local Linux machine where Qiling is running.

But I also copied the .so files to Linux and tried; qltool still gave the same errors. Thanks.

dodaeche avatar Feb 27 '21 10:02 dodaeche

What's your FreeBSD, ld and libc version? We need to reproduce this locally.

wtdcode avatar Feb 27 '21 10:02 wtdcode

My FreeBSD is installed from the official website's FreeBSD-12.2-RELEASE-amd64-dvd1.iso.

pdpd ~ # uname -a
FreeBSD pdpd 12.2-RELEASE FreeBSD 12.2-RELEASE r366954 GENERIC  amd64

pdpd tmp # ld --version
LLD 10.0.1 (FreeBSD llvmorg-10.0.1-0-gef32c611aa2-1200012) (compatible with GNU linkers)
pdpd tmp # 

pdpd tmp # pkg info | grep glib
glib-2.66.7,1                  Some useful routines of C programming (current stable version)
pdpd tmp #  

thanks.

dodaeche avatar Feb 27 '21 12:02 dodaeche

Hmmm, could you post your ld and libc of the rootfs you specify?

wtdcode avatar Mar 01 '21 07:03 wtdcode

Are you trying to emulate a FreeBSD binary, or emulate a Linux binary in FreeBSD?

xwings avatar Mar 01 '21 08:03 xwings

@wtdcode I attached ld, libc, ld-elf.so.1 and hw64 (compiled with gcc -o hw64 hw.c -no-pie on FreeBSD): emu_files.zip

@xwings Hi, I want to emulate a FreeBSD binary on Linux. I ran again with the rootfs bundled with Qiling and got the same error from qltool.

On Linux:
$ qltool run -f ./freebsd_fs/tmp/hw64 --rootfs ./rootfs/x8664_freebsd
...
[x] [os.py:104]	PC = 0x0
[x] [os.py:108]	 (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64+0x0)
[=] [memory.py:133]	[+] Start      End        Perm.  Path
[=] [memory.py:139]	[+] 00030000 - 00031000 - rwx    [GDT] (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64)
[=] [memory.py:139]	[+] 00400000 - 00401000 - r-x    /home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64 (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64)
[=] [memory.py:139]	[+] 00600000 - 00601000 - rw-    /home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64 (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64)
[=] [memory.py:139]	[+] 00601000 - 00603000 - rwx    [hook_mem]
[=] [memory.py:139]	[+] 800600000 - 800624000 - rwx    /home/pdpd/Desktop/work/fuzz/qiling_ex/rootfs/x8664_freebsd/libexec/ld-elf.so.1
[=] [memory.py:139]	[+] 7ffffffde000 - 7ffffffff000 - rwx    [stack]
[x] [os.py:120]	Error: PC(0x0) Unreachable

Correct me if I missed something. Thanks.

dodaeche avatar Mar 01 '21 12:03 dodaeche

FreeBSD is not done yet. Feel free to complete it. :)

xwings avatar Mar 02 '21 08:03 xwings

Pushed a fix 14504f1a, but the lib you provided may be wrong, as the output on my machine is:

ld-elf.so.1: /lib/libc.so.7: invalid file format

Could you try again with the latest code?

wtdcode avatar Mar 03 '21 09:03 wtdcode

Thanks @wtdcode. I installed that version and tried again.

1. Test with the remote FreeBSD rootfs
pdpd@ubuntu:~/Desktop/work/fuzz/qiling_ex$ qltool run -f ./freebsd_fs/tmp/hw64 --rootfs ./freebsd_fs/
[!]	0x7ffff7df2458: syscall ql_syscall___sysctl number = 0xca(202) not implemented
[=]	0x7ffff7df2518: mmap2(addr=0x0, length=0x20000, prot=0x3, flags=0x1002, fd=0xffffffff, pgoffset=0x0)
[=]	0x7ffff7df23f8: mprotect(start=0x7ffff7df9000, len=0x1000, prot=0x1)
[=]	0x7ffff7df2478: issetugid()
[=]	0x7ffff7df24b8: getcwd(buff=0x7fffffffe378, buffsize=0x400)
[!]	0x7ffff7df2458: syscall ql_syscall___sysctl number = 0xca(202) not implemented
[!]	0x7ffff7df2328: syscall ql_syscall_nosys number = 0x0(0) not implemented
[!]	0x7ffff7df2458: syscall ql_syscall___sysctl number = 0xca(202) not implemented
[!]	0x7ffff7df2328: syscall ql_syscall_nosys number = 0x0(0) not implemented
[=]	0x7ffff7df27b8: openat(fd=0xffffff9c, path=0x7ffff7dd9407, flags=0x100000, mode=0x0)
[!]	0x7ffff7df2458: syscall ql_syscall___sysctl number = 0xca(202) not implemented
[!]	0x7ffff7df2328: syscall ql_syscall_nosys number = 0x0(0) not implemented
[=]	0x7ffff7df2838: read(fd=0x3, buf=0x7fffb7ddb000, len=0x0)
[=]	0x7ffff7df2678: close(fd=0x3)
[=]	0x7ffff7df27b8: openat(fd=0xffffff9c, path=0x7ffff7dd9883, flags=0x100000, mode=0x0)
[=]	0x7ffff7df2838: read(fd=0x3, buf=0x7ffff7dfbe68, len=0x80)
[=]	0x7ffff7df2678: close(fd=0x3)
[=]	0x7ffff7df27b8: openat(fd=0xffffff9c, path=0x7fffb7ddd000, flags=0x300000, mode=0x0)
[=]	0x7ffff7df27b8: openat(fd=0xffffff9c, path=0x7fffb7ddd000, flags=0x300000, mode=0x0)
[!]	0x7ffff7df2458: syscall ql_syscall___sysctl number = 0xca(202) not implemented
[!]	0x7ffff7df2328: syscall ql_syscall_nosys number = 0x0(0) not implemented
[=]	0x7ffff7df2678: close(fd=0x3)
[=]	0x7ffff7df2a38: write(fd=0x2, buf=0x7ffff7dd8a4b, count=0xd)
ld-elf.so.1: [=]	0x7ffff7df2a38: write(fd=0x2, buf=0x7ffff7dfb6c0, count=0x23)
/lib/libc.so.7: invalid file format[=]	0x7ffff7df2a38: write(fd=0x2, buf=0x7fffffffe347, count=0x1)
[=]	0x7ffff7df2558: exit(code=0x1)
[x]	ah	:	 0x0
...
[x]	PC = 0x400470
[x]	 (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64+0x400470)
[=]	[+] Start      End        Perm.  Path
[=]	[+] 00030000 - 00031000 - rwx    [GDT] (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64)
[=]	[+] 00400000 - 00401000 - r-x    /home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64 (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64)
[=]	[+] 00600000 - 00601000 - rw-    /home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64 (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64)
[=]	[+] 00601000 - 00603000 - rwx    [hook_mem]
[=]	[+] 7fffb7dd6000 - 7fffb7df6000 - rwx    [syscall_mmap2]
[=]	[+] 7ffff7dd5000 - 7ffff7dfd000 - rwx    /home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/libexec/ld-elf.so.1
[=]	[+] 7ffffffde000 - 7ffffffff000 - rwx    [stack]
[x]	['0x55', '0x48', '0x89', '0xe5', '0x41', '0x57', '0x41', '0x56']
[=]	

[=]	0x0000000000400470 {/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64 + 0x000470}   55 48 89 e5 41 57 41 56 41 55 41 54 53 50 49 89 fe 4c 8b 3f 49 63 c7 4c 8d 24 c7 49 83 c4 10 48 83 3d a9 06 20 00 00 75 07 4c 89 25 a0 06 20 00 49 83 c6 08 45 85 ff 7e 08 49 8b 06 48 85 c0 75 push rbp
> mov rbp, rsp
> push r15
> push r14
> push r13
> push r12
> push rbx
> push rax
> mov r14, rdi
> mov r15, qword ptr [rdi]
> movsxd rax, r15d
> lea r12, [rdi + rax*8]
> add r12, 0x10
> cmp qword ptr [rip + 0x2006a9], 0
> jne 0x4004a0
> mov qword ptr [rip + 0x2006a0], r12
> add r14, 8
> test r15d, r15d
> jle 0x4004b1
> mov rax, qword ptr [r14]
> test rax, rax
Traceback (most recent call last):
  File "/home/pdpd/.local/bin/qltool", line 4, in <module>
    __import__('pkg_resources').run_script('qiling==1.2.3.dev0', 'qltool')
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 667, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1463, in run_script
    exec(code, namespace, namespace)
  File "/home/pdpd/.local/lib/python3.8/site-packages/qiling-1.2.3.dev0-py3.8.egg/EGG-INFO/scripts/qltool", line 300, in <module>
    ql.run(timeout=timeout)
  File "/home/pdpd/.local/lib/python3.8/site-packages/qiling-1.2.3.dev0-py3.8.egg/qiling/core.py", line 756, in run
    self.os.run()
  File "/home/pdpd/.local/lib/python3.8/site-packages/qiling-1.2.3.dev0-py3.8.egg/qiling/os/freebsd/freebsd.py", line 45, in run
    self.ql.emu_start(self.ql.loader.elf_entry, self.exit_point, self.ql.timeout, self.ql.count)
  File "/home/pdpd/.local/lib/python3.8/site-packages/qiling-1.2.3.dev0-py3.8.egg/qiling/core.py", line 897, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "/home/pdpd/.local/lib/python3.8/site-packages/unicorn-1.0.2-py3.8-linux-x86_64.egg/unicorn/unicorn.py", line 318, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)
pdpd@ubuntu:~/Desktop/work/fuzz/qiling_ex$ 
2. Test with the bundled rootfs
pdpd@ubuntu:~/Desktop/work/fuzz/qiling_ex$ qltool run -f ./freebsd_fs/tmp/hw64 --rootfs /tmp/qiling/examples/rootfs/x8664_freebsd/
[!]	0x7ffff7def848: syscall ql_syscall___sysctl number = 0xca(202) not implemented
[=]	0x7ffff7def908: mmap2(addr=0x0, length=0x20000, prot=0x3, flags=0x1002, fd=0xffffffff, pgoffset=0x0)
[=]	0x7ffff7def868: issetugid()
[=]	0x7ffff7def8a8: getcwd(buff=0x7fffffffe378, buffsize=0x400)
[!]	0x7ffff7def848: syscall ql_syscall___sysctl number = 0xca(202) not implemented
[!]	0x7ffff7def738: syscall ql_syscall_nosys number = 0x0(0) not implemented
[!]	0x7ffff7def848: syscall ql_syscall___sysctl number = 0xca(202) not implemented
[!]	0x7ffff7def738: syscall ql_syscall_nosys number = 0x0(0) not implemented
[=]	0x7ffff7defba8: openat(fd=0xffffff9c, path=0x7ffff7dd66a3, flags=0x100000, mode=0x0)
[=]	0x7ffff7defba8: openat(fd=0xffffff9c, path=0x7ffff7dd698d, flags=0x100000, mode=0x0)
[=]	0x7ffff7defba8: openat(fd=0xffffff9c, path=0x7fffb7ddb000, flags=0x300000, mode=0x0)
[=]	0x7ffff7defba8: openat(fd=0xffffff9c, path=0x7fffb7ddb000, flags=0x300000, mode=0x0)
[!]	0x7ffff7def848: syscall ql_syscall___sysctl number = 0xca(202) not implemented
[!]	0x7ffff7def738: syscall ql_syscall_nosys number = 0x0(0) not implemented
[=]	0x7ffff7defa68: close(fd=0x3)
[=]	0x7ffff7defe28: write(fd=0x2, buf=0x7ffff7dd5e82, count=0xd)
ld-elf.so.1: [=]	0x7ffff7defe28: write(fd=0x2, buf=0x7ffff7df8400, count=0x23)
/lib/libc.so.7: invalid file format[=]	0x7ffff7defe28: write(fd=0x2, buf=0x7fffffffe347, count=0x1)
[=]	0x7ffff7def948: exit(code=0x1)
...
[x]	PC = 0x400470
[x]	 (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64+0x400470)
[=]	[+] Start      End        Perm.  Path
[=]	[+] 00030000 - 00031000 - rwx    [GDT] (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64)
[=]	[+] 00400000 - 00401000 - r-x    /home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64 (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64)
[=]	[+] 00600000 - 00601000 - rw-    /home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64 (/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64)
[=]	[+] 00601000 - 00603000 - rwx    [hook_mem]
[=]	[+] 7fffb7dd6000 - 7fffb7df6000 - rwx    [syscall_mmap2]
[=]	[+] 7ffff7dd5000 - 7ffff7df9000 - rwx    /tmp/qiling/examples/rootfs/x8664_freebsd/libexec/ld-elf.so.1
[=]	[+] 7ffffffde000 - 7ffffffff000 - rwx    [stack]
[x]	['0x55', '0x48', '0x89', '0xe5', '0x41', '0x57', '0x41', '0x56']
[=]	

[=]	0x0000000000400470 {/home/pdpd/Desktop/work/fuzz/qiling_ex/freebsd_fs/tmp/hw64 + 0x000470}   55 48 89 e5 41 57 41 56 41 55 41 54 53 50 49 89 fe 4c 8b 3f 49 63 c7 4c 8d 24 c7 49 83 c4 10 48 83 3d a9 06 20 00 00 75 07 4c 89 25 a0 06 20 00 49 83 c6 08 45 85 ff 7e 08 49 8b 06 48 85 c0 75 push rbp
> mov rbp, rsp
> push r15
> push r14
> push r13
> push r12
> push rbx
> push rax
> mov r14, rdi
> mov r15, qword ptr [rdi]
> movsxd rax, r15d
> lea r12, [rdi + rax*8]
> add r12, 0x10
> cmp qword ptr [rip + 0x2006a9], 0
> jne 0x4004a0
> mov qword ptr [rip + 0x2006a0], r12
> add r14, 8
> test r15d, r15d
> jle 0x4004b1
> mov rax, qword ptr [r14]
> test rax, rax
Traceback (most recent call last):
  File "/home/pdpd/.local/bin/qltool", line 4, in <module>
    __import__('pkg_resources').run_script('qiling==1.2.3.dev0', 'qltool')
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 667, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python3/dist-packages/pkg_resources/__init__.py", line 1463, in run_script
    exec(code, namespace, namespace)
  File "/home/pdpd/.local/lib/python3.8/site-packages/qiling-1.2.3.dev0-py3.8.egg/EGG-INFO/scripts/qltool", line 300, in <module>
    ql.run(timeout=timeout)
  File "/home/pdpd/.local/lib/python3.8/site-packages/qiling-1.2.3.dev0-py3.8.egg/qiling/core.py", line 756, in run
    self.os.run()
  File "/home/pdpd/.local/lib/python3.8/site-packages/qiling-1.2.3.dev0-py3.8.egg/qiling/os/freebsd/freebsd.py", line 45, in run
    self.ql.emu_start(self.ql.loader.elf_entry, self.exit_point, self.ql.timeout, self.ql.count)
  File "/home/pdpd/.local/lib/python3.8/site-packages/qiling-1.2.3.dev0-py3.8.egg/qiling/core.py", line 897, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "/home/pdpd/.local/lib/python3.8/site-packages/unicorn-1.0.2-py3.8-linux-x86_64.egg/unicorn/unicorn.py", line 318, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)
pdpd@ubuntu:~/Desktop/work/fuzz/qiling_ex$ 

Both cases print the same error, but now the PC register points to 0x400470.

And this is the MD5 hash of libc.so.7 from my FreeBSD machine.

pdpd tmp # uname -a
FreeBSD pdpd 12.2-RELEASE FreeBSD 12.2-RELEASE r366954 GENERIC  amd64
pdpd tmp # md5 /lib/libc.so.7 
MD5 (/lib/libc.so.7) = 402cfd504c6034f383fad6924e4dc1fb
pdpd tmp # 

Thanks for your appreciation.

dodaeche avatar Mar 04 '21 13:03 dodaeche
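The traces above show ld-elf.so.1 rejecting /lib/libc.so.7 with "invalid file format", while the same trace records the loader's header read coming back as read(fd=0x3, ..., len=0x0). The FreeBSD run-time linker prints that message when the header it reads back is short or lacks the ELF magic, so the checker below (an added example, not code from the issue or the Qiling project; it approximates rtld's header tests rather than reusing its code) lets you test the rootfs copy of the library directly and separate a bad library from a broken emulated read.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB, EV_CURRENT = 2, 1, 1
ET_EXEC, ET_DYN = 2, 3
EM_X86_64 = 62
ELFOSABI_FREEBSD = 9
EHDR_SIZE = 64  # sizeof(Elf64_Ehdr)


def validate_elf64_header(buf: bytes) -> str:
    """Return "ok" or a diagnostic in the vocabulary ld-elf.so.1 uses.

    Approximates the checks the FreeBSD run-time linker performs on an
    object's header before mapping it (written for this example, not
    rtld's own code). A short buffer, such as the len=0x0 read seen in
    the issue's trace, or a missing ELF magic gives "invalid file format".
    The OSABI byte is not checked at this stage, so a library for another
    OS with a correct header still passes here.
    """
    if len(buf) < EHDR_SIZE or buf[:4] != ELF_MAGIC:
        return "invalid file format"
    ei_class, ei_data, ei_version = buf[4], buf[5], buf[6]
    if ei_class != ELFCLASS64 or ei_data != ELFDATA2LSB:
        return "unsupported file layout"
    # e_type, e_machine and e_version follow the 16-byte e_ident
    e_type, e_machine, e_version = struct.unpack_from("<HHI", buf, 16)
    if ei_version != EV_CURRENT or e_version != EV_CURRENT:
        return "unsupported file version"
    if e_type not in (ET_EXEC, ET_DYN):
        return "unsupported file type"
    if e_machine != EM_X86_64:
        return "unsupported machine"
    return "ok"


def make_ehdr(e_type=ET_DYN, e_machine=EM_X86_64, ei_class=ELFCLASS64,
              osabi=ELFOSABI_FREEBSD) -> bytes:
    """Build a constructed 64-byte ELF64 header (sample input for tests)."""
    e_ident = ELF_MAGIC + bytes([ei_class, ELFDATA2LSB, EV_CURRENT, osabi]) + b"\0" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return e_ident + struct.pack("<HHIQQQIHHHHHH", e_type, e_machine, EV_CURRENT,
                                 0, EHDR_SIZE, 0, 0, EHDR_SIZE, 56, 0, 64, 0, 0)


def check_file(path: str) -> str:
    """Validate the header of a file on disk, e.g. <rootfs>/lib/libc.so.7."""
    with open(path, "rb") as f:
        return validate_elf64_header(f.read(EHDR_SIZE))


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(f"{p}: {check_file(p)}")
```

If the rootfs copy reports "ok" but the emulated run still prints "invalid file format", the library is fine and the short read in the emulator's syscall layer is the thing to look at.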

Hmmm, at least we are getting the same error. I will investigate it tomorrow.

wtdcode avatar Mar 04 '21 13:03 wtdcode

The implementation of the FreeBSD syscalls has some problems. Working on it.

wtdcode avatar Mar 09 '21 10:03 wtdcode

@wtdcode Thanks, really. I'm waiting for it.

dodaeche avatar Mar 09 '21 11:03 dodaeche

Would you be able to try the latest version of Qiling and see if you still face the same issue? There has been a lot of rework since 2021. Feel free to open a new issue if you have any similar problem.

xwings avatar Oct 06 '22 03:10 xwings