"Warning, ImmSetHotKey, Structure analysis stopped making progress, quitting. Please report this issue"

Open cubiclesoft opened this issue 4 years ago • 2 comments

I am encountering a situation where a standard Microsoft DLL (C:\Windows\SysWOW64\imm32.dll) does not load normally. The loader maps the file into RAM but then DllMain() returns a failure code. Due to the method I'm using to load files and the fact that imm32.dll is a critical path DLL for nearly all applications, I can't get VS to hook into the situation to try to sanely debug the issue. So static disassembly it is! It's been about a decade since I last tried a static binary decompiler, so I was kind of hoping that the state of the art had improved somewhat, as decompilers for binaries were pretty pathetic a decade ago, producing complete gibberish except for the simplest of programs. Figured I would try Reko to decompile the DLL into something that might make more sense than a straight disassembly. It sort of works! I've read the guide for Reko but I'm not entirely sure that I'm using the software correctly.

At any rate, when running "Reconstruct data types" some errors and warnings are emitted, including a message to report the issue here:

Error,4F00344F,An error occurred while processing the statement branch (Mem288[eax_286 + 0x130<32>:byte] & 0x10<8>) != 0<8> l4F0066AE. Specified argument was out of the range of valid values.
Parameter name: bitSize 
Error,4F00CB7A,An error occurred while processing the statement eax_103 = WideCharToMultiByte(0<32>, 0<32>, fp - 0x110<32>, ecx_66 - (fp - 0x10E<32>) >> 1<32>, dwArg08, dwArg0C, 0<32>, fp - 0x168<32>). Not handling ptr32 and (union (int32 u1) (ptr32 u0)) yet 
Error,4F00CD3C,An error occurred while processing the statement eax_111 = WideCharToMultiByte(0<32>, 0<32>, fp - 0xAC<32>, ecx_114 - (fp - 0xAA<32>) >> 1<32>, dwArg08, dwArg0C, 0<32>, fp - 0x168<32>). Not handling ptr32 and (union (int32 u1) (ptr32 u0)) yet 
Warning,ImmSetHotKey,Structure analysis stopped making progress, quitting. Please report this issue at https://github.com/uxmal/reko
Warning,4F0010B8,Expected sizes of arrays to have been determined by now
Warning,4F0010F8,Expected sizes of arrays to have been determined by now
Warning,4F01A5E0,Expected sizes of arrays to have been determined by now
Warning,4F01A9E0,Expected sizes of arrays to have been determined by now

There are a ton of earlier warnings about being unable to resolve imported references and clicking "File -> Add binary file..." to try to add the relevant files does nothing? Looking around the issues, #804 seems relevant. I probably don't need to import the other files since the signatures are visible, but seeing a bunch of warnings implies that Reko was unable to do something it was expecting to be able to do and/or might be subsequently related to the latter messages.

Anywho, opening this issue since the software said to report. So there you go, it's now reported.

In case anyone is curious:

Relevant repo: https://github.com/cubiclesoft/createprocess-windows The /createtoken option starts a process as any user as a direct child of a non-elevated process of the current user. See issue 3 on the bug tracker for the gory details about 'imm32.dll'.

cubiclesoft, May 15 '21 01:05

> There are a ton of earlier warnings about being unable to resolve imported references

You can resolve import references by adding metafiles using File -> Add metadata file.... Metafiles can be *.xml in internal Reko format, a preprocessed C header (*.inc) or a Windows module definition (*.def).

ptomin, May 15 '21 08:05

"Structure analysis stopped making progress, quitting" is a non-fatal warning. It means structure analysis goes into an infinite loop for some reason. Maybe there is a bug in previous stages of Reko analysis. It would be nice if you attached the *.dll you are decompiling. In spite of this warning, it should be possible to see the decompiled code of this procedure.

ptomin, May 15 '21 08:05