Emu start failed after I use UniPE to run a PE file (32).
"Loading Address: CCCCCCCC"? Why is "CCCCCCCC" in reg_eip, and why did an error occur in hook Segment? Please help me.
FS : 020C4000
Stack : 03FB0000
Stack Region : 03FB0000 - 040B0000
Loading Address: CCCCCCCC
Image Size : CCCCCCCC
Image Region : CCCCCCCC - 99999998
0xCCCCCCCC Missing memory at 0xCCCCCCCC, data size = 1, data value = 0x0
EAX=00000000 EBX=00000000 ECX=00000000 EDX=00000000 ESI=00000000 EDI=00000000 EBP=00000000 ESP=040AFFE0 EIP=CCCCCCCC
o d I s Z a P c
Failed on uc_emu_start() with error returned 8: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
EAX=00000000 EBX=00000000 ECX=00000000 EDX=00000000 ESI=00000000 EDI=00000000 EBP=00000000 ESP=040AFFE0 EIP=CCCCCCCC
o d I s Z a P c
Hi,
This is more of a PoC and I haven't looked into it for a long time. I can recommend using Qiling, as they basically reimplemented this idea in a really nice framework.
LakerMoon wrote on Wed, 29 Dec 2021, 10:37:
"Loading Address: CCCCCCCC"? Why is "CCCCCCCC" in reg_eip, and why did an error occur in hook Segment? Please help me.
Emmm, I know it. I just wrote a PoC and loading the PE is OK, but emu start always fails with: READ on unmapped memory, FETCH on unmapped memory.
I can use it to emulate a PE file. Please, I just want to ask some questions:
- Does it have to map DLL memory and parse imports to emulate a complete PE file, for example an .exe?
- I noticed that the value of FS in the setup Segment Regs is the handle of the current thread. In other implementations of PE emulation, FS is a custom value. Why?
- When I try to comment out the hook imports part and just simply emulate, why do I get an error?