qiling not recognize CMOVZ series?
Describe the bug: qiling does not recognize the CMOVZ series?
Sample Code
__text:000000010127AED0 lea rdi, [rbp+var_54A0]
__text:000000010127AED7 mov [rbp+var_22E0], rdi
__text:000000010127AEDE mov rax, [rbp+var_22E0]
__text:000000010127AEE5 call sub_1012BD8F2
__text:000000010127AEEA lea rdi, [rbp+var_5488]
__text:000000010127AEF1 mov [rbp+var_22E8], rdi
__text:000000010127AEF8 mov rax, [rbp+var_22E8]
__text:000000010127B225 mov [rax+rdx], cl
__text:000000010127B228 inc rax
__text:000000010127B22B cmp rax, 4
__text:000000010127B22F mov ecx, 6EA755C0h
__text:000000010127B234 mov edx, 0C7FC21BEh
__text:000000010127B239 cmovz ecx, edx
__text:000000010127B23C mov [rbp+var_324], ecx
__text:000000010127B242 mov [rbp+var_1B20], rax
__text:000000010127B249 jmp loc_10127B0C8
Actual behavior
[INFO][qilingida:1393] A block with only one instruction which is `mov #imm, reg` at 0x10127b239.
[WARNING][qilingida:1371] The address 0x10127aeea where jmp_mbb goes isn't pre_dispatcher or dispatcher block!
[INFO][qilingida:1432] Switch the jmp_bb and next_bb and try again...
[WARNING][qilingida:1360] jmp_mbb at 0x10127b239 the opcode of last instruction mov #0xC7FC21BE.4 , ecx.4 isn't goto
[ERROR][qilingida:1436] Fail to identify microcode blocks at 0x10127b239
[WARNING][qilingida:1519] Fail to force execution by microcode at 0x10127b239, trying legacy approach
Traceback (most recent call last):
File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 809, in activate
self.action_handler.ql_handle_menu_action(self.action_type)
File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 2096, in ql_handle_menu_action
[x.handler() for x in self.menuitems if x.action == action]
File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 2096, in <listcomp>
[x.handler() for x in self.menuitems if x.action == action]
File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1840, in ql_deflat
if not self._search_path():
File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1656, in _search_path
ql.run(begin=ql_bb_start_ea, end=0, count=0xFFF)
File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core.py", line 572, in run
self.os.run()
File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\os\macos\macos.py", line 207, in run
self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core.py", line 708, in emu_start
raise self._internal_exception
File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\utils.py", line 37, in wrapper
return func(*args, **kw)
File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core_hooks.py", line 91, in _hook_trace_cb
ret = hook.call(ql, addr, size)
File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core_hooks_types.py", line 25, in call
return self.callback(ql, *args)
File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1520, in _guide_hook
result = self._force_execution_by_parsing_assembly(ql, ida_addr)
File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1469, in _force_execution_by_parsing_assembly
reg2_val = ql.arch.regs.__getattribute__(reg2)
AttributeError: 'QlRegisterManager' object has no attribute 'edx'
Can u try that in unicorn 2 rc7 ?
Can u try that in unicorn 2 rc7 ?
I already installed unicorn-2.0.0rc7. This error occurs with this unicorn version.
This doesn't look like a UC bug, nor Qiling's. This is a `qilingida` bug, which seems to have been left unmaintained for a long time. But note it's weird that looking for `edx` fails — @elicn, is `ql.arch.regs.__getattribute__(reg2)` usage supported?
No, it doesn't. It should have been `__getattr__` or simply `[]`. The `idaqiling` code needs a decent refactor, but I don't have an IDA license to test it.
No, it doesn't. It should have been `__getattr__` or simply `[]`. The `idaqiling` code needs a decent refactor, but I don't have an IDA license to test it.
I replaced the `__getattribute__` with `__getattr__` in `qilingida.py`:
__text:000000010127B6E5 mov r12b, 1
__text:000000010127B6E8 test r12b, r14b
__text:000000010127B6EB cmovnz rbx, [rax+10h]
__text:000000010127B6F0 mov rdi, r15
__text:000000010127B6F3 call sub_101279ED2
[WARNING][qilingida:1384] next_mbb at 0x10127b6eb the opcode of first instruction ldx ds.2 , (rax.8{42}+ #0x10.8 ) , rbx.8 isn't mov
[INFO][qilingida:1432] Switch the jmp_bb and next_bb and try again...
[WARNING][qilingida:1360] jmp_mbb at 0x10127b6eb the opcode of last instruction ldx ds.2 , (rax.8{42}+ #0x10.8 ) , rbx.8 isn't goto
[ERROR][qilingida:1436] Fail to identify microcode blocks at 0x10127b6eb
[WARNING][qilingida:1521] Fail to force execution by microcode at 0x10127b6eb, trying legacy approach
Traceback (most recent call last):
File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 809, in activate
self.action_handler.ql_handle_menu_action(self.action_type)
File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 2098, in ql_handle_menu_action
[x.handler() for x in self.menuitems if x.action == action]
File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 2098, in <listcomp>
[x.handler() for x in self.menuitems if x.action == action]
File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1842, in ql_deflat
if not self._search_path():
File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1658, in _search_path
ql.run(begin=ql_bb_start_ea, end=0, count=0xFFF)
File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core.py", line 572, in run
self.os.run()
File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\os\macos\macos.py", line 207, in run
self.ql.emu_start(self.ql.loader.entry_point, self.exit_point, self.ql.timeout, self.ql.count)
File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core.py", line 708, in emu_start
raise self._internal_exception
File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\utils.py", line 37, in wrapper
return func(*args, **kw)
File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core_hooks.py", line 91, in _hook_trace_cb
ret = hook.call(ql, addr, size)
File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\core_hooks_types.py", line 25, in call
return self.callback(ql, *args)
File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1522, in _guide_hook
result = self._force_execution_by_parsing_assembly(ql, ida_addr)
File "C:/Program Files (x86)/Hex-Rays IDA Professional/plugins/qilingida.py", line 1470, in _force_execution_by_parsing_assembly
reg2_val = ql.arch.regs.__getattr__(reg2)
File "C:\Program Files (x86)\Hex-Rays IDA Professional\python-3\Lib\site-packages\qiling\arch\register.py", line 41, in __getattr__
return super().__getattribute__(name)
AttributeError: 'QlRegisterManager' object has no attribute '[rax+10h]'
This is essentially broken; the code cannot just parse that string as-is — `[rax+10h]` is a memory operand, not a register name, so no register lookup will ever resolve it. The code needs to break the memory dereference into its elements (base register, index, displacement) and calculate the result (similar to what we do in the trace extension).