
Wrong 'aeip' result on 16bit x86

Open saruman9 opened this issue 6 years ago • 4 comments

I have a binary file, the firmware of a 16-bit x86 Intel microcontroller. I set the map of the file:

:> om 3 0x3000:0x0000 0xb7890 0x0

Next step - emulation:

:> aei
:> aeim
:> s 0x3000:0x0000
:> aeip
:> ar
ip = 0x00000000
ax = 0x00000000
bx = 0x00000000
cx = 0x00000000
dx = 0x00000000
sp = 0x00008000
bp = 0x00008000
si = 0x00000000
di = 0x00000000
flags = 0x00000000
:> ? cs
0 0x0 00 0 0000:0000 0 "\0" 00000000 0.0 0.000000f 0.000000

But the cs register is set to 0x0 and the ip register is set to 0x0 too, instead of cs = 0x3000, ip = 0x0000. I tried to set up the registers manually, but nothing.

The second problem is the wrong interpretation of the lcall instruction; for example, lcall 0x3000:0x1d6 will jump to 0x0000:0x1d6 instead of 0x3000:0x1d6.

saruman9 avatar Sep 27 '17 14:09 saruman9

For the latter problem: it's a regression, happening from time to time. Thank you.

Please provide the sample file for debugging.

XVilka avatar Sep 28 '17 03:09 XVilka

I can't provide the file which was shown in the example, but I found another file with the same issues: ami_bios.zip

Emulation:

[f000:fff0]> om*
om 3 0xf0000 0x10000 0x70000
[f000:fff0]> aei
[f000:fff0]> aeim
[f000:fff0]> aeip
[f000:fff0]> ar
ip = 0x0000fff0
ax = 0x00000000
bx = 0x00000000
cx = 0x00000000
dx = 0x00000000
sp = 0x00008000
bp = 0x00008000
si = 0x00000000
di = 0x00000000
flags = 0x00000000
[f000:fff0]> ? cs
0 0x0 00 0 0000:0000 0 "\0" 00000000 0.0 0.000000f 0.000000

Long call:

        |   f000:5c42      9a5b040080     lcall 0x8000:0x45b           ;[1]

After pressing 1:

            0000:8000      ff             invalid
            0000:8001      ff             invalid
            0000:8002      ff             invalid

saruman9 avatar Sep 28 '17 07:09 saruman9
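As an added example (not code from the report or from radare2), the real-mode address arithmetic behind the two symptoms above: decoding the lcall ptr16:16 bytes shown at f000:5c42 and mapping segment:offset pairs onto the linear addresses covered by the om map. The map values are the ones from the comment; the function names and the byte string are my own.

```python
import struct

# Values taken from the comment above: "om 3 0xf0000 0x10000 0x70000"
MAP_VADDR, MAP_SIZE, MAP_FILE_OFF = 0xF0000, 0x10000, 0x70000

def linear(seg, off):
    """Real-mode segment:offset -> 20-bit linear address (seg * 16 + off)."""
    return (((seg & 0xFFFF) << 4) + (off & 0xFFFF)) & 0xFFFFF

def decode_lcall(code):
    """Decode a 16-bit 'lcall ptr16:16' (opcode 0x9A, then little-endian
    offset16 and segment16). Returns (segment, offset)."""
    if len(code) < 5 or code[0] != 0x9A:
        raise ValueError("not an lcall ptr16:16 encoding")
    off, seg = struct.unpack_from("<HH", code, 1)
    return seg, off

def map_lookup(lin):
    """Return the file offset backing linear address `lin`, or None if the
    address lies outside the single om map (the emulator reads unmapped
    memory there, which is what the 'invalid' disassembly lines show)."""
    if MAP_VADDR <= lin < MAP_VADDR + MAP_SIZE:
        return lin - MAP_VADDR + MAP_FILE_OFF
    return None

def far_call_targets(code):
    """Expected vs. observed target of the reported lcall, as linear addresses."""
    seg, off = decode_lcall(code)
    expected = linear(seg, off)      # cs:ip should become seg:off
    observed = linear(0x0000, seg)   # the report shows execution at 0000:8000
    return expected, observed

if __name__ == "__main__":
    # Bytes constructed from the disassembly line "9a5b040080 lcall 0x8000:0x45b"
    lcall_bytes = bytes.fromhex("9a5b040080")
    reset = linear(0xF000, 0xFFF0)
    print("reset vector f000:fff0 -> linear %#x, file offset %#x"
          % (reset, map_lookup(reset)))
    exp, obs = far_call_targets(lcall_bytes)
    print("lcall target expected %#x, observed %#x" % (exp, obs))
```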

Hi! A lot has changed since you opened this issue. Could you please double-check whether the problem is still there? If not, please close this issue, otherwise just leave a comment here. Thanks again for opening this.

ret2libc avatar Jun 23 '20 12:06 ret2libc

The issue is still present:

[f000:fff0]> aei; aeim; aeip; ar; ?v cs
ip = 0x0000fff0
ax = 0x00000000
bx = 0x00000000
cx = 0x00000000
dx = 0x00000000
sp = 0x00008000
bp = 0x00008000
si = 0x00000000
di = 0x00000000
flags = 0x00000000
0x0

But the second issue (wrong interpretation of the lcall instruction) was resolved.

Version of r2: 7575d05252d051adbb0a62134ad7c21bbb9311ef

saruman9 avatar Jun 23 '20 13:06 saruman9