radeco
esil is not parsed properly
parser.rs fails to parse esil expressions that contain the DUP opcode:
0,zf,=,cf,401528,+,eax,+,0,cf,=,DUP,0xffffffff,<,?{,1,cf,=,},eax,=,=,0xffffffff,eax,&,!,?{,1,zf,=,}
Also expressions with 'ds' are not parsed:
esp,[4],ds,=,4,esp,+
What is ds? Why should it be parsed?
@radare Well, it was my first question that I asked in #radare xD One can get an expression containing 'ds' with this sample: malware_sample.zip - Password: infected
Which instruction produces this esil?
asm:
0x0042edc0 1e push ds
...
0x0042f5c4 1f pop ds
esil:
0x0042edc0 1e 4,esp,-=,ds,esp,=[4] ; esp=0xfffffffb -> 0xffffff00
...
0x0042f5c4 1f esp,[4],ds,=,4,esp,+=
ok, it's 16bit x86 code. this is ok, the problem is that the ds
register is not in the regprofile, we just need to fix that thing.
ds is the data segment register
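To make the two failures in this thread concrete (the DUP opcode from the first comment and the missing ds register from the push/pop listing above), here is a small ESIL evaluator written for this issue as an added example. It is not radeco's parser.rs and does not mirror its data structures; it only implements the opcodes that appear in the expressions quoted here (=, +, +=, -=, DUP, [4], =[4]), and the register profile is simply a list of names. Any token that is neither a number, an opcode, nor a name in that profile is rejected with UnknownToken, which is exactly what "ds is not in the regprofile" looks like from the parser's side; the same expression evaluates fine once ds is added. The stack values, memory layout and the register profiles are constructed for the example.

```rust
// Added example (not radeco's parser.rs): a minimal ESIL value-stack
// evaluator that checks register names against a register profile.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
enum Item {
    Val(u64),
    Reg(String), // a register name pushed by an ESIL token
}

#[derive(Debug, PartialEq)]
pub enum EsilError {
    /// Token is neither a number, a known opcode, nor a register in the profile.
    UnknownToken(String),
    StackUnderflow(String),
    NotARegister(String),
}

pub struct Vm {
    pub regs: HashMap<String, u64>, // the register profile, name -> value
    pub mem: HashMap<u64, u64>,     // constructed flat memory, address -> dword
    stack: Vec<Item>,
}

impl Vm {
    /// Build a VM whose register profile is exactly `profile`, all zeroed.
    pub fn new(profile: &[&str]) -> Self {
        Vm { regs: profile.iter().map(|r| (r.to_string(), 0)).collect(), mem: HashMap::new(), stack: Vec::new() }
    }

    fn pop(&mut self, op: &str) -> Result<Item, EsilError> {
        self.stack.pop().ok_or_else(|| EsilError::StackUnderflow(op.to_string()))
    }

    fn pop_val(&mut self, op: &str) -> Result<u64, EsilError> {
        match self.pop(op)? {
            Item::Val(v) => Ok(v),
            Item::Reg(r) => Ok(self.regs[&r]), // name was validated when pushed
        }
    }

    fn pop_reg(&mut self, op: &str) -> Result<String, EsilError> {
        match self.pop(op)? {
            Item::Reg(r) => Ok(r),
            Item::Val(v) => Err(EsilError::NotARegister(format!("{} got {:#x}", op, v))),
        }
    }

    fn parse_num(tok: &str) -> Option<u64> {
        match tok.strip_prefix("0x") {
            Some(h) => u64::from_str_radix(h, 16).ok(),
            None => tok.parse::<u64>().ok(),
        }
    }

    /// Execute one comma-separated ESIL expression left to right.
    pub fn run(&mut self, esil: &str) -> Result<(), EsilError> {
        for tok in esil.split(',') {
            self.step(tok)?;
        }
        Ok(())
    }

    fn step(&mut self, tok: &str) -> Result<(), EsilError> {
        match tok {
            "DUP" => { let top = self.pop(tok)?; self.stack.push(top.clone()); self.stack.push(top); }
            "=" => { let dst = self.pop_reg(tok)?; let src = self.pop_val(tok)?; self.regs.insert(dst, src); }
            "+=" | "-=" => {
                let dst = self.pop_reg(tok)?;
                let src = self.pop_val(tok)?;
                let cur = self.regs[&dst];
                let new = if tok == "+=" { cur.wrapping_add(src) } else { cur.wrapping_sub(src) };
                self.regs.insert(dst, new);
            }
            "+" => { let a = self.pop_val(tok)?; let b = self.pop_val(tok)?; self.stack.push(Item::Val(a.wrapping_add(b))); }
            "[4]" => { let addr = self.pop_val(tok)?; let v = *self.mem.get(&addr).unwrap_or(&0); self.stack.push(Item::Val(v & 0xffff_ffff)); }
            "=[4]" => { let addr = self.pop_val(tok)?; let v = self.pop_val(tok)?; self.mem.insert(addr, v & 0xffff_ffff); }
            _ => {
                if let Some(n) = Self::parse_num(tok) {
                    self.stack.push(Item::Val(n));
                } else if self.regs.contains_key(tok) {
                    self.stack.push(Item::Reg(tok.to_string()));
                } else {
                    return Err(EsilError::UnknownToken(tok.to_string())); // e.g. "ds" missing from the profile
                }
            }
        }
        Ok(())
    }
}

/// Runs the `pop ds` expression from the issue against a profile without `ds`
/// (reproducing the failure), then the push/pop pair against one with `ds`.
/// Returns (failing result, round-trip result, final ds, final esp).
pub fn pop_ds_demo() -> (Result<(), EsilError>, Result<(), EsilError>, u64, u64) {
    let push = "4,esp,-=,ds,esp,=[4]";
    let pop = "esp,[4],ds,=,4,esp,+=";
    let mut without = Vm::new(&["esp", "eax"]);
    let failing = without.run(pop);
    let mut with = Vm::new(&["esp", "eax", "ds"]);
    with.regs.insert("esp".to_string(), 0x1000); // constructed initial stack pointer
    with.regs.insert("ds".to_string(), 0x23);    // constructed selector value to save
    let roundtrip = with.run(push).and_then(|_| { with.regs.insert("ds".to_string(), 0); with.run(pop) });
    (failing, roundtrip, with.regs["ds"], with.regs["esp"])
}

/// DUP copies the top of the value stack, so `3,DUP,+,eax,=` leaves eax == 6.
pub fn dup_demo() -> Result<u64, EsilError> {
    let mut vm = Vm::new(&["eax"]);
    vm.run("3,DUP,+,eax,=")?;
    Ok(vm.regs["eax"])
}

fn main() {
    println!("{:?}", pop_ds_demo());
    println!("{:?}", dup_demo());
}
```

The opcode semantics here are the usual ESIL ones for these tokens (dst on top of the stack for assignments, [4] reading a dword at the popped address) but are stated here as the example's own assumption; the comparison and conditional opcodes from the adc expression (<, ?{, }) are deliberately left out, so feeding that full expression to this VM also yields UnknownToken.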
@kriw @HMPerson1 @chinmaydd please check if this is still applicable. If not, close.