The problem just now is that shemusimulate is an analog function, not a disassembly function #48
Comments
I didn't describe the problem clearly?
The shellcode I tested is mainly 50000 lines of various algorithms, and the simulation has been very correct. Today, I turned off the optimization, but it was wrong. I found that the instruction operation is a little different compared with x64dbg.
Well, no, you didn't describe any problem at all.
Now, let's take it step by step:
shellcode: correct return 1
Error engineering file: bdshemu.c
Error function: ShemuEmulate
Error instruction: movsx eax, byte ptr ds:[rax]
The cause of the error: only al is updated
my fix
"\x48\x83\xEC\x18\xC6\x04\x24\x30\xC6\x44\x24\x01\x00\x48\x8D\x04\x24\x48\x89\x44\x24\x08\xC7\x44\x24\x04\x00\x00\x00\x00\xEB\x17\x48\x8B\x44\x24\x08\x48\xFF\xC0\x48\x89\x44\x24\x08\x8B\x44\x24\x04\xFF\xC0\x89\x44\x24\x04\x48\x8B\x44\x24\x08\x0F\xBE\x00\x85\xC0\x74\x02\xEB\xDB\x8B\x44\x24\x04\x48\x83\xC4\x18\xC3"
This is much better and clear now, and I understand the issue. The problem is that the MOVSX and MOVZX are sometimes emulated wrongly, and they incorrectly update the destination register. I confirm this, as I was able to reproduce this issue, and a fix will soon be pushed. Thank you for reporting this!
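The destination-write rule an emulator has to respect for MOVSX/MOVZX, shown next to the defect reported above (a 32-bit destination written as if it were AL), as an added example in C; this is not bdshemu's code, and the register value and memory bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Write an operand-sized result into a 64-bit GPR the way x86-64 does:
 * 8- and 16-bit writes leave the other bits alone, a 32-bit write
 * zero-extends into the upper half, a 64-bit write replaces everything. */
static uint64_t write_gpr(uint64_t reg, uint64_t value, int dst_bits)
{
    switch (dst_bits) {
    case 8:  return (reg & ~0xFFull)   | (value & 0xFF);
    case 16: return (reg & ~0xFFFFull) | (value & 0xFFFF);
    case 32: return value & 0xFFFFFFFFull;   /* implicit zero-extension */
    default: return value;
    }
}

/* MOVSX (sign_extend = 1) / MOVZX (sign_extend = 0): widen a src_bits-wide
 * source to the destination size and store it with the rule above. */
static uint64_t emulate_movx(uint64_t dst, uint64_t src, int src_bits,
                             int dst_bits, int sign_extend)
{
    uint64_t src_mask = (src_bits == 64) ? ~0ull : ((1ull << src_bits) - 1);
    uint64_t v = src & src_mask;
    if (sign_extend && ((v >> (src_bits - 1)) & 1))
        v |= ~src_mask;                      /* replicate the sign bit upward */
    return write_gpr(dst, v, dst_bits);
}

/* The reported defect: "movsx eax, byte ptr [rax]" updated only AL, so the
 * stale upper bytes of the pointer in RAX survived in EAX. */
static uint64_t buggy_movsx_eax_byte(uint64_t rax, uint8_t mem)
{
    return write_gpr(rax, (uint64_t)(int8_t)mem, 8);
}

int main(void)
{
    /* Constructed: RAX points into the shellcode's stack buffer, whose
     * current byte is the terminating 0x00 that "test eax, eax" must see. */
    uint64_t rax = 0x00007FFC12345678ull;
    printf("correct movsx eax, 0x00: %016llx\n",
           (unsigned long long)emulate_movx(rax, 0x00, 8, 32, 1));
    printf("buggy   movsx eax, 0x00: %016llx (loop never exits)\n",
           (unsigned long long)buggy_movsx_eax_byte(rax, 0x00));
    printf("movsx eax, 0x80: %016llx\n",
           (unsigned long long)emulate_movx(rax, 0x80, 8, 32, 1));
    printf("movzx eax, 0x80: %016llx\n",
           (unsigned long long)emulate_movx(rax, 0x80, 8, 32, 0));
    return 0;
}
```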
Fixed an emulation bug for MOVZX and MOVSX instructions (#48). New shellcode flag - call to Wow32 reserved. New shellcode flag - heaven's gate. New shellcode flag - stack-pivot. Moved bdshemu tests in a password protected zip file, so it doesn't trigger AV detections.
The issue should now be fixed in the latest commit - f605066. Please check it out, and confirm that the problem is fixed.
ok ok ok ok ok perfect
Emulating: 0x000000018002f141 MOVSX eax, byte ptr [rax]
RAX = 0x0000000000000030
RCX = 0x0000000000000000
RDX = 0x0000000000000000
RBX = 0x0000000000000000
In this case, I will close the issue. Other problems can be treated in separate issues.
....