SkyLined / BugId

Detect, analyze and uniquely identify crashes in Windows applications
https://bugid.skylined.nl

Unrecognised instruction disassembly line #110

Closed zeltrax00 closed 1 year ago

zeltrax00 commented 1 year ago

I don't know what it is, but it says that I can create a new issue here

┌───[ Warning ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ You are running Python 3.9.7, which is outdated.
│ Please update Python to the latest version!
└───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
┌───[ Software license warning ]────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ ▲ You have no license for BugId and your trial period will expire on December 28th, 2022
│ ▲ You have no license for mBugId and your trial period will expire on December 28th, 2022
└───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
→ Command line: D:\Projects\winafl\build32\bin\x86\Harness.exe R:\winafl-out\XXXX\fuzzer01\crashes\id_000004_00_EXCEPTION_ACCESS_VIOLATION
+ Main process 35172/0x8964 (Harness.exe, x86, IL:2): Attached (Harness.exe R:\winafl-out\XXXX\fuzzer01\crashes\id_000004_00_EXCEPTION_ACCESS_VIOLATION).
┌───[ Fatal builtins.AssertionError Exception in thread 30888/0x78A8 (cThread#14D015D6100{main = __fRun, #30888, running}) ]────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ Unrecognised instruction disassembly line:
│ b'XXXX+0x2ca34:'
│ 
│ Local variables:
│   aoInstructions = []#14D01687640
│   asbDisassemblyOutput = [<instance builtins:bytes "b'XXXX+0x2ca34:'">#14D01695360, <instance builtins:bytes "b'05d5ca34 8b7e6c          mov     edi,dword ptr [esi+6Ch]'">#14D016A5F90]#14D016AB940
│   ob0InstructionMatch = None
│   ob0InvalidInstructionMatch = None
│   oProcess = <mBugId.cProcess.cProcess.cProcess object at 0x0000014D0167E8E0>#14D0167E8E0
│   sbCommand = <instance builtins:bytes "b'u 0x5D5CA34 L1'">#14D01695C90
│   sbComment = <instance builtins:bytes "b'Disassemble instruction at 0x5D5`CA34'">#14D0166A940
│   sbDisassemblyOutputLine = <instance builtins:bytes "b'XXXX+0x2ca34:'">#14D01695360
│ 
│ Stack for thread 30888/0x78A8 (cThread#14D015D6100{main = __fRun, #30888, running}):
│ ─┐ __fRun @ D:\Projects\BugId\modules\mBugId\cCdbWrapper\cCdbWrapper_cHelperThread.py:66
│  │ 65:      try:
│  │ 66:        oSelf.__fActivity(*oSelf.__axActivityArguments);
│  ├─┐ cCdbWrapper_fCdbStdInOutHelperThread @ D:\Projects\BugId\modules\mBugId\cCdbWrapper\cCdbWrapper_fCdbStdInOutHelperThread.py:54
│  ╷ │ 53:    oCdbWrapper.fbFireCallbacks("Log message", "Main loop #%d" % uMainLoopCounter);
│  ╷ │ 54:    (bEventIsFatal, bEventHasBeenHandled) = oCdbWrapper.ftbHandleLastCdbEvent(asbOutputWhileRunningApplication);
│  ╷ ├─┐ cCdbWrapper_ftbHandleLastCdbEvent @ D:\Projects\BugId\modules\mBugId\cCdbWrapper\cCdbWrapper_ftbHandleLastCdbEvent.py:219
│  ╷ ╷ │ 218:  ### Report bug and see if the collateral bug handler can ignore it #################################################
│  ╷ ╷ │ 219:  o0BugReport.fReport();
│  ╷ ╷ ├─┐ cBugReport?.fReport @ D:\Projects\BugId\modules\mBugId\cBugReport\cBugReport.py:202
│  ╷ ╷ ╷ │ 201:      if oSelf.__o0Exception and oSelf.__o0Exception.uCode in auExceptionCodesThatHappenAtTheInstructionThatTriggeredThem:
│  ╷ ╷ ╷ │ 202:        o0Instruction = oSelf.__oProcess.fo0GetInstructionForAddress(u0InstructionPointerValue);
│  ╷ ╷ ╷ ├─┐ cProcess?.fo0GetInstructionForAddress @ D:\Projects\BugId\modules\mBugId\cProcess\cProcess.py:261
│  ╷ ╷ ╷ ╷ │ 260:  def fo0GetInstructionForAddress(oSelf, uAddress):
│  ╷ ╷ ╷ ╷ │ 261:    return fo0GetInstructionForProcessAndAddress(
│  ╷ ╷ ╷ ╷ ├─┐ fo0GetInstructionForProcessAndAddress @ D:\Projects\BugId\modules\mBugId\mDisassembler\fo0GetInstructionForProcessAndAddress.py:14
│  ╷ ╷ ╷ ╷ ╷ │ 13:  });
│  ╷ ╷ ╷ ╷ ╷ │ 14:  o0Disassembly = fo0GetDisassemblyForProcessAndCdbCommand(
│  ╷ ╷ ╷ ╷ ╷ ├─┐ fo0GetDisassemblyForProcessAndCdbCommand @ D:\Projects\BugId\modules\mBugId\mDisassembler\fo0GetDisassemblyForProcessAndCdbCommand.py:93
│  ╷ ╷ ╷ ╷ ╷ ╷ │ 92:        ob0InstructionMatch = grbInstructionDisassemblyLine.match(sbDisassemblyOutputLine);
│  ╷ ╷ ╷ ╷ ╷ ╷ │ 93:        assert ob0InstructionMatch, \
│  ╒═══════════╛ ▲ Assertion failed: "Unrecognised instruction disassembly line:\r\nb'XXXX+0x2ca34:'"
│  │ __fRun @ D:\Projects\BugId\modules\mBugId\cCdbWrapper\cCdbWrapper_cHelperThread.py:74
│  │ 73:        cException, oException, oTraceBack = sys.exc_info();
│  │ 74:        if not oSelf.__oCdbWrapper.fbFireCallbacks("Internal exception", oSelf.__oThread, oException, oTraceBack):
│ ═╛ ▲ Application terminated because exception was not handled.
└───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Please report the above details at the below web-page so it can be addressed:
    https://github.com/SkyLined/BugId/issues/new
If you do not have a github account, or you want to report this issue
privately, you can also send an email to:
    BugId@skylined.nl

In your report, please copy ALL the information about the exception reported
above, as well as the stack trace and BugId version information. This makes
it easier to determine the cause of this issue and makes for faster fixes.

If you can reproduce the issue, it would help a lot if you can run BugId in
verbose mode by adding the --verbose command-line argument.
as in: BugId -v Harness.exe --isa=x86 --report=report_crashes -- R:\winafl-out\XXXX\fuzzer01\crashes\id_000004_00_EXCEPTION_ACCESS_VIOLATION

  ____________________________________________________________________________
                              __
   ││▌║█▐▐║▌▌█│║║│      _,siSP**YSis,_       ╒╦╦══╦╗             ╒╦╦╕    ╔╦╕
   ││▌║█▐▐║▌▌█│║║│    ,SP*'`    . `'*YS,      ║╠══╬╣ ╔╗ ╔╗ ╔╦═╦╗  ║║  ╔╦═╬╣
   ╵2808197631337╵   dS'  _    |    _ 'Sb    ╘╩╩══╩╝ ╚╩═╩╝ ╚╩═╬╣ ╘╩╩╛ ╚╩═╩╝
                    dP     \,-` `-<` `  Y;                 ╚╩═╩╝    ╮╷╭
      ╮╷╭          ,S`  \+' \      \    `Sissssssssssssssssssss,   :O()    ╲ö╱
     :O()          (S   (   | --====)   :SSSSSSSSSSSSSSSSSSSSSSD    ╯╵╰    ─O─
      ╯╵╰  ╮╷╭     'S,  /+, /      /    ,S?********************'           ╱O╲
           ()O:     Yb    _/'-_ _-<._.  dP
           ╯╵╰       YS,       |      ,SP         https://bugid.skylined.nl
  ____________________`Sbs,_    ' _,sdS`______________________________________
                        `'*YSissiSY*'`
                              ``
┌───[ Version information ]─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ ▲ BugId version: 2022-10-10 16:26 (in trial period).
│ ▲ mBugId version: 2022-10-11 12:44 (in trial period).
│ √ mConsole version: 2022-10-11 12:43.
│ √ mDateTime version: 2022-10-11 12:43.
│ √ mDebugOutput version: 2022-10-11 12:44.
│ √ mFileSystemItem version: 2022-10-11 12:43.
│ √ mHumanReadable version: 2022-10-11 12:43.
│ √ mMultiThreading version: 2022-10-11 12:43.
│ √ mNotProvided version: 2022-10-11 12:43.
│ √ mProductDetails version: 2022-10-11 12:44.
│ √ mRegistry version: 2022-10-11 12:43.
│ √ mWindowsAPI version: 2022-10-11 12:44.
│ √ mWindowsSDK version: 2022-10-11 12:43.
│ • Windows version: Windows 10 Pro release 2009, build 19045 x64.
│ • Python version: 3.9.7 x64.
│ • cdb.exe (x86) version: 10.0.19041.685.
│ • cdb.exe (x64) version: 10.0.19041.685.
└───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Thank you in advance for helping to improve BugId!
√ A copy of the error report can be found in D:\Projects\BugId\Internal error reports\2022-11-29 15։24։50.725336 BugId error report #14.txt.

SkyLined commented 1 year ago

Thank you for the report. I'll have a look and see if this is a problem I can fix.

SkyLined commented 1 year ago

@zeltrax00 I cannot reproduce. It appears you replaced the original Symbol in XXXX+0x2ca34: with XXXX. If I understand correctly, the cause of the issue is that this Symbol is not handled correctly. In order for me to fix this, I will need to know what the original symbol looks like.

If you do not want to paste the Symbol publicly here on Github, you can email it to me at BugId@skylined.nl.

zeltrax00 commented 1 year ago

It is just a DLL from my friend's project, if you need to check I will send the binary package to your email.

SkyLined commented 1 year ago

I am sure you understand that I will not run arbitrary binaries sent to me by people I do not know out of safety concerns.

If you can just tell me if you replaced the XXXX in the output and what the original value was, that would be more helpful.

zeltrax00 commented 1 year ago

XXXX = BkZlib. It is my friend's custom DLL. I don't know what information you can get from that.

SkyLined commented 1 year ago

The root cause is that the real symbol follows a pattern I am not handling correctly. I cannot fix this unless I know what that symbol looks like.

The problem is caused by a line in disassembly generated by cdb.exe. In your initial report it says that line was b'XXXX+0x2ca34:'. This looks like a line containing a symbol, which the code should handle in line 90. The code grbSymbolLine.match(sbDisassemblyOutputLine) should match, so the code inside the if statement on line 91 and following should not be executed. This means that an exception on line 93 is impossible if the symbol was b'XXXX+0x2ca34:'. The symbol cannot be b'BkZlib+0x2ca34:' either; that would also match on line 90 and never execute line 93.

Please provide the original, unaltered bug report created by BugId. It has all the information I need to fix this.
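The two kinds of line SkyLined describes (a symbol line such as `BkZlib+0x2ca34:` followed by an instruction line from cdb's `u` command) as an added example, not BugId's or mBugId's code: a small parser that classifies each line and records anything it does not recognise instead of asserting, so one odd line cannot abort a whole crash analysis. The regexes are my own approximation of cdb's output format, not the project's grbSymbolLine / grbInstructionDisassemblyLine, and the sample lines are constructed from the output quoted in the report.

```python
import re

# Constructed sample of "u <address> L1" output, based on the two lines quoted
# in the report: a symbol line ("module+offset:") and one instruction line.
SAMPLE_OUTPUT = [
    b"BkZlib+0x2ca34:",
    b"05d5ca34 8b7e6c          mov     edi,dword ptr [esi+6Ch]",
]

# Symbol line: "<module>!<symbol>+0x<offset>:" or just "<module>+0x<offset>:".
# Module names may contain '.' or '-', so the module class is deliberately loose.
SYMBOL_LINE = re.compile(
    rb"^(?P<module>[^\s!+]+)(?:!(?P<symbol>[^\s+]+))?(?:\+0x(?P<offset>[0-9a-fA-F]+))?:$"
)
# Instruction line: "<address> <opcode bytes> <mnemonic> [operands]".
# x86 cdb prints an 8-digit address; x64 prints "hi`lo". Both are accepted.
INSTRUCTION_LINE = re.compile(
    rb"^(?P<address>[0-9a-fA-F]{8}(?:`[0-9a-fA-F]{8})?)\s+"
    rb"(?P<opcodes>(?:[0-9a-fA-F]{2})+)\s+"
    rb"(?P<mnemonic>\S+)(?:\s+(?P<operands>.*?))?\s*$"
)

def parse_cdb_disassembly(lines):
    """Return (instructions, unrecognised_lines) for a list of cdb output lines.

    A symbol line only sets the symbol that following instructions belong to;
    an unrecognised line is collected rather than raised as an AssertionError.
    """
    instructions, unrecognised = [], []
    current_symbol = None
    for line in lines:
        line = line.rstrip(b"\r\n")
        if not line:
            continue
        match = SYMBOL_LINE.match(line)
        if match:
            current_symbol = match.group(0)[:-1].decode()  # drop trailing ':'
            continue
        match = INSTRUCTION_LINE.match(line)
        if match:
            instructions.append({
                "address": int(match.group("address").replace(b"`", b""), 16),
                "opcodes": bytes.fromhex(match.group("opcodes").decode()),
                "mnemonic": match.group("mnemonic").decode(),
                "operands": (match.group("operands") or b"").decode(),
                "symbol": current_symbol,
            })
            continue
        unrecognised.append(line)  # surface it to the caller; do not abort
    return instructions, unrecognised
```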

zeltrax00 commented 1 year ago

@SkyLined This is the original bug report 2022-11-29 15։24։50.725336 BugId error report #14.txt

SkyLined commented 1 year ago

Thank you. It appears that this is something I already fixed: https://github.com/SkyLined/mBugId/commit/504bd2924ef685e3192de4409f5a6d1c97e07327

To get this fix, you can either get the latest version of BugId/mBugId through git, download the latest version of fo0GetDisassemblyForProcessAndCdbCommand.py into the folder modules\mBugId\mDisassembler, or wait for the next release.

I did indeed not need to know the full symbol; that was a red herring. I was looking at the latest code, which does not have this issue, which is why I could not understand how you were seeing this assertion. I thought you were obfuscating some complex symbol which caused an issue in the latest code, which is why I asked for the full symbol.

zeltrax00 commented 1 year ago

Thank you, I used the latest version of mBugId and the problem is gone.

SkyLined commented 1 year ago

Thank you again for the report and confirming the issue is fixed!