Closed MostafaSoliman closed 2 years ago
To be honest, I'm not sure what the start_code address is actually used for. It is a very recent change that our qemu fork will dump the basic block addresses from libraries as well as the main binary. Here's the diff for that: https://github.com/shellphish/shellphish-qemu/commit/4aee5c2b54cdc33d7f7def8d899aaa9359b94cb2
The tracer_code_start may be the code start in the dump. I'm not quite sure how this is calculated. Maybe from section headers?
Yes, tracer_code_start is the start_code value from the qemu trace file, and from the load_elf_image function at elfload.c in qemu 2.10.0 this value (stored in the info->start_code variable) is calculated from the header section. I think one needs to debug qemu to see why it is saying that the binary start address is 0x0000004000001000 and not 0x0000004000000000. I will give it a try when I have lower load.
I am adding the app I am tracing in case someone would like to try: test.zip
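As an added example (this is not code from the issue, from driller or from shellphish-qemu), the following Python mirrors how qemu-user's load_elf_image in elfload.c arrives at start_code, as I read it: start_code is the lowest address of a PT_LOAD segment that is executable, whereas the image base is the lowest address of any PT_LOAD segment. The script builds a minimal, constructed ELF64 PIE in memory whose first, read-only segment (the headers) sits at vaddr 0 and whose executable segment begins at vaddr 0x1000, then shows that rebasing the entry block's trace address against start_code gives an offset one page short of the entry offset angr reports (0x1060), while rebasing against the real image base matches it. The load bias 0x4000000000, the two-segment layout and the function names are assumptions made for this example.

```python
import struct

# ELF constants from the ELF specification
PT_LOAD = 1
PF_X = 0x1
PF_W = 0x2
PF_R = 0x4

# Constructed load bias for this example: the base the trace in this issue
# shows for the PIE under qemu-user x86_64 (0x0000004000000000).
LOAD_BIAS = 0x4000000000


def build_minimal_elf():
    """Construct (in memory) a minimal ELF64 little-endian ET_DYN image with
    two PT_LOAD segments laid out like a typical PIE: a read-only segment at
    vaddr 0 holding the headers, and an executable segment at vaddr 0x1000.
    Only the header fields read below are meaningful; there is no code."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LSB, v1
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        3,        # e_type    = ET_DYN (position independent)
        62,       # e_machine = EM_X86_64
        1,        # e_version
        0x1060,   # e_entry: the entry offset angr reports for the binary
        64,       # e_phoff: program headers follow the ELF header
        0,        # e_shoff: no section headers in this constructed image
        0,        # e_flags
        64,       # e_ehsize
        56,       # e_phentsize
        2,        # e_phnum
        0, 0, 0,  # e_shentsize, e_shnum, e_shstrndx
    )
    # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    ro_seg = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R,
                         0x0, 0x0, 0x0, 0x1000, 0x1000, 0x1000)
    rx_seg = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_X,
                         0x1000, 0x1000, 0x1000, 0x2000, 0x2000, 0x1000)
    return ehdr + ro_seg + rx_seg


def parse_elf64(data):
    """Return (e_entry, [(p_flags, p_vaddr, p_memsz), ...]) for the PT_LOAD
    program headers of an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    e_entry, e_phoff = struct.unpack_from("<QQ", data, 24)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    loads = []
    for i in range(e_phnum):
        p_type, p_flags, _off, p_vaddr, _paddr, _filesz, p_memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_flags, p_vaddr, p_memsz))
    return e_entry, loads


def loader_addresses(data, load_bias=LOAD_BIAS):
    """Mirror the bookkeeping in load_elf_image() (assumption: my reading of
    elfload.c): the image base is the lowest PT_LOAD address, while
    start_code is the lowest address of a PT_LOAD that is executable (PF_X).
    For a PIE with a separate read-only first segment these differ by a page."""
    e_entry, loads = parse_elf64(data)
    load_addr = min(load_bias + vaddr for _flags, vaddr, _sz in loads)
    start_code = min(load_bias + vaddr for flags, vaddr, _sz in loads if flags & PF_X)
    return {"load_addr": load_addr, "start_code": start_code, "entry": load_bias + e_entry}


def trace_addr_to_offset(trace_addr, base):
    """Rebase an absolute basic-block address from the trace to a file-relative
    offset by subtracting the base taken from the trace header."""
    return trace_addr - base


if __name__ == "__main__":
    image = build_minimal_elf()
    addrs = loader_addresses(image)
    for name, value in addrs.items():
        print(f"{name:10s} = {value:#018x}")
    # The entry block seen in the trace is load_bias + e_entry.
    entry_bb = addrs["entry"]
    print("offset vs load_addr :", hex(trace_addr_to_offset(entry_bb, addrs["load_addr"])))
    print("offset vs start_code:", hex(trace_addr_to_offset(entry_bb, addrs["start_code"])))
```

Run stand-alone it prints load_addr 0x4000000000, start_code 0x4000001000 and entry 0x4000001060; the entry block rebased against load_addr is 0x1060, against start_code it is 0x60. The same check against a real binary would replace build_minimal_elf() with the bytes of the file under test.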
This issue has been marked as stale because it has no recent activity. Please comment or add the pinned tag to prevent this issue from being closed.
This issue has been closed due to inactivity.
Hello, I was trying to add another module similar to qemu_runner that supports Windows using DynamoRIO. Then I noticed something strange when I tested the tracer component in driller: the output of the shellphish-qemu trace shows the below. Note that the entry BB address is 0000004000807210 with offset 0x806210; this is not the same when I try to load the binary in angr, which shows that the entry BB offset is 0x01060, as shown. The only explanation I see is that QEMU is tracing all BB execution starting from the Linux libs that are executed before calling the binary entry point, and what confirms that is that I can see the entry offset down in the trace addresses.
If this is the case then I don't understand why we consider that the start_code address 0x0000004000001000 in the QEMU output is the new binary base address while it should be 0x0000004000000000 in