david942j / crabstone

crabstone is a Ruby binding to the capstone disassembly library by Nguyen Anh Quynh

Unexpected behaviour on Windows 10 #18

Open lem0nify opened 2 years ago

lem0nify commented 2 years ago

OS version: Windows 10 Pro x64 21H1 build 19043.1415
Ruby version: 3.0.3p157 (2021-11-24 revision 3fb7d2cadc) [x64-mingw32]
Ruby-FFI version: 1.15.4
Crabstone version: 4.0.3 (but the same problems appear with 4.0.2 also)
Capstone library version: 4.0.2-win64

Problem 1

I'm trying to run code from the example given in the repo README:

require 'crabstone'

include Crabstone

arm = (
  "\xED\xFF\xFF\xEB\x04\xe0\x2d\xe5\x00\x00\x00\x00\xe0\x83\x22" <<
  "\xe5\xf1\x02\x03\x0e\x00\x00\xa0\xe3\x02\x30\xc1\xe7\x00\x00\x53\xe3"
)

begin

  cs = Disassembler.new(ARCH_ARM, MODE_ARM)
  puts "Hello from Capstone v #{cs.version.join('.')}!"
  puts "Disasm:"

  begin
    cs.disasm(arm, 0x1000).each {|i|
      printf("0x%x:\t%s\t\t%s\n",i.address, i.mnemonic, i.op_str)
    }
  rescue
    fail "Disassembly error: #{$!}"
  ensure
    cs.close
  end

rescue
  fail "Unable to open engine: #{$!}"
end

and see the following error message:

C:/Ruby30-x64/lib/ruby/gems/3.0.0/gems/ffi-1.15.4-x64-mingw32/lib/ffi/library.rb:273:in `attach_function': Function 'memcpy' not found in [capstone] (FFI::NotFoundError)
        from C:/Ruby30-x64/lib/ruby/gems/3.0.0/gems/crabstone-4.0.3/lib/crabstone/binding.rb:38:in `<module:Binding>'
        from C:/Ruby30-x64/lib/ruby/gems/3.0.0/gems/crabstone-4.0.3/lib/crabstone/binding.rb:7:in `<module:Crabstone>'
        from C:/Ruby30-x64/lib/ruby/gems/3.0.0/gems/crabstone-4.0.3/lib/crabstone/binding.rb:6:in `<top (required)>'
        from C:/Ruby30-x64/lib/ruby/gems/3.0.0/gems/crabstone-4.0.3/lib/crabstone/disassembler.rb:5:in `require'
        from C:/Ruby30-x64/lib/ruby/gems/3.0.0/gems/crabstone-4.0.3/lib/crabstone/disassembler.rb:5:in `<top (required)>'
        from C:/Ruby30-x64/lib/ruby/gems/3.0.0/gems/crabstone-4.0.3/lib/crabstone.rb:11:in `require'
        from C:/Ruby30-x64/lib/ruby/gems/3.0.0/gems/crabstone-4.0.3/lib/crabstone.rb:11:in `<top (required)>'
        from ./up.rb:5:in `require'
        from ./up.rb:5:in `<main>'

Problem 2

I've added ffi_lib 'msvcrt' manually into the Crabstone::Binding module, file crabstone/binding.rb right before these imports:

    attach_function :memcpy, %i[pointer pointer size_t], :pointer
    attach_function :malloc, [:size_t], :pointer
    attach_function :free, [:pointer], :void

and now it doesn't display any errors but also doesn't work:

C:\Users\l3m0n\code\ruby\unpacker>ruby up.rb
Hello from Capstone v 4.0!
Disasm:

C:\Users\l3m0n\code\ruby\unpacker>

If I add puts 1 and puts 2 before and after the cs.disasm call, like this:

    puts 1
    cs.disasm(arm, 0x1000).each {|i|
      printf("0x%x:\t%s\t\t%s\n",i.address, i.mnemonic, i.op_str)
    }
    puts 2

I see only one output:

C:\Users\l3m0n\code\ruby\unpacker>ruby up.rb
Hello from Capstone v 4.0!
Disasm:
1

C:\Users\l3m0n\code\ruby\unpacker>

Seems like it just silently crashes in cs.disasm call without any error message.

david942j commented 2 years ago

Hi @lem0nify, since I don't have a Windows environment for testing, could you try using a debugger with the stack backtrace to see where the crash point is?
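A first check before reaching for a debugger, added here as an example that is neither crabstone code nor from either commenter: run the reproducer in a child process and read its exit status, which separates a clean exit from a native crash that prints nothing. It assumes Ruby exposes the child's full exit code on Windows and uses a small table of well-known NTSTATUS failure codes.

```ruby
# Added example (not part of crabstone or the issue): run a reproducer script in a
# child process and tell a clean exit apart from a silent native crash.
require 'open3'
require 'rbconfig'

# Well-known NTSTATUS codes a crashed Windows process reports as its exit status
# instead of printing a message (assumes Ruby passes the full code through).
WINDOWS_CRASH_CODES = {
  0xC0000005 => 'STATUS_ACCESS_VIOLATION',
  0xC0000374 => 'STATUS_HEAP_CORRUPTION',
  0xC0000409 => 'STATUS_STACK_BUFFER_OVERRUN',
  0xC000001D => 'STATUS_ILLEGAL_INSTRUCTION'
}.freeze

# Runs a command (no shell) and returns how the child finished: its combined
# stdout/stderr, whether it crashed, and a short human-readable reason.
def run_and_classify(*args)
  output, status = Open3.capture2e(*args)
  result = { output: output, crashed: false, detail: 'exited normally' }
  if status.signaled?
    # POSIX: the child was killed by a signal (SIGSEGV for an access fault, etc.).
    name = Signal.signame(status.termsig) || status.termsig.to_s
    result.merge!(crashed: true, detail: "terminated by SIG#{name}")
  elsif status.exitstatus && status.exitstatus != 0
    code = status.exitstatus
    # Windows: an NTSTATUS failure code becomes the exit status with no output at all.
    name = WINDOWS_CRASH_CODES[code]
    detail = name ? "crashed with #{name} (0x#{code.to_s(16).upcase})" : "exit status #{code}"
    result.merge!(crashed: !name.nil?, detail: detail)
  end
  result
end

# Runs a snippet of Ruby (e.g. the reproducer from the issue) under the same
# interpreter that is running this script, so gem paths match.
def run_ruby_snippet(code)
  run_and_classify(RbConfig.ruby, '-e', code)
end

if $PROGRAM_NAME == __FILE__
  # Constructed stand-in for a crashing disassembler call: print, then die abruptly.
  r = run_ruby_snippet('$stdout.sync = true; puts 1; Process.kill(:KILL, Process.pid)')
  puts r[:output], r[:detail]
end
```

Replace the constructed snippet with `require "crabstone"` plus the reproducer from the issue; output that stops at `1` together with a non-zero detail line confirms the process died inside cs.disasm rather than returning an empty instruction list.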