Closed kangaroo closed 8 years ago
Hi,
Ponce indeed did not support auto tainting with wmain programs. I just coded the part that should take care of that. I'VE NOT TESTED IT. Please do it and tell me if it works.
Regarding symbolizing memory, it should work even if the first byte of memory you want to make symbolic is a null byte. I've tested that and it works fine in IDA Pro 6.95
You can get the binaries with the new code handling unicode and wmain functions in this commit: https://github.com/illera88/Ponce/commit/d7cee18ff688b5f3a8163585fd91a81d5751c9d0
Let me know if it works. Probably it needs some testing from my part. I'm happy to do so if you can't make it work.
Cheers
That looks pretty close to what I was cooking up, but it still crashes IDA:
[!] Error reading memory from 0 followed by [1] Error reading memory from 0xffffffffffffffff
Then a hard crash.
(edit -- working somewhat better in 32-bit mode)
I just compiled a simple binary that uses wmain:

```c
#include <stdio.h>
#include <wchar.h>

/* Test binary: the branch depends on the 5th wide character of argv[1] */
int wmain(int argc, wchar_t *argv[], wchar_t *envp[])
{
    if (argc < 2)
        return 5;
    if (argv[1][4] == 'G') {
        puts("You win!!\n");
        return 1;
    }
    puts("You lost!!!!\n");
    return 0;
}
```
The problem is that the compiler creates both functions (or IDA identifies both), main and wmain. With the latest commit I've changed the logic so I first look for wmain and if it is not found I look for main.
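The crash reports and the wmain test binary above both come down to how many bytes of a wide-character argv[1] the plugin must mark symbolic. The following is an added illustration, not Ponce's code or the commit linked in this thread: it computes the byte region for a wide argument, shows that a byte-oriented length check stops at the first 0x00 byte inside an ordinary UTF-16/UTF-32 string, and gives the byte offset of the argv[1][4] read the test binary branches on. It assumes a little-endian host; the sample argument is constructed here.

```c
/* Added example (not Ponce's code): byte region to symbolize for an
 * argument of a wmain() program, and why a byte-string view of the same
 * buffer is misleading. Assumes a little-endian host. */
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Bytes occupied by the wide argument's characters (terminator excluded):
 * this is the region to symbolize, not strlen() of the raw bytes. */
size_t warg_byte_len(const wchar_t *arg)
{
    return wcslen(arg) * sizeof(wchar_t);
}

/* Length a byte-oriented routine (strlen on the raw buffer) would report.
 * On a little-endian host each ASCII wchar_t stores its low byte first, so
 * the second byte of the first character is already 0x00. */
size_t narrow_len_of_warg(const wchar_t *arg)
{
    return strlen((const char *)arg);
}

/* Count the 0x00 bytes inside the character region. For a UTF-16/UTF-32
 * argument these are payload bytes, not terminators, so a symbolizer must
 * not stop at the first one. */
size_t embedded_nulls(const wchar_t *arg)
{
    const unsigned char *p = (const unsigned char *)arg;
    size_t n = warg_byte_len(arg), zeros = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0)
            zeros++;
    return zeros;
}

/* Byte offset of argv[i][k] within the wide argument: the test binary's
 * branch reads argv[1][4], i.e. bytes [4*sizeof(wchar_t), 5*sizeof(wchar_t)). */
size_t warg_char_offset(size_t k)
{
    return k * sizeof(wchar_t);
}

int main(void)
{
    const wchar_t *sample = L"ABCDEFG";  /* constructed sample argument */
    printf("wide chars: %zu, bytes to symbolize: %zu\n",
           wcslen(sample), warg_byte_len(sample));
    printf("strlen() on the raw bytes: %zu\n", narrow_len_of_warg(sample));
    printf("0x00 bytes inside the region: %zu\n", embedded_nulls(sample));
    printf("argv[1][4] lives at byte offset %zu\n", warg_char_offset(4));
    return 0;
}
```

Compile with any C99 compiler; on a 64-bit Windows build (sizeof(wchar_t) == 2) the sample reports 14 bytes to symbolize with 7 embedded nulls, while strlen() on the raw buffer reports 1.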
Fixed; soon we will have the latest builds with the new versions.
@kangaroo could you verify now it is working well?
Thank you for your time.
It's working better for me. I have some other issues, but I'll file and track those separately.
Thanks!
It seems the current Ponce doesn't understand wmain, or unicode argv. Additionally, it appears to crash IDA 6.9 when trying to even symbolicate unicode memory (read from 0x0).