Open AnFunctionArray opened 4 years ago
OK I think the issue is that remill has the variable names MM0 through MM7. I will do some testing, might be that I need to rename them MMX0 through MMX7.
I don't have that much RAM :-/ Can you send me a copy-and-paste of the disassembly or bytes of _x3d_D3DXQuaternionToAxisAngle__YGXPBUD3DXQUATERNION__PAUD3DXVECTOR3__PAM_Z? I.e. the code at 64a4f2 in your binary.
You can go ahead and download the file yourself it's in this archive (https://www.tombraiderchronicles.com/cgi-bin/dl09/dl.pl?me_angelofdarkness_pcupdate2) - the file name is TRAOD_P4.exe I believe - just use IDA.
Forgive my ignorance, but how do I find that specific TRAOD_P4.exe in the downloaded file? I found and downloaded a same-named file off of Google, but the address 0x64a4f2 was in the middle of an instruction in a function.
Use 7zip and open as archive. It may also be TRAOD.exe, keep in mind. Thanks.
On Fri, Jan 10, 2020, 4:56 PM Peter Goodman notifications@github.com wrote:
> Forgive my ignorance, but how do I find that specific TRAOD_P4.exe in the downloaded file? I found and downloaded a same-named file off of Google, but the address 0x64a4f2 was in the middle of an instruction in a function.
So I've been fixing various things, but I am unable to replicate this specific problem. I did find a host of other issues. My best guess is that your version of Remill or McSema is very out of date. Fixes are in #624. I've also made some Remill changes that add support for various 3DNow instructions used by your binary, but there remain many unsupported instructions. Those changes are not yet merged.
By the way, your log seems to have much less variety in missing semantics; have you implemented semantics on your own?
ping @bsld
@pgoodman I have the same issue. I followed the instructions on the readme page in root, so I should have the newest version. git log shows:
c:\Users\Sab24\Downloads\remill\tools\mcsema>git log
commit e626fb86e1fb69245266efec713dba772942c388 (grafted, HEAD -> master, origin/master, origin/HEAD)
Author: Youssef <34326+ysf@users.noreply.github.com>
Date: Wed Apr 15 04:58:07 2020 +0200
adjusted readme to retdec update (#643)
according to https://engineering.avast.io/retdec-v4-0-is-out/
mcsema-lift-5.0 --os windows --arch x86_avx --cfg fa.cfg --output fa.bc
E0415 18:04:41.993916 15324 Function.cpp:376] Adding missing block 9dd64a in function sub_9dd640 as a tail call to __remill_error
E0415 18:04:42.088660 15324 Function.cpp:376] Adding missing block ac65d2 in function sub_ac65cc as a tail call to sub_ac65d2
E0415 18:04:42.144505 15324 Function.cpp:353] Cannot find target of instruction at 602349; the static target 60234c is not associated with a lifted subroutine, and it does not have a known call target.
F0415 18:04:42.150470 15324 Util.cpp:150] Check failed: allow_failure Could not find variable MMX2 in function sub_b059e0
*** Check failure stack trace: ***
@ 00007FF63496028B (unknown)
@ 00007FF63497D1CC (unknown)
@ 00007FF634A14928 (unknown)
@ 00007FF634A164C4 (unknown)
@ 00007FF634A11B6C (unknown)
@ 00007FF63494E461 (unknown)
@ 00007FF634949A04 (unknown)
@ 00007FF634947CB8 (unknown)
@ 00007FF634946190 (unknown)
@ 00007FF6349583AE (unknown)
@ 00007FF63495AA0A (unknown)
@ 00007FF6352CC6F8 (unknown)
@ 00007FFB5C377BD4 BaseThreadInitThunk
@ 00007FFB5DCACED1 RtlUserThreadStart
What is the commit hash of your version of remill?
That's eae68217c43f2e99a657c75ae36d40af740cc20e from 10th of February
commit eae68217c43f2e99a657c75ae36d40af740cc20e (HEAD -> production)
Author: Aiethel <xkorenc1@fi.muni.cz>
Date: Mon Feb 10 18:36:44 2020 +0100
Annotate semantics (#401)
* Annotate semantics functions with their own metadata kind.
* Remove forgotten Mips entry in enum.
I think it's because I disassembled with --arch x86 instead of --arch x86_avx
That shouldn't make a difference. Can you do this...
Right here: https://github.com/lifting-bits/mcsema/blob/master/mcsema/BC/Instruction.cpp#L130
Can you add:
LOG(ERROR) << inst.Serialize();
You'll get a lot of output logged, but that last line of output should be super useful and tell me what the problematic instruction is.
Done, I get
(READ_OP (DWORD_PTR (ADD (REG_32 SS_BASE) (REG_32 EBP) (SIGNED_IMM_32 -0x28)))))
E0415 18:25:07.242838 22108 Instruction.cpp:130] (X86 b06290 2 (BYTES 03 d0) ADD_GPRv_GPRv_03_32 (WRITE_OP (REG_32 EDX)) (READ_OP (REG_32 EDX)) (READ_OP (REG_32 EAX)))
E0415 18:25:07.242838 22108 Instruction.cpp:130] (X86 b06292 2 (BYTES 03 c8) ADD_GPRv_GPRv_03_32 (WRITE_OP (REG_32 ECX)) (READ_OP (REG_32 ECX)) (READ_OP (REG_32 EAX)))
E0415 18:25:07.243862 22108 Instruction.cpp:130] (X86 b06294 3 (BYTES 8b 45 e0) MOV_GPRv_MEMv_32 (WRITE_OP (REG_32 EAX)) (READ_OP (DWORD_PTR (ADD (REG_32 SS_BASE) (REG_32 EBP) (SIGNED_IMM_32 -0x20)))))
E0415 18:25:07.243862 22108 Instruction.cpp:130] (X86 b06297 3 (BYTES 89 7d fc) MOV_MEMv_GPRv_32 (WRITE_OP (DWORD_PTR (ADD (REG_32 SS_BASE) (REG_32 EBP) (SIGNED_IMM_32 -0x4)))) (READ_OP (REG_32 EDI)))
E0415 18:25:07.243862 22108 Instruction.cpp:130] (X86 b0629a 1 (BYTES 48) DEC_GPRv_48_32 (WRITE_OP (REG_32 EAX)) (READ_OP (REG_32 EAX)))
E0415 18:25:07.243862 22108 Instruction.cpp:130] (X86 b0629b 3 (BYTES 89 75 f0) MOV_MEMv_GPRv_32 (WRITE_OP (DWORD_PTR (ADD (REG_32 SS_BASE) (REG_32 EBP) (SIGNED_IMM_32 -0x10)))) (READ_OP (REG_32 ESI)))
E0415 18:25:07.243862 22108 Instruction.cpp:130] (X86 b0629e 3 (BYTES 89 55 ec) MOV_MEMv_GPRv_32 (WRITE_OP (DWORD_PTR (ADD (REG_32 SS_BASE) (REG_32 EBP) (SIGNED_IMM_32 -0x14)))) (READ_OP (REG_32 EDX)))
E0415 18:25:07.243862 22108 Instruction.cpp:130] (X86 b062a1 3 (BYTES 89 4d e8) MOV_MEMv_GPRv_32 (WRITE_OP (DWORD_PTR (ADD (REG_32 SS_BASE) (REG_32 EBP) (SIGNED_IMM_32 -0x18)))) (READ_OP (REG_32 ECX)))
E0415 18:25:07.243862 22108 Instruction.cpp:130] (X86 b062a4 3 (BYTES 89 45 e0) MOV_MEMv_GPRv_32 (WRITE_OP (DWORD_PTR (ADD (REG_32 SS_BASE) (REG_32 EBP) (SIGNED_IMM_32 -0x20)))) (READ_OP (REG_32 EAX)))
E0415 18:25:07.243862 22108 Instruction.cpp:130] (X86 b062a7 6 (BYTES 0f 85 b4 f7 ff ff) JNZ_RELBRz_32 (WRITE_OP (REG_8 BRANCH_TAKEN)) (READ_OP (DWORD_PTR (ADD (REG_32 PC) (SIGNED_IMM_32 -0x846)))) (READ_OP (DWORD_PTR (ADD (REG_32 PC) (SIGNED_IMM_32 0x6)))))
E0415 18:25:07.243862 22108 Instruction.cpp:130] (X86 b062b3 1 (BYTES 90) NOP_90)
E0415 18:25:07.243862 22108 Instruction.cpp:130] (X86 b062b4 1 (BYTES 90) NOP_90)
E0415 18:25:07.243862 22108 Instruction.cpp:130] (X86 b062b5 1 (BYTES 90) NOP_90)
E0415 18:25:07.243862 22108 Instruction.cpp:130] (X86 b062b6 1 (BYTES 90) NOP_90)
E0415 18:25:07.244861 22108 Instruction.cpp:130] (X86 b062b7 1 (BYTES 90) NOP_90)
E0415 18:25:07.244861 22108 Instruction.cpp:130] (X86 b062b8 1 (BYTES 90) NOP_90)
E0415 18:25:07.244861 22108 Instruction.cpp:130] (X86 b062b9 1 (BYTES 90) NOP_90)
E0415 18:25:07.244861 22108 Instruction.cpp:130] (X86 b062ba 1 (BYTES 90) NOP_90)
E0415 18:25:07.244861 22108 Instruction.cpp:130] (X86 b062bb 1 (BYTES 90) NOP_90)
E0415 18:25:07.244861 22108 Instruction.cpp:130] (X86 b062bc 1 (BYTES 90) NOP_90)
E0415 18:25:07.244861 22108 Instruction.cpp:130] (X86 b062bd 1 (BYTES 90) NOP_90)
E0415 18:25:07.244861 22108 Instruction.cpp:130] (X86 b062be 1 (BYTES 90) NOP_90)
E0415 18:25:07.244861 22108 Instruction.cpp:130] (X86 b062bf 1 (BYTES 90) NOP_90)
E0415 18:25:07.244861 22108 Instruction.cpp:130] (X86 b05a6b 3 (BYTES 8b 7d f8) MOV_GPRv_MEMv_32 (WRITE_OP (REG_32 EDI)) (READ_OP (DWORD_PTR (ADD (REG_32 SS_BASE) (REG_32 EBP) (SIGNED_IMM_32 -0x8)))))
E0415 18:25:07.244861 22108 Instruction.cpp:130] (X86 b05a6e 4 (BYTES 0f 6f 14 0f) MOVQ_MMXq_MEMq_0F6F (WRITE_OP (REG_64 MMX2)) (READ_OP (DWORD_PTR (ADD (REG_32 DS_BASE) (REG_32 EDI) (MUL (REG_32 ECX) (IMM_32 0x1))))))
F0415 18:25:07.244861 22108 Util.cpp:150] Check failed: allow_failure Could not find variable MMX2 in function sub_b059e0
*** Check failure stack trace: ***
@ 00007FF7CFF4041B (unknown)
@ 00007FF7CFF5D35C (unknown)
@ 00007FF7CFFF4AB8 (unknown)
@ 00007FF7CFFF6654 (unknown)
@ 00007FF7CFFF1CFC (unknown)
@ 00007FF7CFF2E506 (unknown)
@ 00007FF7CFF29A04 (unknown)
@ 00007FF7CFF27CB8 (unknown)
@ 00007FF7CFF26190 (unknown)
@ 00007FF7CFF3853E (unknown)
@ 00007FF7CFF3AB9A (unknown)
@ 00007FF7D08AC888 (unknown)
@ 00007FFB5C377BD4 BaseThreadInitThunk
@ 00007FFB5DCACED1 RtlUserThreadStart
My XED gives me different results:
(X86 0 (BYTES 0f 6f 14 0f) MOVQ_MMXq_MEMq_0F6F (WRITE_OP (REG_64 MM2)) (READ_OP (DWORD_PTR (ADD (REG_32 DS_BASE) (REG_32 EDI) (MUL (REG_32 ECX) (IMM_32 0x1))))))
I think you have two options:
1) Build cxx-common from scratch (long)
2) Copy these [1] and then paste them, and add an X into each of the variable names. Then make -j8 from inside your build dir.
[1] https://github.com/lifting-bits/remill/blob/master/remill/Arch/X86/Runtime/BasicBlock.cpp#L318-L325
I choose option 1 and will report back in some time.
Some compilation issues with llvm 10.0, is it not supported yet?
<command line>(6): note: previous definition is here
In file included from <built-in>:368:
<command line>(10): warning : '_CRT_SECURE_NO_DEPRECATE' macro redefined [-Wmacro-redefined] [C:\Users\sab24\Downloads\re
mill\remill_build3\remill.vcxproj]
<command line>(6): note: previous definition is here
C:\Users\sab24\Downloads\remill\remill\Arch\Arch.cpp(221): warning : 'if' initialization statements are a C++17 extension
[-Wc++17-extensions] [C:\Users\sab24\Downloads\remill\remill_build3\remill.vcxproj]
C:\Users\sab24\Downloads\remill\remill\Arch\Arch.cpp(247): warning : returning address of local temporary object [-Wretur
n-stack-address] [C:\Users\sab24\Downloads\remill\remill_build3\remill.vcxproj]
remill.vcxproj -> C:\Users\sab24\Downloads\remill\remill_build3\Release\remill.lib
Running C++ protocol buffer compiler on C:/Users/sab24/Downloads/remill/tools/mcsema/mcsema/CFG/CFG.proto
Building Custom Rule C:/Users/sab24/Downloads/remill/tools/mcsema/CMakeLists.txt
In file included from <built-in>:368:
<command line>(16): warning : '_CRT_SECURE_NO_DEPRECATE' macro redefined [-Wmacro-redefined] [C:\Users\sab24\Downloads\re
mill\remill_build3\tools\mcsema\mcsema-lift-10.0.vcxproj]
<command line>(6): note: previous definition is here
In file included from <built-in>:368:
<command line>(16): warning : '_CRT_SECURE_NO_DEPRECATE' macro redefined [-Wmacro-redefined] [C:\Users\sab24\Downloads\re
mill\remill_build3\tools\mcsema\mcsema-lift-10.0.vcxproj]
<command line>(6): note: previous definition is here
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\ABI.cpp(771): error : no viable overloaded '=' [C:\Users\sab24\Dow
nloads\remill\remill_build3\tools\mcsema\mcsema-lift-10.0.vcxproj]
C:\TrailOfBits\libraries\llvm\include\llvm/Support/TypeSize.h(50): note: candidate function (the implicit copy assign
ment operator) not viable: no known conversion from 'const unsigned long long' to 'const llvm::TypeSize' for 1st argu
ment
C:\TrailOfBits\libraries\llvm\include\llvm/Support/TypeSize.h(50): note: candidate function (the implicit move assign
ment operator) not viable: no known conversion from 'const unsigned long long' to 'llvm::TypeSize' for 1st argument
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\ABI.cpp(1040): error : no viable overloaded '=' [C:\Users\sab24\Do
wnloads\remill\remill_build3\tools\mcsema\mcsema-lift-10.0.vcxproj]
C:\TrailOfBits\libraries\llvm\include\llvm/Support/TypeSize.h(50): note: candidate function (the implicit copy assign
ment operator) not viable: no known conversion from 'const unsigned long long' to 'const llvm::TypeSize' for 1st argu
ment
C:\TrailOfBits\libraries\llvm\include\llvm/Support/TypeSize.h(50): note: candidate function (the implicit move assign
ment operator) not viable: no known conversion from 'const unsigned long long' to 'llvm::TypeSize' for 1st argument
Building Custom Rule C:/Users/sab24/Downloads/remill/tools/lift/CMakeLists.txt
In file included from <built-in>:368:
<command line>(15): warning : '_CRT_SECURE_NO_DEPRECATE' macro redefined [-Wmacro-redefined] [C:\Users\sab24\Downloads\re
mill\remill_build3\tools\lift\remill-lift-10.0.vcxproj]
<command line>(6): note: previous definition is here
remill-lift-10.0.vcxproj -> C:\Users\sab24\Downloads\remill\remill_build3\tools\lift\Release\remill-lift-10.0.exe
changed the code to:
alloc_size = llvm::TypeSize(std::max<uint64_t>(alloc_size, addr_size), true);
Where true stands for scalable. Seems to compile.
same error when recompiling with llvm 10.0
(READ_OP (DWORD_PTR (ADD (REG_32 SS_BASE) (REG_32 EBP) (SIGNED_IMM_32 -0x8)))))
E0417 11:25:21.563992 4364 Instruction.cpp:130] (X86 b05a6e 4 (BYTES 0f 6f 14 0f) MOVQ_MMXq_MEMq_0F6F (WRITE_OP (REG_64 MMX2)) (READ_OP (DWORD_PTR (ADD (REG_32 DS_BASE) (REG_32 EDI) (MUL (REG_32 ECX) (IMM_32 0x1))))))
F0417 11:25:21.563992 4364 Util.cpp:150] Check failed: allow_failure Could not find variable MMX2 in function sub_b059e0
*** Check failure stack trace: ***
@ 00007FF6FDF2041B (unknown)
@ 00007FF6FDF3D35C (unknown)
@ 00007FF6FDFD4AB8 (unknown)
@ 00007FF6FDFD6654 (unknown)
@ 00007FF6FDFD1CFC (unknown)
@ 00007FF6FDF0E506 (unknown)
@ 00007FF6FDF09A04 (unknown)
@ 00007FF6FDF07CB8 (unknown)
@ 00007FF6FDF06190 (unknown)
@ 00007FF6FDF1853E (unknown)
@ 00007FF6FDF1AB9A (unknown)
@ 00007FF6FE88C888 (unknown)
@ 00007FFFD1B07BD4 BaseThreadInitThunk
@ 00007FFFD31ACED1 RtlUserThreadStart
It works now. Only still having problems with compiling. I have
remill-clang-10.0: error: linker command failed with exit code 1561 (use -v to see invocation)
Somehow mcsema_rt64-5.0.lib and mcsema_rt32-5.0.lib are not built. remill/tools/mcsema/CMakeLists.txt:184 has
if("${CMAKE_HOST_SYSTEM_PROCESSOR}" STREQUAL "x86_64" AND MCSEMA_ENABLE_RUNTIME)
but the system on Windows has AMD64. Uncommenting this and enabling the build of this library gives a lot of errors:
Microsoft (R) Build Engine version 16.5.0+d4cbfca49 for .NET Framework
Copyright (C) Microsoft Corporation. All rights reserved.
remill.vcxproj -> C:\Users\sab24\Downloads\remill\build5\Release\remill.lib
mcsema-lift-10.0.vcxproj -> C:\Users\sab24\Downloads\remill\build5\tools\mcsema\Release\mcsema-lift-10.0.exe
In file included from <built-in>:368:
<command line>(10): warning : '_CRT_SECURE_NO_DEPRECATE' macro redefined [-Wmacro-redefined] [C:\Users\sab24\Downloads
\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-amd64.vcxproj]
<command line>(6): note: previous definition is here
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(68): error : use of undec
lared identifier 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-
runtime-amd64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(115): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(116): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(121): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(122): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(123): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(124): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(125): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(126): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(128): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(129): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(130): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(131): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(132): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(133): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(134): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(135): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(138): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
C:\Users\sab24\Downloads\remill\tools\mcsema\mcsema\Arch\X86\Runtime\print_PE_64_windows.cpp(139): error : unknown typ
e name 'RegState' [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-am
d64.vcxproj]
CL : fatal error : too many errors emitted, stopping now [-ferror-limit=] [C:\Users\sab24\Downloads\remill\build5\tool
s\mcsema\mcsema\Arch\X86\Runtime\mcsema-print-runtime-amd64.vcxproj]
mcsema-print-runtime-x86.vcxproj -> C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\Rele
ase\mcsema-print-runtime-x86.exe
Generating 32-bit Windows PE runtime...
Building 32-bit runtime
clang++ : warning : argument unused during compilation: '-shared' [-Wunused-command-line-argument] [C:\Users\sab24\Dow
nloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
In file included from C:/Users/Sab/Downloads/remill/tools/mcsema/mcsema/Arch/X86/Runtime/Runtime.cpp:26:
In file included from C:/Users/Sab/Downloads/remill\remill/Arch/X86/Runtime/State.h:38:
In file included from C:/Users/Sab/Downloads/remill\remill/Arch/Runtime/Types.h:20:
In file included from C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\incl
ude\functional:6:
In file included from C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\incl
ude\exception:8:
In file included from C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\incl
ude\type_traits:6:
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xstddef(338,2): erro
r G90440305: 'auto' return without trailing return type; deduced return types are a C++14 extension [C:\Users\sab24\Do
wnloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
auto _Unfancy(_Ptrty _Ptr)
^
In file included from C:/Users/Sab/Downloads/remill/tools/mcsema/mcsema/Arch/X86/Runtime/Runtime.cpp:26:
In file included from C:/Users/Sab/Downloads/remill\remill/Arch/X86/Runtime/State.h:38:
In file included from C:/Users/Sab/Downloads/remill\remill/Arch/Runtime/Types.h:20:
In file included from C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\incl
ude\functional:7:
In file included from C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\incl
ude\tuple:8:
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(363,13): er
ror G549FDB67: deduced return types are a C++14 extension [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema\
Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
constexpr decltype(auto) operator()(_Args&&... _Vals)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(601,17): er
ror G2221FED8: constexpr function's return type 'void' is not a literal type [C:\Users\sab24\Downloads\remill\build5\t
ools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
constexpr void _Adl_verify_range1(const _Iter& _First, const _Sentinel& _Last, true_type)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(608,17): er
ror G2221FED8: constexpr function's return type 'void' is not a literal type [C:\Users\sab24\Downloads\remill\build5\t
ools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
constexpr void _Adl_verify_range1(const _Iter&, const _Sentinel&, false_type)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(614,17): er
ror G2221FED8: constexpr function's return type 'void' is not a literal type [C:\Users\sab24\Downloads\remill\build5\t
ools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
constexpr void _Adl_verify_range(const _Iter& _First, const _Sentinel& _Last)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(641,23): er
ror G90440305: 'auto' return without trailing return type; deduced return types are a C++14 extension [C:\Users\sab24\
Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
_NODISCARD constexpr auto _Get_unwrapped(const _Iter& _It)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(692,23): er
ror G90440305: 'auto' return without trailing return type; deduced return types are a C++14 extension [C:\Users\sab24\
Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
_NODISCARD constexpr auto _Get_unwrapped_unverified(const _Iter& _It)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(759,23): er
ror G90440305: 'auto' return without trailing return type; deduced return types are a C++14 extension [C:\Users\sab24\
Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
_NODISCARD constexpr auto _Get_unwrapped_n(const _Iter& _It, const _Diff _Off)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(779,23): er
ror G90440305: 'auto' return without trailing return type; deduced return types are a C++14 extension [C:\Users\sab24\
Downloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
_NODISCARD constexpr auto _Get_unwrapped_n(const _Iter& _It, _Diff)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(855,17): er
ror G2221FED8: constexpr function's return type 'void' is not a literal type [C:\Users\sab24\Downloads\remill\build5\t
ools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
constexpr void _Seek_wrapped(_Iter& _It, const _UIter& _UIt)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(863,17): er
ror G2221FED8: constexpr function's return type 'void' is not a literal type [C:\Users\sab24\Downloads\remill\build5\t
ools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
constexpr void _Seek_wrapped(_Iter& _It, const _UIter& _UIt)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(870,17): er
ror G2221FED8: constexpr function's return type 'void' is not a literal type [C:\Users\sab24\Downloads\remill\build5\t
ools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
constexpr void _Seek_wrapped(_Ty *& _It, _Ty * const _UIt)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(973,2): err
or G90440305: 'auto' return without trailing return type; deduced return types are a C++14 extension [C:\Users\sab24\D
ownloads\remill\build5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
auto _Idl_distance(const _Iter& _First, const _Iter& _Last)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(1289,12): e
rror G549FDB67: deduced return types are a C++14 extension [C:\Users\sab24\Downloads\remill\build5\tools\mcsema\mcsema
\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
constexpr decltype(auto) _Operator_arrow(_Iterator&& _Target, false_type)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(1404,18): e
rror G2221FED8: constexpr function's return type 'void' is not a literal type [C:\Users\sab24\Downloads\remill\build5\
tools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
constexpr void _Verify_offset(const difference_type _Off) const
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(1421,18): e
rror G2221FED8: constexpr function's return type 'void' is not a literal type [C:\Users\sab24\Downloads\remill\build5\
tools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
constexpr void _Seek_to(const reverse_iterator<_Src>& _It)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(1432,17): e
rror G2221FED8: constexpr function's return type 'void' is not a literal type [C:\Users\sab24\Downloads\remill\build5\
tools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
constexpr void _Verify_range(const reverse_iterator<_BidIt>& _First, const reverse_iterator<_BidIt2>& _Las
t)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(1844,17): e
rror G2221FED8: constexpr function's return type 'void' is not a literal type [C:\Users\sab24\Downloads\remill\build5\
tools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
constexpr void _Seek_to(pointer _It)
^
C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include\xutility(2260,25): e
rror G2221FED8: constexpr function's return type 'void' is not a literal type [C:\Users\sab24\Downloads\remill\build5\
tools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
friend constexpr void _Verify_range(const move_iterator& _First, const move_iterator<_Iter2>& _Las
t)
^
CUSTOMBUILD : fatal error : too many errors emitted, stopping now [-ferror-limit=] [C:\Users\sab24\Downloads\remill\bu
ild5\tools\mcsema\mcsema\Arch\X86\Runtime\mcsema_rt32-10.0.vcxproj]
20 errors generated.
remill-lift-10.0.vcxproj -> C:\Users\sab24\Downloads\remill\build5\tools\lift\Release\remill-lift-10.0.exe
C:\Users\sab24\Downloads\remill\build5>
I get
error LNK2001: unresolved external symbol ___mcsema_attach_call
but the mcsema libraries don't compile on Windows? Also this file has not been changed for three years, is there an alternative?
Also do I need to link to remill? It is compiled as 64-bit, but the application I am trying to recompile is 32-bit.
Creating library f.lib and object f.exp
f.o : error LNK2019: unresolved external symbol ___remill_missing_block referenced in function _sub_b294e0
f.o : error LNK2019: unresolved external symbol ___remill_atomic_begin referenced in function _sub_bc0008
f.o : error LNK2019: unresolved external symbol ___remill_atomic_end referenced in function _sub_bc0008
f.o : error LNK2019: unresolved external symbol ___remill_function_call referenced in function _sub_bc0008
f.o : error LNK2019: unresolved external symbol ___remill_jump referenced in function _sub_bc0008
f.o : error LNK2019: unresolved external symbol ___remill_fpu_exception_test_and_clear referenced in function _sub_69f4d0
f.o : error LNK2019: unresolved external symbol ___remill_error referenced in function _sub_720010
f.o : error LNK2019: unresolved external symbol ___remill_async_hyper_call referenced in function _sub_695a40
f.o : error LNK2019: unresolved external symbol ___remill_compare_exchange_memory_32 referenced in function _sub_7474b0
f.o : error LNK2019: unresolved external symbol ___remill_sync_hyper_call referenced in function _sub_af7ff0
f.o : error LNK2019: unresolved external symbol ___remill_compare_exchange_memory_64 referenced in function _sub_55c410
f.o : error LNK2001: unresolved external symbol ___mcsema_attach_call
libcmt.lib(exe_winmain.obj) : error LNK2019: unresolved external symbol _WinMain@16 referenced in function "int __cdecl __scrt_common_main_seh(void)" (?__scrt_common_main_seh@@YAHXZ)
f.o.exe : fatal error LNK1120: 13 unresolved externals
clang: error: linker command failed with exit code 1120 (use -v to see invocation)
Recompiled everything as 32-bit, makes no difference. It turns out that in remill.lib there are no definitions of the symbols:
| |||| || 0x00001ca6 .string "__remill_atomic_begin" ; len=22 ; [35] -r-- section size 22 named .rdata_35
| |||||| ;-- str.remill_atomic_end:
| |||||| ;-- section..rdata_36:
| |||||| ;-- ??_C@_0BE@LEIBMLCO@__remill_atomic_end?$AA@:
So they are just empty. Enabling the Windows runtime library turns out to be impossible as the code has been unmaintained for three years. Also the newer version only supports Linux, as the arch/os directory only contains linux.
Yeah, we don't have a runtime made for windows just yet. One can be made by copying the definitions of those missing functions from remill/tests/X86/Run.cpp.
@pgoodman I tried to add the code to remill/remill/BC/IntrinsicTable.cpp:
namespace remill {
namespace {

// Find a specific function.
static llvm::Function *FindIntrinsic(llvm::Module *module,
                                     const char *name) {
  auto function = FindFunction(module, name);
  CHECK(nullptr != function)
      << "Unable to find intrinsic: " << name;

  // We don't want calls to memory intrinsics to be duplicated because then
  // they might have the wrong side effects!
  function->addFnAttr(llvm::Attribute::NoDuplicate);
  InitFunctionAttributes(function);
  function->setLinkage(llvm::GlobalValue::ExternalLinkage);
  function->removeFnAttr(llvm::Attribute::AlwaysInline);
  function->removeFnAttr(llvm::Attribute::InlineHint);
  function->addFnAttr(llvm::Attribute::OptimizeNone);
  function->addFnAttr(llvm::Attribute::NoInline);
  return function;
}

// Find a specific function.
static llvm::Function *FindPureIntrinsic(llvm::Module *module,
                                         const char *name) {
  auto function = FindIntrinsic(module, name);

  // We want memory intrinsics to be marked as not accessing memory so that
  // they don't interfere with dead store elimination.
  function->addFnAttr(llvm::Attribute::ReadNone);
  return function;
}

}  // namespace

IntrinsicTable::IntrinsicTable(llvm::Module *module)
    : error(FindIntrinsic(module, "__remill_error")),

      // Control-flow.
      function_call(FindIntrinsic(module, "__remill_function_call")),
      function_return(FindIntrinsic(
          module, "__remill_function_return")),
      jump(FindIntrinsic(module, "__remill_jump")),
      missing_block(FindIntrinsic(module, "__remill_missing_block")),

      // OS interaction.
      async_hyper_call(FindIntrinsic(
          module, "__remill_async_hyper_call")),
      sync_hyper_call(FindIntrinsic(
          module, "__remill_sync_hyper_call")),

      // Memory access.
      read_memory_8(FindPureIntrinsic(module, "__remill_read_memory_8")),
      read_memory_16(FindPureIntrinsic(module, "__remill_read_memory_16")),
      read_memory_32(FindPureIntrinsic(module, "__remill_read_memory_32")),
      read_memory_64(FindPureIntrinsic(module, "__remill_read_memory_64")),
      write_memory_8(FindPureIntrinsic(module, "__remill_write_memory_8")),
      write_memory_16(FindPureIntrinsic(module, "__remill_write_memory_16")),
      write_memory_32(FindPureIntrinsic(module, "__remill_write_memory_32")),
      write_memory_64(FindPureIntrinsic(module, "__remill_write_memory_64")),
      read_memory_f32(FindPureIntrinsic(module, "__remill_read_memory_f32")),
      read_memory_f64(FindPureIntrinsic(module, "__remill_read_memory_f64")),
      read_memory_f80(FindPureIntrinsic(module, "__remill_read_memory_f80")),
write_memory_f32(FindPureIntrinsic(module, "__remill_write_memory_f32")),
write_memory_f64(FindPureIntrinsic(module, "__remill_write_memory_f64")),
write_memory_f80(FindPureIntrinsic(
module, "__remill_write_memory_f80")),
// Memory barriers.
barrier_load_load(FindPureIntrinsic(
module, "__remill_barrier_load_load")),
barrier_load_store(FindPureIntrinsic(
module, "__remill_barrier_load_store")),
barrier_store_load(FindPureIntrinsic(
module, "__remill_barrier_store_load")),
barrier_store_store(FindPureIntrinsic(
module, "__remill_barrier_store_store")),
atomic_begin(FindPureIntrinsic(module, "__remill_atomic_begin")),
atomic_end(FindPureIntrinsic(module, "__remill_atomic_end")),
// // Optimization guides.
// //
// // Note: NOT pure! This is a total hack: we call an unpure function
// // within a pure one so that it is not optimized out!
// defer_inlining(FindIntrinsic(module, "__remill_defer_inlining")),
// Optimization enablers.
undefined_8(FindPureIntrinsic(module, "__remill_undefined_8")),
undefined_16(FindPureIntrinsic(module, "__remill_undefined_16")),
undefined_32(FindPureIntrinsic(module, "__remill_undefined_32")),
undefined_64(FindPureIntrinsic(module, "__remill_undefined_64")),
undefined_f32(FindPureIntrinsic(module, "__remill_undefined_f32")),
undefined_f64(FindPureIntrinsic(module, "__remill_undefined_f64")) {
// Make sure to set the correct attributes on this to make sure that
// it's never optimized away.
(void) FindIntrinsic(module, "__remill_intrinsics");
}
struct Memory;
Memory* IntrinsicTable::__remill_atomic_begin(Memory *) { return nullptr; }
Memory* IntrinsicTable::__remill_atomic_end(Memory *) { return nullptr; }
Memory* IntrinsicTable::__remill_sync_hyper_call(
State &state, Memory *mem, SyncHyperCall::Name call) {
auto eax = state.gpr.rax.dword;
auto ebx = state.gpr.rbx.dword;
auto ecx = state.gpr.rcx.dword;
auto edx = state.gpr.rdx.dword;
switch (call) {
case SyncHyperCall::kX86CPUID:
state.gpr.rax.aword = 0;
state.gpr.rbx.aword = 0;
state.gpr.rcx.aword = 0;
state.gpr.rdx.aword = 0;
asm volatile(
"cpuid"
: "=a"(state.gpr.rax.dword),
"=b"(state.gpr.rbx.dword),
"=c"(state.gpr.rcx.dword),
"=d"(state.gpr.rdx.dword)
: "a"(eax),
"b"(ebx),
"c"(ecx),
"d"(edx)
);
break;
case SyncHyperCall::kX86ReadTSC:
state.gpr.rax.aword = 0;
state.gpr.rdx.aword = 0;
asm volatile(
"rdtsc"
: "=a"(state.gpr.rax.dword),
"=d"(state.gpr.rdx.dword)
);
break;
case SyncHyperCall::kX86ReadTSCP:
state.gpr.rax.aword = 0;
state.gpr.rcx.aword = 0;
state.gpr.rdx.aword = 0;
asm volatile(
"rdtscp"
: "=a"(state.gpr.rax.dword),
"=c"(state.gpr.rcx.dword),
"=d"(state.gpr.rdx.dword)
);
break;
default:
__builtin_unreachable();
}
return mem;
}
Memory* IntrinsicTable::__remill_async_hyper_call(X86State &, addr_t, Memory *) {
abort();
}
Memory* IntrinsicTable::__remill_depizza(){
}
Memory* IntrinsicTable::__remill_compare_exchange_memory_32(
Memory *memory, addr_t addr, uint32_t &expected, uint32_t desired) {
expected = __sync_val_compare_and_swap(
reinterpret_cast<uint32_t *>(addr), expected, desired);
return memory;
}
Memory* IntrinsicTable::__remill_compare_exchange_memory_64(
Memory *memory, addr_t addr, uint64_t &expected, uint64_t desired) {
expected = __sync_val_compare_and_swap(
reinterpret_cast<uint64_t *>(addr), expected, desired);
return memory;
}
} // namespace remill
But the llvm::Function and Memory struct don't match. Is there code missing to convert memory to an instruction? There is no constructor for llvm::Function.
They should match declarations such as
llvm::Function * const atomic_begin;
llvm::Function * const atomic_end;
I am not sure what your code snippet is trying to achieve. I believe that what @pgoodman tried to say is that you can have a look at the definitions in remill/tests/X86/Run.cpp and create a runtime library from it, i.e. you would want to compile that to bitcode (or pass it as .c/.cpp during re-compilation).
So you can write something like
clang lifted.bc my_runtime.bc -o recompiled
Some intrinsics are easy to implement; however, __mcsema_attach_call may prove to be a bit tough (depending on what your goal is, you may be able to bypass it with the --explicit-args option of mcsema-lift).
You don't need to implement new things in the remill/mcsema code that "lifts things".
(Maybe it would be better to move this conversation to Slack?)
Hi Aiethel,
The above code is from remill/tests/X86/Run.cpp. I tried to overwrite the symbols from remill.lib, but indeed that might not be necessary. I will try tomorrow, it's evening here. On the Empire Hacking Slack there was very little activity.
Almost there, I have this code that is 64-bit assembly, incompatible with my 32-bit executable:
Memory *__remill_sync_hyper_call(
X86State &state, Memory *mem, SyncHyperCall::Name call) {
switch (call) {
case SyncHyperCall::kX86CPUID:
asm volatile(
"cpuid"
: "=a"(state.gpr.rax.aword),
"=b"(state.gpr.rbx.aword),
"=c"(state.gpr.rcx.aword),
"=d"(state.gpr.rdx.aword)
: "a"(state.gpr.rax.aword),
"b"(state.gpr.rbx.aword),
"c"(state.gpr.rcx.aword),
"d"(state.gpr.rdx.aword)
);
break;
case SyncHyperCall::kX86ReadTSC:
asm volatile(
"rdtsc"
: "=a"(state.gpr.rax.dword),
"=d"(state.gpr.rdx.dword)
);
break;
case SyncHyperCall::kX86ReadTSCP:
asm volatile(
"rdtscp"
: "=a"(state.gpr.rax.aword),
"=c"(state.gpr.rcx.aword),
"=d"(state.gpr.rdx.aword)
: "a"(state.gpr.rax.aword),
"c"(state.gpr.rcx.aword),
"d"(state.gpr.rdx.aword)
);
break;
default:
abort();
}
return mem;
}
How do I change this to 32 bit?
Error is:
run.cpp:160:18: error: invalid output size for constraint '=a'
: "=a"(state.gpr.rax.aword),
^
run.cpp:182:18: error: invalid output size for constraint '=a'
: "=a"(state.gpr.rax.aword),
^
You can find binary-lifting on Empire Hacking; it allows for more flexible communication than a GitHub issue.
Anyway, you say you want 32-bit code, but in the code snippet you use rax (and others) that are probably not present.
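Added example (not code from the remill/mcsema project or from anyone in this thread): a minimal stand-alone runtime, in the spirit of the "copy the definitions from Run.cpp" suggestion above, that supplies the intrinsics listed as unresolved in the LNK2019 errors and that builds for both 32-bit and 64-bit targets. The State, Memory, addr_t and SyncHyperCall types are simplified stand-ins for remill's own (an assumption; a real build includes remill's headers instead), and the code assumes clang or GCC (GNU inline asm and __atomic builtins). The fix for the "invalid output size for constraint '=a'" error is to bind every asm operand to the 32-bit .dword view of the register rather than the pointer-sized aword, because an "=a" operand must be exactly the register width of the target; the triple underscore in the link errors is the i386 cdecl prefix on a C-linkage `__remill_*` symbol, so the definitions have to be extern "C".

```cpp
// Added example, not remill/mcsema code: a minimal runtime for the intrinsics
// the linker reported unresolved, written to build with both -m32 and -m64.
// State, Memory, addr_t and SyncHyperCall are simplified stand-ins for remill's
// types (assumption). Needs clang or GCC (GNU inline asm, __atomic builtins).
#include <cstdint>
#include <cstdlib>

namespace remill {

typedef uintptr_t addr_t;  // pointer-sized, like remill's addr_t
struct Memory;             // opaque, as lifted code treats it

// On little-endian x86, dword is the low 32 bits of the 64-bit register.
union Reg { uint64_t qword; uint32_t dword; };
struct GPR { Reg rax, rbx, rcx, rdx; };
struct State { GPR gpr; };
struct SyncHyperCall { enum Name { kX86CPUID, kX86ReadTSC, kX86ReadTSCP }; };

#if defined(__i386__) || defined(__x86_64__)
constexpr bool kHaveX86Cpuid = true;
#define X86_INSN(...) __asm__ __volatile__(__VA_ARGS__)
#else  // keep the runtime compiling on a non-x86 host: outputs become zero
constexpr bool kHaveX86Cpuid = false;
#define X86_INSN(...) (eax = ebx = ecx = edx = 0)
#endif

// C linkage: lifted bitcode references plain "__remill_*" names; the 32-bit
// Windows cdecl underscore is what yields "___remill_*" in the LNK2019 lines.
extern "C" {

// Atomic region markers: nothing to do in a single-threaded runtime.
Memory *__remill_atomic_begin(Memory *memory) { return memory; }
Memory *__remill_atomic_end(Memory *memory) { return memory; }

// The 32-bit fix: bind every asm operand to the uint32_t .dword view.
// "=a"(uint32_t) is legal under -m32 and -m64; "=a" on a 64-bit aword is not.
Memory *__remill_sync_hyper_call(State &state, Memory *memory,
                                 SyncHyperCall::Name call) {
  uint32_t eax = state.gpr.rax.dword, ebx = state.gpr.rbx.dword;
  uint32_t ecx = state.gpr.rcx.dword, edx = state.gpr.rdx.dword;
  switch (call) {
    case SyncHyperCall::kX86CPUID:  // leaf in EAX, subleaf in ECX
      X86_INSN("cpuid" : "+a"(eax), "=b"(ebx), "+c"(ecx), "=d"(edx));
      state.gpr.rbx.qword = ebx; state.gpr.rcx.qword = ecx;
      break;
    case SyncHyperCall::kX86ReadTSC:
      X86_INSN("rdtsc" : "=a"(eax), "=d"(edx));
      break;
    case SyncHyperCall::kX86ReadTSCP:
      X86_INSN("rdtscp" : "=a"(eax), "=c"(ecx), "=d"(edx));
      state.gpr.rcx.qword = ecx;
      break;
    default:
      abort();  // unknown hyper call: fail loudly rather than run on silently
  }
  // All three write EAX and EDX; storing to qword zero-extends, as x86-64 does.
  state.gpr.rax.qword = eax; state.gpr.rdx.qword = edx;
  return memory;
}

// Interrupts and syscalls need an OS model this runtime does not provide.
Memory *__remill_async_hyper_call(State &, addr_t, Memory *) { abort(); }

// CMPXCHG semantics: on failure `expected` receives the value found in memory
// (lifted code then moves it to EAX); on success memory takes `desired`.
Memory *__remill_compare_exchange_memory_32(Memory *memory, addr_t addr,
                                            uint32_t &expected, uint32_t desired) {
  __atomic_compare_exchange_n(reinterpret_cast<uint32_t *>(addr), &expected,
                              desired, false, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
  return memory;
}

Memory *__remill_compare_exchange_memory_64(Memory *memory, addr_t addr,
                                            uint64_t &expected, uint64_t desired) {
  __atomic_compare_exchange_n(reinterpret_cast<uint64_t *>(addr), &expected,
                              desired, false, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);
  return memory;
}

}  // extern "C"

// Drive the runtime as lifted code would: CPUID leaf 0 returns the highest
// basic leaf in EAX, at least 1 on any CPU that has CPUID.
uint32_t CpuidMaxBasicLeaf() {
  State state{};
  __remill_sync_hyper_call(state, nullptr, SyncHyperCall::kX86CPUID);
  return state.gpr.rax.dword;
}

// One matched exchange, then a stale one that must fail and report the
// current memory value through `expected`.
bool CompareExchangeRoundTrip() {
  uint32_t cell = 5, expected = 5;
  __remill_compare_exchange_memory_32(nullptr, reinterpret_cast<addr_t>(&cell),
                                      expected, 9);
  bool ok = cell == 9 && expected == 5;
  expected = 1;
  __remill_compare_exchange_memory_32(nullptr, reinterpret_cast<addr_t>(&cell),
                                      expected, 42);
  return ok && cell == 9 && expected == 9;
}

}  // namespace remill
```

Build it as the runtime rather than as a program: `clang -m32 -emit-llvm -c runtime.cpp -o my_runtime.bc`, then link it with the lifted module as in the `clang lifted.bc my_runtime.bc -o recompiled` command above. Two caveats: the 64-bit compare-exchange under -m32 needs cmpxchg8b, so depending on -march the compiler may emit a libatomic call and you have to add -latomic; and this covers only the `__remill_*` intrinsics from the error list, not `__mcsema_attach_call` (the McSema call trampoline discussed above) or the missing `_WinMain@16` entry point.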
When I allow the failure, though, the program crashes a few bits further on. Ultimately I was able to make it to a point where it fails on an assertion inside LLVM saying that a variable type mismatches. However, for that to happen I referred to an access violation skipper.
Here is the CFG file I used (you also need to patch the SetTotalBytesLimit call to INT_MAX to read the protobuf stream, and you also need at least 100 GB of RAM).
Here is the full output with only the SetTotalBytesLimit patched:
OS is Windows and arch is x86.
Also, maybe there is some way to skip this function, since it's part of a library that I can probably relink later.