Open pmondon opened 2 years ago
Hey @pmondon, happy to triage this. Would you be willing to share the .exe? We can also incorporate this scenario as a test case for the project, if you're OK with it.
Hi, I used one of the examples from the repository, compiled with Visual Studio. I also created a really simple program (yes, malloc 100 is arbitrary and not beautiful, I know): simple_encoder.zip
Great test case! vivisect fails to resolve the imports, so we cannot hook them:
TRACE: floss.api_hooks: prehook: 0x140001082 call qword [rip + 4128]
TRACE: floss.api_hooks: apicall: 0x415c300f call qword [rip + 4128] ('int', None, 'msx64call', 'UnknownApi', ()) []
DEBUG: EmulatorDriver: driver hook API call NOT handled: UnknownApi
Compare to IDA:
.text:000000014000107A 48 8B D9 mov rbx, rcx
.text:000000014000107D B9 64 00 00 00 mov ecx, 64h ; 'd' ; Size
.text:0000000140001082 FF 15 20 10 00 00 call cs:malloc
.text:0000000140001088 48 8B F8 mov rdi, rax
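The mismatch in the comment above, worked through as an added example (not code from the thread or from FLOSS/vivisect): it decodes the `FF 15` call from the IDA listing, computes the pointer slot the instruction reads, and shows how the same call is named or falls back to `UnknownApi` depending on whether that slot is present in an import map. The function names and both import maps are assumptions constructed for illustration.

```python
import struct

def decode_rip_call(va, insn):
    """Decode `call qword [rip+disp32]` (opcode FF 15); return (disp, slot)."""
    if len(insn) != 6 or insn[:2] != b"\xff\x15":
        raise ValueError("not an FF 15 disp32 indirect call")
    (disp,) = struct.unpack("<i", insn[2:])  # signed little-endian disp32
    # RIP-relative operands are based on the address of the *next* instruction.
    return disp, va + len(insn) + disp

def resolve_call(va, insn, import_map):
    """Name the call target from a slot->name map; unknown slots stay unnamed.

    Hypothetical helper: it models the lookup an API hook depends on, it is
    not how FLOSS or vivisect implement it.
    """
    _, slot = decode_rip_call(va, insn)
    return import_map.get(slot, "UnknownApi")

# Address and bytes taken from the IDA listing in the thread.
CALL_VA = 0x140001082
CALL_BYTES = bytes.fromhex("FF 15 20 10 00 00")

# Constructed import maps (slot address -> name), for illustration only.
IMPORTS_RESOLVED = {0x1400020A8: "malloc"}  # slot is known to the analysis
IMPORTS_MISSING = {}                        # import resolution failed

if __name__ == "__main__":
    disp, slot = decode_rip_call(CALL_VA, CALL_BYTES)
    print(f"disp={disp} slot={slot:#x}")
    print("resolved map:", resolve_call(CALL_VA, CALL_BYTES, IMPORTS_RESOLVED))
    print("missing map: ", resolve_call(CALL_VA, CALL_BYTES, IMPORTS_MISSING))
```

The displacement decodes to 4128, matching the `[rip + 4128]` in the trace, so the emulator and IDA agree on the instruction and differ only in whether the slot has a name.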
I used the standalone version of FLOSS as described in the documentation and it is not able to decode strings. I just set up a main and a function that XORs using a simple 0x80 byte, and it doesn't retrieve it; whether it is on the stack or the heap, it doesn't work. Even taking the code from the test sample creates the same result. Version used: floss.exe 1.7.0-alpha1