qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0

x86 Emulation crash on reading CR8 register #1495

Open cyril-t-f opened 2 weeks ago

cyril-t-f commented 2 weeks ago

Hello,

My x86 emulation crashes whenever it tries to load mscoree.dll. It happens that this is the first DLL whose DllMain is actually called, and when it's called it tries to save the cr8 register, but reading this register crashes the Unicorn engine:

import qiling  # needed for qiling.Qiling and the qiling.core constants used below


def main() -> None:
    ql = qiling.Qiling(
        ["[...]/x.exe"],
        "./rootfs/x86_windows",
        ostype=qiling.core.QL_OS.WINDOWS,
        archtype=qiling.core.QL_ARCH.X86,
        verbose=qiling.core.QL_VERBOSE.DEBUG,
    )
    print(ql)

[=]     Calling mscoree.dll DllMain at 0x1026f100
Traceback (most recent call last):
[...]
  File "[...]\venv\lib\site-packages\unicorn\unicorn_py3\unicorn.py", line 381, in _reg_read
    raise UcError(status, reg_id)
unicorn.unicorn_py3.unicorn.UcError: Invalid argument (UC_ERR_ARG)

What happens is that the reg_map_cr in x86_const.py contains the cr8 register id:

reg_map_cr = {
    "cr0": UC_X86_REG_CR0,
    "cr1": UC_X86_REG_CR1,
    "cr2": UC_X86_REG_CR2,
    "cr3": UC_X86_REG_CR3,
    "cr4": UC_X86_REG_CR4,
    "cr8": UC_X86_REG_CR8
}

But in Unicorn, in the reg_read function, the UC_X86_REG_CR8 case doesn't exist, so it returns an error:

    case UC_MODE_32:
        switch (regid) {
        default:
            break;
        case UC_X86_REG_CR0:
        case UC_X86_REG_CR1:
        case UC_X86_REG_CR2:
        case UC_X86_REG_CR3:
        case UC_X86_REG_CR4:
            CHECK_REG_TYPE(int32_t);
            *(int32_t *)value = env->cr[regid - UC_X86_REG_CR0];
            break;
        case UC_X86_REG_DR0:

I managed to quickly fix it by removing the cr8 line:

reg_map_cr = {
    "cr0": UC_X86_REG_CR0,
    "cr1": UC_X86_REG_CR1,
    "cr2": UC_X86_REG_CR2,
    "cr3": UC_X86_REG_CR3,
    "cr4": UC_X86_REG_CR4,
}

Thanks!
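The failure described in this report comes from a register map that is ahead of what the emulation backend supports in 32-bit mode. The following is an added example (not Qiling's or Unicorn's own code) showing a defensive way to handle that: probe each control register through the backend's reader, record the ones it rejects, and build a trimmed map at runtime instead of letting one unsupported register abort emulation. The helper names `probe_control_registers` and `safe_control_register_map` are my own; `main()` assumes the `unicorn` package is installed and uses its real `Uc`, `reg_read`, `UcError` and `x86_const` names.

```python
"""Probe which x86 control registers the installed Unicorn build can read
in 32-bit mode, rather than assuming Qiling's reg_map_cr is complete.
Added example; not Qiling's or Unicorn's own code."""
from typing import Callable, Dict, Tuple

# Register names taken from Qiling's reg_map_cr as quoted in the issue.
CONTROL_REGISTER_NAMES = ("cr0", "cr1", "cr2", "cr3", "cr4", "cr8")


def probe_control_registers(
    reg_read: Callable[[int], int],
    reg_ids: Dict[str, int],
    error_types: Tuple[type, ...] = (Exception,),
) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Try to read every register in reg_ids; return (readable, unsupported).

    reg_read is the backend's register reader (Uc.reg_read for Unicorn) and
    error_types the exception type(s) it raises for an unknown register
    (unicorn.UcError). A failed read is recorded with its message instead of
    being re-raised, so a map entry the engine lacks (cr8 here) is reported
    rather than crashing the caller.
    """
    readable: Dict[str, int] = {}
    unsupported: Dict[str, str] = {}
    for name, reg_id in reg_ids.items():
        try:
            readable[name] = reg_read(reg_id)
        except error_types as exc:
            unsupported[name] = str(exc)
    return readable, unsupported


def safe_control_register_map(
    reg_read: Callable[[int], int],
    reg_ids: Dict[str, int],
    error_types: Tuple[type, ...] = (Exception,),
) -> Dict[str, int]:
    """Return a copy of reg_ids with the registers the backend rejects removed.
    This is the runtime equivalent of the manual edit shown in the issue."""
    readable, _ = probe_control_registers(reg_read, reg_ids, error_types)
    return {name: reg_ids[name] for name in readable}


def main() -> None:
    # Assumes the unicorn package is installed; the names below are Unicorn's own API.
    import unicorn
    from unicorn import x86_const

    reg_ids = {
        name: getattr(x86_const, f"UC_X86_REG_{name.upper()}")
        for name in CONTROL_REGISTER_NAMES
    }
    uc = unicorn.Uc(unicorn.UC_ARCH_X86, unicorn.UC_MODE_32)
    readable, unsupported = probe_control_registers(
        uc.reg_read, reg_ids, (unicorn.UcError,)
    )
    version = getattr(unicorn, "__version__", "unknown")
    print(f"unicorn {version}: readable={sorted(readable)} unsupported={unsupported}")


if __name__ == "__main__":
    main()
```

Run it once against the Unicorn build in your virtualenv: a build affected by this report lists cr8 under `unsupported` with the same `UC_ERR_ARG` message seen in the traceback, which makes the version mismatch visible before a DllMain call trips over it.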

elicn commented 2 weeks ago

This is caused by recent changes in Unicorn. Suggesting to revert Unicorn version for now, till it gets fixed.

cyril-t-f commented 2 weeks ago

Thanks for the response.

shiguowang commented 6 days ago

@elicn Thank you for your help, and do we have methods to force a unicorn downgrade by changing the source code? I also encountered this problem when using the latest code from the dev branch. It may cause confusion for those who are new to using qiling. Just my personal suggestion.

I solved this problem by this method:

pip install --force-reinstall -v "unicorn==2.0.1.post1"

Neither unicorn 2.1.1 nor 2.1.0 works.

shiguowang commented 6 days ago

Unable to run example image

elicn commented 6 days ago

You should revert to Unicorn 2.0.1-post

shiguowang commented 6 days ago

You should revert to Unicorn 2.0.1-post

Thanks for the response, I will use this version.