rizinorg / cutter

Free and Open Source Reverse Engineering Platform powered by rizin
https://cutter.re
GNU General Public License v3.0

Crash when analyzing XAP file #3379

Closed mirh closed 1 month ago

mirh commented 1 month ago

Environment information

To Reproduce

Steps to reproduce the behavior:

  1. Open this file
  2. Set architecture to xap
  3. Do any sort of analysis

Additional context

Critical error detected c0000374
cutter.exe caused an Unknown [0xC0000374] Exception at location 00007FFBCF68F349 in module ntdll.dll.

AddrPC           Params
00007FFBCF68F349 00007FFB8D35E9E0 0000008A1B6FB940 00007FFBCF6CE450  ntdll.dll!RtlReportFatalFailure+0x9
00007FFBCF68F313 0000000000000000 00007FFBCF6F97F0 0000000000000003  ntdll.dll!RtlReportCriticalFailure+0x97
00007FFBCF698092 0000000000000003 0000000000000000 000001B1EBAF0000  ntdll.dll!RtlpHeapHandleError+0x12
00007FFBCF69837A 000001B1EBAF0000 000001B1EBAF0000 0000000000000010  ntdll.dll!RtlpHpHeapHandleError+0x7a
00007FFBCF69E001 0000000000000000 0000000000000010 0000000000000003  ntdll.dll!RtlpLogHeapFailure+0x45
00007FFBCF637442 000001B1F437D280 000001B1EBAF0000 000001B1F3B57901  ntdll.dll!RtlpFreeHeapInternal+0x81d32
00007FFBCF5B47B1 000001B1F3AE8B70 0000000000000000 0000000000000000  ntdll.dll!RtlFreeHeap+0x51
00007FFBCD44F05B 0000008A1B6F9EB0 00007FFB00000000 000001B1F3B57980  ucrtbase.dll!_free_base+0x1b
00007FFBA6E7360B 000001B1F3553C80 0000000000000000 000001B1F3553C80  rz_debug-0.7.dll!rz_debug_set_arch+0xab
00007FFB7F1D9C50 000001B1F4E45640 0000000000000000 000001B1F3A34D30  rz_core-0.7.dll!rz_core_sym_name_init+0x2b70
00007FFBC3BD2239 000001B1FC961010 0000000000000012 000001B1F3553C80  rz_config-0.7.dll!rz_config_set_i+0x1a9
00007FFB7F20C0EC 000001B1F3553C80 000001B1FC961010 0000000000000012  rz_core-0.7.dll!rz_core_syscall_as_string+0x196c
00007FFB7F219A23 000001B1FC678310 0000000000000020 0000008A1B6FA2B0  rz_core-0.7.dll!rz_core_print_disasm+0xab3
00007FF688B319B4 000001B1F42FE1A0 00007FFB6C460020 000001B100000005  cutter.exe!CutterJson::last+0xbe64
00007FF688B3312A 000001B1FE0F8750 000001B1FA62FF10 000001B1FE0F8750  cutter.exe!CutterJson::last+0xd5da
00007FF688B32A71 000001B1FE0F8750 0000000000000000 0000008A1B6FA619  cutter.exe!CutterJson::last+0xcf21
00007FFB6C35C1E0 000001B1F3ACAE01 000001B1FD8587A0 0000000000000000  Qt5Core.dll!QObject::qt_static_metacall+0x1330
00007FFB8D044FC3 000001B1FD8587A0 000001B1FE0FA801 0000000000000000  Qt5Widgets.dll!QDockWidget::visibilityChanged+0x33
00007FFB8D0465C3 00000014000000F8 000001B1F3ACA8C0 000001B1F3ACAE60  Qt5Widgets.dll!QDockWidgetLayout::wmSupportsNativeWindowDeco+0x1583
00007FFB8D074279 000001B1F3ACA8C0 000001B1FE181380 0000000000000000  Qt5Widgets.dll!QStatusBar::tr+0x659
00007FFB6C35C21D 0000000000000001 0000000000000002 0000000000000001  Qt5Core.dll!QObject::qt_static_metacall+0x136d
00007FFB8D0D0A20 0000000000000002 000001B1FD8587A0 0000008A1B6FB200  Qt5Widgets.dll!QTabBar::setCurrentIndex+0x180
00007FFB8D050DE2 000001B1F340C800 000001B1F3ACA8C0 000001B1F39C2B18  Qt5Widgets.dll!QDockWidgetLayout::wmSupportsNativeWindowDeco+0xbda2
00007FFB8D041928 000001B1EBB1B100 000001B1EBB1BEB0 000001B1FD8587A0  Qt5Widgets.dll!QDockWidget::event+0x228
00007FFB8CF4797A 00007FFB8CF30000 0000008A1B6FAB30 0000008A1B6FB200  Qt5Widgets.dll!QApplicationPrivate::notify_helper+0x13a
00007FFB8CF469D7 000000000000007C 0000008A1B6FB200 000001B1FE1BA340  Qt5Widgets.dll!QApplication::notify+0x1ae7
00007FFB6C33C669 000000000000007C 0000000000000098 000000000000007C  Qt5Core.dll!QCoreApplication::notifyInternal2+0xb9
00007FFB8CF75111 000001B1FE1BA340 000001B1FD8587A0 0000008A1B6FB340  Qt5Widgets.dll!QWidget::raise+0x1d1
00007FF688B5B633 0000000000000000 000001B1FC0B1880 0000000000000000  cutter.exe!MainWindow::setViewLayout+0x743
00007FF688B4F318 000001B100000002 000001B1F431C590 000001B1EBB47F70  cutter.exe!MainWindow::finalizeOpen+0x2e8
00007FFB6C365844 000001B1F340C800 000001B1FA74C780 0000000000000000  Qt5Core.dll!QMetaCallEvent::placeMetaCall+0x34
00007FFB6C363F93 0000000000000000 0000000000000000 0000C48F00000000  Qt5Core.dll!QObject::event+0x183
00007FFB8CF6D43F 000001B1EBB1B100 000001B1F340C800 000001B1F340C800  Qt5Widgets.dll!QWidget::event+0xf1f
00007FFB8CF4797A 00007FFB8CF30000 0000008A1B6FBA40 000001B1F49339F0  Qt5Widgets.dll!QApplicationPrivate::notify_helper+0x13a
00007FFB8CF469D7 000001B1F49339F0 000001B1F49339F0 FFFFFFFFFFFFFFFE  Qt5Widgets.dll!QApplication::notify+0x1ae7
00007FFB6C33C669 000001B1F4933970 0000000000000000 000001B1F49339F0  Qt5Core.dll!QCoreApplication::notifyInternal2+0xb9
00007FFB6C33E39E 000001B1F49339F0 0000000000000000 000001B1EBB786D0  Qt5Core.dll!QCoreApplicationPrivate::sendPostedEvents+0x22e
00007FFB98526D8F 0000000000000000 0000000000000000 000001B1EBB17F78  qwindows.dll!qt_plugin_query_metadata+0x20af
00007FFB6C387830 000001B1EBB786D0 0000000000000000 000001B1EBB1B100  Qt5Core.dll!QEventDispatcherWin32::processEvents+0x70
00007FFB98526D69 0000000000000000 0000000000000014 000001B1FC1C0310  qwindows.dll!qt_plugin_query_metadata+0x2089
00007FFB6C33861B 000001B1EBB26B78 0000000000000000 00007FF688CA8E20  Qt5Core.dll!QEventLoop::exec+0x1db
00007FFB6C33B5DB 00007FF688CA8E20 000001B1EBB1B600 00007FFB00000004  Qt5Core.dll!QCoreApplication::exec+0x14b
00007FF688B01B2A 0000000000000001 0000000000000000 000001B1EBB45720  cutter.exe!AddressableItemContextMenu::xrefsTriggered+0x41a
00007FF688C801D7 0000000000000000 0000000000000000 0000000000000000  cutter.exe!PyInit_CutterBindings+0x2b0d7
00007FF688C7F7A2 0000000000000000 0000000000000000 0000000000000000  cutter.exe!PyInit_CutterBindings+0x2a6a2
00007FFBCDC17344 0000000000000000 0000000000000000 0000000000000000  KERNEL32.DLL!BaseThreadInitThunk+0x14
00007FFBCF5E26B1 0000000000000000 0000000000000000 0000000000000000  ntdll.dll!RtlUserThreadStart+0x21
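The stack dump above is the usual first lead when triaging a report like this one. As an added example (not code from Cutter or rizin), the Python script below parses that dump format (the `AddrPC  Params  module!symbol+offset` lines and the `[0xC0000374] Exception` header), maps the exception code to its NT status name, and reports the first frame outside the Windows runtime modules, which is where a heap-corruption report should be looked at first. Run against the trace in the report it points at `rz_debug_set_arch`, the caller of `free()` when `RtlFreeHeap` raised the failure. The embedded trace is a constructed excerpt of the report, and the list of runtime modules is an assumption of the script.

```python
"""Triage helper for a Windows crash stack dump of the kind pasted above.

Added example, not part of Cutter or rizin.  It parses each frame and
reports the first frame that lies outside the runtime/heap modules.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the trace from the report (header and top frames).
SAMPLE_TRACE = """\
Critical error detected c0000374
cutter.exe caused an Unknown [0xC0000374] Exception at location 00007FFBCF68F349 in module ntdll.dll.

AddrPC           Params
00007FFBCF68F349 00007FFB8D35E9E0 0000008A1B6FB940 00007FFBCF6CE450  ntdll.dll!RtlReportFatalFailure+0x9
00007FFBCF637442 000001B1F437D280 000001B1EBAF0000 000001B1F3B57901  ntdll.dll!RtlpFreeHeapInternal+0x81d32
00007FFBCF5B47B1 000001B1F3AE8B70 0000000000000000 0000000000000000  ntdll.dll!RtlFreeHeap+0x51
00007FFBCD44F05B 0000008A1B6F9EB0 00007FFB00000000 000001B1F3B57980  ucrtbase.dll!_free_base+0x1b
00007FFBA6E7360B 000001B1F3553C80 0000000000000000 000001B1F3553C80  rz_debug-0.7.dll!rz_debug_set_arch+0xab
00007FFB7F1D9C50 000001B1F4E45640 0000000000000000 000001B1F3A34D30  rz_core-0.7.dll!rz_core_sym_name_init+0x2b70
"""

# One frame: 16-hex-digit PC, three 16-hex-digit params, then module!symbol+0xoffset.
FRAME_RE = re.compile(
    r"^(?P<pc>[0-9A-Fa-f]{16})\s+"
    r"(?P<params>(?:[0-9A-Fa-f]{16}\s+){3})"
    r"(?P<module>[^!\s]+)!(?P<symbol>[^+\s]+)\+0x(?P<offset>[0-9A-Fa-f]+)\s*$"
)
EXCEPTION_RE = re.compile(r"\[0x(?P<code>[0-9A-Fa-f]{8})\] Exception")

# Assumed set of Windows runtime modules to skip when looking for the culprit.
SYSTEM_MODULES = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "ucrtbase.dll", "msvcrt.dll"}

# NT status codes that commonly show up in such reports.
STATUS_NAMES = {
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
}


@dataclass(frozen=True)
class Frame:
    pc: int
    params: tuple
    module: str
    symbol: str
    offset: int


def parse_frames(text):
    """Return the list of Frame objects found in the dump, skipping other lines."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # header, blank line or free text
        params = tuple(int(p, 16) for p in m.group("params").split())
        frames.append(Frame(int(m.group("pc"), 16), params, m.group("module"),
                            m.group("symbol"), int(m.group("offset"), 16)))
    return frames


def parse_exception_code(text):
    """Extract the NT status code from the '[0x...] Exception' header, or None."""
    m = EXCEPTION_RE.search(text)
    return int(m.group("code"), 16) if m else None


def first_app_frame(frames):
    """First frame not belonging to a runtime module: the usual triage start point."""
    for f in frames:
        if f.module.lower() not in SYSTEM_MODULES:
            return f
    return None


def heap_free_in_trace(frames):
    """True if the failure was raised while freeing heap memory."""
    return any(f.symbol in ("RtlFreeHeap", "_free_base", "free") for f in frames)


def summarize(text):
    """Build a small triage summary dict for a dump."""
    frames = parse_frames(text)
    code = parse_exception_code(text)
    culprit = first_app_frame(frames)
    return {
        "exception": STATUS_NAMES.get(code, "unknown") if code is not None else None,
        "frames": len(frames),
        "heap_free": heap_free_in_trace(frames),
        "culprit": f"{culprit.module}!{culprit.symbol}+0x{culprit.offset:x}" if culprit else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

The `culprit` field is only a starting point: with heap corruption the free that trips the check is often not the code that damaged the heap, so the next step is to rerun under a page-heap or ASan build and compare with the same steps in plain rizin.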

wargio commented 1 month ago

We do not even support it as a format. Edit: I just noticed that it is an arch, not a format.

XVilka commented 1 month ago

We support the XAP architecture. I opened it directly with Rizin and it's indeed quite broken, though it doesn't crash:

[0x00000a20]> pdf
     ╎╎╎╎   ; CALL XREF from fcn.00000a20 @ +0x20
╭ fcn.00000a20();
│    ╎╎╎╎   0x00000a20      1400           ld
│    ╎╎╎╎   0x00000a22      35e0           add
│    ╎╎╎╎   0x00000a24      846a           cmp
│    ╎╎╎╎   0x00000a26      0002
│   ╭─────< 0x00000a28      f858           bcc
│   │╎╎╎╎   0x00000a2a      19e1           ld
│   │╎╎╎╎   0x00000a2c      0076
│   │╎╎╎╎   0x00000a2e      1a47           ld
│   │╎╎╎╎   0x00000a30      09fe           brx
..
    │ ╎╎╎   ; CALL XREF from fcn.000009f2 @ 0x9fe
    │ ╎╎╎   ; CALL XREF from fcn.000009f2 @ 0xa18
    │ ╎╎╎   ; CALL XREF from fcn.000009ac @ 0x9d2
│  │ │ ╎╎   ; CALL XREF from fcn.00000a4e @ 0xa5a
    │ │╎╎   ; CALL XREF from fcn.000009f2 @ 0xa0e
│   ╰─────> 0x00000a82      b5e0           or
│     ││╎   0x00000a84      0005
│     ││╎   0x00000a86      2539           st
│     ││╎   ; CALL XREF from fcn.00000a20 @ 0xa90
│     ││╎   0x00000a88      0005
│     ││╎   0x00000a8a      140f           ld
│     ││╎   0x00000a8c      0001
│     ││╎   0x00000a8e      0039
│     ││╎   0x00000a90      9cf6           bsr
│     ││╎   0x00000a92      0002
│     ││╭─< 0x00000a94      e022           bra
..
│     │││   ; CODE XREF from fcn.00000a4e @ 0xa62
│      ││   ; CODE XREF from fcn.00000a6c @ 0xa70
│      ││   ; CODE XREF from fcn.00000a20 @ 0xa94
│      │╰─> 0x00000abc      007a
│      │    0x00000abe      9c48           bsr                         ; fcn.00000b08
│      │    0x00000ac0      1318           ld
╰      ╰──> 0x00000ac2      3002           add
[0x00000a20]>

XVilka commented 1 month ago

It doesn't crash now, but there are a few missing opcodes left: https://github.com/rizinorg/rizin/issues/4661