DEFCON Magic Errors

[bannsec]

Attempting to run the binaries from the magic challenge from this past DEFCON, manticore does not get past the initial loader and never hits the main binary itself.

================ PROC: 00 ================
Memory:
  0000555555554000-0000555555556000  r x 00000000 3fd8e067af6a7164f64451916885b11b9f909ad18d189575373f17becbc0da81
  0000555555755000-0000555555757000  rw  00001000 3fd8e067af6a7164f64451916885b11b9f909ad18d189575373f17becbc0da81
  00007fffffd51000-00007fffffddb000  r x 00000000 /lib/ld-musl-x86_64.so.1
  00007ffffffda000-00007ffffffdb000  rw  00000000
  00007ffffffdb000-00007ffffffdf000  rw  00000000
  00007ffffffdf000-0000800000000000  rwx 00000000
CPU:
Instruction: 0x00007fffffd72637:    mov rcx, qword ptr [rdi]
RAX: 0x0000000000000001
RCX: 0xfffffffffffff000
RDX: 0x0000000000000000
RBX: 0x00007ffffffdbcc0
RSP: 0x00007ffffffff938
RBP: 0x0000000000000000
RSI: 0x00007ffffffff940
RDI: 0x0000000000000000
 R8: 0xffffffffffffffff
 R9: 0x0000000062696c01
R10: 0x0000000000000000
R11: 0x0000000000000000
R12: 0x0000000000000040
R13: 0x00007ffffffffe6e
R14: 0x0000000000000000
R15: 0x0000000082037bf8
RIP: 0x00007fffffd7263a
EFLAGS: 0x0000000000000044
CF: 0
SF: 0
ZF: 1
OF: 0
AF: 0
PF: 1
IF: 0
DF: 0
CS: 0, fffff000 (rwx)
DS: 0, fffff000 (rwx)
ES: 0, fffff000 (rwx)
SS: 0, fffff000 (rwx)
FS: 7ffffffdc088, 4000 (rw)
GS: 0, fffff000 (rwx)
FP0: (0, 0)
FP1: (0, 0)
FP2: (0, 0)
FP3: (0, 0)
FP4: (0, 0)
FP5: (0, 0)
FP6: (0, 0)
FP7: (0, 0)
TOP: 0
  Instruction: 0x7fffffd72637   (mov rcx, qword ptr [rdi])

[saelo]

I ran into the same issue and made some fixes: https://github.com/trailofbits/manticore/pull/215 https://github.com/trailofbits/manticore/pull/216 https://github.com/trailofbits/manticore/pull/217 https://github.com/trailofbits/manticore/pull/218 With those PRs the binary works at least with a debug build of the musl libc (./configure --enable-debug && sudo make install)

[dguido]

We merged all those PRs so it should work with musl now!

Is there a new issue with non-musl libc's that we should fix? I don't know the exact details of this challenge.

[saelo]

It still doesn't work for the version of musl provided by the Ubuntu repos (but does work for a version compiled from the current source tree). Apparently the cvtsi2ss instruction is emulated incorrectly. I'm working on a fix. Nothing else should be required for manticore to solve the challenge.

[saelo]

It should work once this PR is merged into Unicorn: https://github.com/unicorn-engine/unicorn/pull/819 As a temporary workaround we could read both YMM and XMM registers back from Unicorn.

[offlinemark]

This should now be totally fixed.