Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x86 Emulation crash on reading CR8 register #1495

Open
cyril-t-f opened this issue Sep 27, 2024 · 6 comments
Open

x86 Emulation crash on reading CR8 register #1495

cyril-t-f opened this issue Sep 27, 2024 · 6 comments

Comments

@cyril-t-f
Copy link

cyril-t-f commented Sep 27, 2024
edited
Loading

Hello,

My x86 emulation crash whenever it tries to load mscoree.dll, it happens that's the first dll where the DllMain is actually called and when it's called it tries to save the cr8 register but reading this register crash the Unicorn engine:

def main() -> None:
    ql = qiling.Qiling(
        ["[...]/x.exe"],
        "./rootfs/x86_windows",
        ostype=qiling.core.QL_OS.WINDOWS,
        archtype=qiling.core.QL_ARCH.X86,
        verbose=qiling.core.QL_VERBOSE.DEBUG,
    )
    print(ql)
[=]     Calling mscoree.dll DllMain at 0x1026f100
Traceback (most recent call last):
[...]
  File "[...]\venv\lib\site-packages\unicorn\unicorn_py3\unicorn.py", line 381, in _reg_read
    raise UcError(status, reg_id)
unicorn.unicorn_py3.unicorn.UcError: Invalid argument (UC_ERR_ARG)

What's happen is that the reg_map_cr in x86_const.py contains the cr8register id:

reg_map_cr = {
    "cr0": UC_X86_REG_CR0,
    "cr1": UC_X86_REG_CR1,
    "cr2": UC_X86_REG_CR2,
    "cr3": UC_X86_REG_CR3,
    "cr4": UC_X86_REG_CR4,
    "cr8": UC_X86_REG_CR8
}

But in Unicorn, in the reg_read function, the UC_X86_REG_CR8 case doens't exist thus it returns an error:

    case UC_MODE_32:
        switch (regid) {
        default:
            break;
        case UC_X86_REG_CR0:
        case UC_X86_REG_CR1:
        case UC_X86_REG_CR2:
        case UC_X86_REG_CR3:
        case UC_X86_REG_CR4:
            CHECK_REG_TYPE(int32_t);
            *(int32_t *)value = env->cr[regid - UC_X86_REG_CR0];
            break;
        case UC_X86_REG_DR0:

I managed to quick fixed it by removing the cr8 line:

reg_map_cr = {
    "cr0": UC_X86_REG_CR0,
    "cr1": UC_X86_REG_CR1,
    "cr2": UC_X86_REG_CR2,
    "cr3": UC_X86_REG_CR3,
    "cr4": UC_X86_REG_CR4,
}

Thanks!
@cyril-t-f cyril-t-f changed the title x86 Emulation crash on reading CR8 registers rom x86 emulation x86 Emulation crash on reading CR8 register Sep 27, 2024
@elicn
Copy link
Member

elicn commented Sep 29, 2024

This is caused by recent changes in Unicorn.
Suggesting to revert Unicorn version for now, till it gets fixed.

@cyril-t-f
Copy link
Author

Thanks for the response.

@shiguowang
Copy link

shiguowang commented Oct 8, 2024
edited
Loading

@elicn Thank you for your help, and do we have methods to force unicorn downgrade by change source code? I also encountered this problem when using the latest code from the branch dev.It may cause confusion for those who are new to using qiling.Just my personal suggestion.

I solved this problem by this method:

pip install --force-reinstall -v "unicorn==2.0.1.post1"

both unicorn 2.1.1 and 2.1.0 are not work.

@shiguowang
Copy link

Unable to run example
image

@elicn
Copy link
Member

elicn commented Oct 8, 2024

You should revert to Unicorn 2.0.1-post

@shiguowang
Copy link

You should revert to Unicorn 2.0.1-post

Thanks for the response, I will use this version.

@elicn elicn linked a pull request Oct 10, 2024 that will close this issue
Adjust Qiling to comply with latest changed in Unicorn 2.1.2 #1499
Open
@elicn elicn mentioned this issue Oct 10, 2024
Open
@elicn elicn removed a link to a pull request Oct 10, 2024
Adjust Qiling to comply with latest changed in Unicorn 2.1.2 #1499
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@shiguowang @elicn @cyril-t-f