
Emu start failed after i use UniPE run PE file(32). #3

Open
LakerMoon opened this issue Dec 29, 2021 · 3 comments

Comments

@LakerMoon

"Loading Address: CCCCCCCC"?
Why is "CCCCCCCC" in reg_eip, and why did the hook Segment error occur?
Please help me.

FS : 020C4000
Stack : 03FB0000
Stack Region : 03FB0000 - 040B0000
Loading Address: CCCCCCCC
Image Size : CCCCCCCC
Image Region : CCCCCCCC - 99999998

0xCCCCCCCC Missing memory at 0xCCCCCCCC, data size = 1, data value = 0x0
EAX=00000000 EBX=00000000 ECX=00000000 EDX=00000000 ESI=00000000
EDI=00000000 EBP=00000000 ESP=040AFFE0 EIP=CCCCCCCC o d I s Z a P c

Failed on uc_emu_start() with error returned 8: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED)
EAX=00000000 EBX=00000000 ECX=00000000 EDX=00000000 ESI=00000000
EDI=00000000 EBP=00000000 ESP=040AFFE0 EIP=CCCCCCCC o d I s Z a P c

@pgarba
Owner

pgarba commented Dec 29, 2021 via email

Hi, this is more a PoC and I didn't look into it for a long time. I can recommend you to use Qiling, as they basically reimplemented this idea in a really nice framework.

@LakerMoon
Author

Emmm, I know it. I just wrote a PoC and loading the PE is OK, but emu start always fails with:
READ on unmapped memory
FETCH on unmapped memory

@LakerMoon
Author

I can use it to emulate a PE file.
Please, I just want to ask some questions:

  1. Does it have to map DLL memory and parse imports to emulate a complete PE file, for example an .exe?
  2. I noticed that the value of FS in the setup Segment Regs is the handle of the current thread. In other implementations of PE emulation, FS is a custom value. Why?
  3. When I try to comment out the hook imports part and just simply emulate, why do I get an error?
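A pre-flight check for the memory layout printed in the report above, added here as an example and not part of UniPE, Unicorn or Qiling: it parses the pasted banner (embedded as a constructed sample, so it runs without an emulator installed) and flags what those values show, namely that base and size both carry 0xCCCCCCCC, the fill MSVC debug builds write into uninitialised stack memory, that the image region end has wrapped below its start, and that EIP points outside every mapped region, which is the condition Unicorn reports as UC_ERR_FETCH_UNMAPPED.

```python
import re

# Constructed sample: the loader banner and register dump pasted in the issue.
SAMPLE_LOG = """\
FS : 020C4000
Stack : 03FB0000
Stack Region : 03FB0000 - 040B0000
Loading Address: CCCCCCCC
Image Size : CCCCCCCC
Image Region : CCCCCCCC - 99999998
EAX=00000000 EBX=00000000 ECX=00000000 EDX=00000000 ESI=00000000
EDI=00000000 EBP=00000000 ESP=040AFFE0 EIP=CCCCCCCC
"""

# Fill values MSVC debug builds leave in memory that was never written: 0xCC (stack),
# 0xCD (fresh heap block), 0xFEEEFEEE (freed heap), 0xBAADF00D (LocalAlloc). A base
# or size equal to one of these means the loader never filled the field in.
FILL_PATTERNS = {0xCCCCCCCC, 0xCDCDCDCD, 0xFEEEFEEE, 0xBAADF00D}


def parse_banner(text):
    """Pull mapped regions, registers, image base and image size out of the banner."""
    regions = {}
    for m in re.finditer(r"^(\w+) Region\s*:\s*([0-9A-Fa-f]+)\s*-\s*([0-9A-Fa-f]+)", text, re.M):
        regions[m.group(1).lower()] = (int(m.group(2), 16), int(m.group(3), 16))
    regs = {k: int(v, 16) for k, v in re.findall(r"\b(E[A-Z]{2})=([0-9A-Fa-f]{8})", text)}
    base = int(re.search(r"Loading Address\s*:\s*([0-9A-Fa-f]+)", text).group(1), 16)
    size = int(re.search(r"Image Size\s*:\s*([0-9A-Fa-f]+)", text).group(1), 16)
    return {"regions": regions, "regs": regs, "base": base, "size": size}


def check_setup(state):
    """Return the problems found; an empty list means EIP sits inside mapped memory."""
    problems = []
    for name, value in (("image base", state["base"]), ("image size", state["size"])):
        if value in FILL_PATTERNS:
            problems.append(f"{name} 0x{value:08X} is an uninitialised-memory fill pattern")
    for name, (lo, hi) in state["regions"].items():
        # 0xCCCCCCCC + 0xCCCCCCCC wraps to 0x99999998 in 32 bits: end lands below start.
        if hi <= lo:
            problems.append(f"{name} region 0x{lo:08X}-0x{hi:08X} wraps around or is empty")
    eip = state["regs"].get("EIP")
    if eip is not None and not any(lo <= eip < hi for lo, hi in state["regions"].values()):
        problems.append(f"EIP=0x{eip:08X} is outside every mapped region (UC_ERR_FETCH_UNMAPPED)")
    return problems


if __name__ == "__main__":
    for p in check_setup(parse_banner(SAMPLE_LOG)):
        print("problem:", p)
```

Running the same check on a banner whose base, size and region are consistent (for example base 0x00400000, size 0x00400000, region 0x00400000-0x00800000 and EIP inside it) returns no problems, which is the state to confirm before calling uc_emu_start().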
