flags out of sync by 0000000144F0F139 | 9C | pushfq | #46

Closed
brandonros opened this issue Oct 11, 2022 · 11 comments

Comments

@brandonros
Contributor

  {
    "i": 2613,
    "iHex": "a35",
    "x64dbgLine": {
      "rawLine": {
        "Index": "00A35",
        "Address": "0000000144FF3224",
        "Bytes": "4C:8B0E",
        "Disassembly": "mov r9,qword ptr ds:[rsi]",
        "Registers": "r9: FFFFFFFFFFFE5E60-> 292",
        "Memory": "000000000014F488: 292-> 292",
        "Comments": ""
      },
      "rip": "144ff3224",
      "registerChanges": [
        {
          "registerName": "r9",
          "previousValue": "fffffffffffe5e60",
          "newValue": "292"
        }
      ],
      "memoryChanges": [
        {
          "address": "14f488",
          "previousValue": "292",
          "newValue": "292"
        }
      ]
    },
    "scemuLine": {
      "rawLine": {
        "diffRegLine": "diff_reg: pos = 2613 rip = 144ff3224 r9 fffffffffffe5e60 -> a92;",
        "memTraceLines": []
      },
      "position": "a35",
      "rip": "144ff3224",
      "registerChanges": [
        {
          "registerName": "r9",
          "previousValue": "fffffffffffe5e60",
          "newValue": "a92"
        }
      ],
      "memoryChanges": []
    },
    "instructionErrors": [
      {
        "index": 0,
        "message": "newValue mismatch",
        "x64dbg": "292",
        "scemu": "a92"
      }
    ]
  },
@brandonros
Contributor Author

2586 0x144f0f13f: pop   qword ptr [rsi] ;0xa92 
	mem_trace: pos = 2586 rip = 144f0f13f op = write bits = 64 address = 0x14f488 value = 0xa92 name = 'stack'
	diff_flags: pos = 5451608383 rip = a19 
	diff_reg: pos = 2585 rip = 144f0f13f rsp 14f288 -> 14f290; 
	rax: 0xba5d rbx: 0xfffffffffffad93f rcx: 0xffffffffffffffe0 rdx: 0x9a2b0774032256af rsi: 0x14f488 rdi: 0x144e4716e rbp: 0x144f5766a rsp: 0x14f290
	r8: 0x50 r9: 0xfffffffffffe5e60 r10: 0x65d4f88bfcdda931 r11: 0xee0e612dbeee19f1 r12: 0x1448a76a4 r13: 0x0 r14: 0x140000000 r15: 0x0
	r8u: 0x0 r9u: 0xffffffff r10u: 0x65d4f88b r11u: 0xee0e612d r12u: 0x1 r13u: 0x0 r14u: 0x1 r15u: 0x0
	r8d: 0x50 r9d: 0xfffe5e60 r10d: 0xfcdda931 r11d: 0xbeee19f1 r12d: 0x448a76a4 r13d: 0x0 r14d: 0x40000000 r15d: 0x0
	r8w: 0x50 r9w: 0x5e60 r10w: 0xa931 r11w: 0x19f1 r12w: 0x76a4 r13w: 0x0 r14w: 0x0 r15w: 0x0
	r8l: 0x50 r9l: 0x60 r10l: 0x31 r11l: 0xf1 r12l: 0xa4 r13l: 0x0 r14l: 0x0 r15l: 0x0
	zf: false pf: false af: true of: true sf: false df: false cf: false tf: false if: true nt: false

@sha0coder
Owner

2583 0x144f0f139: pushfq
=>mr
memory argument=>qword ptr [rsp]
0x14f288: 0xa92

@sha0coder
Owner

yep it's a flags thing

@sha0coder
Owner

it's OF, disabling OF it becomes 292

@brandonros brandonros changed the title flags out of sync? flags out of sync by 0000000144F0F139 | 9C | pushfq | Oct 11, 2022
@brandonros
Contributor Author

image

@brandonros
Contributor Author

brandonros commented Oct 11, 2022

2583 0x144f0f139: pushfq
	mem_trace: pos = 2583 rip = 144f0f139 op = write bits = 64 address = 0x14f290 value = 0xa92 name = 'stack'
	diff_flags: pos = 2582 rip = 144f0f139 in = a92 out = a92 
	diff_reg: pos = 2582 rip = 144f0f139 rsp 14f290 -> 14f288; 
	rax: 0x5d rbx: 0xfffffffffffad93f rcx: 0xffffffffffffffe0 rdx: 0x9a2b0774032256af rsi: 0x14f488 rdi: 0x144e4716e rbp: 0x144f5766a rsp: 0x14f288
	r8: 0x50 r9: 0xfffffffffffe5e60 r10: 0x65d4f88bfcdda931 r11: 0xee0e612dbeee19f1 r12: 0x1448a76a4 r13: 0x0 r14: 0x140000000 r15: 0x0
	r8u: 0x0 r9u: 0xffffffff r10u: 0x65d4f88b r11u: 0xee0e612d r12u: 0x1 r13u: 0x0 r14u: 0x1 r15u: 0x0
	r8d: 0x50 r9d: 0xfffe5e60 r10d: 0xfcdda931 r11d: 0xbeee19f1 r12d: 0x448a76a4 r13d: 0x0 r14d: 0x40000000 r15d: 0x0
	r8w: 0x50 r9w: 0x5e60 r10w: 0xa931 r11w: 0x19f1 r12w: 0x76a4 r13w: 0x0 r14w: 0x0 r15w: 0x0
	r8l: 0x50 r9l: 0x60 r10l: 0x31 r11l: 0xf1 r12l: 0xa4 r13l: 0x0 r14l: 0x0 r15l: 0x0
	zf: false pf: false af: true of: true sf: true df: false cf: false tf: false if: true nt: false

we have of true, need it false. tracing...

@brandonros
Contributor Author

A10 | 0000000144F5767A     | 48:03CA                  | add rcx,rdx                             | rcx: 65D4F88BFCDD |                                                                                          |

should not be setting of to 1

@brandonros
Contributor Author

rcx = 65D4F88BFCDDA931, rdx = 9A2B0774032256AF

@sha0coder
Owner

    rcx: 0x65d4f88bfcdda931 7337762973019908401
    rdx: 0x9a2b0774032256af 11108981100689643183

2577 0x144f5767a: add rcx,rdx

    rcx: 0xffffffffffffffe0 18446744073709551584

@sha0coder
Owner

current logic:

rcx is > 0 and result is < 0 then OF

@sha0coder
Owner

fixed.
2586 0x144f0f13f: pop qword ptr [rsi] ;0x292

I used the integer method overflowing_add() to get carry and overflow.
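A worked example, added here and not scemu's own code, of deriving the flags for `add rcx,rdx` with overflowing_add on both the unsigned (carry) and signed (overflow) views of the operands, beside the old "rcx > 0 and result < 0" rule quoted above. Run on the operands from this issue it shows the old rule setting OF while the correct rule leaves it clear, so the value pushfq writes comes out as 0x292 instead of 0xa92; the function and field names, and the assumption in rflags_value that IF and reserved bit 1 are set as in the trace, are this example's own.

```rust
/// Flags an x86 `add` produces on 64-bit operands (example's own struct).
#[derive(Debug, PartialEq)]
pub struct AddFlags {
    pub result: u64,
    pub cf: bool, // unsigned carry out of bit 63
    pub of: bool, // signed overflow
    pub sf: bool,
    pub zf: bool,
    pub af: bool, // carry out of bit 3
    pub pf: bool, // even parity of the low byte
}

/// The rule quoted in the issue: "rcx > 0 and result < 0 then OF".
/// It ignores the sign of the second operand, so positive + negative
/// landing in the negative range is wrongly reported as overflow.
pub fn of_old_logic(a: u64, result: u64) -> bool {
    (a as i64) > 0 && (result as i64) < 0
}

/// Correct flags: CF from the u64 add, OF from the i64 add.
pub fn add64_flags(a: u64, b: u64) -> AddFlags {
    let (result, cf) = a.overflowing_add(b);
    let (_, of) = (a as i64).overflowing_add(b as i64);
    AddFlags {
        result,
        cf,
        of,
        sf: (result >> 63) & 1 == 1,
        zf: result == 0,
        af: ((a & 0xf) + (b & 0xf)) > 0xf,
        pf: (result & 0xff).count_ones() % 2 == 0,
    }
}

/// RFLAGS value pushfq would store; assumes IF=1 and reserved bit 1 set,
/// which is what the issue's trace shows (0xa92 / 0x292).
pub fn rflags_value(f: &AddFlags) -> u64 {
    let mut v: u64 = 1 << 1 | 1 << 9; // reserved bit, IF
    if f.cf { v |= 1 << 0; }
    if f.pf { v |= 1 << 2; }
    if f.af { v |= 1 << 4; }
    if f.zf { v |= 1 << 6; }
    if f.sf { v |= 1 << 7; }
    if f.of { v |= 1 << 11; }
    v
}

fn main() {
    // Register values from the issue just before `add rcx,rdx` at 0x144f5767a.
    let (rcx, rdx): (u64, u64) = (0x65d4f88bfcdda931, 0x9a2b0774032256af);
    let f = add64_flags(rcx, rdx);
    println!("result={:#x} old OF={} correct OF={} rflags={:#x}",
             f.result, of_old_logic(rcx, f.result), f.of, rflags_value(&f));
}
```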
