flags out of sync by 0000000144F0F139 | 9C | pushfq |
Closed this issue · 11 comments
brandonros commented
{
"i": 2613,
"iHex": "a35",
"x64dbgLine": {
"rawLine": {
"Index": "00A35",
"Address": "0000000144FF3224",
"Bytes": "4C:8B0E",
"Disassembly": "mov r9,qword ptr ds:[rsi]",
"Registers": "r9: FFFFFFFFFFFE5E60-> 292",
"Memory": "000000000014F488: 292-> 292",
"Comments": ""
},
"rip": "144ff3224",
"registerChanges": [
{
"registerName": "r9",
"previousValue": "fffffffffffe5e60",
"newValue": "292"
}
],
"memoryChanges": [
{
"address": "14f488",
"previousValue": "292",
"newValue": "292"
}
]
},
"scemuLine": {
"rawLine": {
"diffRegLine": "diff_reg: pos = 2613 rip = 144ff3224 r9 fffffffffffe5e60 -> a92;",
"memTraceLines": []
},
"position": "a35",
"rip": "144ff3224",
"registerChanges": [
{
"registerName": "r9",
"previousValue": "fffffffffffe5e60",
"newValue": "a92"
}
],
"memoryChanges": []
},
"instructionErrors": [
{
"index": 0,
"message": "newValue mismatch",
"x64dbg": "292",
"scemu": "a92"
}
]
},
brandonros commented
2586 0x144f0f13f: pop qword ptr [rsi] ;0xa92
mem_trace: pos = 2586 rip = 144f0f13f op = write bits = 64 address = 0x14f488 value = 0xa92 name = 'stack'
diff_flags: pos = 5451608383 rip = a19
diff_reg: pos = 2585 rip = 144f0f13f rsp 14f288 -> 14f290;
rax: 0xba5d rbx: 0xfffffffffffad93f rcx: 0xffffffffffffffe0 rdx: 0x9a2b0774032256af rsi: 0x14f488 rdi: 0x144e4716e rbp: 0x144f5766a rsp: 0x14f290
r8: 0x50 r9: 0xfffffffffffe5e60 r10: 0x65d4f88bfcdda931 r11: 0xee0e612dbeee19f1 r12: 0x1448a76a4 r13: 0x0 r14: 0x140000000 r15: 0x0
r8u: 0x0 r9u: 0xffffffff r10u: 0x65d4f88b r11u: 0xee0e612d r12u: 0x1 r13u: 0x0 r14u: 0x1 r15u: 0x0
r8d: 0x50 r9d: 0xfffe5e60 r10d: 0xfcdda931 r11d: 0xbeee19f1 r12d: 0x448a76a4 r13d: 0x0 r14d: 0x40000000 r15d: 0x0
r8w: 0x50 r9w: 0x5e60 r10w: 0xa931 r11w: 0x19f1 r12w: 0x76a4 r13w: 0x0 r14w: 0x0 r15w: 0x0
r8l: 0x50 r9l: 0x60 r10l: 0x31 r11l: 0xf1 r12l: 0xa4 r13l: 0x0 r14l: 0x0 r15l: 0x0
zf: false pf: false af: true of: true sf: false df: false cf: false tf: false if: true nt: false
sha0coder commented
2583 0x144f0f139: pushfq
=>mr
memory argument=>qword ptr [rsp]
0x14f288: 0xa92
sha0coder commented
yep it's a flags thing
sha0coder commented
it's OF, disabling OF becomes 292
brandonros commented
2583 0x144f0f139: pushfq
mem_trace: pos = 2583 rip = 144f0f139 op = write bits = 64 address = 0x14f290 value = 0xa92 name = 'stack'
diff_flags: pos = 2582 rip = 144f0f139 in = a92 out = a92
diff_reg: pos = 2582 rip = 144f0f139 rsp 14f290 -> 14f288;
rax: 0x5d rbx: 0xfffffffffffad93f rcx: 0xffffffffffffffe0 rdx: 0x9a2b0774032256af rsi: 0x14f488 rdi: 0x144e4716e rbp: 0x144f5766a rsp: 0x14f288
r8: 0x50 r9: 0xfffffffffffe5e60 r10: 0x65d4f88bfcdda931 r11: 0xee0e612dbeee19f1 r12: 0x1448a76a4 r13: 0x0 r14: 0x140000000 r15: 0x0
r8u: 0x0 r9u: 0xffffffff r10u: 0x65d4f88b r11u: 0xee0e612d r12u: 0x1 r13u: 0x0 r14u: 0x1 r15u: 0x0
r8d: 0x50 r9d: 0xfffe5e60 r10d: 0xfcdda931 r11d: 0xbeee19f1 r12d: 0x448a76a4 r13d: 0x0 r14d: 0x40000000 r15d: 0x0
r8w: 0x50 r9w: 0x5e60 r10w: 0xa931 r11w: 0x19f1 r12w: 0x76a4 r13w: 0x0 r14w: 0x0 r15w: 0x0
r8l: 0x50 r9l: 0x60 r10l: 0x31 r11l: 0xf1 r12l: 0xa4 r13l: 0x0 r14l: 0x0 r15l: 0x0
zf: false pf: false af: true of: true sf: true df: false cf: false tf: false if: true nt: false
we have of true, need it false. tracing...
brandonros commented
A10 | 0000000144F5767A | 48:03CA | add rcx,rdx | rcx: 65D4F88BFCDD | |
should not be setting of to 1
brandonros commented
rcx = 65D4F88BFCDDA931, rdx = 9A2B0774032256AF
sha0coder commented
rcx: 0x65d4f88bfcdda931 7337762973019908401
rdx: 0x9a2b0774032256af 11108981100689643183
2577 0x144f5767a: add rcx,rdx
rcx: 0xffffffffffffffe0 18446744073709551584
sha0coder commented
current logic:
rcx is > 0 and result is < 0 then OF
sha0coder commented
fixed.
2586 0x144f0f13f: pop qword ptr [rsi] ;0x292
I used the integer method overflowing_add() to get carry and overflow.
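Added example, not scemu's own code: it contrasts the OF rule quoted above ("rcx > 0 and result < 0") with proper signed-overflow detection via overflowing_add(), using the rcx/rdx values from the trace, and shows how the spurious OF bit turns the x64dbg flags 0x292 into scemu's 0xa92. Function names and the flag-update helper are assumptions; only CF and OF are modelled.

```rust
// Added example (not scemu's code). Inputs are the trace values:
// rcx = 0x65d4f88bfcdda931, rdx = 0x9a2b0774032256af.
const FLAG_CF: u64 = 1 << 0;   // carry flag, RFLAGS bit 0
const FLAG_OF: u64 = 1 << 11;  // overflow flag, RFLAGS bit 11 (0x800)

/// Buggy rule from the thread: "rcx > 0 and result < 0 then OF".
/// It ignores the sign of the second operand, so positive + negative
/// landing in the negative range is wrongly reported as overflow.
pub fn of_buggy(a: u64, b: u64) -> bool {
    let result = a.wrapping_add(b);
    (a as i64) > 0 && (result as i64) < 0
}

/// Correct rule: signed overflow only when both operands share a sign and
/// the result's sign differs. i64::overflowing_add reports exactly that;
/// u64::overflowing_add reports the carry out of bit 63 (CF).
pub fn add_flags(a: u64, b: u64) -> (u64, bool, bool) {
    let (result, cf) = a.overflowing_add(b);
    let (_, of) = (a as i64).overflowing_add(b as i64);
    (result, cf, of)
}

/// Write CF and OF into an RFLAGS value (other ADD-affected flags omitted).
pub fn apply_flags(rflags: u64, cf: bool, of: bool) -> u64 {
    let mut f = rflags & !(FLAG_CF | FLAG_OF);
    if cf { f |= FLAG_CF; }
    if of { f |= FLAG_OF; }
    f
}

fn main() {
    let (rcx, rdx) = (0x65d4f88bfcdda931u64, 0x9a2b0774032256afu64);
    let (result, cf, of) = add_flags(rcx, rdx);
    // result = 0xffffffffffffffe0, cf = false, of = false (matches x64dbg)
    println!("result = {:#x} cf = {} of = {}", result, cf, of);
    // 0x292 is the base flags x64dbg pushed; the buggy rule adds bit 11.
    println!("pushfq buggy = {:#x} fixed = {:#x}",
             apply_flags(0x292, cf, of_buggy(rcx, rdx)),
             apply_flags(0x292, cf, of));
}
```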