slice exception for small sample

Question

slice exception for small sample

drstrng opened this issue 6 years ago · comments

Using the small 7-byte sample with hex dump
00000000: eb 01 0f 31 c0 40 c3 ...1.@.

Running the command line analysis
xori -f [file]

results in following exception:

error: folder does not exist, using current_dir
error: config file does not exist, using default configurations.
IMAGE START: 1000
CODE START: 1000
ENTRYPOINT: 1000
ARCH: ArchX86
MODE: Mode32
thread 'main' panicked at 'index 11 out of range for slice of length 7', libcore/slice/mod.rs:1965:5
stack backtrace:
0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
at libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
1: std::sys_common::backtrace::print
at libstd/sys_common/backtrace.rs:71
at libstd/sys_common/backtrace.rs:59
2: std::panicking::default_hook::{{closure}}
at libstd/panicking.rs:211
3: std::panicking::default_hook
at libstd/panicking.rs:227
4: std::panicking::rust_panic_with_hook
at libstd/panicking.rs:511
5: std::panicking::continue_panic_fmt
at libstd/panicking.rs:426
6: rust_begin_unwind
at libstd/panicking.rs:337
7: core::panicking::panic_fmt
at libcore/panicking.rs:92
8: core::slice::slice_index_len_fail
at libcore/slice/mod.rs:1965
9: xori::analysis::data_analyzer::check_if_padding
at /checkout/src/libcore/slice/mod.rs:2130
at /checkout/src/libcore/slice/mod.rs:1947
at src/analysis/data_analyzer.rs:33
10: xori::arch::x86::analyzex86::analyze_instructionx86
at src/arch/x86/analyzex86.rs:1247
11: xori::arch::x86::analyzex86::recurse_disasmx86
at src/arch/x86/analyzex86.rs:1387
12: xori::analysis::analyze::disassemble_init
at src/analysis/analyze.rs:421
13: xori::analysis::analyze::analyze
at src/analysis/analyze.rs:523
14: xori::main
at src/main.rs:131
15: std::rt::lang_start::{{closure}}
at /checkout/src/libstd/rt.rs:74
16: std::panicking::try::do_call
at libstd/rt.rs:59
at libstd/panicking.rs:310
17: __rust_maybe_catch_panic
at libpanic_unwind/lib.rs:105
18: std::rt::lang_start_internal
at libstd/panicking.rs:289
at libstd/panic.rs:392
at libstd/rt.rs:58
19: main
20: __libc_start_main
21: _start

Note: ubuntu 16.04
rustc 1.28.0
cargo 1.28.0

Rich Seymour · Answer 1 · Tue Aug 28 2018 02:43:09 GMT+0800 (China Standard Time)

I'm not the reversing pro, but is that a 16bit code snippet? We should make Xori fail a bit more gracefully, but it doesn't currently handle 16bit, only 32 and 64.

iximeow · Answer 2 · Tue Aug 28 2018 09:27:54 GMT+0800 (China Standard Time)

xori is decoding as 32bit, though this is valid 16 or 64 bit x86 as well. roughly: jmp $+1; 0x0f; xor eax, eax; inc eax; ret. 16bit would be ax in all places, whereas in 64bit inc eax ends up a no-op prefix on ret.

this is caused by reading address_size bytes in data_analyzer where the start is less than address_size from the end. end ends up out of bounds well.. that's that.

it looks like this will happen for any code with a c3 that's found to be code within 4 (or 8, in 64bit) bytes from the end - just c3 in a file causes it too!

malwareunicorn · Answer 3 · Tue Aug 28 2018 11:51:39 GMT+0800 (China Standard Time)

Ahh you need to specify the arch on the command line. By default it will choose 32bit for binary files.
xori --mode Mode16 -f

malwareunicorn · Answer 4 · Sat Oct 06 2018 04:57:28 GMT+0800 (China Standard Time)

fix is merged