Skip to content
GitLab
Closed
Issue created by Administrator@rootContributor

APP CRASH (antiRE_auto_failonly.exe) DynamoRIO debug check failure: core\translate.c:817

Created by: Simorfo

With version 6.2.0-2 of DynamoRio The latest build does not solve the problem

On Windows 7, with a 32 bit application, antiRE_auto_failonly.exe from Daniel Plohmann and Christopher Kannen : it is another tool to test reverse engineering tools such as dynamorio file

I run it with (no client) C:\rio\bin32\drrun.exe -- antiRE_auto_failonly.exe

With flags -debug -msgbox_mask 0xf, I got the information message "non-syscall, non-int2b 0x2d @ 0x004027b5 from 0x00402798"

The expected output is some lines ending with "All tests finished. Successful Tests : X. Failed Tests : Y" Instead we get an application crash.

Interruption 2d seems to be mishandled. Looking at http://reverseengineering.stackexchange.com/questions/1541/int-2d-anti-forensic-method, I found that there is a off-by-one as seen in the log file

ASYNCH intercepted exception in thread 1504 at pc 0x18c015b4
	cxt pc is different: 0x18c015b3

The following patch fixes this problem (but it is rather ugly)

diff --git a/dynamorio/core/win32/callback.c b/dynamorio/core/win32/callback.c
index 01e5191..6608ae5 100644
--- a/dynamorio/core/win32/callback.c
+++ b/dynamorio/core/win32/callback.c
@@ -5571,6 +5571,15 @@ intercept_exception(app_state_at_intercept_t *state)
              */
             mutex_lock(&thread_initexit_lock);
             if (cxt->CXT_XIP != (ptr_uint_t)pExcptRec->ExceptionAddress) {
+                app_pc translated_pc;
+                if (cxt->CXT_XIP+1 == (ptr_uint_t)pExcptRec->ExceptionAddress) {
+                    translated_pc =
+                    recreate_app_pc(dcontext, (cache_pc) cxt->CXT_XIP, f) + 1;
+                }
+                else {
+                    translated_pc =
+                    recreate_app_pc(dcontext, pExcptRec->ExceptionAddress, f);
+                }
                 /* sometimes this happens, certainly cxt can be changed by exception
                  * handlers, but not clear why kernel changes it before getting here.
                  * I saw it pointing to next instr while ExceptionAddress was faulting
@@ -5578,8 +5587,6 @@ intercept_exception(app_state_at_intercept_t *state)
                  * exceptionaddress first since cxt is the one we want for real, we
                  * just want pc for exceptionaddress.
                  */
-                app_pc translated_pc =
-                    recreate_app_pc(dcontext, pExcptRec->ExceptionAddress, f);
                 ASSERT(translated_pc != NULL);
                 LOG(THREAD, LOG_ASYNCH, 2, "Translated ExceptionAddress "
                     PFX" to "PFX"\n",