APP CRASH (antiRE_auto_failonly.exe) DynamoRIO debug check failure: core\translate.c:817
Created by: Simorfo
With version 6.2.0-2 of DynamoRio The latest build does not solve the problem
On Windows 7, with a 32 bit application, antiRE_auto_failonly.exe from Daniel Plohmann and Christopher Kannen : it is another tool to test reverse engineering tools such as dynamorio file
I run it with (no client) C:\rio\bin32\drrun.exe -- antiRE_auto_failonly.exe
With flags -debug -msgbox_mask 0xf, I got the information message "non-syscall, non-int2b 0x2d @ 0x004027b5 from 0x00402798"
The expected output is some lines ending with "All tests finished. Successful Tests : X. Failed Tests : Y" Instead we get an application crash.
Interruption 2d seems to be mishandled. Looking at http://reverseengineering.stackexchange.com/questions/1541/int-2d-anti-forensic-method, I found that there is a off-by-one as seen in the log file
ASYNCH intercepted exception in thread 1504 at pc 0x18c015b4
cxt pc is different: 0x18c015b3
The following patch fixes this problem (but it is rather ugly)
diff --git a/dynamorio/core/win32/callback.c b/dynamorio/core/win32/callback.c
index 01e5191..6608ae5 100644
--- a/dynamorio/core/win32/callback.c
+++ b/dynamorio/core/win32/callback.c
@@ -5571,6 +5571,15 @@ intercept_exception(app_state_at_intercept_t *state)
*/
mutex_lock(&thread_initexit_lock);
if (cxt->CXT_XIP != (ptr_uint_t)pExcptRec->ExceptionAddress) {
+ app_pc translated_pc;
+ if (cxt->CXT_XIP+1 == (ptr_uint_t)pExcptRec->ExceptionAddress) {
+ translated_pc =
+ recreate_app_pc(dcontext, (cache_pc) cxt->CXT_XIP, f) + 1;
+ }
+ else {
+ translated_pc =
+ recreate_app_pc(dcontext, pExcptRec->ExceptionAddress, f);
+ }
/* sometimes this happens, certainly cxt can be changed by exception
* handlers, but not clear why kernel changes it before getting here.
* I saw it pointing to next instr while ExceptionAddress was faulting
@@ -5578,8 +5587,6 @@ intercept_exception(app_state_at_intercept_t *state)
* exceptionaddress first since cxt is the one we want for real, we
* just want pc for exceptionaddress.
*/
- app_pc translated_pc =
- recreate_app_pc(dcontext, pExcptRec->ExceptionAddress, f);
ASSERT(translated_pc != NULL);
LOG(THREAD, LOG_ASYNCH, 2, "Translated ExceptionAddress "
PFX" to "PFX"\n",