Topic created on: December 10, 2012 02:26 CST by codeinject .
Hello All,
I am currently developing a code emulator, more for fun than for anything else, using libemu as the core for this emulator.
The only thing that I really want to achieve is to load an entire PE into memory and let it rip.
So, my TODO list had the following:
- Read the headers
- Check if the PE is Valid (x86 Platform)
- Extract the required data to setup the memory segments
- Hook all the imported functions to my custom API.
- Build the stack segment (set esp and ebp)
- Set the Eflags
- Set the EIP to work correctly
Currently my app does the following.
0005371D >/$ 8BFF mov edi, edi |<< Works
0005371F |. 55 push ebp |<< Works
00053720 |. 8BEC mov ebp, esp |<< Works
00053722 |. 83EC 10 sub esp, 10 |<< It dies.
Conclusion: I have not built the stack segment correctly.
My question is, how does Windows load an exe and build its stack in the right manner? I am looking for a technical implementation or document.
Now I've hard-coded the registers:
entry_point = pe->nt_header->AddressOfEntryPoint;
emu_cpu_eip_set(cpu, entry_point);
emu_cpu_reg32_set(cpu, eax, 0x00);
emu_cpu_reg32_set(cpu, ecx, 0x00);
emu_cpu_reg32_set(cpu, edx, entry_point);
emu_cpu_reg32_set(cpu, ebx, 0x00);
emu_cpu_reg32_set(cpu, esp, 0x0ff8c);
emu_cpu_reg32_set(cpu, ebp, 0x00); /* Wrong, as I don't know where to get this. (PyEmu told me (0x0095f000 - 0x1000 / 2) but that seems random.) */
emu_cpu_reg32_set(cpu, esi, 0x00);
emu_cpu_reg32_set(cpu, edi, 0x00);
emu_cpu_eflags_set(cpu, 0x0000246);
Long story short: how do I get the correct values from the PE header?
Thanks in advance
A day has passed.
I am still having these issues, and I've tested a number of binz.
I've noticed that every app dies at the same code.
83 65 f8 00
83 65 fc 00
53 57 bf 4e
e6 40 bb bb
00 00 ff ff
3b c7 74 0d
85 c3 74 09
f7 d0 a3 04
/* e, cpu and mem are the libemu instance, CPU and memory set up earlier */
uint8_t byte;
int itr;
emu_cpu_run(cpu);
printf("Last Error: %s\n", emu_strerror(e));
printf("Crash EIP: 0x%08x\n", emu_cpu_eip_get(cpu));
printf("Bytes:\n");
/* dump the 32 bytes at the faulting EIP, four per line */
for (itr = 0; 32 > itr; ++itr) {
    emu_memory_read_byte(mem, emu_cpu_eip_get(cpu) + itr, &byte);
    printf("%02x ", byte);
    if (((itr + 1) % 4) == 0) {
        printf("\n");
    }
}
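The stack-related values the post asks about live in IMAGE_OPTIONAL_HEADER32 (AddressOfEntryPoint, ImageBase, SizeOfStackReserve, SizeOfStackCommit); the top of the stack itself is not in the PE, the loader picks it. The following is an added example, not the poster's libemu code: it validates the DOS/NT headers of a 32-bit x86 image, reads those fields by their fixed offsets, and derives a stack region (reserved range, committed range, initial ESP) that an emulator would have to back with memory before the first `push`. The PE header it parses is constructed inline for the demonstration, the stack top passed to `pe_stack_layout` is the caller's choice, and the 1 MiB / 4 KiB fallback for zero header fields is the example's own choice (the common linker defaults). No libemu calls are made.

```c
/* Added example (not the poster's libemu code): read from a PE32 image the
 * optional-header fields that fix the initial stack, and derive a stack
 * region for an emulator to back before setting ESP. The sample header
 * below is constructed here for the demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_FILE_MACHINE_I386        0x014c
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC  0x10b
#define OPT_HDR32_SIZE                 224
#define SAMPLE_PE_LEN                  (0x40 + 4 + 20 + OPT_HDR32_SIZE)

typedef struct {
    uint32_t entry_rva;      /* AddressOfEntryPoint */
    uint32_t image_base;     /* ImageBase */
    uint32_t stack_reserve;  /* SizeOfStackReserve */
    uint32_t stack_commit;   /* SizeOfStackCommit */
} pe_stack_info;

typedef struct {
    uint32_t stack_low;    /* bottom of the reserved region */
    uint32_t stack_high;   /* one past the top of the region */
    uint32_t commit_low;   /* bottom of the pages committed before first use */
    uint32_t esp;          /* initial ESP, 16-byte aligned, slack left above it */
} stack_layout;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v & 0xffff)); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Validate the DOS/NT headers and pull the stack-related fields. Offsets are
 * those of IMAGE_FILE_HEADER / IMAGE_OPTIONAL_HEADER32. Returns 0 on success, -1 otherwise. */
int pe_read_stack_info(const uint8_t *buf, size_t len, pe_stack_info *out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(buf + 0x3c);
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + OPT_HDR32_SIZE) return -1;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    const uint8_t *fh = nt + 4;                                 /* IMAGE_FILE_HEADER */
    if (rd16(fh + 0) != IMAGE_FILE_MACHINE_I386) return -1;     /* Machine */
    if (rd16(fh + 16) < OPT_HDR32_SIZE) return -1;              /* SizeOfOptionalHeader */
    const uint8_t *oh = fh + 20;                                /* IMAGE_OPTIONAL_HEADER32 */
    if (rd16(oh + 0) != IMAGE_NT_OPTIONAL_HDR32_MAGIC) return -1;
    out->entry_rva     = rd32(oh + 16);
    out->image_base    = rd32(oh + 28);
    out->stack_reserve = rd32(oh + 72);
    out->stack_commit  = rd32(oh + 76);
    return 0;
}

/* Derive a stack region ending at stack_high (caller's choice, page aligned; the PE does
 * not dictate it). Zero header fields fall back to 1 MiB reserve / 4 KiB commit, the usual
 * linker defaults. The whole [commit_low, stack_high) range must exist in emulator memory
 * before the entry point's first push. Returns 0 on success, -1 otherwise. */
int pe_stack_layout(const pe_stack_info *pe, uint32_t stack_high, stack_layout *out)
{
    uint32_t reserve = pe->stack_reserve ? pe->stack_reserve : 0x100000;
    uint32_t commit  = pe->stack_commit  ? pe->stack_commit  : 0x1000;
    reserve = (reserve + 0xfff) & ~0xfffu;            /* round up to whole pages */
    commit  = (commit  + 0xfff) & ~0xfffu;
    if (commit > reserve) commit = reserve;
    if ((stack_high & 0xfff) != 0 || stack_high < reserve) return -1;
    out->stack_high = stack_high;
    out->stack_low  = stack_high - reserve;
    out->commit_low = stack_high - commit;
    out->esp        = stack_high - 0x40;              /* room above ESP; stays 16-byte aligned */
    return 0;
}

/* Build a minimal, constructed PE32 header for the demo (no sections, no code). */
void build_sample_pe(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_PE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x40);                           /* e_lfanew */
    uint8_t *nt = buf + 0x40;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4 + 0, IMAGE_FILE_MACHINE_I386);
    wr16(nt + 4 + 16, OPT_HDR32_SIZE);
    uint8_t *oh = nt + 4 + 20;
    wr16(oh + 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC);
    wr32(oh + 16, 0x1000);                            /* AddressOfEntryPoint */
    wr32(oh + 28, 0x00400000);                        /* ImageBase */
    wr32(oh + 72, 0x00100000);                        /* SizeOfStackReserve */
    wr32(oh + 76, 0x00001000);                        /* SizeOfStackCommit */
}

int main(void)
{
    uint8_t buf[SAMPLE_PE_LEN];
    pe_stack_info pe;
    stack_layout st;
    build_sample_pe(buf);
    if (pe_read_stack_info(buf, sizeof buf, &pe) != 0 || pe_stack_layout(&pe, 0x00200000, &st) != 0)
        return 1;
    printf("entry VA 0x%08x\n", pe.image_base + pe.entry_rva);
    printf("stack [0x%08x, 0x%08x) committed from 0x%08x, initial ESP 0x%08x\n",
           st.stack_low, st.stack_high, st.commit_low, st.esp);
    return 0;
}
```

The entry VA is ImageBase + AddressOfEntryPoint, which is what EIP should get once the image is mapped at ImageBase (the snippet in the post sets EIP to the raw RVA). EBP needs no value from the header: the prologue shown (`push ebp; mov ebp, esp`) builds the frame from ESP, so the only thing that matters at entry is that ESP points into memory the emulator has actually backed.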