M68k (Coldfire 4e) addressing mode with instruction size > 2 not executed properly.

[dannyp303]

Hello, I'm having an issue with M68k instructions that use addressing modes referencing the following 2 bytes of an instruction with size > 2 bytes. I have debugged into TCG a but to try to hunt down the issue but did not have any luck. I traced the instruction decoding back to the gen_lea portion and the logic seemed fine, from that point I'm a bit stuck.

Here is the script I'm using to test:

import sys
import json 
from capstone import Cs, CS_ARCH_M68K, CS_MODE_BIG_ENDIAN

cs = Cs(CS_ARCH_M68K, CS_MODE_BIG_ENDIAN)

mu = Uc(UC_ARCH_M68K, UC_MODE_BIG_ENDIAN)

def hook_code(uc, address, size, user_data):
    mem = mu.mem_read(address, size)
    print(">>> Tracing instruction at 0x%x, instruction size = 0x%x" %(address, size))
    for (cs_address, cs_size, cs_mnemonic, cs_opstr) in cs.disasm_lite(bytes(mem), size):
        print("    Instr: {:#016x}:\t{}\t{}".format(address, cs_mnemonic, cs_opstr))

with open(sys.argv[1], "rb") as fh:
    data = fh.read()

mu.mem_map(0x0, len(data))
mu.mem_write(0x0, data)
with open(sys.argv[2], "r") as fh:
    regs = json.load(fh)
regs = regs["registers"]

for i, v in enumerate(regs.values()):
    mu.reg_write(i+1, int(v))
mu.hook_add(UC_HOOK_CODE, hook_code)
mu.emu_start(0x15a7d8, 0x15a82a)

and here is the output:

>>> Tracing instruction at 0x15a7d8, instruction size = 0x2
    Instr: 0x0000000015a7d8:    link.w  a6, #$aaaa
>>> Tracing instruction at 0x15a7dc, instruction size = 0x2
    Instr: 0x0000000015a7dc:    lea.l   -$5556(a7), a7
>>> Tracing instruction at 0x15a7e0, instruction size = 0x2
    Instr: 0x0000000015a7e0:    movem.l d1/d3/d5/d7/a1/a3/a5/a7, -$5556(a7)
>>> Tracing instruction at 0x15a7e6, instruction size = 0x2
    Instr: 0x0000000015a7e6:    movea.l -$5556(a6), a5
>>> Tracing instruction at 0x15a7ea, instruction size = 0x2
    Instr: 0x0000000015a7ea:    moveq   #$0, d5
>>> Tracing instruction at 0x15a7ec, instruction size = 0x2
    Instr: 0x0000000015a7ec:    moveq   #$e, d7
>>> Tracing instruction at 0x15a7ee, instruction size = 0x2
    Instr: 0x0000000015a7ee:    moveq   #$40, d6
>>> Tracing instruction at 0x15a7f0, instruction size = 0x2
    Instr: 0x0000000015a7f0:    move.l  -$56(a5, a2.l), d0
>>> Tracing instruction at 0x15a7f4, instruction size = 0x2
    Instr: 0x0000000015a7f4:    tst.l   d0
>>> Tracing instruction at 0x15a7f6, instruction size = 0x2
    Instr: 0x0000000015a7f6:    beq.b   $e
>>> Tracing instruction at 0x15a802, instruction size = 0x2
    Instr: 0x0000000015a802:    move.l  a5, (a7)
>>> Tracing instruction at 0x15a804, instruction size = 0x2
    Instr: 0x0000000015a804:    jsr     $aaaaaaaa.l
>>> Tracing instruction at 0x16240c, instruction size = 0x2
    Instr: 0x0000000016240c:    link.w  a6, #$aaaa
>>> Tracing instruction at 0x162410, instruction size = 0x2
    Instr: 0x00000000162410:    lea.l   -$5556(a7), a7
>>> Tracing instruction at 0x162414, instruction size = 0x2
    Instr: 0x00000000162414:    movem.l d1/d3/d5/d7/a1/a3/a5/a7, -$5556(a7)
>>> Tracing instruction at 0x16241a, instruction size = 0x2
    Instr: 0x0000000016241a:    movea.l -$5556(a6), a4
>>> Tracing instruction at 0x16241e, instruction size = 0x2
    Instr: 0x0000000016241e:    moveq   #$0, d7
>>> Tracing instruction at 0x162420, instruction size = 0x2
    Instr: 0x00000000162420:    moveq   #$0, d6
>>> Tracing instruction at 0x162422, instruction size = 0x2
    Instr: 0x00000000162422:    movea.l -$5556(a4), a5
>>> Tracing instruction at 0x162426, instruction size = 0x2
    Instr: 0x00000000162426:    move.l  -$5556(a5), d0
>>> Tracing instruction at 0x16242a, instruction size = 0x2
    Instr: 0x0000000016242a:    cmpi.l  #$aaaaaaaa, d0
>>> Tracing instruction at 0x162430, instruction size = 0x2
    Instr: 0x00000000162430:    bgt.w   $ffffaaae
>>> Tracing instruction at 0x162434, instruction size = 0x2
    Instr: 0x00000000162434:    tst.l   d0
>>> Tracing instruction at 0x162436, instruction size = 0x2
    Instr: 0x00000000162436:    blt.w   $ffffaaae
>>> Tracing instruction at 0x16243a, instruction size = 0x2
    Instr: 0x0000000016243a:    move.w  $ffffffae(pc, a2.l), d0
>>> Tracing instruction at 0x16243e, instruction size = 0x2
    Instr: 0x0000000016243e:    ext.l   d0
>>> Tracing instruction at 0x162440, instruction size = 0x2
    Instr: 0x00000000162440:    jmp     $ffffffae(pc, a2.l)
>>> Tracing instruction at 0x8, instruction size = 0x2
    Instr: 0x00000000000008:    ori.b   #$aa, d4
Traceback (most recent call last):
  File "unicorn-script.py", line 28, in <module>
    mu.emu_start(0x15a7d8, 0x15a82a)
  File "/home/dan/.local/lib/python3.6/site-packages/unicorn/unicorn.py", line 341, in emu_start

And a ghidra snapshot of the code:

Any help or insight into how to fix this problem is highly appreciated! Thank you.

[wtdcode]

Link to #1217. I would have a look time if I get some free time.

________________________________ From: Dan Pesce ***@***.***> Sent: Wednesday, September 29, 2021 6:34:09 PM To: unicorn-engine/unicorn ***@***.***> Cc: Subscribed ***@***.***> Subject: [unicorn-engine/unicorn] M68k (Coldfire 4e) addressing mode with instruction size > 2 not executed properly. (#1445) Hello, I'm having an issue with M68k instructions that use addressing modes referencing the following 2 bytes of an instruction with size > 2 bytes. I have debugged into TCG a but to try to hunt down the issue but did not have any luck. I traced the instruction decoding back to the gen_lea portion and the logic seemed fine, from that point I'm a bit stuck. Here is the script I'm using to test: import sys import json from capstone import Cs, CS_ARCH_M68K, CS_MODE_BIG_ENDIAN cs = Cs(CS_ARCH_M68K, CS_MODE_BIG_ENDIAN) mu = Uc(UC_ARCH_M68K, UC_MODE_BIG_ENDIAN) def hook_code(uc, address, size, user_data): mem = mu.mem_read(address, size) print(">>> Tracing instruction at 0x%x, instruction size = 0x%x" %(address, size)) for (cs_address, cs_size, cs_mnemonic, cs_opstr) in cs.disasm_lite(bytes(mem), size): print(" Instr: {:#016x}:\t{}\t{}".format(address, cs_mnemonic, cs_opstr)) with open(sys.argv[1], "rb") as fh: data = fh.read() mu.mem_map(0x0, len(data)) mu.mem_write(0x0, data) with open(sys.argv[2], "r") as fh: regs = json.load(fh) regs = regs["registers"] for i, v in enumerate(regs.values()): mu.reg_write(i+1, int(v)) mu.hook_add(UC_HOOK_CODE, hook_code) mu.emu_start(0x15a7d8, 0x15a82a) and here is the output:

>> Tracing instruction at 0x15a7d8, instruction size = 0x2

Instr: 0x0000000015a7d8: link.w a6, #$aaaa

>> Tracing instruction at 0x15a7dc, instruction size = 0x2

Instr: 0x0000000015a7dc: lea.l -$5556(a7), a7

>> Tracing instruction at 0x15a7e0, instruction size = 0x2

Instr: 0x0000000015a7e0: movem.l d1/d3/d5/d7/a1/a3/a5/a7, -$5556(a7)

>> Tracing instruction at 0x15a7e6, instruction size = 0x2

Instr: 0x0000000015a7e6: movea.l -$5556(a6), a5

>> Tracing instruction at 0x15a7ea, instruction size = 0x2

Instr: 0x0000000015a7ea: moveq #$0, d5

>> Tracing instruction at 0x15a7ec, instruction size = 0x2

Instr: 0x0000000015a7ec: moveq #$e, d7

>> Tracing instruction at 0x15a7ee, instruction size = 0x2

Instr: 0x0000000015a7ee: moveq #$40, d6

>> Tracing instruction at 0x15a7f0, instruction size = 0x2

Instr: 0x0000000015a7f0: move.l -$56(a5, a2.l), d0

>> Tracing instruction at 0x15a7f4, instruction size = 0x2

Instr: 0x0000000015a7f4: tst.l d0

>> Tracing instruction at 0x15a7f6, instruction size = 0x2

Instr: 0x0000000015a7f6: beq.b $e

>> Tracing instruction at 0x15a802, instruction size = 0x2

Instr: 0x0000000015a802: move.l a5, (a7)

>> Tracing instruction at 0x15a804, instruction size = 0x2

Instr: 0x0000000015a804: jsr $aaaaaaaa.l

>> Tracing instruction at 0x16240c, instruction size = 0x2

Instr: 0x0000000016240c: link.w a6, #$aaaa

>> Tracing instruction at 0x162410, instruction size = 0x2

Instr: 0x00000000162410: lea.l -$5556(a7), a7

>> Tracing instruction at 0x162414, instruction size = 0x2

Instr: 0x00000000162414: movem.l d1/d3/d5/d7/a1/a3/a5/a7, -$5556(a7)

>> Tracing instruction at 0x16241a, instruction size = 0x2

Instr: 0x0000000016241a: movea.l -$5556(a6), a4

>> Tracing instruction at 0x16241e, instruction size = 0x2

Instr: 0x0000000016241e: moveq #$0, d7

>> Tracing instruction at 0x162420, instruction size = 0x2

Instr: 0x00000000162420: moveq #$0, d6

>> Tracing instruction at 0x162422, instruction size = 0x2

Instr: 0x00000000162422: movea.l -$5556(a4), a5

>> Tracing instruction at 0x162426, instruction size = 0x2

Instr: 0x00000000162426: move.l -$5556(a5), d0

>> Tracing instruction at 0x16242a, instruction size = 0x2

Instr: 0x0000000016242a: cmpi.l #$aaaaaaaa, d0

>> Tracing instruction at 0x162430, instruction size = 0x2

Instr: 0x00000000162430: bgt.w $ffffaaae

>> Tracing instruction at 0x162434, instruction size = 0x2

Instr: 0x00000000162434: tst.l d0

>> Tracing instruction at 0x162436, instruction size = 0x2

Instr: 0x00000000162436: blt.w $ffffaaae

>> Tracing instruction at 0x16243a, instruction size = 0x2

Instr: 0x0000000016243a: move.w $ffffffae(pc, a2.l), d0

>> Tracing instruction at 0x16243e, instruction size = 0x2

Instr: 0x0000000016243e: ext.l d0

>> Tracing instruction at 0x162440, instruction size = 0x2

Instr: 0x00000000162440: jmp $ffffffae(pc, a2.l)

>> Tracing instruction at 0x8, instruction size = 0x2

Instr: 0x00000000000008: ori.b #$aa, d4 Traceback (most recent call last): File "unicorn-script.py", line 28, in <module> mu.emu_start(0x15a7d8, 0x15a82a) File "/home/dan/.local/lib/python3.6/site-packages/unicorn/unicorn.py", line 341, in emu_start And a ghidra snapshot of the code: [Screen Shot 2021-09-29 at 12 30 46 PM]<https://user-images.githubusercontent.com/14964383/135310939-d45134c8-c7ac-4c56-b939-cbad464900b2.png> Any help or insight into how to fix this problem is highly appreciated! Thank you. ― You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub<#1445>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AHJULOY3ZCRMIOWJAMMV6JLUEM5YDANCNFSM5FAJWPEA>.

[wtdcode]

Hello, you leave out the data in your sample code and I couldn't reproduce it locally.

[wtdcode]

Closed due to inactivity.