mirror of
https://github.com/NaC-L/Mergen.git
synced 2026-05-12 09:40:34 +00:00
9fce8132d8
Two additions, both motivated by the example2-virt.bin diagnosis session:

- --dump-visited <path>: writes every unique instruction PC the emulator executes, in first-visit order. Diff against the lifter's 'reached addresses' trace (MERGEN_DIAG_LIFT_PROGRESS=1) to localise where the lifter's static exploration diverges from the dynamic path.
- UC_HOOK_MEM_WRITE for stack-addressed 8-byte writes whose payload is a sentinel. Records every such write, not just the first, because Themida uses push-pop swap gadgets that stage a sentinel on the stack transiently before the 'real' push lands it at the ret-target slot. The last-5-pushes summary exposes this.

Findings for example2-virt.bin @ 0x140001000:

- lifter covers emu_pos=0..1298 out of 4210 unique PCs (~30%)
- external call site is at emu_pos=4209; gap of 2911 unvisited PCs
- lifter visits 5 addresses the runtime never takes (wrong concolic branch)
- the 'final push to ret slot' is not a 'push [iat]' but rather 'sub qword ptr [r14], <const>' — the VM decrypts a pre-staged stack slot in place to reconstruct the IAT pointer. Pattern-match recognition alone cannot handle this; concrete VM-dispatch unrolling is required.