mirror of
https://github.com/NaC-L/Mergen.git
synced 2026-05-12 09:40:34 +00:00
aff35bc01c
Before: each IAT slot pointed at an unmapped sentinel address, so the FIRST import call raised UC_ERR_FETCH_UNMAPPED and the emulator stopped. We only ever observed one import per run.

After: sentinel addresses live in a mapped page filled with 0xC3 (near ret) instructions. Each import call fetches the ret byte, immediately returns to the VM's pre-staged continuation, and emulation keeps going. All subsequent imports now surface as [HIT] events.

On example2-virt.bin @ 0x140001000 this finds every required import:

    insn    ret-site      import         target
    ----    --------      ------         ------
    34223   0x14017fa77   GetStdHandle   stdin
    44847   0x14017fa77   GetStdHandle   stdout
    60695   0x14017ef9f   WriteConsoleA  prompt
    74394   0x140192798   ReadConsoleA
    85326   0x140157ef9   CharUpperA
    97859   0x14013bf11   WriteConsoleA  echo
    110166  0x14017fa77   WriteConsoleA  final

This gives the full map of import ret-site addresses for the virt sample - useful for future work that needs to reach those sites (whether by deeper lifter exploration or by seeding additional entries). The lifter currently reaches 0x14017fa77 only.

Co-authored-by: Claude <claude@anthropic.com>
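The sentinel-page mechanism the commit describes, as an added example that is not Mergen's code: it builds the page of 0xC3 bytes, gives each import its own sentinel address to store in the IAT, and does the bookkeeping a Unicorn UC_HOOK_CODE callback would do when the PC lands on a sentinel (identify the import, read the ret-site from [rsp], record a hit). The emulator is replaced by a constructed stack image and a `read_mem` callback so it runs without Unicorn; the page base, import names and addresses in `demo()` are made up.

```python
import struct

RET = 0xC3          # x86 near ret
PAGE_SIZE = 0x1000


class SentinelPage:
    """A mapped page of `ret` bytes with one distinct address per import."""

    def __init__(self, base, import_names):
        if len(import_names) > PAGE_SIZE:
            raise ValueError("more imports than bytes in one page")
        self.base = base
        self.page = bytes([RET]) * PAGE_SIZE          # map this at `base`, executable
        self.addr_of = {n: base + i for i, n in enumerate(import_names)}
        self.name_at = {a: n for n, a in self.addr_of.items()}
        self.hits = []                                 # (insn_count, ret_site, import)

    def contains(self, pc):
        return self.base <= pc < self.base + PAGE_SIZE

    def iat_slot_bytes(self):
        """Little-endian u64 to write into each IAT slot instead of an unmapped address."""
        return {n: struct.pack("<Q", a) for n, a in self.addr_of.items()}

    def on_code(self, pc, rsp, read_mem, insn_count):
        """Body of a code hook: returns a hit record when `pc` is a sentinel, else None.

        The emulated `call [iat_slot]` pushed its return address, so [rsp] is the
        import's ret-site; the fetched byte is `ret`, so emulation continues there.
        """
        if not self.contains(pc):
            return None
        ret_site = struct.unpack("<Q", read_mem(rsp, 8))[0]
        hit = (insn_count, ret_site, self.name_at[pc])
        self.hits.append(hit)
        return hit


def demo():
    """Constructed scenario (not from the sample): one import call seen via the page."""
    page = SentinelPage(0x7FFF0000, ["GetStdHandle", "WriteConsoleA"])
    stack_base = 0x10000
    stack = bytearray(0x100)
    rsp = stack_base + 0x80
    # Pretend `call [IAT.GetStdHandle]` just executed from a ret-site at 0x140001234.
    stack[rsp - stack_base: rsp - stack_base + 8] = struct.pack("<Q", 0x140001234)
    read_mem = lambda addr, n: bytes(stack[addr - stack_base: addr - stack_base + n])
    return page.on_code(page.addr_of["GetStdHandle"], rsp, read_mem, insn_count=1)
```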