
RuntimeError: Emulation crashed at 0x80051F8

Open Wpj-001 opened this issue 1 year ago • 4 comments

I encountered an error while generating a trace for other encrypted codes. How can this be resolved?

Traceback (most recent call last):
  File "/home/alex/project_wpj/rainbow/rainbow/rainbow.py", line 275, in start
    self.emu.emu_start(begin, end, timeout=timeout, count=count)
  File "/home/alex/miniconda3/envs/Rainbow/lib/python3.8/site-packages/unicorn/unicorn.py", line 547, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/alex/project_wpj/rainbow/examples/kyber512/cortexm_aes.py", line 66, in <module>
    container = CortexMAesContainer(N)
  File "/home/alex/miniconda3/envs/Rainbow/lib/python3.8/site-packages/lascar/container/container.py", line 427, in __init__
    trace = self.generate_trace(0)
  File "/home/alex/project_wpj/rainbow/examples/kyber512/cortexm_aes.py", line 59, in generate_trace
    leakage = kyber_enc_dec()
  File "/home/alex/project_wpj/rainbow/examples/kyber512/cortexm_aes.py", line 28, in kyber_enc_dec
    e.start(e.functions["PQCLEAN_KYBER512_CLEAN_crypto_kem_keypair"] | 1, 0)
  File "/home/alex/project_wpj/rainbow/rainbow/generics/cortexm.py", line 79, in start
    return super().start(begin | 1, *args, **kwargs)
  File "/home/alex/project_wpj/rainbow/rainbow/rainbow.py", line 279, in start
    raise RuntimeError(f"Emulation crashed at 0x{pc:X}") from e
RuntimeError: Emulation crashed at 0x80051F8

Wpj-001, Jun 21 '24 11:06

"read unmapped" errors occur when an instruction (in this case the one at 0x80051F8) tries to access memory that was not mapped by the original mapping of your binary/executable. You can try executing that same function with the same parameters, but this time without using the 'side-channel mode' and tracing register values instead to see the culprit:

emulator = rainbow_cortexm(print_config=Print.Code | Print.Registers)

yhql, Jun 29 '24 18:06

I changed to a program for analysis, and an error occurred at 0X80015B2. Following the method provided by you, I received the following error output. How should I resolve this issue? [image]

Wpj-001, Jul 01 '24 01:07

Looking at 0x80015a3, you have r3 = 0xdead0400, but in 0x80015b2 the strb instruction tries to write to that address. If you get a UC_ERR_WRITE_UNMAPPED, that means the emulator has nothing mapped in 0xdead00xx yet. If you're sure you need to have something available here, you can map it like so:

emulator = rainbow...( ... )
emulator[0xdead0000] = bytes(1024)

which will allocate 1 KB of data starting at 0xdead0000

yhql, Jul 01 '24 08:07
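
The triage described in the replies above, as an added example that is not part of the thread or of Rainbow's own code: it pulls the access kind and crashing PC out of the traceback, then works out which pages a faulting access still needs. The 4 KiB page size, the `REGIONS` memory map and the function names are assumptions made for illustration.

```python
import re

PAGE = 0x1000  # assumption: 4 KiB pages, the alignment Unicorn's mem_map requires

def crash_info(traceback_text):
    """Return (access kind, crashing PC) from a Rainbow/Unicorn traceback, or None."""
    kind = re.search(r"UC_ERR_(READ|WRITE|FETCH)_UNMAPPED", traceback_text)
    pc = re.search(r"Emulation crashed at 0x([0-9A-Fa-f]+)", traceback_text)
    if not (kind and pc):
        return None
    return kind.group(1).lower(), int(pc.group(1), 16)

def is_mapped(addr, size, regions):
    """True if every byte of [addr, addr+size) lies inside the (start, length) regions."""
    cur, end = addr, addr + size
    for start, length in sorted(regions):
        if start <= cur < start + length:
            cur = start + length  # covered up to the end of this region
    return cur >= end

def pages_to_map(addr, size, regions, page=PAGE):
    """Merged, page-aligned (start, length) runs still missing for this access."""
    first = addr & ~(page - 1)
    last = (addr + size + page - 1) & ~(page - 1)
    runs = []
    for p in range(first, last, page):
        if is_mapped(p, page, regions):
            continue
        if runs and runs[-1][0] + runs[-1][1] == p:
            runs[-1] = (runs[-1][0], runs[-1][1] + page)  # extend previous run
        else:
            runs.append((p, page))
    return runs

# Constructed memory map (flash, RAM); not taken from the binary in the issue.
REGIONS = [(0x08000000, 0x20000), (0x20000000, 0x8000)]
# Two lines excerpted from the traceback quoted in the first post.
TRACE = ("unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)\n"
         "RuntimeError: Emulation crashed at 0x80051F8\n")

if __name__ == "__main__":
    print(crash_info(TRACE))
    # The strb discussed above: one byte written through r3 = 0xdead0400.
    for start, length in pages_to_map(0xDEAD0400, 1, REGIONS):
        print(f"emulator[0x{start:08X}] = bytes(0x{length:X})")
```
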

Thank you very much for your reply. The previous issue has been resolved. However, a new problem has arisen. When I was analyzing a program, it got stuck at a certain point. I printed the executed functions using print_config=Print.Functions, and found that it keeps hanging at the place shown in the figure below. It neither throws an error nor proceeds further. What could be the reason for this? [image]

Wpj-001, Jul 01 '24 12:07