@richinseattle
Created February 5, 2022 01:43
Example of automated crash triage with taint slicing (moflow pintool + BAP IL). The tool taints the 44 bytes oggenc reads from crash.wav (the same buffer is re-read three times after the fd offset is reset, hence three taint introductions), lifts the trace, and slices backwards from the faulting `movdqu xmm8,[rsi+rcx]` read at rsi=0x5c86e0 inside a shared-library SSE copy loop. The slice shows rsi being computed in the main image as `lea edx,[r13-0x1]; movsxd rdx,edx; shl rdx,0x5; lea rsi,[rdx+0x610920]`, where r13 is `movsx r13d,r15w` of the 16-bit value 0xdbef — so the field is treated as a signed 16-bit integer, the negative index is widened to 64 bits, and the table pointer lands far below its 0x610920 base (an out-of-bounds read, not a controlled write, as far as this log shows). Note that the final "[*] Byte offset 22" report understates the input: the slice also carries taint tag 24 from byte 23 (0xdb) into the same r15w/r13 value, so both offsets 22–23 should be listed when reducing the testcase. In a canonical 44-byte RIFF/WAVE header offset 22 is the 16-bit channel-count field, which would make this a missing range check on channels — confirm against the header layout and the oggenc source before filing.
# log generated with: ./moflow_triage.sh -f crash.wav -- oggenc crash.wav
Moflow slicer triage
[+] Tracing taint propagation from crash.wav with pintool..
Thread 0 starting
Opening tainted file: crash.wav
Tainting 44 bytes from read at 7fcdc5c4e000, fd=4
Taint introduction #0. @7fcdc5c4e000/44 bytes: file crash.wav
Changing offset for fd 4 to 44
Changing offset for fd 4 to 0
Tainting 44 bytes from read at 7fcdc5c4e000, fd=4
Taint introduction #1. @7fcdc5c4e000/44 bytes: file crash.wav
Changing offset for fd 4 to 0
Tainting 44 bytes from read at 7fcdc5c4e000, fd=4
Taint introduction #2. @7fcdc5c4e000/44 bytes: file crash.wav
[+] Lifting trace and concretizing BAP IL..
Concrete Substitution Run: 91% (1600.146498 eps)
Concrete Substitution Run: 92% (1533.726584 eps)
Concrete Substitution Run: 93% (2660.572588 eps)
Concrete Substitution Run: 94% (2736.724520 eps)
Concrete Substitution Run: 95% (1713.559472 eps)
Concrete Substitution Run: 96% (2298.836597 eps)
Concrete Substitution Run: 97% (2159.859933 eps)
Concrete Substitution Run: 98% (3081.619313 eps)
Concrete Substitution Run: 99% (5571.604676 eps)
Concrete Substitution Run: 100% (5840.486970 eps)
Concrete Substitution Run: Done! (0.440908 seconds)
[+] Tainted instructions executed in main image:
addr 0x4056b0 @asm "movzx eax,BYTE PTR [rsp+0x7]" @tid "0"
addr 0x4056b5 @asm "movzx edx,BYTE PTR [rsp+0x6]" @tid "0"
addr 0x4056ba @asm "shl eax,0x18" @tid "0"
addr 0x4056bd @asm "shl edx,0x10" @tid "0"
addr 0x4056c0 @asm "or eax,edx" @tid "0"
addr 0x4056c2 @asm "movzx edx,BYTE PTR [rsp+0x4]" @tid "0"
addr 0x4056c7 @asm "or eax,edx" @tid "0"
addr 0x4056c9 @asm "movzx edx,BYTE PTR [rsp+0x5]" @tid "0"
addr 0x4056ce @asm "shl edx,0x8" @tid "0"
addr 0x4056d1 @asm "or eax,edx" @tid "0"
addr 0x4056d3 @asm "mov DWORD PTR [rbp+0x0],eax" @tid "0"
addr 0x4056d6 @asm "mov eax,0x1" @tid "0"
addr 0x405692 @asm "mov rdx,QWORD PTR [rsp+0x8]" @tid "0"
addr 0x405697 @asm "xor rdx,QWORD PTR fs:0x28" @tid "0"
addr 0x405755 @asm "mov ecx,DWORD PTR [rsp+0x5c]" @tid "0"
addr 0x405763 @asm "cmp ecx,0xf" @tid "0"
addr 0x405766 @asm "jbe 0x00000000004059fa" @tid "0"
addr 0x40576c @asm "mov eax,ecx" @tid "0"
addr 0x40576e @asm "and eax,0xfffffffd" @tid "0"
addr 0x405771 @asm "cmp eax,0x10" @tid "0"
addr 0x405774 @asm "je 0x00000000004057a6" @tid "0"
addr 0x405776 @asm "cmp ecx,0x28" @tid "0"
addr 0x405779 @asm "je 0x00000000004057b8" @tid "0"
addr 0x405785 @asm "xor edi,edi" @tid "0"
addr 0x4057a2 @asm "mov ecx,DWORD PTR [rsp+0x5c]" @tid "0"
addr 0x4057a6 @asm "cmp ecx,0x28" @tid "0"
addr 0x4057a9 @asm "jbe 0x00000000004057b8" @tid "0"
addr 0x4057ab @asm "mov DWORD PTR [rsp+0x5c],0x28" @tid "0"
addr 0x4057b3 @asm "mov ecx,0x28" @tid "0"
addr 0x4057d3 @asm "mov ecx,edx" @tid "0"
addr 0x4057de @asm "movzx eax,BYTE PTR [rsp+0x61]" @tid "0"
addr 0x4057e3 @asm "movzx ecx,BYTE PTR [rsp+0x60]" @tid "0"
addr 0x4057e8 @asm "movzx r15d,BYTE PTR [rsp+0x63]" @tid "0"
addr 0x4057ee @asm "movzx r14d,BYTE PTR [rsp+0x6f]" @tid "0"
addr 0x4057f4 @asm "movzx r13d,BYTE PTR [rsp+0x6e]" @tid "0"
addr 0x4057fa @asm "shl eax,0x8" @tid "0"
addr 0x4057fd @asm "or ecx,eax" @tid "0"
addr 0x4057ff @asm "movzx eax,BYTE PTR [rsp+0x62]" @tid "0"
addr 0x405804 @asm "cmp cx,0xfffe" @tid "0"
addr 0x405808 @asm "mov BYTE PTR [rsp+0x4b],al" @tid "0"
addr 0x40580c @asm "movzx eax,BYTE PTR [rsp+0x67]" @tid "0"
addr 0x405811 @asm "mov BYTE PTR [rsp+0x30],al" @tid "0"
addr 0x405815 @asm "movzx eax,BYTE PTR [rsp+0x66]" @tid "0"
addr 0x40581a @asm "mov BYTE PTR [rsp+0x4d],al" @tid "0"
addr 0x40581e @asm "movzx eax,BYTE PTR [rsp+0x65]" @tid "0"
addr 0x405823 @asm "mov BYTE PTR [rsp+0x4e],al" @tid "0"
addr 0x405827 @asm "movzx eax,BYTE PTR [rsp+0x64]" @tid "0"
addr 0x40582c @asm "mov BYTE PTR [rsp+0x4f],al" @tid "0"
addr 0x405830 @asm "movzx eax,BYTE PTR [rsp+0x6d]" @tid "0"
addr 0x405835 @asm "mov BYTE PTR [rsp+0x20],al" @tid "0"
addr 0x405839 @asm "movzx eax,BYTE PTR [rsp+0x6c]" @tid "0"
addr 0x40583e @asm "mov BYTE PTR [rsp+0x4c],al" @tid "0"
addr 0x405842 @asm "je 0x0000000000405a70" @tid "0"
addr 0x405855 @asm "mov DWORD PTR [rsp+0x8],ecx" @tid "0"
addr 0x405590 @asm "push r13" @tid "0" @context "R_R13" = 0x10, -1, u64, rd
addr 0x40559f @asm "sub rsp,0x18" @tid "0"
addr 0x4055a3 @asm "mov rax,QWORD PTR fs:0x28" @tid "0"
addr 0x40564a @asm "mov rcx,rbx" @tid "0"
addr 0x4056b0 @asm "movzx eax,BYTE PTR [rsp+0x7]" @tid "0"
addr 0x4056b5 @asm "movzx edx,BYTE PTR [rsp+0x6]" @tid "0"
addr 0x4056ba @asm "shl eax,0x18" @tid "0"
addr 0x4056bd @asm "shl edx,0x10" @tid "0"
addr 0x4056c0 @asm "or eax,edx" @tid "0"
addr 0x4056c2 @asm "movzx edx,BYTE PTR [rsp+0x4]" @tid "0"
addr 0x4056c7 @asm "or eax,edx" @tid "0"
addr 0x4056c9 @asm "movzx edx,BYTE PTR [rsp+0x5]" @tid "0"
addr 0x4056ce @asm "shl edx,0x8" @tid "0"
addr 0x4056d1 @asm "or eax,edx" @tid "0"
addr 0x4056d3 @asm "mov DWORD PTR [rbp+0x0],eax" @tid "0"
addr 0x4056d6 @asm "mov eax,0x1" @tid "0"
addr 0x405692 @asm "mov rdx,QWORD PTR [rsp+0x8]" @tid "0"
addr 0x405697 @asm "xor rdx,QWORD PTR fs:0x28" @tid "0"
addr 0x4056aa @asm "pop r13" @tid "0" @context "R_R13" = 0x10, -1, u64, wr
addr 0x405860 @asm "mov ecx,DWORD PTR [rsp+0x8]" @tid "0"
addr 0x40586a @asm "shl r14d,0x8" @tid "0"
addr 0x40586e @asm "or r14d,r13d" @tid "0"
addr 0x405871 @asm "cmp cx,0x1" @tid "0"
addr 0x405875 @asm "je 0x0000000000405ad8" @tid "0"
addr 0x405ad8 @asm "lea r9d,[r14+0x7]" @tid "0"
addr 0x405adc @asm "test r14w,r14w" @tid "0"
addr 0x405ae9 @asm "cmovns r9d,r14d" @tid "0"
addr 0x405aed @asm "sar r9w,0x3" @tid "0"
addr 0x405af2 @asm "movsx r9d,r9w" @tid "0"
addr 0x405af6 @asm "lea r8d,[r9*8+0x0]" @tid "0"
addr 0x40589a @asm "movzx eax,BYTE PTR [rsp+0x4b]" @tid "0"
addr 0x40589f @asm "shl r15d,0x8" @tid "0"
addr 0x4058a3 @asm "movzx edx,BYTE PTR [rsp+0x4c]" @tid "0"
addr 0x4058a8 @asm "or r15d,eax" @tid "0"
addr 0x4058ab @asm "movzx eax,BYTE PTR [rsp+0x20]" @tid "0"
addr 0x4058b0 @asm "movsx r13d,r15w" @tid "0"
addr 0x4058b4 @asm "imul r9d,r13d" @tid "0"
addr 0x4058b8 @asm "shl eax,0x8" @tid "0"
addr 0x4058bb @asm "or eax,edx" @tid "0"
addr 0x4058bd @asm "cwde " @tid "0" @context "R_RAX" = 0x3f7, -1, u64, wr
addr 0x4058be @asm "cmp eax,r9d" @tid "0"
addr 0x4058c1 @asm "je 0x0000000000405906" @tid "0"
addr 0x4058c3 @asm "mov edx,0x5" @tid "0"
addr 0x4058cd @asm "xor edi,edi" @tid "0"
addr 0x4058cf @asm "mov DWORD PTR [rsp+0x8],ecx" @tid "0"
addr 0x4058d3 @asm "mov DWORD PTR [rsp+0x18],r8d" @tid "0"
addr 0x4058d8 @asm "mov DWORD PTR [rsp+0x10],r9d" @tid "0"
addr 0x4058f8 @asm "mov r9d,DWORD PTR [rsp+0x10]" @tid "0"
addr 0x4058fd @asm "mov r8d,DWORD PTR [rsp+0x18]" @tid "0"
addr 0x405902 @asm "mov ecx,DWORD PTR [rsp+0x8]" @tid "0"
addr 0x405906 @asm "movsx eax,r14w" @tid "0"
addr 0x40590a @asm "cmp eax,r8d" @tid "0"
addr 0x40590d @asm "jne 0x00000000004059f0" @tid "0"
addr 0x405913 @asm "mov eax,r14d" @tid "0"
addr 0x405916 @asm "and eax,0xfffffff7" @tid "0"
addr 0x405919 @asm "cmp ax,0x10" @tid "0"
addr 0x40591d @asm "jne 0x00000000004059d0" @tid "0"
addr 0x405923 @asm "movzx eax,BYTE PTR [rsp+0x30]" @tid "0"
addr 0x405928 @asm "movzx edx,BYTE PTR [rsp+0x4d]" @tid "0"
addr 0x40592d @asm "mov DWORD PTR [r12+0x50],r13d" @tid "0"
addr 0x405944 @asm "mov WORD PTR [rbp+0x0],r15w" @tid "0"
addr 0x405949 @asm "mov WORD PTR [rbp+0x2],r14w" @tid "0"
addr 0x40594e @asm "shl edx,0x10" @tid "0"
addr 0x405951 @asm "shl eax,0x18" @tid "0"
addr 0x405954 @asm "or eax,edx" @tid "0"
addr 0x405956 @asm "movzx edx,BYTE PTR [rsp+0x4f]" @tid "0"
addr 0x40595b @asm "or eax,edx" @tid "0"
addr 0x40595d @asm "movzx edx,BYTE PTR [rsp+0x4e]" @tid "0"
addr 0x405962 @asm "shl edx,0x8" @tid "0"
addr 0x405965 @asm "or eax,edx" @tid "0"
addr 0x405967 @asm "cdqe " @tid "0"
addr 0x405969 @asm "mov QWORD PTR [r12+0x58],rax" @tid "0"
addr 0x40596e @asm "mov eax,DWORD PTR [rsp+0x5c]" @tid "0"
addr 0x405972 @asm "test eax,eax" @tid "0"
addr 0x405974 @asm "je 0x0000000000405c4f" @tid "0"
addr 0x405c52 @asm "mov DWORD PTR [rsp+0x10],r9d" @tid "0"
addr 0x405c66 @asm "mov r13,rax" @tid "0"
addr 0x405c71 @asm "mov r9d,DWORD PTR [rsp+0x10]" @tid "0"
addr 0x405cb6 @asm "mov DWORD PTR [rsp+0x10],r9d" @tid "0"
addr 0x405cc0 @asm "movsxd r9,DWORD PTR [rsp+0x10]" @tid "0"
addr 0x405cd5 @asm "idiv r9" @tid "0"
addr 0x405cd8 @asm "xor edx,edx" @tid "0"
addr 0x405cda @asm "mov QWORD PTR [r12+0x48],rax" @tid "0"
addr 0x405ce4 @asm "movzx r15d,WORD PTR [rbp+0x0]" @tid "0"
addr 0x405ce9 @asm "mov rax,QWORD PTR [r12+0x48]" @tid "0"
addr 0x405cee @asm "movsx r13d,r15w" @tid "0"
addr 0x405986 @asm "movsx rbx,r15w" @tid "0"
addr 0x40598f @asm "mov QWORD PTR [rbp+0x8],rax" @tid "0"
addr 0x405993 @asm "shl rbx,0x2" @tid "0"
addr 0x405997 @asm "mov rdi,rbx" @tid "0"
addr 0x40599f @asm "cmp r15w,0x8" @tid "0"
addr 0x4059a8 @asm "jle 0x0000000000405c91" @tid "0"
addr 0x405c91 @asm "lea edx,[r13-0x1]" @tid "0"
addr 0x405c98 @asm "movsxd rdx,edx" @tid "0"
addr 0x405c9b @asm "shl rdx,0x5" @tid "0"
addr 0x405c9f @asm "lea rsi,[rdx+0x610920]" @tid "0"
addr 0x405ca6 @asm "mov rdx,rbx" @tid "0"
addr 0x401e10
[+] Last 20 instructions executed before crash..
addr 0x7fcdc5e5bb59 @asm "je 0x00007fcdc5e5ba6e" @tid "0"
addr 0x7fcdc5e5bb5f @asm "mov r9,rdx" @tid "0"
addr 0x7fcdc5e5bb62 @asm "lea rcx,[rsi+0x10]" @tid "0"
addr 0x7fcdc5e5bb6a @asm "shr r9,0x4" @tid "0"
addr 0x7fcdc5e5bb6e @asm "mov rax,r9" @tid "0"
addr 0x7fcdc5e5bb71 @asm "shl rax,0x4" @tid "0"
addr 0x7fcdc5e5bb75 @asm "cmp rdi,rcx" @tid "0"
addr 0x7fcdc5e5bb78 @asm "setae cl" @tid "0"
addr 0x7fcdc5e5bb7b @asm "cmp rsi,r8" @tid "0"
addr 0x7fcdc5e5bb7e @asm "setae r8b" @tid "0"
addr 0x7fcdc5e5bb82 @asm "or ecx,r8d" @tid "0"
addr 0x7fcdc5e5bb85 @asm "cmp rdx,0xf" @tid "0"
addr 0x7fcdc5e5bb89 @asm "seta r8b" @tid "0"
addr 0x7fcdc5e5bb8d @asm "test cl,r8b" @tid "0"
addr 0x7fcdc5e5bb90 @asm "je 0x00007fcdc5e5bc32" @tid "0"
addr 0x7fcdc5e5bb96 @asm "test rax,rax" @tid "0"
addr 0x7fcdc5e5bb99 @asm "je 0x00007fcdc5e5bc32" @tid "0"
addr 0x7fcdc5e5bb9f @asm "xor ecx,ecx" @tid "0"
addr 0x7fcdc5e5bba1 @asm "xor r8d,r8d" @tid "0"
addr 0x7fcdc5e5bba4 @asm "movdqu xmm8,XMMWORD PTR [rsi+rcx*1]" @tid "0"
[+] Display context for last executed instruction..
addr 0x7fcdc5e5bba4 @asm "movdqu xmm8,XMMWORD PTR [rsi+rcx*1]" @tid "0"
@context "R_YMM8" = 0x0, -1, u256, wr
@context "R_RSI" = 0x5c86e0, -1, u64, rd @context "R_RCX" = 0x0, 0, u64, rd
@context "mem64[0x5c86e0]" = 0x0, 0, u8, rd
@context "mem64[0x5c86e1]" = 0x0, 0, u8, rd
@context "mem64[0x5c86e2]" = 0x0, 0, u8, rd
@context "mem64[0x5c86e3]" = 0x0, 0, u8, rd
@context "mem64[0x5c86e4]" = 0x0, 0, u8, rd
@context "mem64[0x5c86e5]" = 0x0, 0, u8, rd
@context "mem64[0x5c86e6]" = 0x0, 0, u8, rd
@context "mem64[0x5c86e7]" = 0x0, 0, u8, rd
@context "mem64[0x5c86e8]" = 0x0, 0, u8, rd
@context "mem64[0x5c86e9]" = 0x0, 0, u8, rd
@context "mem64[0x5c86ea]" = 0x0, 0, u8, rd
@context "mem64[0x5c86eb]" = 0x0, 0, u8, rd
@context "mem64[0x5c86ec]" = 0x0, 0, u8, rd
@context "mem64[0x5c86ed]" = 0x0, 0, u8, rd
@context "mem64[0x5c86ee]" = 0x0, 0, u8, rd
@context "mem64[0x5c86ef]" = 0x0, 0, u8, rd
[+] Getting slice for tainted variable dsa_R_RSI_1_15419..
addr 0x7fcdc5e52b30 @asm "movzx eax,BYTE PTR [rsi]" @tid "0"
@context "R_RAX" = 0x0, 22, u64, wr
@context "R_RSI" = 0x7fcdc5c4e016, 0, u64, rd
@context "mem64[0x7fcdc5c4e016]" = 0xef, 23, u8, rd
addr 0x7fcdc5e52b33 @asm "mov BYTE PTR [rdi],al" @tid "0"
@context "R_RDI" = 0x7ffd6de3b232, 0, u64, rd
@context "R_RAX" = 0xef, 23, u64, rd
@context "mem64[0x7ffd6de3b232]" = 0x0, 0, u8, wr
addr 0x7fcdc5e52b30 @asm "movzx eax,BYTE PTR [rsi]" @tid "0"
@context "R_RAX" = 0xef, 23, u64, wr
@context "R_RSI" = 0x7fcdc5c4e017, 0, u64, rd
@context "mem64[0x7fcdc5c4e017]" = 0xdb, 24, u8, rd
addr 0x7fcdc5e52b33 @asm "mov BYTE PTR [rdi],al" @tid "0"
@context "R_RDI" = 0x7ffd6de3b233, 0, u64, rd
@context "R_RAX" = 0xdb, 24, u64, rd
@context "mem64[0x7ffd6de3b233]" = 0x0, 0, u8, wr
addr 0x4057e8 @asm "movzx r15d,BYTE PTR [rsp+0x63]" @tid "0"
@context "R_R15" = 0xc, 0, u64, wr
@context "R_RSP" = 0x7ffd6de3b1d0, 0, u64, rd
@context "mem64[0x7ffd6de3b233]" = 0xdb, 24, u8, rd
addr 0x4057ff @asm "movzx eax,BYTE PTR [rsp+0x62]" @tid "0"
@context "R_RAX" = 0x0, 22, u64, wr
@context "R_RSP" = 0x7ffd6de3b1d0, 0, u64, rd
@context "mem64[0x7ffd6de3b232]" = 0xef, 23, u8, rd
addr 0x405808 @asm "mov BYTE PTR [rsp+0x4b],al" @tid "0"
@context "R_RSP" = 0x7ffd6de3b1d0, 0, u64, rd
@context "R_RAX" = 0xef, 23, u64, rd
@context "mem64[0x7ffd6de3b21b]" = 0x1, 0, u8, wr
addr 0x40589a @asm "movzx eax,BYTE PTR [rsp+0x4b]" @tid "0"
@context "R_RAX" = 0x1, 0, u64, wr
@context "R_RSP" = 0x7ffd6de3b1d0, 0, u64, rd
@context "mem64[0x7ffd6de3b21b]" = 0xef, 23, u8, rd
addr 0x40589f @asm "shl r15d,0x8" @tid "0"
@context "R_R15" = 0xdb, 24, u64, rw
@context "R_RFLAGS" = 0x202, -1, u64, wr
addr 0x4058a8 @asm "or r15d,eax" @tid "0"
@context "R_R15" = 0xdb00, 24, u64, rw @context "R_RAX" = 0xef, 23, u64, rd
@context "R_RFLAGS" = 0x206, 24, u64, wr
addr 0x7fcdc5df24a4 @asm "push r15" @tid "0"
@context "R_R15" = 0xdbef, -1, u64, rd
@context "R_RSP" = 0x7ffd6de3b1c0, 0, u64, rd
@context "mem64[0x7ffd6de3b1b8]" = 0xf0, 0, u8, wr
@context "mem64[0x7ffd6de3b1b9]" = 0xb3, 0, u8, wr
@context "mem64[0x7ffd6de3b1ba]" = 0xe3, 0, u8, wr
@context "mem64[0x7ffd6de3b1bb]" = 0x6d, 0, u8, wr
@context "mem64[0x7ffd6de3b1bc]" = 0xfd, 0, u8, wr
@context "mem64[0x7ffd6de3b1bd]" = 0x7f, 0, u8, wr
@context "mem64[0x7ffd6de3b1be]" = 0x0, 0, u8, wr
@context "mem64[0x7ffd6de3b1bf]" = 0x0, 0, u8, wr
addr 0x7fcdc5df2957 @asm "pop r15" @tid "0"
@context "R_R15" = 0x1c7df0b, 0, u64, wr
@context "R_RSP" = 0x7ffd6de3b1b8, 0, u64, rd
@context "mem64[0x7ffd6de3b1b8]" = 0xef, -1, u8, rd
@context "mem64[0x7ffd6de3b1b9]" = 0xdb, -1, u8, rd
@context "mem64[0x7ffd6de3b1ba]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b1bb]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b1bc]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b1bd]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b1be]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b1bf]" = 0x0, -1, u8, rd
addr 0x7fcdc5e0ac44 @asm "push r15" @tid "0"
@context "R_R15" = 0xdbef, -1, u64, rd
@context "R_RSP" = 0x7ffd6de3b0d0, 0, u64, rd
@context "mem64[0x7ffd6de3b0c8]" = 0x53, 0, u8, wr
@context "mem64[0x7ffd6de3b0c9]" = 0x25, 0, u8, wr
@context "mem64[0x7ffd6de3b0ca]" = 0xdf, 0, u8, wr
@context "mem64[0x7ffd6de3b0cb]" = 0xc5, 0, u8, wr
@context "mem64[0x7ffd6de3b0cc]" = 0xcd, 0, u8, wr
@context "mem64[0x7ffd6de3b0cd]" = 0x7f, 0, u8, wr
@context "mem64[0x7ffd6de3b0ce]" = 0x0, 0, u8, wr
@context "mem64[0x7ffd6de3b0cf]" = 0x0, 0, u8, wr
addr 0x7fcdc5e0ae09 @asm "pop r15" @tid "0"
@context "R_R15" = 0x7ffd6de3b0e8, 0, u64, wr
@context "R_RSP" = 0x7ffd6de3b0c8, 0, u64, rd
@context "mem64[0x7ffd6de3b0c8]" = 0xef, -1, u8, rd
@context "mem64[0x7ffd6de3b0c9]" = 0xdb, -1, u8, rd
@context "mem64[0x7ffd6de3b0ca]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b0cb]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b0cc]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b0cd]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b0ce]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b0cf]" = 0x0, -1, u8, rd
addr 0x405944 @asm "mov WORD PTR [rbp+0x0],r15w" @tid "0"
@context "R_RBP" = 0x1c7e290, 0, u64, rd
@context "R_R15" = 0xdbef, -1, u64, rd
@context "mem64[0x1c7e290]" = 0x0, 0, u8, wr
@context "mem64[0x1c7e291]" = 0x0, 0, u8, wr
addr 0x405ce4 @asm "movzx r15d,WORD PTR [rbp+0x0]" @tid "0"
@context "R_R15" = 0xdbef, -1, u64, wr
@context "R_RBP" = 0x1c7e290, 0, u64, rd
@context "mem64[0x1c7e290]" = 0xef, -1, u8, rd
@context "mem64[0x1c7e291]" = 0xdb, -1, u8, rd
addr 0x405cee @asm "movsx r13d,r15w" @tid "0"
@context "R_R13" = 0x44, 0, u64, wr @context "R_R15" = 0xdbef, -1, u64, rd
addr 0x7fcdc5e41744 @asm "push r13" @tid "0"
@context "R_R13" = 0xffffdbef, -1, u64, rd
@context "R_RSP" = 0x7ffd6de3b198, 0, u64, rd
@context "mem64[0x7ffd6de3b190]" = 0x44, 0, u8, wr
@context "mem64[0x7ffd6de3b191]" = 0x0, 0, u8, wr
@context "mem64[0x7ffd6de3b192]" = 0x0, 0, u8, wr
@context "mem64[0x7ffd6de3b193]" = 0x0, 0, u8, wr
@context "mem64[0x7ffd6de3b194]" = 0x0, 0, u8, wr
@context "mem64[0x7ffd6de3b195]" = 0x0, 0, u8, wr
@context "mem64[0x7ffd6de3b196]" = 0x0, 0, u8, wr
@context "mem64[0x7ffd6de3b197]" = 0x0, 0, u8, wr
addr 0x7fcdc5e41878 @asm "pop r13" @tid "0"
@context "R_R13" = 0x1c9e000, -1, u64, wr
@context "R_RSP" = 0x7ffd6de3b190, 0, u64, rd
@context "mem64[0x7ffd6de3b190]" = 0xef, -1, u8, rd
@context "mem64[0x7ffd6de3b191]" = 0xdb, -1, u8, rd
@context "mem64[0x7ffd6de3b192]" = 0xff, -1, u8, rd
@context "mem64[0x7ffd6de3b193]" = 0xff, -1, u8, rd
@context "mem64[0x7ffd6de3b194]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b195]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b196]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b197]" = 0x0, -1, u8, rd
addr 0x7fcdc5e41744 @asm "push r13" @tid "0"
@context "R_R13" = 0xffffdbef, -1, u64, rd
@context "R_RSP" = 0x7ffd6de3b198, 0, u64, rd
@context "mem64[0x7ffd6de3b190]" = 0xef, -1, u8, wr
@context "mem64[0x7ffd6de3b191]" = 0xdb, -1, u8, wr
@context "mem64[0x7ffd6de3b192]" = 0xff, -1, u8, wr
@context "mem64[0x7ffd6de3b193]" = 0xff, -1, u8, wr
@context "mem64[0x7ffd6de3b194]" = 0x0, -1, u8, wr
@context "mem64[0x7ffd6de3b195]" = 0x0, -1, u8, wr
@context "mem64[0x7ffd6de3b196]" = 0x0, -1, u8, wr
@context "mem64[0x7ffd6de3b197]" = 0x0, -1, u8, wr
addr 0x7fcdc5e41878 @asm "pop r13" @tid "0"
@context "R_R13" = 0x7fcdc0000000, 0, u64, wr
@context "R_RSP" = 0x7ffd6de3b190, 0, u64, rd
@context "mem64[0x7ffd6de3b190]" = 0xef, -1, u8, rd
@context "mem64[0x7ffd6de3b191]" = 0xdb, -1, u8, rd
@context "mem64[0x7ffd6de3b192]" = 0xff, -1, u8, rd
@context "mem64[0x7ffd6de3b193]" = 0xff, -1, u8, rd
@context "mem64[0x7ffd6de3b194]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b195]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b196]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b197]" = 0x0, -1, u8, rd
addr 0x405c91 @asm "lea edx,[r13-0x1]" @tid "0"
@context "R_RDX" = 0x0, 0, u64, wr
@context "R_R13" = 0xffffdbef, -1, u64, rd
addr 0x405c98 @asm "movsxd rdx,edx" @tid "0"
@context "R_RDX" = 0xffffdbee, -1, u64, wr
@context "R_RDX" = 0xffffdbee, -1, u64, rd
addr 0x405c9b @asm "shl rdx,0x5" @tid "0"
@context "R_RDX" = 0xffffffffffffdbee, -1, u64, rw
@context "R_RFLAGS" = 0x286, -1, u64, wr
addr 0x405c9f @asm "lea rsi,[rdx+0x610920]" @tid "0"
@context "R_RSI" = 0x4000000, 0, u64, wr
@context "R_RDX" = 0xfffffffffffb7dc0, -1, u64, rd
addr 0x7fcdf4d9d582 @asm "mov QWORD PTR [rsp+0x18],rsi" @tid "0"
@context "R_RSP" = 0x7ffd6de3b180, 0, u64, rd
@context "R_RSI" = 0x5c86e0, -1, u64, rd
@context "mem64[0x7ffd6de3b198]" = 0x10, -1, u8, wr
@context "mem64[0x7ffd6de3b199]" = 0x0, -1, u8, wr
@context "mem64[0x7ffd6de3b19a]" = 0x0, -1, u8, wr
@context "mem64[0x7ffd6de3b19b]" = 0x0, -1, u8, wr
@context "mem64[0x7ffd6de3b19c]" = 0x0, -1, u8, wr
@context "mem64[0x7ffd6de3b19d]" = 0x0, -1, u8, wr
@context "mem64[0x7ffd6de3b19e]" = 0x0, -1, u8, wr
@context "mem64[0x7ffd6de3b19f]" = 0x0, -1, u8, wr
addr 0x7fcdf4d9d5b7 @asm "mov rsi,QWORD PTR [rsp+0x18]" @tid "0"
@context "R_RSI" = 0x7fcdc5dcb678, 0, u64, wr
@context "R_RSP" = 0x7ffd6de3b180, 0, u64, rd
@context "mem64[0x7ffd6de3b198]" = 0xe0, -1, u8, rd
@context "mem64[0x7ffd6de3b199]" = 0x86, -1, u8, rd
@context "mem64[0x7ffd6de3b19a]" = 0x5c, -1, u8, rd
@context "mem64[0x7ffd6de3b19b]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b19c]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b19d]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b19e]" = 0x0, -1, u8, rd
@context "mem64[0x7ffd6de3b19f]" = 0x0, -1, u8, rd
[+] Getting context for first instruction tainted by dsa_R_RSI_1_15419..
addr 0x7fcdc5e52b30 @asm "movzx eax,BYTE PTR [rsi]" @tid "0"
@context "mem64[0x7fcdc5c4e016]" = 0xef, 23, u8, rd
[*] Tainted offsets found!
[*] Byte offset 22 with value 0xef in crash.wav influenced the crash
@vanhauser-thc

that is nice!
