dod-cyber-crime-center / rugosa Goto Github PK

The next generation of kordesii. This is a library (not a framework) for managing emulation and provides utilities for interfacing with decompiled malware samples using dragodis.

License: Other

Python 96.45% C 0.35% Java 3.21%

malware-analysis python automation string-decode malware-automation emulation

rugosa's Introduction

Rugosa

The next generation of kordesii. This is a library (not a framework) for managing emulation and provides utilities for interfacing with decompiled malware samples using dragodis.

Rugosa is meant to be used with an automation framework such as DC3-MWCP, but can also be used in one-off scripting.

Install

pip install rugosa

You will also need to setup a backend disassembler by following Dragodis's installation instructions.

Utilities

The following utilities are included with Rugosa:

Emulator Plugin

Rugosa includes a IDA and Ghidra plugin which provides a GUI for using the emulation utility. For more information on how to install and use the plugin please see the documentation.

rugosa's People

Contributors

Stargazers

Watchers

Forkers

kchason ddash-ct ethicalsecurity-agency

rugosa's Issues

ValueError for PUSH dword ptr FS:[EAX] instruction

Using Ghidra as the backend disassembler, with sample SHA256 83dc2f219779b1d025e839da05bc9b2b60f7555bb599c6a479737f1b75c25c39, encountering the following ValueError for an unidentified reason:

    [!] Failed to execute address 0x40810A: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x40810D: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x40810A: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x40810D: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x40810A: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x40810D: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x40810A: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x40810D: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x40810A: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x40810D: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x40810A: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x40810D: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x4075AE: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x4075B1: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x40721C: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x40721F: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x407690: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x407693: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x407759: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x40775C: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x4077DA: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x4077DD: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x4079B4: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x4079B7: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x4079B4: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x4079B7: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x4079B4: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x4079B7: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x407C0C: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x407C0F: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x407CA8: PUSH dword ptr FS:[EAX]
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1330, in PUSH
        value = utils.unsigned(operand.value, operand.width)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 148, in value
        return super().value
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 169, in value
        addr = self.addr
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax
    [!] Failed to execute address 0x407CAB: MOV dword ptr FS:[EAX],ESP
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 202, in execute
        self._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/instruction.py", line 34, in _execute
        super()._execute()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/instruction.py", line 178, in _execute
        opcode_func(self._cpu_context, self)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/opcodes.py", line 1130, in _mov
        operands[0].value = opvalue2
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 178, in value
        super(x86_64Operand, self.__class__).value.__set__(self, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/operands.py", line 220, in value
        self._cpu_context.memory.write(self.addr, value)
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 105, in addr
        addr = self._calc_displacement()
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 28, in _calc_displacement
        addr = self.base + self.index * self.scale + self.offset
      File "/usr/local/lib/python3.9/site-packages/rugosa/emulation/x86_64/operands.py", line 91, in offset
        raise ValueError(f"Expected an integer offset. Got {type(offset)} for {offset}")
    ValueError: Expected an integer offset. Got <class 'dragodis.ghidra.operand_value.GhidraRegister'> for eax

TypeMap error on fld instruction in IDA

Using sample MD5 e7f46144892fe5bdef99bdf819d1b9a6, a KeyError and subsequent RuntimeError are thrown at address 0x4048d7 for a fld instruction when using IDA. This error is not observed when using Ghidra as the disassembler.

The following stack trace is observed:

Traceback (most recent call last):
  File "C:\Python\Python39\lib\site-packages\dragodis\ida\operand.py", line 71, in type
    return self._type_map[op_type]
KeyError: 11

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 8, in <module>
  File "C:\Python\Python39\lib\site-packages\rugosa\emulation\cpu_context.py", line 281, in execute
    self.instruction.execute()
  File "C:\Python\Python39\lib\site-packages\rugosa\emulation\instruction.py", line 208, in execute
    var = operand._operand.variable
  File "C:\Python\Python39\lib\site-packages\dragodis\ida\operand.py", line 101, in variable
    value = self.value
  File "C:\Python\Python39\lib\site-packages\dragodis\ida\operand.py", line 190, in value
    operand_type = self.type
  File "C:\Python\Python39\lib\site-packages\dragodis\ida\operand.py", line 175, in type
    type = super().type
  File "C:\Python\Python39\lib\site-packages\dragodis\ida\operand.py", line 73, in type
    raise RuntimeError(f"Unexpected operand type: {op_type}")
RuntimeError: Unexpected operand type: 11

Failed to execute address 0x4048D7: fld     ds:flt_66D9D4
Traceback (most recent call last):
  File "C:\Python\Python39\lib\site-packages\dragodis\ida\operand.py", line 71, in type
    return self._type_map[op_type]
KeyError: 11

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Python\Python39\lib\site-packages\rugosa\emulation\instruction.py", line 202, in execute
    self._execute()
  File "C:\Python\Python39\lib\site-packages\rugosa\emulation\x86_64\instruction.py", line 34, in _execute
    super()._execute()
  File "C:\Python\Python39\lib\site-packages\rugosa\emulation\instruction.py", line 178, in _execute
    opcode_func(self._cpu_context, self)
  File "C:\Python\Python39\lib\site-packages\rugosa\emulation\x86_64\fpu_opcodes.py", line 247, in FLD
    value = orig_value = operands[0].value if operands else None
  File "C:\Python\Python39\lib\site-packages\rugosa\emulation\x86_64\operands.py", line 142, in value
    if self.type == OperandType.memory:
  File "C:\Python\Python39\lib\site-packages\rugosa\emulation\operands.py", line 69, in type
    return self._operand.type
  File "C:\Python\Python39\lib\site-packages\dragodis\ida\operand.py", line 175, in type
    type = super().type
  File "C:\Python\Python39\lib\site-packages\dragodis\ida\operand.py", line 73, in type
    raise RuntimeError(f"Unexpected operand type: {op_type}")
RuntimeError: Unexpected operand type: 11

Function Arguments Bug

Encountering a bug when pulling function arguments for 64-bit sample f70def4172a06ee201adc7500d464973 at 0x18000426C. The function signature for the function at 0x180003E88 referenced at 0x18000426C is _BYTE *__fastcall sub_180003E88(_BYTE *a1, int a2, char a3);.

While the second argument is type int, it should be interpreted as a 64-bit integer since the sample is 64-bit. Since the value in rdx is 0x180020350, this is being cut as a 32-bit integer 0x80020350 when pulling function arguments.

Support YARA 4.3.1 and up

When attempting to use rugosa with YARA 4.3.1, a TypeError is thrown on the yara.StringMatch object, which seems to have been changed as of 4.3.0.

Please modify rugosa YARA usage to enable the new version(s) of YARA.

ELF GoLang Emulation Failure

GobRAT samples (https://blogs.jpcert.or.jp/en/2023/05/gobrat.html) are x64 ELF binaries programmed in GoLang (example SHA256 hash ca6591e246e581af1411735df514a347c43d6d32663d2584420cbbee8c2388b9).

Rugosa does not currently support acquiring a context within the binary. e.g. context = emulator.context_at(0x619A16) results in a NoneType result.

The emulator appears to (correctly) select the x86_64ProcessorContext as the _context_class, and the following debug messages are obtained:

[*] Emulating call level 0 for function at 0x00619A16: follow_loops = False, exhaustive = True
[*] Iterating contexts for call level: 0

Request supporting the x86/x64 instruction set for these binaries.

Support Vector Packed Bitwise instructions

Malware such as Meduza leverage Vector Packed Bitwise instructions including vpxor, vmovdqa, vmovaps, and others for inline string decryption.

An example in Meduza Stealer sample 9022192413dda223b6e8afd73a22cfaa can be found in code starting at 0x419988.

Requesting addition of support for these instructions.

wsprintfW Call Hook Request

Using sample 96dbc2e2071158af3a025f9899bcd856 as an example, in the function at 0x401140, the Windows API wsprintfW is moved to the esi register at 0x4011af and called at 0x4011c9, 0x401f1f2, and 0x40120b.

In order to properly emulate the function, a hook as leveraged for snprintf, swprintf_s, etc. in libc would need to be implemented.

Testing with the existing _format_string revealed that it does not properly process wide strings, since the regex pattern fmt_val_re will only detect format values of type utf-8.

Requesting a feature for supporting wsprintfW hooks while fixing the libc _format_string implementation to support swprintf_s

TypeError thrown for mov instruction

Using IDA 8.1 as a backend disassembler, with sample SHA256 12331809c3e03d84498f428a37a28cf6cbb1dafe98c36463593ad12898c588c9, encountering the following error on a mov ebx, ds:SetFilePointer instruction.

[!] Failed to execute address 0x401724: mov     ebx, ds:SetFilePointer
Traceback (most recent call last):
  File "C:\Python\Python39\lib\site-packages\rugosa\emulation\instruction.py", line 202, in execute
    self._execute()
  File "C:\Python\Python39\lib\site-packages\rugosa\emulation\x86_64\instruction.py", line 34, in _execute
    super()._execute()
  File "C:\Python\Python39\lib\site-packages\rugosa\emulation\instruction.py", line 178, in _execute
    opcode_func(self._cpu_context, self)
  File "C:\Python\Python39\lib\site-packages\rugosa\emulation\x86_64\opcodes.py", line 1131, in _mov
    operands[0].value = opvalue2
  File "C:\Python\Python39\lib\site-packages\rugosa\emulation\x86_64\operands.py", line 178, in value
    super(x86_64Operand, self.__class__).value.__set__(self, value)
  File "C:\Python\Python39\lib\site-packages\rugosa\emulation\operands.py", line 214, in value
    self._cpu_context.registers[reg.name] = value
  File "C:\Python\Python39\lib\site-packages\dragodis\ida\operand_value.py", line 46, in name
    return self._ida._ida_idp.get_reg_name(self._reg, self._width).lower()
rpyc.core.netref.type: 'NoneType' object has no attribute 'lower'

Suspect something is wrong with the self._reg or self._width

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.