Project

General

Profile

Emulator Issues #10350

Breakpoints causing different behavior

Added by Fullmetal5 about 3 years ago. Updated about 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
% Done:

0%

Operating system:
N/A
Issue type:
Bug
Milestone:
Regression:
No
Relates to usability:
No
Relates to performance:
No
Easy:
No
Relates to maintainability:
No
Regression start:
Fixed in:

Description

Game Name?

Internet Channel

Game ID? (right click the game in the game list, properties, info tab)

HADE01

MD5 Hash? (right click the game in the game list, properties, info tab, MD5 Hash: Compute)

Well this is dumped from a wii so I dunno where the actual binary is for it but it's the latest release of the internet channel

What's the problem? Describe what went wrong.

Setting a breakpoint will change the outcome of a bug.

Ex.
No Breakpoint: Invalid read from (RANDOM), PC = 0x801ec8a0
Breakpoint set: This exception is skipped and instead the one I expect to happen is triggered.

What steps will reproduce the problem?

This might take some explaining.

I am currently looking into exploiting CVE-2011-0611 which is an old flash vulnerability that is present on the wii to allow people to load homebrew with only the internet channel.
To do this I understandably have to use dolphin's debugger alot. However, I have encountered several issues that make is super painful to work on.

This issue takes a little setup to reproduce.

First create some simple webserver (I am using darkhttpd) and make it serve the following files
index.html
realexploit.swf

Both of these I will attach to my post.

Next set the CPU Emulator to Interpreter (slowest).
The reason for this is to work around another bug that causes inaccurate like exceptions triggered on instructions that can't possibly cause that type of exception (ex. an MR instruction causing an "invalid read from address" exception)

Next loadup the Internet Channel and navigate to your site (make sure you have Panic Handlers enabled.)

After a few seconds of loading you should get an exception like this (Invalid read from 0xXXXXXXXX, PC = 0x801ec8a0) (The address seems to change each time however it is usually very close to 0x00000000)

Now comes the confusing part.
Click ok to the rest of the exception methods and the emulator back to right before you click ok to navigate to your site.
Pause it here and enable a breakpoint at address 0x80152e74. Now let the emulator go and load your site.
After a few seconds you should break at the breakpoint that was just set.
New manually step through the instructions untill you reach address 0x8017caf4. (It's only a couple instructions away.)
When getting you note that the instruction is "lwz r0, 0x0014 (r3)". I expect the game to crash here since r3 should be 0x00000000 and thus generate an exceptions.
And sure enought when you click step one more time you should get the exception popup.
This raises the question how did this exception we encountered earlier at 0x801ec8a0 happend when we can consistently make it to our expected crash at 0x8017caf4.
After trying a few times I consistently get the exepction at 0x801ec8a0 with no breakpoint but the exception at 0x8017caf4 when we do have a breakpoint.

This feels like an emulator bug but it might be something I overlooked. Can anybody confirm if this is a bug in the emulator or just I am just missing?

Which versions of Dolphin did you test on? Does using an older version of Dolphin solve your issue? If yes, which versions of Dolphin used to work?

git (e30484e8a7895a2a26f7e4e609c44c5b0d1c6331)
Issues has been present for as long as I have tried (2 months of git commits)

What are your PC specifications? (CPU, GPU, Operating System, more)

OS: Arch Linux x86-64
Graphics: Intel Integrated Graphics
RAM: 8GB
CPU: Intel® Core™ i7-4790K CPU @ 4.00GHz

Is there any other relevant information? (e.g. logs, screenshots,
configuration files)

More on request

index.html (106 Bytes) index.html Fullmetal5, 06/22/2017 07:43 PM
realexploit.swf (245 Bytes) realexploit.swf Fullmetal5, 06/22/2017 07:43 PM
index.html (106 Bytes) index.html Fullmetal5, 06/22/2017 11:00 PM
realexploit.swf (245 Bytes) realexploit.swf Fullmetal5, 06/22/2017 11:00 PM

History

#1 Updated by Fullmetal5 about 3 years ago

Game Name?

Internet Channel

Game ID? (right click the game in the game list, properties, info tab)

HADE01

MD5 Hash? (right click the game in the game list, properties, info tab, MD5 Hash: Compute)

Well this is dumped from a wii so I dunno where the actual binary is for it but it's the latest release of the internet channel

What's the problem? Describe what went wrong.

Setting a breakpoint will change the outcome of a bug.

Ex.
No Breakpoint: Invalid read from (RANDOM), PC = 0x801ec8a0
Breakpoint set: This exception is skipped and instead the one I expect to happen is triggered.

What steps will reproduce the problem?

This might take some explaining.

I am currently looking into exploiting CVE-2011-0611 which is an old flash vulnerability that is present on the wii to allow people to load homebrew with only the internet channel.
To do this I understandably have to use dolphin's debugger alot. However, I have encountered several issues that make is super painful to work on.

This issue takes a little setup to reproduce.

First create some simple webserver (I am using darkhttpd) and make it serve the following files
index.html
realexploit.swf

Both of these I will attach to my post.

Next set the CPU Emulator to Interpreter (slowest).
The reason for this is to work around another bug that causes inaccuracies like exceptions triggered on instructions that can't possibly cause that type of exception (ex. an MR instruction causing an "invalid read from address" exception)

Next loadup the Internet Channel and navigate to your site (make sure you have Panic Handlers enabled.)

After a few seconds of loading you should get an exception like this (Invalid read from 0xXXXXXXXX, PC = 0x801ec8a0) (The address seems to change each time however it is usually very close to 0x00000000)

Now comes the confusing part.
Click ok to the rest of the exception methods and set the emulator back to right before you click ok to navigate to your site.
Pause it here and enable a breakpoint at address 0x80152e74. Now let the emulator go and load your site.
After a few seconds you should break at the breakpoint that was just set.
New manually step through the instructions untill you reach address 0x8017caf4. (It's only a couple instructions away.)
When getting you note that the instruction is "lwz r0, 0x0014 (r3)". I expect the game to crash here since r3 should be 0x00000000 and thus generate an exceptions.
And sure enought when you click step one more time you should get the exception popup.
This raises the question how did this exception we encountered earlier at 0x801ec8a0 happend when we can consistently make it to our expected crash at 0x8017caf4.
After trying a few times I consistently get the exepction at 0x801ec8a0 with no breakpoint but the exception at 0x8017caf4 when we do have a breakpoint.

This feels like an emulator bug but it might be something I overlooked. Can anybody confirm if this is a bug in the emulator or am I just missing something?

Which versions of Dolphin did you test on? Does using an older version of Dolphin solve your issue? If yes, which versions of Dolphin used to work?

git (e30484e8a7895a2a26f7e4e609c44c5b0d1c6331)
Issues has been present for as long as I have tried (2 months of git commits)

What are your PC specifications? (CPU, GPU, Operating System, more)

OS: Arch Linux x86-64
Graphics: Intel Integrated Graphics
RAM: 8GB
CPU: Intel® Core™ i7-4790K CPU @ 4.00GHz

Is there any other relevant information? (e.g. logs, screenshots,
configuration files)

More on request

#2 Updated by Fullmetal5 about 3 years ago

Well dang,

I was just trying to edit a few typos. Didn't realize that it would just repost the whole thing. Can a mod please delete the old description and use the new one?

Also available in: Atom PDF