NeLoader: AddressOverflowException

Describe the bug
AddressOverflowException when importing an old 16-bit game

To Reproduce
Steps to reproduce the behavior:

  1. Download shareware Stars!: http://wiki.starsautohost.org/files/stars26jrc4.zip
  2. Extract the EXE
  3. Start a new ghidra project
  4. Import the starsjrc4.exe with default options

Expected behavior
I expect it not to crash.

Error Output

Error importing file: starsjrc4.exe
java.lang.RuntimeException: ghidra.program.model.address.AddressOverflowException: Address Overflow in add: fb1c:0000 + 0x2043f
	at ghidra.app.util.opinion.NeLoader.processResourceTable(NeLoader.java:344)
	at ghidra.app.util.opinion.NeLoader.load(NeLoader.java:130)
	at ghidra.app.util.opinion.AbstractLibrarySupportLoader.doLoad(AbstractLibrarySupportLoader.java:346)
	at ghidra.app.util.opinion.AbstractLibrarySupportLoader.loadProgram(AbstractLibrarySupportLoader.java:83)
	at ghidra.app.util.opinion.AbstractProgramLoader.load(AbstractProgramLoader.java:114)
	at ghidra.plugin.importer.ImporterUtilities.doSingleImport(ImporterUtilities.java:360)
	at ghidra.plugin.importer.ImporterDialog.lambda$okCallback$6(ImporterDialog.java:363)
	at ghidra.util.task.TaskLauncher$1.run(TaskLauncher.java:93)
	at ghidra.util.task.Task.monitoredRun(Task.java:128)
	at ghidra.util.task.TaskLauncher.lambda$startBackgroundThread$2(TaskLauncher.java:315)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: ghidra.program.model.address.AddressOverflowException: Address Overflow in add: fb1c:0000 + 0x2043f
	at ghidra.program.model.address.AbstractAddressSpace.addNoWrap(AbstractAddressSpace.java:455)
	at ghidra.program.model.address.GenericAddressSpace.addNoWrap(GenericAddressSpace.java:21)
	at ghidra.program.model.address.GenericAddress.addNoWrap(GenericAddress.java:218)
	at ghidra.program.database.mem.MemoryMapDB.checkRange(MemoryMapDB.java:1743)
	at ghidra.program.database.mem.MemoryMapDB.createInitializedBlock(MemoryMapDB.java:468)
	at ghidra.app.util.MemoryBlockUtil.createInitializedBlock(MemoryBlockUtil.java:249)
	at ghidra.app.util.MemoryBlockUtil.createInitializedBlock(MemoryBlockUtil.java:186)
	at ghidra.app.util.opinion.NeLoader.processResourceTable(NeLoader.java:339)
	... 10 more

---------------------------------------------------
Build Date: 2019-Feb-28 1236 EST
Ghidra Version: 9.0
Java Home: ~/apps/java/jdk-11.0.2
JVM Version: Oracle Corporation 11.0.2
OS: Linux 4.12.14-lp150.12.48-default amd64
Workstation: ~
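An added illustration of the arithmetic behind the exception above (not Ghidra's NeLoader code): in x86 16-bit real mode a seg:off address maps to a 20-bit linear address, so the space ends at 0xFFFFF and fb1c:0000 + 0x2043f lands past it. The clamp helper is an assumed defensive alternative for a loader, not what Ghidra does, and the block length used in the demo assumes the trace is adding size - 1.

```python
# Added illustration of the arithmetic behind the reported exception; this is not
# Ghidra's NeLoader code. In x86 16-bit real mode a seg:off address maps to a
# 20-bit linear address (seg * 16 + off), so the space ends at 0xFFFFF (1 MiB).
import re

REAL_MODE_MAX = 0xFFFFF  # highest addressable byte in a 20-bit real-mode space

def seg_off_to_linear(addr: str) -> int:
    """Parse 'ssss:oooo' (hex) and return the linear address seg * 16 + off."""
    m = re.fullmatch(r"([0-9a-fA-F]{1,4}):([0-9a-fA-F]{1,4})", addr.strip())
    if not m:
        raise ValueError(f"not a seg:off address: {addr!r}")
    seg, off = int(m.group(1), 16), int(m.group(2), 16)
    return (seg << 4) + off

def add_no_wrap(start: str, displacement: int) -> int:
    """Add a displacement to a seg:off address and refuse to wrap past the end of
    the space; this is the check the trace shows failing for fb1c:0000 + 0x2043f."""
    result = seg_off_to_linear(start) + displacement
    if not 0 <= result <= REAL_MODE_MAX:
        raise OverflowError(
            f"Address Overflow in add: {start} + {displacement:#x} "
            f"(linear {result:#x} is outside 0..{REAL_MODE_MAX:#x})")
    return result

def would_overflow(start: str, displacement: int) -> bool:
    """True when add_no_wrap would reject start + displacement."""
    try:
        add_no_wrap(start, displacement)
    except OverflowError:
        return True
    return False

def clamp_block(start: str, length: int) -> tuple:
    """Assumed defensive alternative for a loader (not what Ghidra does): keep only
    the part of a block that fits in the space and report how many bytes were
    dropped, so a bad resource-table entry degrades the import instead of aborting it."""
    room = REAL_MODE_MAX - seg_off_to_linear(start) + 1
    kept = max(0, min(length, room))
    return kept, length - kept

if __name__ == "__main__":
    # Values from the stack trace: the block starts near the top of the 1 MiB
    # space (linear 0xfb1c0) but the loader tries to reach 0x2043f bytes past it.
    print(hex(seg_off_to_linear("fb1c:0000")))   # 0xfb1c0
    print(would_overflow("fb1c:0000", 0x2043f))  # True
    # Assumption: the displacement in the trace is size - 1, so size is 0x20440.
    print(clamp_block("fb1c:0000", 0x20440))     # (20032, 112128)
```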

Top GitHub Comments

ryanmkurtz commented, Sep 6, 2019

sirus20x6 commented, Aug 13, 2019

I’m pushing the limits of my knowledge here with disassembly / low-level executable details. I’ve only ever patched a few Windows and Android programs. Nothing like this before.

I can tell you that Ghidra detects it as x86:LE:16:Real Mode:default

It’s 5,142,358 bytes. The original system that came with this software was a Pentium 1 running at 66 MHz on a 630 megabyte hard drive. It seems to have DOS 6.22 on it, but that is almost certainly an upgrade. There are checks in the software to make sure you’re on at least DOS 2 and a few checks for 286 / 386 in there. I saw the references to Phar Lap in the executable and researched them. They appear to have made the first / one of the first DOS extenders, so there is some sort of virtual memory thing going on here. I’m on Linux, but I have the original machine, DOSBox, and FreeDOS to run any tool or check on the exe that you might want.

binwalk entropy graph https://svgshare.com/i/EXB.svg

IDA segments

Name	Start	End	R	W	X	D	L	Align	Base	Type	Class	AD	es	ss	ds	fs	gs
seg000	00000000	00000200	?	?	?	.	L	byte	1000	public	UNK	16	FFFFFFFF	FFFFFFFF	11FF	FFFFFFFF	FFFFFFFF
seg001	00000000	00001DE0	?	?	?	.	L	byte	1020	public	CODE	16	FFFFFFFF	FFFFFFFF	11FF	FFFFFFFF	FFFFFFFF
seg002	00000000	00000010	?	?	?	.	L	byte	11FE	public	UNK	16	FFFFFFFF	FFFFFFFF	11FF	FFFFFFFF	FFFFFFFF
dseg	00000000	00000980	?	?	?	.	L	para	11FF	public	DATA	16	FFFFFFFF	FFFFFFFF	11FF	FFFFFFFF	FFFFFFFF
seg004	00000000	00002000	?	?	?	.	L	byte	1297	stack	STACK	16	FFFFFFFF	FFFFFFFF	11FF	FFFFFFFF	FFFFFFFF

IDA segment registers

Name	Address	Public
aCopyrightC1986	00010000	
_main	000102F0	
start	000104CC	P
__cintDIV	00010584	
__amsg_exit	00010594	
__dataseg	000105B3	
__cinit	000105B6	
_exit	00010684	
__exit	0001068B	
__cexit	00010693	
__c_exit	0001069D	
__ctermsub	00010705	
__FF_MSGBANNER	00010754	
__fptrap	00010774	
__aNchkstk	0001077A	
__nullcheck	00010792	
__setargv	000107B4	
__setenvp	00010942	
__NMSG_TEXT	000109C0	
__NMSG_WRITE	000109EB	
__myalloc	00010A20	
__dosret0	00010A44	
__dosreturn	00010A4C	
__dosretax	00010A59	
__maperror	00010A66	
_close	00010A9A	
_lseek	00010ABA	
_sopen	00010B34	
_open	00010B4E	
__cXENIXtoDOSmode	00010CDF	
_read	00010CF0	
j___nmalloc	00010DDA	
j___nfree	00010DDE	
__nfree	00010DE2	
__nmalloc	00010E03	
__searchseg	00010E2C	
__growseg	00010EA8	
__incseg	00010F34	
__findlast	00010F85	
_strcat	00010FA6	
_strcpy	00010FE6	
_strlen	00011018	
_strncpy	00011034	
_strncmp	0001105C	
_getenv	00011096	
_putenv	000110F0	
findenv	000111C0	
__nrealloc	00011226	
j___nrealloc	0001128A	
__resize	0001128E	
_strchr	00011356	
_stricmp	00011380	
_strrchr	000113C2	
__splitpath	000113EE	
__makepath	00011538	
__cenvarg	000115C0	
__doexec	00011816	
_execlp	00011BB0	
comexebat	00011BC2	
_execve	00011D3C	
_execvp	00011E34	
_execvpe	00011E4E	
_access	00011F8E	
__dos_read	00011FAE	
__dos_write	00011FB5	
aGorun286	00012422	
aSeeBind286ForI	0001242B	
aRealModeStubLo	0001244A	
aFatalError2864	00012482	
aRun286bBound	000124B4	
aFatalError2864_0	000124C4	
aThisProgramReq	000124F8	
aUnknownError	0001252C	
aFatalError2864_1	0001253F	
aFileInfo	00012582	
argc	000125BF	
argv	000125C1	
aError0	00012604	
aComspec	00012798	
aBat	000127A0	
aExe	000127A5	
aCom	000127AA	
aUOPath	000127B2	
aNmsg	000127DC	
aR6000StackOver	000127E8	

IDA list of applied library modules

File	State	#func	Library name
mv16rdos	Applied	56	MSC v6.0/v7.0 & MSVC v1.0/v1.5 DOS runtime

IDA strings window

Address	Length	Type	String
seg000:0000	00000030	C	Copyright (C) 1986-1994 Phar Lap Software, Inc.
seg000:0032	00000008	C	C5S2S2PK
seg000:007D	00000009	C	Üu+Ãò=Ñ8Ò
seg000:00A3	00000005	C	Zºkdy
seg000:00A9	00000005	C	ÇæQ*\"
seg000:00C2	00000007	C	Û3ÍÕ\x1B,u
seg000:00D1	0000000C	C	!D]lØ]ãe#ºòQ
seg000:00F9	00000005	C	Ï[WßS
seg000:011C	00000008	C	þ'ÍÖbþ.z
seg000:012A	00000005	C	0š\\š
seg000:0134	00000007	C	.\nc`Ñ8Ò
seg000:0155	00000006	C	*ò>ÒNñ
seg000:0174	00000006	C	 \"ŠÙƒŸ
seg000:018B	0000000C	C	ÛvÄø~{ dóZÔ)
seg000:01A3	00000009	C	á\rzßÐd&ñx
seg000:01AD	00000006	C	Ñ#µÃx\"
seg000:01B4	00000008	C	%UØŸLæsD
seg000:01BD	00000007	C	æ_n^RF:
seg000:01C8	00000005	C	XšúeS
seg000:01F2	00000005	C	ÌõiÉg
dseg:0008	00000038	C	MS Run-Time Library - Copyright (c) 1990, Microsoft Corp
dseg:024E	00000008	C	šñ10636
dseg:0259	00000007	C	Ü-Ê3.1
dseg:02DE	0000000B	C	run286.exe
dseg:03E1	0000002E	C	Copyright (C) 1986-94 Phar Lap Software, Inc.
dseg:040F	00000005	C	 -- 
dseg:0414	0000000B	C	GORUN286: 
dseg:0421	0000000F	C	Serial Number 
dseg:0432	00000009	C	GORUN286
dseg:043B	0000001F	C	See BIND286 for instructions\r\n
dseg:045A	00000038	C	Real mode stub loader for Phar Lap's 286|DOS-Extender\r\n
dseg:0492	00000030	C	Fatal Error 286.4010: No memory for switches.\r\n
dseg:04C4	00000010	C	RUN286B=-bound 
dseg:04D4	00000034	C	Fatal Error 286.4020: No memory for command tail.\r\n
dseg:0508	00000034	C	This program requires Phar Lap's 286|DOS-Extender\r\n
dseg:053C	0000000E	C	Unknown error
dseg:054A	00000005	C	 -- 
dseg:054F	00000022	C	Fatal Error 286.4000: Can't load 
dseg:0592	0000000C	C	_FILE_INFO=
dseg:0614	00000008	C	Error 0
dseg:061D	0000001A	C	No such file or directory
dseg:063B	00000012	C	Arg list too long
dseg:064D	00000012	C	Exec format error
dseg:065F	00000010	C	Bad file number
dseg:0671	00000010	C	Not enough core
dseg:0681	00000012	C	Permission denied
dseg:0696	0000000C	C	File exists
dseg:06A2	00000012	C	Cross-device link
dseg:06B7	00000011	C	Invalid argument
dseg:06C9	00000014	C	Too many open files
dseg:06E0	00000018	C	No space left on device
dseg:06FC	0000000E	C	Math argument
dseg:070A	00000011	C	Result too large
dseg:071C	0000001E	C	Resource deadlock would occur
dseg:073A	0000000E	C	Unknown error
dseg:07A8	00000008	C	COMSPEC
dseg:07B0	00000005	C	.bat
dseg:07B5	00000005	C	.exe
dseg:07BA	00000005	C	.com
dseg:07C2	00000009	C	µ\aº\aPATH
dseg:07EC	0000000B	C	<\x1B<<NMSG>>
dseg:07F8	0000001A	C	R6000\r\n- stack overflow\r\n
dseg:0814	0000001F	C	R6003\r\n- integer divide by 0\r\n
dseg:0835	0000002C	C	R6009\r\n- not enough space for environment\r\n
dseg:0868	00000010	C	run-time error 
dseg:087A	0000002D	C	R6002\r\n- floating-point support not loaded\r\n
dseg:08A9	00000023	C	R6001\r\n- null pointer assignment\r\n
dseg:08CE	00000037	C	\r\nrun-time error R6005\r\n- not enough memory on exec\r\n$
dseg:0907	00000034	C	\r\nrun-time error R6006\r\n- invalid format on exec\r\n$
dseg:093D	00000039	C	\r\nrun-time error R6007\r\n- invalid environment on exec\r\n$

IDA problems window

Address	Type	Instruction
seg001:03B5	NODISASM	db 0
seg001:03B5	ALREADY 	db 0
dseg:07A4	ALREADY 	db    0
dseg:07E8	ALREADY 	db    0
seg001:02CC	BADSTACK	mov     ah, 30h
seg001:03B6	BADSTACK	mov     ax, 3500h
seg001:048B	BADSTACK	push    bp
seg001:057A	BADSTACK	pop     cx
seg001:05B4	BADSTACK	pop     word_125D8
seg001:0820	BADSTACK	push    bx
seg001:08BA	BADSTACK	push    bp
seg001:0934	BADSTACK	push    bp
seg001:0AF0	BADSTACK	push    bp
seg001:1616	BADSTACK	push    bp
seg001:0000	DECISION	db 10h dup(0)
seg001:0384	DECISION	mov     ax, word ptr cs:__dataseg
seg001:03B5	DECISION	db 0
seg001:0866	DECISION	xor     ah, ah
seg001:0D83	DECISION	stc
seg001:18CE	DECISION	db 0Eh, 1Fh, 0CDh, 21h, 73h, 3Eh, 0BBh, 1, 0, 3Ch, 1, 74h
seg001:18CE	ROLLBACK	db 0Eh, 1Fh, 0CDh, 21h, 73h, 3Eh, 0BBh, 1, 0, 3Ch, 1, 74h
seg001:18CF	ROLLBACK	db 0Eh, 1Fh, 0CDh, 21h, 73h, 3Eh, 0BBh, 1, 0, 3Ch, 1, 74h
seg001:18D0	ROLLBACK	db 0Eh, 1Fh, 0CDh, 21h, 73h, 3Eh, 0BBh, 1, 0, 3Ch, 1, 74h
seg001:199A	SIGFNREF	18 defined bytes match; Xref candidates: __environ @ 0x11B9F, _environ @ 0x11B9F
seg001:19B0	SIGFNREF	16 defined bytes match; Xref candidates: __execvp @ 0x11BBB, _execvp @ 0x11BBB