
Exception: prev_insn failed #1

@voidm4p


@meck-gd

I cloned the repo, installed the following dependencies:

capstone==5.0.6
keystone-engine==0.9.2
pefile==2024.8.26

I unpacked the following hash from the sample shared in the blog: bb1120211dac313771c3f0ef0fc3c9fbd9b5171d0478c8b9704ef69b4e9488f1, which VT confirms is the Rhad loader.

When I run the tool with python deob.py bb1120211dac313771c3f0ef0fc3c9fbd9b5171d0478c8b9704ef69b4e9488f1, I get the following output:

Applicable functions:
0x127510
0x127810
0x127af0
0x127db0
0x128090
0x128380
0x1286a0
0x1289b0
0x128cb0
0x128f90
0x129280
0x129580
0x129860
0x129b50
0x129e50
0x12a140
0x12a560
0x12c8b0
0x12cda0
0x12d200
0x12f830
0x12fbe0
0x12fe40
0x131850
0x132470
0x132d50
0x133050
0x133ef0
0x1342d0
0x134890
0x1350e0
0x136790
0x1385e0

=== BEGIN JUMP DEOBFUSCATION ===
Traceback (most recent call last):
  File "deob.py", line 123, in <module>
    main()
  File "deob.py", line 111, in main
    new_bin = deobfuscate(sys.argv[1])
              ^^^^^^^^^^^^^^^^^^^^^^^^
  File "deob.py", line 101, in deobfuscate
    do_steps(blob, pe)
  File "deob.py", line 80, in do_steps
    deobfuscate_function_jumps(blob, pe, func)
  File "deob_jumps.py", line 484, in deobfuscate_function
    inliner.deobfuscate()
  File "deob_jumps.py", line 158, in deobfuscate
    self.data_slice(insn.address, {jmp_reg}, slices)
  File "deob_jumps.py", line 130, in data_slice
    insn = prev_insn(self.insn_map, insn.address)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "deob_util.py", line 73, in prev_insn
    raise Exception("prev_insn failed")
Exception: prev_insn failed

Is it a dependency error? If so, could you please provide the correct requirements.txt with explicit versioning? If not, I'm just leaving this error here so you can take a look. I also tried with another Rhad loader sample and I get the same error: ed4fb2768f362102a20c8b318caf811a9abac250a0b3fb82ea2af37c6896a2be
