this is problem of Arminline which i will explain it to here.
this problem causses that ArmInline identify some jump wrong.
this bug is in ArmInline::IdentifyNano()
this is the source code:


LONG Offset = 0; 		=>Attention here!!
INT i = 0;
BOOL IsJMP = TRUE;	=>Attention here!!
// Calculate jump size:
1-Nano[CNano].Size = ConditionTable[0];
for (i = 1; i < 64; i++)
{
2-Offset = ConditionTable[i];	
3-if (Offset > 0)
{
4-	if (Offset != Nano[CNano].Size)
	{
5-		IsJMP = FALSE;
		if ((Offset < Nano[CNano].Size) || (Nano[CNano].Size < 0))
		{
			Nano[CNano].Size = Offset;
			break;
		}
	}
}
// Calculate jump destination & consistency
for (i = 0; i < 64; i++)
{
Offset = ConditionTable[i];
if (Offset == Nano[CNano].Size)
{
	
}
else
{
   if (Nano[CNano].Destination == 0)
   {
	Nano[CNano].Destination = (PVOID)((LONG64)(Nano[CNano].Address) + (LONG64)(Offset));
   }
  else
  {
	if (Nano[CNano].Destination != (PVOID)((LONG64)ConditionTable[i] + (LONG64)Nano[CNano].Address))
	{
		
	 }
}
}
}
if (IsJMP)
{
	if (Nano[CNano].Size < 0)
	{
		Nano[CNano].Size = -Nano[CNano].Size;
	}
	Nano[CNano].JumpType = JMP;
	Nano[CNano].Destination = (PVOID)((LONG64)(Nano[CNano].Address) + ConditionTable[0]);
	return;
}

here we think the ConditionTable array containe these byte:(i copy them from where the bug occured!)

0012E97C  00000002
0012E980  00000002
0012E984  00000002
0012E988  00000002
0012E98C  00000002
0012E990  00000002
0012E994  00000002
0012E998  00000002
0012E99C  00000002
0012E9A0  00000002
0012E9A4  00000002
0012E9A8  00000002
0012E9AC  00000002
0012E9B0  00000002
0012E9B4  00000002
0012E9B8  00000002
0012E9BC  FFFFFFE4
0012E9C0  FFFFFFE4
0012E9C4  FFFFFFE4
0012E9C8  FFFFFFE4
0012E9CC  FFFFFFE4
0012E9D0  FFFFFFE4
0012E9D4  FFFFFFE4
0012E9D8  FFFFFFE4
0012E9DC  FFFFFFE4
0012E9E0  FFFFFFE4
0012E9E4  FFFFFFE4
0012E9E8  FFFFFFE4
0012E9EC  FFFFFFE4
0012E9F0  FFFFFFE4
0012E9F4  FFFFFFE4
0012E9F8  FFFFFFE4
0012E9FC  00000002
0012EA00  00000002
0012EA04  00000002
0012EA08  00000002
0012EA0C  00000002
0012EA10  00000002
0012EA14  00000002
0012EA18  00000002
0012EA1C  00000002
0012EA20  00000002
0012EA24  00000002
0012EA28  00000002
0012EA2C  00000002
0012EA30  00000002
0012EA34  00000002
0012EA38  00000002
0012EA3C  FFFFFFE4
0012EA40  FFFFFFE4
0012EA44  FFFFFFE4
0012EA48  FFFFFFE4
0012EA4C  FFFFFFE4
0012EA50  FFFFFFE4
0012EA54  FFFFFFE4
0012EA58  FFFFFFE4
0012EA5C  FFFFFFE4
0012EA60  FFFFFFE4
0012EA64  FFFFFFE4
0012EA68  FFFFFFE4
0012EA6C  FFFFFFE4
0012EA70  FFFFFFE4
0012EA74  FFFFFFE4
0012EA78  FFFFFFE4
0012EA7C  00000000

Offset is long so its signed .
IsJmp = true until we detect it as none jmp.
1-Size=ConditionTable[0] -> offset = 2;
2-offset=ConditionTable[1] -> offset = 2;
offset > 2 so we go to line 4. Size is equal to offset so the condition is not true and the 
loop run until 0012E9BC . this address contain a negative number . this number shows us that 
this jump is reverse ( becuse of ConditionTable[i] = DestAddress - Source address ).
line 3 :offset is signed so (offset < 0) then the code run until 0012E9FC . and at this address
again offset = 2 and offset == Size . so the code never execute line 5 and we know this is not 
a jmp and this is not a forward jump (look at the code). when IsJmp = true , the jump size and jump destination calculated but 
the condition of if(IsJmp) is true and jump destination changed as wrong value.
for correcting this problem we have to change the Offset to a Unsigned Long value.then
in line 3 : 0xFFFFFFE4 > 0 and its different with Size so line 5 execute and the IsJmp = false.
we have to change the source code like this:

for (i = 1; i < 64; i++)
{
Offset = ConditionTable[i];	
if ((DWORD)Offset > 0)
{
	if (Offset != Nano[CNano].Size) // nothing important to change offset here.
	{
		IsJMP = FALSE;
		if (((DWORD)Offset < Nano[CNano].Size) || (Nano[CNano].Size < 0))
		{
			Nano[CNano].Size = Offset;
			break;
		}
	}
}



sorry for my bad english :)

Best Regard.

NeVaDa
UnREal-RCE
PersianCracker


