Describe the bug
AddressOverflowException when importing an old 16-bit game
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I expect it not to crash.
Error Output
```
Error importing file: starsjrc4.exe
java.lang.RuntimeException: ghidra.program.model.address.AddressOverflowException: Address Overflow in add: fb1c:0000 + 0x2043f
	at ghidra.app.util.opinion.NeLoader.processResourceTable(NeLoader.java:344)
	at ghidra.app.util.opinion.NeLoader.load(NeLoader.java:130)
	at ghidra.app.util.opinion.AbstractLibrarySupportLoader.doLoad(AbstractLibrarySupportLoader.java:346)
	at ghidra.app.util.opinion.AbstractLibrarySupportLoader.loadProgram(AbstractLibrarySupportLoader.java:83)
	at ghidra.app.util.opinion.AbstractProgramLoader.load(AbstractProgramLoader.java:114)
	at ghidra.plugin.importer.ImporterUtilities.doSingleImport(ImporterUtilities.java:360)
	at ghidra.plugin.importer.ImporterDialog.lambda$okCallback$6(ImporterDialog.java:363)
	at ghidra.util.task.TaskLauncher$1.run(TaskLauncher.java:93)
	at ghidra.util.task.Task.monitoredRun(Task.java:128)
	at ghidra.util.task.TaskLauncher.lambda$startBackgroundThread$2(TaskLauncher.java:315)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: ghidra.program.model.address.AddressOverflowException: Address Overflow in add: fb1c:0000 + 0x2043f
	at ghidra.program.model.address.AbstractAddressSpace.addNoWrap(AbstractAddressSpace.java:455)
	at ghidra.program.model.address.GenericAddressSpace.addNoWrap(GenericAddressSpace.java:21)
	at ghidra.program.model.address.GenericAddress.addNoWrap(GenericAddress.java:218)
	at ghidra.program.database.mem.MemoryMapDB.checkRange(MemoryMapDB.java:1743)
	at ghidra.program.database.mem.MemoryMapDB.createInitializedBlock(MemoryMapDB.java:468)
	at ghidra.app.util.MemoryBlockUtil.createInitializedBlock(MemoryBlockUtil.java:249)
	at ghidra.app.util.MemoryBlockUtil.createInitializedBlock(MemoryBlockUtil.java:186)
	at ghidra.app.util.opinion.NeLoader.processResourceTable(NeLoader.java:339)
	... 10 more
---------------------------------------------------
Build Date: 2019-Feb-28 1236 EST
Ghidra Version: 9.0
Java Home: ~/apps/java/jdk-11.0.2
JVM Version: Oracle Corporation 11.0.2
OS: Linux 4.12.14-lp150.12.48-default amd64
Workstation: ~
```
Temporary solution: just load the binary as raw and set up the language as x86:LE:16:Real Mode.
https://imgur.com/a/D5wyKrr
This temporary solution doesn't show imports and some of the functions names so it's hard to dig deeper. I found this issue doing the same thing, ironically. It looks like the resources don't fit into the segmented address space which is not surprising: a segment number could be from 0x0000 to 0xffff, each segment is 16 bytes so it's 1 Mb of addressable RAM at most and Stars! binary is 3 Mb. But we certainly are not interested in graphics which take most of the space so we can turn them off in the loader:
diff --git a/Ghidra/Features/Base/src/main/java/ghidra/app/util/opinion/NeLoader.java b/Ghidra/Features/Base/src/main/java/ghidra/app/util/opinion/NeLoader.java
index 7ebf47a..c4c1041 100644
--- a/Ghidra/Features/Base/src/main/java/ghidra/app/util/opinion/NeLoader.java
+++ b/Ghidra/Features/Base/src/main/java/ghidra/app/util/opinion/NeLoader.java
@@ -326,6 +326,9 @@ public class NeLoader extends AbstractLibrarySupportLoader {
ResourceType[] types = rt.getResourceTypes();
for (ResourceType type : types) {
//String type = types[t].toString();
+ if ((type.getTypeID()&0x7fff) == ResourceType.RT_BITMAP) {
+ continue;
+ }
Resource[] resources = type.getResources();
for (Resource resource : resources) {
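Review bot: the new check at the top of the `for (ResourceType type : types)` loop skips every bitmap resource unconditionally and silently, so binaries whose resources would have fit in the address space lose their bitmaps too, and nothing in the import log says why. Gate the skip on the block actually failing to fit (or at least log the skipped type and its size), and since `(type.getTypeID()&0x7fff)` discards the 0x8000 bit that marks a predefined integer type, test that bit as well, e.g. `(type.getTypeID() & 0x8000) != 0 && (type.getTypeID() & 0x7fff) == ResourceType.RT_BITMAP`, so a named type whose name offset happens to equal RT_BITMAP is not dropped.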
After this the binary should load correctly and have all the sections it should have. Now the problem is that WinAPI calls are not resolved correctly (I added Win3.1 libraries and executables to the project like USER.EXE, GDI.DLL and so on, everything the game uses), bound the libraries to the imports but the functions still don't have the proper names. The argument order in those calls is also wrong. But that's another bug I think and I'll do more research first.
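The 1 MB arithmetic in the comment above and the `& 0x7fff` type filter in the diff can be checked against a resource table directly. The following Python is an added example, not Ghidra's code: it walks an NE resource table (a constructed one, embedded inline), sums the bytes each resource type would occupy, and reports whether the resources fit in a 1 MB real-mode space with and without bitmaps (RT_BITMAP = 2). The function names and the sample table are my own.

```python
import struct

RT_BITMAP = 2              # NE predefined resource type id for bitmaps
PREDEFINED = 0x8000        # high bit set: rtTypeID is an integer type, not a name offset
REAL_MODE_LIMIT = 1 << 20  # 1 MB, the most a 16-bit segment:offset space can address

def parse_resource_table(data):
    """Walk an NE resource table and return {type id & 0x7fff: total bytes}.
    Layout: WORD rscAlignShift, then TYPEINFO records (WORD rtTypeID, WORD
    rtResourceCount, DWORD rtReserved, then rtResourceCount 12-byte NAMEINFO
    records whose first two WORDs are offset and length in 1 << rscAlignShift
    units). A type id of 0 terminates the table."""
    align_shift, = struct.unpack_from("<H", data, 0)
    pos, sizes = 2, {}
    while True:
        type_id, = struct.unpack_from("<H", data, pos)
        if type_id == 0:
            break
        count, = struct.unpack_from("<H", data, pos + 2)
        pos += 8                      # rtTypeID + rtResourceCount + rtReserved
        total = 0
        for _ in range(count):
            _offset, length = struct.unpack_from("<HH", data, pos)
            total += length << align_shift
            pos += 12
        key = type_id & 0x7FFF        # same masking the patch above uses
        sizes[key] = sizes.get(key, 0) + total
    return sizes

def loadable_bytes(sizes, skip=(RT_BITMAP,)):
    """Bytes the loader would map if resources of the given type ids are skipped."""
    return sum(n for t, n in sizes.items() if t not in skip)

def fits_real_mode(sizes, skip=(RT_BITMAP,)):
    return loadable_bytes(sizes, skip) <= REAL_MODE_LIMIT

def build_table(align_shift, entries):
    """Constructed test data: entries are (rtTypeID, [lengths in alignment units])."""
    out = struct.pack("<H", align_shift)
    for type_id, lengths in entries:
        out += struct.pack("<HHI", type_id, len(lengths), 0)
        for i, length in enumerate(lengths):
            out += struct.pack("<6H", 0x100 + i, length, 0x0C30, PREDEFINED | (i + 1), 0, 0)
    return out + struct.pack("<H", 0)

# Constructed sample: 4 MB of bitmaps plus 4 KB of string resources, 512-byte units.
SAMPLE = build_table(9, [(PREDEFINED | RT_BITMAP, [0x1000, 0x800, 0x800]),
                         (PREDEFINED | 6, [4, 4])])
```

With the sample, `fits_real_mode(parse_resource_table(SAMPLE), skip=())` is false and becomes true once bitmaps are skipped, which is the situation the patch works around.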
I am also suffering from this. This is an old DOS exe and I believe it uses some Borland stuff for menus.
```
Error importing file: 3S.EXE
java.lang.RuntimeException: ghidra.program.model.address.AddressOverflowException: Address Overflow in add: ffff:ca90 + 0xa178
	at ghidra.app.util.opinion.NeLoader.processSegmentTable(NeLoader.java:307)
	at ghidra.app.util.opinion.NeLoader.load(NeLoader.java:120)
	at ghidra.app.util.opinion.AbstractLibrarySupportLoader.doLoad(AbstractLibrarySupportLoader.java:346)
	at ghidra.app.util.opinion.AbstractLibrarySupportLoader.loadProgram(AbstractLibrarySupportLoader.java:83)
	at ghidra.app.util.opinion.AbstractProgramLoader.load(AbstractProgramLoader.java:114)
	at ghidra.plugin.importer.ImporterUtilities.importSingleFile(ImporterUtilities.java:402)
	at ghidra.plugin.importer.ImporterDialog.lambda$okCallback$7(ImporterDialog.java:351)
	at ghidra.util.task.TaskLauncher$1.run(TaskLauncher.java:90)
	at ghidra.util.task.Task.monitoredRun(Task.java:126)
	at ghidra.util.task.TaskRunner.lambda$startTaskThread$1(TaskRunner.java:94)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: ghidra.program.model.address.AddressOverflowException: Address Overflow in add: ffff:ca90 + 0xa178
	at ghidra.program.model.address.AbstractAddressSpace.addNoWrap(AbstractAddressSpace.java:455)
	at ghidra.program.model.address.GenericAddressSpace.addNoWrap(GenericAddressSpace.java:21)
	at ghidra.program.model.address.GenericAddress.addNoWrap(GenericAddress.java:218)
	at ghidra.program.database.mem.MemoryMapDB.checkRange(MemoryMapDB.java:1743)
	at ghidra.program.database.mem.MemoryMapDB.createInitializedBlock(MemoryMapDB.java:468)
	at ghidra.app.util.MemoryBlockUtil.createInitializedBlock(MemoryBlockUtil.java:249)
	at ghidra.app.util.MemoryBlockUtil.createInitializedBlock(MemoryBlockUtil.java:186)
	at ghidra.app.util.opinion.NeLoader.processSegmentTable(NeLoader.java:252)
	... 12 more
---------------------------------------------------
Build Date: 2019-Jul-13 1414 CEST
Ghidra Version: 9.1
Java Home: /usr/lib/jvm/java-11-openjdk
JVM Version: Oracle Corporation 11.0.4
OS: Linux 5.2.0-rc5-amd-git-00004-g6edb98330e88 amd64
Workstation: thread
```
This is not my area of expertise, but I believe this happens because the exe is 5 megs and uses the Phar Lap DOS extender.
First 64 bytes
```
4D 5A 69 01 16 00 0A 00 20 00 00 00 FF FF 97 02 00 20 C6 ED CC 02 20 00 40 00 00 00 01 00 3C 00 00 00 40 00 00 00 44 00 00 00 48 00 00 00 4C 00 00 00 0C 00 7C 02 DA 02 20 00 B3 03 70 2B 00 00 3C 00 00 00 40
```
Binwalk
```
> binwalk /mnt/cs3/cs3s/3S.EXE
512       0x200      Copyright string: "Copyright (C) 1986-1994 Phar Lap Software, Inc."
9681      0x25D1     Copyright string: "Copyright (C) 1986-94 Phar Lap Software, Inc."
1134507   0x114FAB   MySQL ISAM index file Version 6
2828813   0x2B2A0D   VxWorks symbol table, little endian, first entry: [type: function, code address: 0x6FFFF00, symbol address: 0x500]
4942866   0x4B6C12   Copyright string: "Copyright 1991 Borland Intl."
```
Thanks for investigating. So is this not a 16-bit real mode executable? Is it something like big real/unreal mode?
I'm pushing the limits of my knowledge here with disassembly / low-level executable details. I've only ever patched a few Windows and Android programs. Nothing like this before.
I can tell you that Ghidra detects it as x86:LE:16:Real Mode:default
It's 5,142,358 bytes. The original system that came with this software was a Pentium 1 running at 66 MHz with a 630 megabyte hard drive. It seems to have DOS 6.22 on it, but that is almost certainly an upgrade. There are checks in the software to make sure you're on at least DOS 2 and a few checks for 286 / 386 in there. I saw the references to Phar Lap in the executable and researched them. They appear to have made the first / one of the first DOS extenders, so there is some sort of virtual memory thing going on here. I'm on Linux, but I have the original machine, DOSBox, and FreeDOS to run any tool or check on the exe that you might want.
binwalk entropy graph
https://svgshare.com/i/EXB.svg
ida segments
```
Name    Start     End       R W X D L Align Base  Type   Class AD es       ss       ds   fs       gs
seg000  00000000  00000200  ? ? ? . L byte  1000  public UNK   16 FFFFFFFF FFFFFFFF 11FF FFFFFFFF FFFFFFFF
seg001  00000000  00001DE0  ? ? ? . L byte  1020  public CODE  16 FFFFFFFF FFFFFFFF 11FF FFFFFFFF FFFFFFFF
seg002  00000000  00000010  ? ? ? . L byte  11FE  public UNK   16 FFFFFFFF FFFFFFFF 11FF FFFFFFFF FFFFFFFF
dseg    00000000  00000980  ? ? ? . L para  11FF  public DATA  16 FFFFFFFF FFFFFFFF 11FF FFFFFFFF FFFFFFFF
seg004  00000000  00002000  ? ? ? . L byte  1297  stack  STACK 16 FFFFFFFF FFFFFFFF 11FF FFFFFFFF FFFFFFFF
```
ida segment registers
Name Address Public
aCopyrightC1986 00010000
_main 000102F0
start 000104CC P
__cintDIV 00010584
__amsg_exit 00010594
__dataseg 000105B3
__cinit 000105B6
_exit 00010684
__exit 0001068B
__cexit 00010693
__c_exit 0001069D
__ctermsub 00010705
__FF_MSGBANNER 00010754
__fptrap 00010774
__aNchkstk 0001077A
__nullcheck 00010792
__setargv 000107B4
__setenvp 00010942
__NMSG_TEXT 000109C0
__NMSG_WRITE 000109EB
__myalloc 00010A20
__dosret0 00010A44
__dosreturn 00010A4C
__dosretax 00010A59
__maperror 00010A66
_close 00010A9A
_lseek 00010ABA
_sopen 00010B34
_open 00010B4E
__cXENIXtoDOSmode 00010CDF
_read 00010CF0
j___nmalloc 00010DDA
j___nfree 00010DDE
__nfree 00010DE2
__nmalloc 00010E03
__searchseg 00010E2C
__growseg 00010EA8
__incseg 00010F34
__findlast 00010F85
_strcat 00010FA6
_strcpy 00010FE6
_strlen 00011018
_strncpy 00011034
_strncmp 0001105C
_getenv 00011096
_putenv 000110F0
findenv 000111C0
__nrealloc 00011226
j___nrealloc 0001128A
__resize 0001128E
_strchr 00011356
_stricmp 00011380
_strrchr 000113C2
__splitpath 000113EE
__makepath 00011538
__cenvarg 000115C0
__doexec 00011816
_execlp 00011BB0
comexebat 00011BC2
_execve 00011D3C
_execvp 00011E34
_execvpe 00011E4E
_access 00011F8E
__dos_read 00011FAE
__dos_write 00011FB5
aGorun286 00012422
aSeeBind286ForI 0001242B
aRealModeStubLo 0001244A
aFatalError2864 00012482
aRun286bBound 000124B4
aFatalError2864_0 000124C4
aThisProgramReq 000124F8
aUnknownError 0001252C
aFatalError2864_1 0001253F
aFileInfo 00012582
argc 000125BF
argv 000125C1
aError0 00012604
aComspec 00012798
aBat 000127A0
aExe 000127A5
aCom 000127AA
aUOPath 000127B2
aNmsg 000127DC
aR6000StackOver 000127E8
IDA list of applied library modules
File State #func Library name
mv16rdos Applied 56 MSC v6.0/v7.0 & MSVC v1.0/v1.5 DOS runtime
IDA strings window
Address Length Type String
seg000:0000 00000030 C Copyright (C) 1986-1994 Phar Lap Software, Inc.
seg000:0032 00000008 C C5S2S2PK
seg000:007D 00000009 C 脺u+脙貌=脩8脪
seg000:00A3 00000005 C Z潞kdy
seg000:00A9 00000005 C 脟忙Q*\"
seg000:00C2 00000007 C 脹3脥脮\x1B,u
seg000:00D1 0000000C C !D]l脴]茫e#潞貌Q
seg000:00F9 00000005 C 脧[W脽S
seg000:011C 00000008 C 镁'脥脰b镁.z
seg000:012A 00000005 C 0拧\\拧
seg000:0134 00000007 C .\nc`脩8脪
seg000:0155 00000006 C *貌>脪N帽
seg000:0174 00000006 C \"艩脵茠鸥
seg000:018B 0000000C C 脹v脛酶~{ d贸Z脭)
seg000:01A3 00000009 C 谩\rz脽脨d&帽x
seg000:01AD 00000006 C 脩#碌脙x\"
seg000:01B4 00000008 C %U脴鸥L忙sD
seg000:01BD 00000007 C 忙_n^RF:
seg000:01C8 00000005 C X拧煤eS
seg000:01F2 00000005 C 脤玫i脡g
dseg:0008 00000038 C MS Run-Time Library - Copyright (c) 1990, Microsoft Corp
dseg:024E 00000008 C 拧帽10636
dseg:0259 00000007 C 脺-脢3.1
dseg:02DE 0000000B C run286.exe
dseg:03E1 0000002E C Copyright (C) 1986-94 Phar Lap Software, Inc.
dseg:040F 00000005 C --
dseg:0414 0000000B C GORUN286:
dseg:0421 0000000F C Serial Number
dseg:0432 00000009 C GORUN286
dseg:043B 0000001F C See BIND286 for instructions\r\n
dseg:045A 00000038 C Real mode stub loader for Phar Lap's 286|DOS-Extender\r\n
dseg:0492 00000030 C Fatal Error 286.4010: No memory for switches.\r\n
dseg:04C4 00000010 C RUN286B=-bound
dseg:04D4 00000034 C Fatal Error 286.4020: No memory for command tail.\r\n
dseg:0508 00000034 C This program requires Phar Lap's 286|DOS-Extender\r\n
dseg:053C 0000000E C Unknown error
dseg:054A 00000005 C --
dseg:054F 00000022 C Fatal Error 286.4000: Can't load
dseg:0592 0000000C C _FILE_INFO=
dseg:0614 00000008 C Error 0
dseg:061D 0000001A C No such file or directory
dseg:063B 00000012 C Arg list too long
dseg:064D 00000012 C Exec format error
dseg:065F 00000010 C Bad file number
dseg:0671 00000010 C Not enough core
dseg:0681 00000012 C Permission denied
dseg:0696 0000000C C File exists
dseg:06A2 00000012 C Cross-device link
dseg:06B7 00000011 C Invalid argument
dseg:06C9 00000014 C Too many open files
dseg:06E0 00000018 C No space left on device
dseg:06FC 0000000E C Math argument
dseg:070A 00000011 C Result too large
dseg:071C 0000001E C Resource deadlock would occur
dseg:073A 0000000E C Unknown error
dseg:07A8 00000008 C COMSPEC
dseg:07B0 00000005 C .bat
dseg:07B5 00000005 C .exe
dseg:07BA 00000005 C .com
dseg:07C2 00000009 C 碌\a潞\aPATH
dseg:07EC 0000000B C <\x1B<<NMSG>>
dseg:07F8 0000001A C R6000\r\n- stack overflow\r\n
dseg:0814 0000001F C R6003\r\n- integer divide by 0\r\n
dseg:0835 0000002C C R6009\r\n- not enough space for environment\r\n
dseg:0868 00000010 C run-time error
dseg:087A 0000002D C R6002\r\n- floating-point support not loaded\r\n
dseg:08A9 00000023 C R6001\r\n- null pointer assignment\r\n
dseg:08CE 00000037 C \r\nrun-time error R6005\r\n- not enough memory on exec\r\n$
dseg:0907 00000034 C \r\nrun-time error R6006\r\n- invalid format on exec\r\n$
dseg:093D 00000039 C \r\nrun-time error R6007\r\n- invalid environment on exec\r\n$
IDA problems window
Address Type Instruction
seg001:03B5 NODISASM db 0
seg001:03B5 ALREADY db 0
dseg:07A4 ALREADY db 0
dseg:07E8 ALREADY db 0
seg001:02CC BADSTACK mov ah, 30h
seg001:03B6 BADSTACK mov ax, 3500h
seg001:048B BADSTACK push bp
seg001:057A BADSTACK pop cx
seg001:05B4 BADSTACK pop word_125D8
seg001:0820 BADSTACK push bx
seg001:08BA BADSTACK push bp
seg001:0934 BADSTACK push bp
seg001:0AF0 BADSTACK push bp
seg001:1616 BADSTACK push bp
seg001:0000 DECISION db 10h dup(0)
seg001:0384 DECISION mov ax, word ptr cs:__dataseg
seg001:03B5 DECISION db 0
seg001:0866 DECISION xor ah, ah
seg001:0D83 DECISION stc
seg001:18CE DECISION db 0Eh, 1Fh, 0CDh, 21h, 73h, 3Eh, 0BBh, 1, 0, 3Ch, 1, 74h
seg001:18CE ROLLBACK db 0Eh, 1Fh, 0CDh, 21h, 73h, 3Eh, 0BBh, 1, 0, 3Ch, 1, 74h
seg001:18CF ROLLBACK db 0Eh, 1Fh, 0CDh, 21h, 73h, 3Eh, 0BBh, 1, 0, 3Ch, 1, 74h
seg001:18D0 ROLLBACK db 0Eh, 1Fh, 0CDh, 21h, 73h, 3Eh, 0BBh, 1, 0, 3Ch, 1, 74h
seg001:199A SIGFNREF 18 defined bytes match; Xref candidates: __environ @ 0x11B9F, _environ @ 0x11B9F
seg001:19B0 SIGFNREF 16 defined bytes match; Xref candidates: __execvp @ 0x11BBB, _execvp @ 0x11BBB
@caheckman fixed this!