BeaEngine / beaengine

BeaEngine disasm project

Incorrect decoding of vp instructions #20

Closed john-8998 closed 4 years ago

john-8998 commented 4 years ago

The vp instructions do not decode well. For example: "c5 f1 ef c9" should be decoded to "vpxor xmm1,xmm1,xmm1" (instead of "lds..."). "c5 f5 74 01" should be decoded to "vpcmpeqb ymm0,ymm1,ymmword ptr [ecx]" (instead of "lds...").

BeaEngine commented 4 years ago

Hi, did you define the default architecture to be 64 bits? (lds is used only for 32-bit architectures.) I just tried the following code:

```python
from BeaEnginePython import *

# Python 2 idiom: str.decode('hex'); on Python 3 use bytes.fromhex('c5f57401')
buffer = 'c5f57401'.decode('hex')
target = Disasm(buffer)
target.read()
print(target.repr())
```

and I get vpcmpeqb ymm0, ymm1, ymmword ptr [rcx]

```python
from BeaEnginePython import *

# Python 2 idiom: str.decode('hex'); on Python 3 use bytes.fromhex('c5f1efc9')
buffer = 'c5f1efc9'.decode('hex')
target = Disasm(buffer)
target.read()
print(target.repr())
```

and I get vpxor xmm1,xmm1,xmm1

john-8998 commented 4 years ago

And now try your code in x86 architecture and see what you get... "lds.." which is wrong. For example, look at x86 version of ucrtcode.dll!strnlen() which uses a few vp instructions.

BeaEngine commented 4 years ago

Aah, you are right! If MOD_ == 0x3, VEX is used instead of LDS on 32-bit architectures... my bad. I'll fix that. Thanks for the report.
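The disambiguation rule from the comment above, worked through on the two byte sequences from the report. This is an added example, not BeaEngine's code: it decodes only the 2-byte VEX form (C5), and the mnemonic table is limited to the two opcodes discussed in this issue (an assumed mapping for the 66-prefixed 0F map).

```python
# Added example (not BeaEngine's code). In 32-bit mode opcode C5 is LDS unless the
# MOD field of the following byte is 0b11, in which case C5 starts a 2-byte VEX prefix.
VEX_MNEMONICS = {(0x01, 0xEF): "vpxor", (0x01, 0x74): "vpcmpeqb"}  # (pp, opcode), assumed
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

def is_vex_c5(code, mode64):
    """C5 is always VEX in 64-bit mode; in 32-bit mode only when MOD == 0b11."""
    if code[0] != 0xC5:
        return False
    return mode64 or (code[1] >> 6) == 0x3

def decode(code, mode64=False):
    """Decode a C5-prefixed instruction, or report the legacy LDS path."""
    if not is_vex_c5(code, mode64):
        return "lds (legacy C5 /r)"  # operands of LDS not decoded here
    b1 = code[1]
    r_bar = b1 >> 7                   # inverted REX.R; only meaningful in 64-bit mode
    vvvv = ((b1 >> 3) & 0xF) ^ 0xF    # vvvv is stored inverted
    L = (b1 >> 2) & 1                 # 0 = xmm (128-bit), 1 = ymm (256-bit)
    pp = b1 & 0x3                     # implied legacy prefix: 01 = 66
    opcode, modrm = code[2], code[3]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mode64 and not r_bar:
        reg += 8
    vreg = "ymm" if L else "xmm"
    mnem = VEX_MNEMONICS.get((pp, opcode), "vex_op_%02x" % opcode)
    if mod == 3:
        src2 = "%s%d" % (vreg, rm)
    elif mod == 0 and rm not in (4, 5):   # plain [base] form; SIB/disp not handled
        base = (REG64 if mode64 else REG32)[rm]
        src2 = "%s ptr [%s]" % ("ymmword" if L else "xmmword", base)
    else:
        raise NotImplementedError("SIB/displacement forms not handled in this example")
    return "%s %s%d,%s%d,%s" % (mnem, vreg, reg, vreg, vvvv, src2)
```

Running `decode(bytes.fromhex("c5f1efc9"))` gives the vpxor form from the report, while a constructed `c5 06` starts with MOD == 0b00 and falls through to LDS in 32-bit mode.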

BeaEngine commented 4 years ago

Quick commit without any test yet, can you tell me if it is ok?