bnd retn not supported

[bannsec]

Making a brief detour into windows land i found errors when running the binary that related to an instruction not supported:

In [7]: pg.errored[0].error
Out[7]: angr.errors.AngrExitError('IR decoding error at 0x401d24. You can hook this instruction with a python replacement using project.hook(0x401d24, your_function, length=length_of_instruction).')

Turns out the command was bnd retn. Bytes as \xf2\xc3

[ltfish]

What is bnd retn? I've never seen it.

[bannsec]

Yeah me neither, and I can't find any info on googles. Perhaps it's something specific w/ Microsoft VisualC 14 runtime?

Attaching the file. Angr is having problems decoding instruction at 0x401d24. challenge1.zip

[schieb]

Looks like it is part of a relatively new instruction set extension called MPX (Memory Protection Extensions).

See here and here (§16.1) for details.

[ltfish]

@schieb Thanks! I don't think we will support it before VEX supports it.

[rhelmot]

So it looks like that instruction set extension hijacked the REPNE prefix - F2 is usually REPNE. Apparently using REPNE RETN is identical to a typical return, except that it fixes some issues with the branch predictor on AMD CPUs.

I have implemented this in a recent commit :)