bitdefender / bddisasm

bddisasm is a fast, lightweight, x86/x64 instruction decoder. The project also features a fast, basic, x86/x64 instruction emulator, designed specifically to detect shellcode-like behavior.
Apache License 2.0
874 stars 112 forks

movsx eax,byte ptr ds:[rax] Only update al #47

Closed icyfox168168 closed 3 years ago

icyfox168168 commented 3 years ago

Only updates al. I checked the relevant instructions. In 64-bit mode, clear eax first. This is the strlen code when VS2019 is not optimizing, resulting in an endless loop:

```
000000018002F8B2 | 0FBE00 | movsx eax,byte ptr ds:[rax]
000000018002F8B5 | 85C0   | test eax,eax
000000018002F8B7 | 74 02  | je virtualdll.18002F8BB
000000018002F8B9 | EB E0  | jmp virtualdll.18002F89B
```

icyfox168168 commented 3 years ago

```c
/* Unoptimized strlen that reproduces the loop above (MSVC-specific pragmas and __forceinline). */
__forceinline int strlen(const char* psz)
{
    int i = 0;
    for (; *psz; psz++, i++)   /* compiles to: movsx eax, byte ptr [rax]; test eax, eax; je done */
        ;
    return i;
}

#pragma optimize("", off)

int __test()
{
    char str[] = { '0', 0 };
    return strlen(str);        /* expected result: 1 */
}

#pragma optimize("", on)
```

icyfox168168 commented 3 years ago

ND_INS_MOVZX: same problem.

vlutas commented 3 years ago

MOVSX and MOVZX are both decoded and disassembled correctly. Please refer to the Intel SDM, Volume 2 (2A, 2B, 2C & 2D): Instruction Set Reference, A-Z, CHAPTER 4 INSTRUCTION SET REFERENCE, M-U for the MOVSX and MOVZX instruction specifications. MOVSX and MOVZX copy a smaller quantity (byte or word) into a larger register (word, double-word or quad-word) with sign or zero extension. It is normal for the destination operand to be larger than the source operand.
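The semantics the maintainer points to, worked through as an added example (this is illustrative code written for this page, not bddisasm's decoder or emulator). It models `movsx eax, byte ptr [rax]` and `movzx eax, byte ptr [rax]` the way the SDM specifies them, next to the "only AL is written" behaviour the reporter described, and replays the unoptimized `strlen` loop from the issue against each model. The base address `0x180040000` and the string buffer are constructed values; `regs_t`, `run_strlen_loop` and the helper names are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal register file: only RAX matters for the loop in the report. */
typedef struct { uint64_t rax; } regs_t;

/* MOVSX r32, r/m8 (SDM semantics): sign-extend the byte to 32 bits.
   In 64-bit mode a 32-bit destination write also zeroes RAX[63:32]. */
static void movsx_eax_m8(regs_t *r, uint8_t byte)
{
    int32_t sext = (int32_t)(int8_t)byte;
    r->rax = (uint64_t)(uint32_t)sext;
}

/* MOVZX r32, r/m8 (SDM semantics): zero-extend the byte to 32 bits, upper half of RAX cleared. */
static void movzx_eax_m8(regs_t *r, uint8_t byte)
{
    r->rax = (uint64_t)(uint32_t)byte;
}

/* The incorrect behaviour described in the issue: only AL is written, RAX[63:8] is preserved.
   Kept here purely to show why the loop never terminates under that model. */
static void movsx_only_al(regs_t *r, uint8_t byte)
{
    r->rax = (r->rax & ~(uint64_t)0xFF) | byte;
}

/* TEST eax, eax: ZF is set when the 32-bit value is zero. */
static int test_eax_sets_zf(const regs_t *r)
{
    return (uint32_t)r->rax == 0;
}

/* Replays the reported sequence for each byte of buf:
       rax = &buf[i]          ; pointer lives in RAX before the load
       movsx eax, byte [rax]  ; modelled by `load`
       test eax, eax
       je done
   Returns the string length found, or -1 if the loop ran off the end of buf. */
static int run_strlen_loop(const uint8_t *buf, size_t buflen,
                           void (*load)(regs_t *, uint8_t))
{
    const uint64_t base = 0x0000000180040000ull;  /* constructed, non-zero address */
    regs_t r = {0};
    for (size_t i = 0; i < buflen; i++) {
        r.rax = base + (uint64_t)i;    /* RAX holds the pointer, so it is never zero here */
        load(&r, buf[i]);              /* the byte load overwrites the pointer register */
        if (test_eax_sets_zf(&r))      /* je taken only if the whole of EAX became zero */
            return (int)i;
    }
    return -1;                         /* never saw ZF=1: the "endless loop" case, bounded here */
}

int main(void)
{
    /* Constructed input: the reporter's { '0', 0 } string plus padding to bound the bad model. */
    const uint8_t str[4] = { '0', 0, 0, 0 };

    printf("SDM movsx : strlen = %d\n", run_strlen_loop(str, sizeof str, movsx_eax_m8));
    printf("SDM movzx : strlen = %d\n", run_strlen_loop(str, sizeof str, movzx_eax_m8));
    printf("only-AL   : strlen = %d\n", run_strlen_loop(str, sizeof str, movsx_only_al));

    regs_t r = { 0xFFFFFFFFFFFFFFFFull };
    movsx_eax_m8(&r, 0x80);
    printf("movsx eax, 0x80 -> rax = 0x%016llx\n", (unsigned long long)r.rax);
    return 0;
}
```

With the SDM semantics the NUL byte replaces all of EAX, `test eax, eax` sets ZF and the loop exits after one character; with the only-AL model the high bits of the pointer survive the load, EAX is never zero, and the loop cannot terminate, which is exactly the symptom the issue reports. The last line also shows the sign extension of 0x80 landing in a fully written, upper-half-cleared RAX.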