bitdefender / bddisasm

bddisasm is a fast, lightweight, x86/x64 instruction decoder. The project also features a fast, basic, x86/x64 instruction emulator, designed specifically to detect shellcode-like behavior.
Apache License 2.0

ROL ROR RegFlags OF, Possible problems #50

Closed icyfox168168 closed 3 years ago

icyfox168168 commented 3 years ago

Error in file bdshemu.c

Error in function ShemuEmulate

// ROL edi, 0x0c //rdi 000000008EB56F68 // ROR esi, 0x0f // rsi 00000000B25D542F

OUT: -------------------------------
OUT: fucking ROL edi, 0x0c Old RegFlags 00000287 rdi 000000008EB56F68 cf 1 pf 1 af 0 zf 0 sf 1 tf 0 if 1 df 0 of 0
OUT: tureend ROL edi, 0x0c Old RegFlags 00000287 rdi 000000008EB56F68 cf 0 pf 1 af 0 zf 0 sf 1 tf 0 if 1 df 0 of 1
OUT: fuckend ROL edi, 0x0c Old RegFlags 00000287 rdi 000000008EB56F68 cf 0 pf 1 af 0 zf 0 sf 1 tf 0 if 1 df 0 of 0
OUT: -------------------------------
OUT: -------------------------------
OUT: fucking ROR esi, 0x0f Old RegFlags 00000287 rsi 00000000B25D542F cf 1 pf 1 af 0 zf 0 sf 1 tf 0 if 1 df 0 of 0
OUT: tureend ROR esi, 0x0f Old RegFlags 00000287 rsi 00000000B25D542F cf 1 pf 1 af 0 zf 0 sf 1 tf 0 if 1 df 0 of 1
OUT: fuckend ROR esi, 0x0f Old RegFlags 00000287 rsi 00000000B25D542F cf 1 pf 1 af 0 zf 0 sf 1 tf 0 if 1 df 0 of 0
OUT: -------------------------------

vlutas commented 3 years ago

I don't understand exactly what the problem is. You are trying to say that the OF flag is not set correctly during ROL/ROR emulation?

icyfox168168 commented 3 years ago

Yes, OF is not set correctly.

vlutas commented 3 years ago

If I understand your issue correctly, then this is not a problem - the OF flag is undefined for rotations greater than 1 (it is set only when the rotation count is 1), and you are rotating 0xC and 0xF, respectively.

If the masked count is 0, the flags are not affected. If the masked count is 1, then the OF flag is affected, otherwise (masked count is greater than 1) the OF flag is undefined. The CF flag is affected when the masked count is nonzero. The SF, ZF, AF, and PF flags are always unaffected.

icyfox168168 commented 3 years ago

I wrote a test program last night and compared the simulated value with the real CPU operation. I found that the OF of these instructions is different, but I don't know why. Maybe there is a bug in my test program. Thank you for your answer.

icyfox168168 commented 3 years ago

The other instructions are not like this; the simulation is perfect.

vlutas commented 3 years ago

In general, an undefined flag may have any value after execution, and even after emulation. When comparing execution with emulation outputs, undefined values and undefined flags should be ignored, as they could technically be anything.
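As an added illustration of the flag rules vlutas quotes and of his advice to ignore undefined flags when diffing emulation against hardware, here is a small reference model of 32-bit ROL/ROR in C. It is not code from bddisasm or from this thread; the EFLAGS bit positions are the standard ones, and the comparison helper, its names and the sample values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

#define F_CF (1u << 0)    /* EFLAGS carry flag */
#define F_OF (1u << 11)   /* EFLAGS overflow flag */

/* Result of a rotate: new value, new flags, and the flags left undefined. */
typedef struct { uint32_t value, flags, undef; } rot_result;

/* 32-bit ROL (left=true) or ROR (left=false) with the flag rules quoted in
 * the thread: masked count 0 leaves all flags alone; CF is defined for any
 * nonzero masked count; OF is defined only for masked count 1 and is marked
 * undefined otherwise. SF, ZF, AF and PF are never touched. */
static rot_result rotate32(uint32_t value, uint8_t count, bool left, uint32_t old_flags)
{
    rot_result r = { value, old_flags, 0 };
    unsigned masked = count & 0x1F;     /* 32-bit operand: count masked to 5 bits */

    if (masked == 0)
        return r;

    if (left)
        r.value = (value << masked) | (value >> (32 - masked));
    else
        r.value = (value >> masked) | (value << (32 - masked));

    /* CF receives the bit rotated across the ends: the new LSB for ROL,
     * the new MSB for ROR. */
    uint32_t cf = left ? (r.value & 1u) : (r.value >> 31);
    r.flags = (r.flags & ~F_CF) | (cf ? F_CF : 0);

    if (masked == 1) {
        /* ROL: OF = MSB(result) XOR CF; ROR: OF = MSB(result) XOR bit 30(result). */
        uint32_t of = left ? (((r.value >> 31) & 1u) ^ cf)
                           : (((r.value >> 31) ^ (r.value >> 30)) & 1u);
        r.flags = (r.flags & ~F_OF) | (of ? F_OF : 0);
    } else {
        r.undef |= F_OF;                /* undefined: an emulator may pick any value */
    }
    return r;
}

/* Compare emulated flags with flags captured from a real CPU, ignoring the
 * bits the instruction leaves undefined. compare_mask selects which flags
 * the caller cares about at all. */
static bool flags_match(rot_result emu, uint32_t cpu_flags, uint32_t compare_mask)
{
    uint32_t mask = compare_mask & ~emu.undef;
    return (emu.flags & mask) == (cpu_flags & mask);
}
```

Run with the thread's own operands (ROL edi, 0x0c on 8EB56F68 and ROR esi, 0x0f on B25D542F), the model leaves OF marked undefined, so a hardware run that reports of 1 and an emulator run that reports of 0 compare as equal once the undefined mask is applied.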