
bddisasm is a fast, lightweight, x86/x64 instruction decoder. The project also features a fast, basic, x86/x64 instruction emulator, designed specifically to detect shellcode-like behavior.

This shellcode gets inconsistent values #62

Closed icyfox168168 closed 2 years ago

icyfox168168 commented 2 years ago

Result in RAX, native CPU vs. emulator: 1586A 15869 (the second ADC must add the carry produced by the first one)

Entry point exercised: `SHEMU_STATUS ShemuEmulate( SHEMU_CONTEXT* Context )`, fed with the shellcode bytes below.

"\x68\x45\x02\x00\x00\x9D\x48\xBE\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x48\xC7\xC0\x68\x58\x01\x00\x40\x10\xF0\x14\x01\xC3"

/*
 * Repro 1: carry propagation across two back-to-back ADC instructions.
 *
 * POPF loads RFLAGS with 0x245, whose bit 0 (CF) is set. ADC al, sil then
 * computes 0x68 + 0xFF + 1 = 0x168, so AL wraps to 0x68 and CF must be set
 * again; the following ADC al, 1 therefore yields 0x68 + 1 + 1 = 0x6A and
 * the function returns RAX = 0x1586A. The issue reports the emulator
 * returning 0x15869 instead, i.e. the carry from the first ADC is lost.
 *
 * Naked: no prologue/epilogue, the return value is whatever RAX holds at
 * the RET. The C string above is the encoded form of this sequence.
 * NOTE(review): "attribute((naked))" is presumably __attribute__((naked))
 * with the underscores eaten by the issue's markdown -- confirm before reuse.
 */
attribute((naked)) long long asmadc() {
    __asm {
        push 0x245                   ; RFLAGS image with CF (bit 0) = 1
        popf
        mov rsi, 0x00000000ffffffff  ; SIL = 0xFF
        mov rax, 0x0000000000015868  ; AL  = 0x68
        ADC al, sil                  ; 0x68 + 0xFF + 1 = 0x168 -> AL = 0x68, CF = 1
        ADC al, 1                    ; 0x68 + 1 + CF(1) = 0x6A  -> RAX = 0x1586A
        ret
    }
}

icyfox168168 commented 2 years ago

Result, native CPU vs. emulator: 98 99 (ADC r11b, 0x6c produces no nibble carry, so AF must end up clear)

"\x55\x50\x48\x89\xE5\x48\xC7\x45\x00\x00\x00\x00\x00\x68\x16\x02\x00\x00\x9D\x49\xBB\x00\x00\x00\x00\x00\x00\x01\x00\x41\x80\xD3\x6C\x9C\x58\x48\x89\x45\x00\x48\x89\xE8\xB9\x04\x00\x00\x00\x48\x0F\xA3\x08\xB8\x99\x00\x00\x00\x48\x83\xD0\xFF\x48\x83\xC4\x08\x5D\xC3"

/*
 * Repro 2: AF (auxiliary carry, RFLAGS bit 4) after ADC.
 *
 * POPF loads RFLAGS with 0x216, which has AF set. ADC r11b, 0x6c then adds
 * 0x00 + 0x6C + CF(0) = 0x6C; there is no carry out of bit 3, so hardware
 * clears AF. PUSHF/POP RAX captures the resulting flags and the C code maps
 * them to a return value: 0x99 if AF is still set, 0x98 if it was cleared.
 * Native result is 0x98; the issue reports 0x99 from the emulator (the
 * maintainer's reply states AF is intentionally not modelled).
 *
 * The shellcode version above tests bit 4 directly (mov ecx, 4 / bt) and
 * uses ADC rax, -1 to derive 0x98/0x99, so RFLAG_AF is presumably 4 --
 * it comes from a project header not shown here.
 */
long long asmadc() {
    long long ret = 0;
    __asm {
        push 0x0000000000000216      ; RFLAGS image with AF (bit 4) = 1, CF = 0
        popf
        mov r11, 0x0001000000000000  ; R11B = 0x00
        ADC r11b, 0x6c               ; 0x00 + 0x6C + 0 = 0x6C, no carry from bit 3 -> AF = 0
        pushf                        ; capture RFLAGS as written by the ADC
        pop rax
        mov ret,rax
    }

    /* Encode the AF bit of the captured flags as 0x99 (set) / 0x98 (clear). */
    if (_bittest64((LONG64*)&ret, RFLAG_AF))
    {
        ret = 0x99;
    }
    else
    {
        ret = 0x98;
    }
    return ret;
}

icyfox168168 commented 2 years ago

Result in RAX, native CPU vs. emulator: FF01 FF00 (SAR with a count larger than the operand width must leave CF = sign bit)

"\x68\x83\x02\x00\x00\x9D\x48\xC7\xC0\xF8\xB0\x00\x00\x66\xC1\xF8\x77\x14\x01\xC3"

/*
 * Repro 3: CF produced by SAR with an out-of-range shift count, consumed by ADC.
 *
 * POPF loads RFLAGS with 0x283 (CF = 1). SAR ax, 0x77: the CPU masks the
 * count to 5 bits (0x77 & 0x1F = 23), which is >= 16, so AX = 0xB0F8 becomes
 * all sign bits (0xFFFF) and the last bit shifted out -- hence CF -- is the
 * sign bit, 1. ADC al, 1 then computes 0xFF + 1 + 1 = 0x101, leaving
 * AL = 0x01 and RAX = 0xFF01. The issue reports the emulator returning
 * 0xFF00, i.e. CF not being set by the SAR.
 *
 * Naked: no prologue/epilogue, RAX at RET is the return value. The C string
 * above is the encoded form of this sequence.
 * NOTE(review): "attribute((naked))" is presumably __attribute__((naked))
 * with the underscores eaten by the issue's markdown -- confirm before reuse.
 */
attribute((naked)) long long asmadc() {

__asm
{
    push 0x283                   ; RFLAGS image with CF (bit 0) = 1
    popf
    mov rax, 0x000000000000b0f8  ; AX = 0xB0F8 (negative as int16)
    SAR       ax, 0x77           ; count masked to 23 >= 16: AX = 0xFFFF, CF = sign bit = 1
    ADC       al, 1              ; 0xFF + 1 + CF(1) = 0x101 -> AL = 0x01, RAX = 0xFF01
    ret

}

}

icyfox168168 commented 2 years ago

Result, native CPU vs. emulator: 99 98 (the signed 32-bit product overflows, so OF must be set)

/*
 * Repro 4: OF (RFLAGS bit 11) after one-operand IMUL.
 *
 * POPF loads RFLAGS with 0x217. IMUL edx multiplies EAX by EDX as signed
 * 32-bit values into EDX:EAX: 0x01000193 (16777619) * 0xFFFFFF63 (-157) =
 * -2634086183, which does not fit in a signed 32-bit register, so hardware
 * sets OF (and CF). PUSHF/POP RAX captures the flags and the C code returns
 * 0x99 if OF is set, 0x98 otherwise. Native result is 0x99; the issue
 * reports 0x98 from the emulator.
 *
 * The shellcode version in the next comment tests bit 11 directly
 * (mov ecx, 0xb / bt), so RFLAG_OF is presumably 11 -- it comes from a
 * project header not shown here.
 */
long long asmadc() {
    long long ret = 0;
    __asm {
        push 0x217                   ; RFLAGS image (CF = 1, AF = 1, PF = 1)
        popf
        mov rax, 0x0000000001000193  ; EAX = 16777619
        mov rdx, 0x00000000ffffff63  ; EDX = -157 as int32
        IMUL edx                     ; EDX:EAX = EAX * EDX, product exceeds int32 -> OF = CF = 1
        pushf                        ; capture RFLAGS as written by the IMUL
        pop rax
        mov ret, rax
    }

    /* Encode the OF bit of the captured flags as 0x99 (set) / 0x98 (clear). */
    if (_bittest64((LONG64*)&ret, RFLAG_OF))
    {
        ret = 0x99;
    }
    else
    {
        ret = 0x98;
    }

    return ret;
}

icyfox168168 commented 2 years ago

"\x55\x50\x48\x89\xE5\x48\xC7\x45\x00\x00\x00\x00\x00\x68\x17\x02\x00\x00\x9D\x48\xC7\xC0\x93\x01\x00\x01\x48\xBA\x63\xFF\xFF\xFF\x00\x00\x00\x00\xF7\xEA\x9C\x58\x48\x89\x45\x00\x48\x89\xE8\xB9\x0B\x00\x00\x00\x48\x0F\xA3\x08\xB8\x99\x00\x00\x00\x48\x83\xD0\xFF\x48\x83\xC4\x08\x5D\xC3"

icyfox168168 commented 2 years ago

Is it a bug? If it is a bug, is there a plan to fix it?

vlutas commented 2 years ago

The problems you reported are all fixed in https://github.com/bitdefender/bddisasm/commit/1805a9edec384bd9976e7f14dcfaf668a58ab37e. Please do note that shemu does not set AF for any instruction; this is by design, so the AF-based case above (repro 2) will keep differing from hardware, and anything that branches on AF will diverge between the emulator and a real CPU.