bitdefender / bddisasm

bddisasm is a fast, lightweight, x86/x64 instruction decoder. The project also features a fast, basic, x86/x64 instruction emulator, designed specifically to detect shellcode-like behavior.
Apache License 2.0
888 stars, 115 forks

CMPXCHG the pf flag bit? #67

Closed icyfox168168 closed 2 years ago

icyfox168168 commented 2 years ago

```text
PF KO type 1 CMPXCHG cx, dx
RAX = 0x0000000000002300 RCX = 0x0000000000002300 RDX = 0x0000000000002400 RBX = 0x0000000000000000
RSP = 0x000000000252dff0 RBP = 0x000000000252e020 RSI = 0x0000000000000000 RDI = 0x0000000000000000
R8  = 0x0000000000000000 R9  = 0x0000000000000000 R10 = 0x0000000000000000 R11 = 0x0000000000000000
R12 = 0x0000000000000000 R13 = 0x0000000000000000 R14 = 0x0000000000000000 R15 = 0x0000000000000000
RIP = 0x00000001400175e0 RFLAGS = 0x0000000000000202
EmuStart: 0x00000001400175e0 CMPXCHG cx, dx
RAX = 0x0000000000002300 RCX = 0x0000000000002400 RDX = 0x0000000000002400 RBX = 0x0000000000000000
RSP = 0x000000000252dff0 RBP = 0x000000000252e020 RSI = 0x0000000000000000 RDI = 0x0000000000000000
R8  = 0x0000000000000000 R9  = 0x0000000000000000 R10 = 0x0000000000000000 R11 = 0x0000000000000000
R12 = 0x0000000000000000 R13 = 0x0000000000000000 R14 = 0x0000000000000000 R15 = 0x0000000000000000
RIP = 0x00000001400175e0 RFLAGS = 0x0000000000000246
True
EmuEnd: 0x00000001400175e0 CMPXCHG cx, dx
RAX = 0x0000000000002300 RCX = 0x0000000000002400 RDX = 0x0000000000002400 RBX = 0x0000000000000000
RSP = 0x000000000252dff0 RBP = 0x000000000252e020 RSI = 0x0000000000000000 RDI = 0x0000000000000000
R8  = 0x0000000000000000 R9  = 0x0000000000000000 R10 = 0x0000000000000000 R11 = 0x0000000000000000
R12 = 0x0000000000000000 R13 = 0x0000000000000000 R14 = 0x0000000000000000 R15 = 0x0000000000000000
RIP = 0x00000001400175e0 RFLAGS = 0x0000000000000242
Fuck
EmuEnd: 0x00000001400175e0 CMPXCHG cx, dx
```

```c
long long asmadc()
{
    long long ret = 111;
    __asm {
        push 0x202          // RFLAGS = 0x202: IF set, every arithmetic flag clear
        popf
        mov rax, 0x2300
        mov rcx, 0x2300     // AX == CX, so CMPXCHG takes the "equal" path
        mov rdx, 0x2400
        cmpxchg CX, DX      // CX <- DX and ZF = 1; 0x2300 - 0x2300 == 0 should also set PF
        mov ret, rax
    }
    return ret;
}
```

icyfox168168 commented 2 years ago

```c
/* asmadc() as compiled: push rbp; push rax; mov rbp, rsp; mov qword [rbp], 0x6f; push 0x202; popfq; mov rax, 0x2300; mov rcx, 0x2300; mov rdx, 0x2400; cmpxchg cx, dx; mov [rbp], rax; mov rax, [rbp]; add rsp, 8; pop rbp; ret */
"\x55\x50\x48\x89\xE5\x48\xC7\x45\x00\x6F\x00\x00\x00\x68\x02\x02\x00\x00\x9D\x48\xC7\xC0\x00\x23\x00\x00\x48\xC7\xC1\x00\x23\x00\x00\x48\xC7\xC2\x00\x24\x00\x00\x66\x0F\xB1\xD1\x48\x89\x45\x00\x48\x8B\x45\x00\x48\x83\xC4\x08\x5D\xC3"
```

vlutas commented 2 years ago

Hello,

This was left intentionally like this (i.e., only set the ZF for CMPXCHG). I modified it, however, to set all the other flags, since it's trivial. Fixed in https://github.com/bitdefender/bddisasm/commit/bf81c647e3a7cf1e84cb968b37c7e7f82d4ecf16.
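To make concrete what "only set the ZF" versus "set all the other flags" means for this instruction, the following is an added example written for this page; it is not bddisasm or bdshemu code and does not reflect how the fixed commit is implemented. The `struct cpu16`, `cmp16_flags`, `cmpxchg_cx_dx` and `run_issue_case` names are hypothetical. It models the 16-bit form of CMPXCHG with a switch between the ZF-only update the reporter observed (RFLAGS 0x242) and the full CMP-style update the Intel SDM specifies (RFLAGS 0x246, PF set because 0x2300 - 0x2300 is zero), and on an x86-64 host built with GCC or Clang it also runs the real instruction as a differential check, the way the reporter compared hardware against the emulator; on other hosts that check is compiled out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* RFLAGS bits CMPXCHG touches: it sets them exactly as "CMP accumulator, dest" would. */
#define FLAG_CF (1u << 0)
#define FLAG_PF (1u << 2)
#define FLAG_AF (1u << 4)
#define FLAG_ZF (1u << 6)
#define FLAG_SF (1u << 7)
#define FLAG_OF (1u << 11)
#define ARITH_FLAGS (FLAG_CF | FLAG_PF | FLAG_AF | FLAG_ZF | FLAG_SF | FLAG_OF)

/* Hypothetical register file, just enough for CMPXCHG cx, dx. */
struct cpu16 {
    uint16_t ax, cx, dx;
    uint64_t rflags;
};

/* PF is set when the low byte of the result has an even number of 1 bits. */
static bool parity_even(uint8_t v)
{
    v ^= v >> 4;
    v ^= v >> 2;
    v ^= v >> 1;
    return (v & 1) == 0;
}

/* Flags produced by the 16-bit subtraction a - b, i.e. what CMP a, b computes. */
static uint64_t cmp16_flags(uint16_t a, uint16_t b)
{
    uint32_t wide = (uint32_t)a - (uint32_t)b;   /* a borrow lands in bit 16 */
    uint16_t res = (uint16_t)wide;
    uint64_t f = 0;

    if (wide & 0x10000u)                f |= FLAG_CF;
    if (parity_even((uint8_t)res))      f |= FLAG_PF;
    if ((a ^ b ^ res) & 0x10u)          f |= FLAG_AF;   /* borrow out of bit 3 */
    if (res == 0)                       f |= FLAG_ZF;
    if (res & 0x8000u)                  f |= FLAG_SF;
    if ((a ^ b) & (a ^ res) & 0x8000u)  f |= FLAG_OF;   /* signed overflow */
    return f;
}

/* CMPXCHG cx, dx. full_flags == false reproduces the ZF-only update the issue
 * reports; full_flags == true is the SDM behaviour (all six arithmetic flags). */
static void cmpxchg_cx_dx(struct cpu16 *c, bool full_flags)
{
    uint64_t f = cmp16_flags(c->ax, c->cx);

    if (c->ax == c->cx)
        c->cx = c->dx;        /* equal: destination takes the source */
    else
        c->ax = c->cx;        /* not equal: accumulator takes the destination */

    if (full_flags)
        c->rflags = (c->rflags & ~(uint64_t)ARITH_FLAGS) | f;
    else
        c->rflags = (c->rflags & ~(uint64_t)FLAG_ZF) | (f & FLAG_ZF);
}

/* The exact state from the issue (RFLAGS 0x202, AX = CX = 0x2300, DX = 0x2400).
 * Returns the resulting RFLAGS; the final CX is stored through cx_out if given. */
static uint64_t run_issue_case(bool full_flags, uint16_t *cx_out)
{
    struct cpu16 c = { .ax = 0x2300, .cx = 0x2300, .dx = 0x2400, .rflags = 0x202 };

    cmpxchg_cx_dx(&c, full_flags);
    if (cx_out)
        *cx_out = c.cx;
    return c.rflags;
}

#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
/* Differential check: the same instruction on the host CPU. Only the arithmetic
 * flags are returned so the value compares directly with the model's. */
static uint64_t run_issue_case_hw(uint16_t *cx_out)
{
    uint64_t ax = 0x2300, cx = 0x2300, dx = 0x2400, flags;

    __asm__ volatile (
        "cmpxchgw %w[dx], %w[cx]\n\t"
        "leaq -128(%%rsp), %%rsp\n\t"   /* step below the red zone; LEA keeps flags */
        "pushfq\n\t"
        "popq %[flags]\n\t"
        "leaq 128(%%rsp), %%rsp"
        : [cx] "+r" (cx), [flags] "=r" (flags), [ax] "+a" (ax)
        : [dx] "r" (dx)
        : "cc", "memory");
    if (cx_out)
        *cx_out = (uint16_t)cx;
    return flags & ARITH_FLAGS;
}
#endif

int main(void)
{
    uint16_t cx;
    uint64_t zf_only = run_issue_case(false, &cx);
    uint64_t full = run_issue_case(true, &cx);

    printf("model, ZF only: RFLAGS = 0x%03llx CX = 0x%04x\n", (unsigned long long)zf_only, cx);
    printf("model, all    : RFLAGS = 0x%03llx CX = 0x%04x\n", (unsigned long long)full, cx);
#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
    uint64_t hw = run_issue_case_hw(&cx);
    printf("host CPU      : arith flags = 0x%03llx CX = 0x%04x, model %s\n",
           (unsigned long long)hw, cx, hw == (full & ARITH_FLAGS) ? "matches" : "DIFFERS");
#endif
    return 0;
}
```

The two model results are the reporter's two dumps: 0x242 with ZF alone, 0x246 once PF is derived from the comparison as well. `cmp16_flags` is the piece an emulator has to share between CMP, SUB and CMPXCHG; the ZF-only path is enough for code that just branches on the exchange result, but shellcode that inspects PF, SF or CF afterwards (or a `jp`/`jnp` after a `cmpxchg`) diverges from real silicon, which is why the host cross-check is worth keeping in an emulator's test suite.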