capstone-engine / capstone

Capstone disassembly/disassembler framework for ARM, ARM64 (ARMv8), Alpha, BPF, Ethereum VM, HPPA, LoongArch, M68K, M680X, Mips, MOS65XX, PPC, RISC-V(rv32G/rv64G), SH, Sparc, SystemZ, TMS320C64X, TriCore, Webassembly, XCore and X86.
http://www.capstone-engine.org

bnd jne instruction #955

Open Levimocun opened 7 years ago

Levimocun commented 7 years ago

I use IDA and capstone to disassemble a PE file. But there's a difference, which is bnd jne in capstone but repne jnz short in IDA. Would you please tell the reason?

aquynh commented 7 years ago

Is this from master, or next branch?

Can you provide the input of this case?

Levimocun commented 7 years ago

@aquynh the result disassembled by capstone:

    0x1400010a0: cmp rcx, qword ptr [rip + 0x1f61]
    0x1400010a7: bnd jne 0x1400010bc
    0x1400010aa: rol rcx, 0x10
    0x1400010ae: test cx, 0xffff
    0x1400010b3: bnd jne 0x1400010b8
    0x1400010b6: bnd ret

the result disassembled by IDA:

    .text:00000001400010A0 cmp rcx, cs:__security_cookie
    .text:00000001400010A7 repne jnz short loc_1400010BC
    .text:00000001400010AA rol rcx, 10h
    .text:00000001400010AE test cx, 0FFFFh
    .text:00000001400010B3 repne jnz short loc_1400010B8
    .text:00000001400010B6 repne retn

aquynh commented 7 years ago

ok, but you haven't provided the input code yet: what you gave is only assembly & instruction address.

you can enable Opcode output from menu "Options" -> "General ..." -> "Number of opcode bytes" . You can put 8 in this box, press OK, then paste the output here again.

Levimocun commented 7 years ago

@aquynh

    .text:00000001400010A0  48 3B 0D 61 1F 00 00    cmp rcx, cs:__security_cookie
    .text:00000001400010A7  F2 75 12                repne jnz short loc_1400010BC
    .text:00000001400010AA  48 C1 C1 10             rol rcx, 10h
    .text:00000001400010AE  66 F7 C1 FF FF          test cx, 0FFFFh
    .text:00000001400010B3  F2 75 02                repne jnz short loc_1400010B8
    .text:00000001400010B6  F2 C3                   repne retn

aquynh commented 7 years ago

all jump instructions should not associate with REP prefix, so IDA is confused here.

ping @radare.

radare commented 7 years ago

i should check the intel manual to confirm that behaviour, but it will be good to compare with other disassemblers too.

On 6 Jul 2017, at 07:19, Nguyen Anh Quynh notifications@github.com wrote:

all jump instructions should not associate with REP prefix, so IDA is confused here.

ping @radare https://github.com/radare.

sanguinawer commented 7 years ago

https://en.wikipedia.org/wiki/Intel_MPX

aquynh commented 7 years ago

according to Intel manual, REP prefix is only relevant for string instructions + IN/OUT. it is wrong to have REP with jump instructions.
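The point the thread circles around can be checked against the bytes themselves. In the Intel SDM, F2H in front of a near CALL, RET, JMP or Jcc is documented as the BND prefix introduced with MPX (and is a no-op on processors without MPX), while F2H in front of a string instruction is REPNE. The listing above contains F2 75 xx and F2 C3, so capstone's "bnd jne" / "bnd ret" is the documented reading, and IDA's "repne jnz" / "repne retn" is the raw prefix byte named without looking at the opcode. The following is an added example, not code from capstone, IDA or anyone in this thread: a reduced x86-64 prefix decoder that returns both readings for one instruction's bytes. The opcode sets are taken from the SDM; the function names, the "other" bucket and the sample listing (the bytes posted above, re-typed here as constructed input) are this example's own. It decodes only prefixes and opcode bytes, never operands, and does not model mandatory SSE prefixes beyond lumping them into "other".

```python
# Added example (not capstone's or IDA's code): a reduced x86-64 prefix
# decoder that shows why the same bytes print as "bnd jne" in one tool and
# "repne jnz" in another. Only legacy prefixes and opcode bytes are examined.

LEGACY_PREFIXES = {0xF0, 0xF2, 0xF3,                  # lock, repne/bnd, rep/repe
                   0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65,  # segment overrides
                   0x66, 0x67}                        # operand-/address-size

# Near Jcc rel8, RET, RET imm16, CALL rel32, JMP rel32, JMP rel8:
# the one-byte opcodes on which F2 is the BND prefix (Intel SDM, MPX).
NEAR_BRANCH_1BYTE = set(range(0x70, 0x80)) | {0xC2, 0xC3, 0xE8, 0xE9, 0xEB}

# INS/OUTS/MOVS/CMPS/STOS/LODS/SCAS: the instructions REP/REPE/REPNE apply to.
STRING_OPCODES = {0x6C, 0x6D, 0x6E, 0x6F, 0xA4, 0xA5, 0xA6, 0xA7,
                  0xAA, 0xAB, 0xAC, 0xAD, 0xAE, 0xAF}


def split_prefixes(code: bytes):
    """Return (set of legacy prefix bytes, index of the first opcode byte).
    A REX byte (40-4F, 64-bit mode) follows the legacy prefixes and is skipped."""
    i = 0
    while i < len(code) and code[i] in LEGACY_PREFIXES:
        i += 1
    legacy = set(code[:i])
    if i < len(code) and 0x40 <= code[i] <= 0x4F:
        i += 1
    return legacy, i


def opcode_class(code: bytes, i: int) -> str:
    """Classify the opcode at code[i] as 'branch', 'string' or 'other'."""
    op = code[i]
    if op == 0x0F:                                   # two-byte opcode map
        return "branch" if 0x80 <= code[i + 1] <= 0x8F else "other"  # Jcc rel32
    if op in NEAR_BRANCH_1BYTE:
        return "branch"
    if op == 0xFF:                                   # group 5: /2 near call r/m, /4 near jmp r/m
        reg = (code[i + 1] >> 3) & 7
        return "branch" if reg in (2, 4) else "other"
    if op in STRING_OPCODES:
        return "string"
    return "other"


def decode_prefix(code: bytes):
    """Return (byte_name, meaning) for one instruction's bytes.

    byte_name: generic name of an F2/F3 prefix byte regardless of the opcode
               (what a listing that names every prefix verbatim prints).
    meaning:   what the prefix does on this opcode per the Intel SDM:
               'bnd'          F2 on near CALL/RET/JMP/Jcc (MPX; no-op without MPX)
               'repne'/'rep'  on a string instruction
               'other'        F2/F3 on anything else (mandatory SSE prefix,
                              PAUSE, ENDBR64, or simply ignored); not modelled
    """
    legacy, i = split_prefixes(code)
    cls = opcode_class(code, i)
    if 0xF2 in legacy:
        return "repne", {"branch": "bnd", "string": "repne"}.get(cls, "other")
    if 0xF3 in legacy:
        return "rep", {"string": "rep"}.get(cls, "other")
    return None, None


def annotate(listing):
    """Attach (byte_name, meaning) to each (address, hex bytes) pair."""
    return [(addr, *decode_prefix(bytes.fromhex(hx))) for addr, hx in listing]


# Constructed input: the opcode bytes from the IDA listing posted in this thread.
SAMPLE = [
    (0x1400010A0, "483B0D611F0000"),   # cmp rcx, [rip+0x1f61]
    (0x1400010A7, "F27512"),           # F2 + jne rel8
    (0x1400010AA, "48C1C110"),         # rol rcx, 0x10
    (0x1400010AE, "66F7C1FFFF"),       # test cx, 0xffff
    (0x1400010B3, "F27502"),           # F2 + jne rel8
    (0x1400010B6, "F2C3"),             # F2 + ret
]

if __name__ == "__main__":
    for addr, byte_name, meaning in annotate(SAMPLE):
        print(f"{addr:#x}: prefix byte={byte_name!s:6} meaning={meaning}")
```

Run it on a listing of (address, hex) pairs and compare the two columns: wherever byte_name is "repne" but meaning is "bnd", the two disassemblers will disagree exactly as in this issue. F2 in front of an SSE opcode (for example F2 0F 10, movsd) lands in "other", which is the reminder that the prefix byte alone never determines the mnemonic; the opcode does.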

fay59 commented 7 years ago

Some old AMD CPUs exhibit a branch prediction bug when you have a jump going straight to another jump (or return). Jumping to the rep prefix instead is a workaround for it. Both Intel and AMD CPUs tolerate it without any adverse effects.

aquynh commented 7 years ago

yes, but i mean it is better to remove REP in the disassembly output in such a case.