Closed KKomarov closed 3 years ago
Hi @KKomarov If I read your assembly correctly, it's:
26 48 48 89 10
which is composed of:
Maybe I am wrong here, but I think you can have only one (at maximum) REX prefix, so this instruction seems not to be legit as it's composed of two REX prefixes.
Have I missed something @KKomarov ?
Hum, I just got this from https://wiki.osdev.org/X86-64_Instruction_Encoding#REX_prefix:
The use of multiple REX prefixes is undefined, although processors seem to use only the last REX prefix.
The current Miasm implementation only takes one prefix. Maybe we could do some modifications in order to interpret the last REX in case of multiple REX prefixes.
@serpilliere I just took this from a real binary. It seems like part of an anti-analysis feature. I tested IDA and Zydis; they treat this fine.
@serpilliere Is it an easy fix? If you can tell me what should be done, I can make a PR.
Hi @KKomarov yep: the code here: https://github.com/cea-sec/miasm/blob/master/miasm/arch/x86/arch.py#L754 takes the last byte read (which is not a prefix, so may be a REX) and, if it is a REX, modifies the instruction value. Maybe it's around there. We may modify this to do a second loop and parse while it's a REX.
If you want to try the modification, go for it @KKomarov. If not, I may look at this by the end of the week.
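As an added illustration of the prefix handling discussed above (my own example, not Miasm's code), a small Python decoder that consumes legacy prefixes, then loops over consecutive REX bytes and keeps the last one, as the OSDev note describes, and decodes the `26 48 48 89 10` bytes from this issue. Only opcode 0x89 with a plain `[reg]` memory operand is implemented; the `decode` function and its `multiple_rex` switch are names I chose for this example.

```python
LEGACY_PREFIXES = {0x26: "es", 0x2E: "cs", 0x36: "ss", 0x3E: "ds",
                   0x64: "fs", 0x65: "gs", 0xF0: None, 0xF2: None, 0xF3: None}
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
          "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]


def decode(code, multiple_rex="last"):
    """Decode one MOV r/m64,r64 / MOV r/m32,r32 (opcode 0x89) with a [reg]
    memory operand, 64-bit mode. Returns (asm_text, bytes_consumed).

    multiple_rex="last"   keep only the last REX byte (what processors are
                          observed to do when several REX bytes are chained)
    multiple_rex="reject" raise ValueError instead, like a strict decoder
    """
    i, segment = 0, None
    # Legacy prefixes: any number, any order. 0x66/0x67 change operand/address
    # size and are out of scope here, so they are refused rather than misdecoded.
    while i < len(code) and code[i] in LEGACY_PREFIXES:
        if LEGACY_PREFIXES[code[i]] is not None:
            segment = LEGACY_PREFIXES[code[i]]  # last segment override wins
        i += 1
    if i < len(code) and code[i] in (0x66, 0x67):
        raise NotImplementedError("operand/address-size prefixes not handled")
    # REX prefixes are 0x40..0x4F in 64-bit mode. A decoder that reads only one
    # would treat the second REX byte as the opcode and fail; loop instead.
    rex, rex_count = 0, 0
    while i < len(code) and 0x40 <= code[i] <= 0x4F:
        rex, rex_count, i = code[i], rex_count + 1, i + 1
    if rex_count > 1 and multiple_rex == "reject":
        raise ValueError("%d REX prefixes, only one allowed" % rex_count)
    rex_w, rex_r, rex_b = bool(rex & 8), (rex >> 2) & 1, rex & 1
    if i + 1 >= len(code) or code[i] != 0x89:
        raise NotImplementedError("only opcode 0x89 is decoded in this example")
    modrm = code[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0 or rm in (4, 5):  # rm=100 needs a SIB byte, rm=101 is RIP-relative
        raise NotImplementedError("only plain [reg] memory operands are decoded")
    src = (REGS64 if rex_w else REGS32)[reg | (rex_r << 3)]
    base = REGS64[rm | (rex_b << 3)]
    size = "qword" if rex_w else "dword"
    seg = segment + ":" if segment else ""
    return "mov %s ptr %s[%s], %s" % (size, seg, base, src), i + 2


if __name__ == "__main__":
    # Constructed input: the bytes reported in this issue (ES override, two REX.W).
    print(decode(bytes.fromhex("26 48 48 89 10")))
```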
Fixed
Failed to disasm
mov qword ptr es:[rax], rdx
(26 48 48 89 10 in hex)
Tested on recent master https://github.com/cea-sec/miasm/commit/42528eff158475d1eca930b06754003242d5f1c1