chyyuu / distorm

Automatically exported from code.google.com/p/distorm
GNU General Public License v3.0
0 stars 0 forks source link

Imm size is wrong for mov [dword ptr]rsp,0x42 #76

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
In what mode did you try to disassemble (16/32/64)?
64 bit

What is the input buffer (binary stream) you used to reproduce the problem?
Use hex.
C7 44 24 20 42 00 00 00 mov         dword ptr [rsp+20h],42h 

What is the expected output (or what instruction)?
mov         dword ptr [rsp+20h],42h 

Which tool did you use to see the expected output?
diStorm
What do you see instead?
diStorm disassembles the instruction correctly, but when going through the 
DecomposedInst, the Imm size is reported as 64 (bit I assume), it should be 32 
if I understand correctly

What version of diStorm are you using? On what platform (Python/EXE/other)?

Please provide any additional information below.

Original issue reported on code.google.com by d...@houmus.org on 22 Sep 2013 at 4:42

GoogleCodeExporter commented 9 years ago
I will check it out, might be a bug indeed. Normally it should be sign extended 
to 64.
Thanks

Original comment by distorm@gmail.com on 22 Sep 2013 at 9:27

GoogleCodeExporter commented 9 years ago
I have a very similar issue with this opcode/instruction:
4a c7 05 2a 00 01 00 20 00 00 00

This is:
mov cs:qword_1800109a2, 20h

From IDA. The 2nd operand should be 32-bits, and the dispSize 32-bits. diStorm 
incorrectly reports the immediate size as 64-bits (I guess because it's a mov 
qword).

I need this as I need to actually modify the 2nd operand. Without knowing the 
exact number of bytes of the operand itself I can't modify it correctly.

Original comment by crobe...@bongle.co.uk on 3 Aug 2014 at 12:03

GoogleCodeExporter commented 9 years ago
Fixed.
From now on imm32 will be sized as 32 bit with the FLAG_IMM_SIGNED flag marked 
too.

Original comment by distorm@gmail.com on 13 Dec 2014 at 4:46