cmpham / distorm

Automatically exported from code.google.com/p/distorm
GNU General Public License v3.0

opcode == 83 on OSX but opcode == 462 on Windows? #25

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I'm seeing some different results from distorm3.Decompose depending on the 
platform where it runs. Below is output from a Windows and OSX machine, both 
running the same revision of code (186) and both given the same input buffer. 
Note opcode == 83 on OSX but opcode == 462 on Windows. 

On my OSX machine, sys.maxint is 9223372036854775807. On Windows, sys.maxint is 
2147483647...not sure if that's part of the cause. 

C:\volatility20>python
Python 2.6.5 (r265:79096, Mar 19 2010, 21:48:26) [MSC v.1500 32 bit (Intel)] on 
win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import distorm3
>>> for op in distorm3.Decompose(0, "\xe9\x91\xbf=\x8f", distorm3.Decode32Bits):
...     print op.__dict__
...
{'mnemonic': 'JMP', 'operands': [<distorm3.Operand object at 0x01850530>], 
'flowControl': 'FC_UNC_BRANCH', 'instructionClass': 'ISC_INTEGER', 'flags': [], 
'rawFlags': 1280, 'opcode': 462, 'address': 0L, 'unusedPrefixesMask': 0, 
'instructionBytes': '\xe9\x91\xbf=\x8f', 'dt': 1, 'segment': 255, 'valid': 
True, 'isSegmentDefault': False, 'size': 5}
>>> print distorm3.__revision__
$Id: distorm.py 186 2010-05-01 14:20:41Z gdabah $

$ python
Python 2.6.1 (r261:67515, Jun 24 2010, 21:47:49) 
[GCC 4.2.1 (Apple Inc. build 5646)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import distorm3
>>> for op in distorm3.Decompose(0, "\xe9\x91\xbf=\x8f", distorm3.Decode32Bits):
...     print op.__dict__
... 
{'mnemonic': 'JMP', 'operands': [<distorm3.Operand object at 0x1004e3c50>], 
'flowControl': 'FC_UNC_BRANCH', 'instructionClass': 'ISC_INTEGER', 'flags': [], 
'rawFlags': 1280, 'opcode': 83, 'address': 0L, 'instructionBytes': 
'\xe9\x91\xbf=\x8f', 'dt': 1, 'valid': True, 'size': 5}
>>> print distorm3.__revision__
$Id: distorm.py 186 2010-05-01 14:20:41Z gdabah $

Original issue reported on code.google.com by michael.hale@gmail.com on 15 Aug 2011 at 1:33

GoogleCodeExporter commented 9 years ago
Hey MH

You need to use the definitions of the instructions enum; they start with I_ 
followed by the name of the mnemonic.
See mnemonics.h, or for Python look it up from Mnemonics["XOR"], for instance.

It's because I changed the internal way opcode-ids work and you used something 
hardcoded rather than using the mnemonic tables too :(

Let me know if you managed to fix it.
Thanks

Original comment by distorm@gmail.com on 15 Aug 2011 at 2:18

GoogleCodeExporter commented 9 years ago
Great, thank you. I fixed the check in my code by using op.mnemonic == "CALL" 
instead of op.opcode == 83. 

Original comment by michael.hale@gmail.com on 15 Aug 2011 at 2:58
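As an added example (not distorm's code, and written in Python 3 without importing distorm3 so it runs offline), the constructed toy decoder below reproduces the failure mode in this thread: a hardcoded opcode id breaks when the mnemonic tables are regenerated for another build, while looking the id up in the build's own table, as the maintainer suggests, gives the same answer everywhere. The two id tables and the E8/E9/EB/90 decoder are constructed for illustration only.

```python
import struct
from collections import namedtuple

# Constructed stand-in carrying the mnemonic/opcode/size fields the thread
# reads from distorm3's decoded objects (this module does not import distorm3).
Insn = namedtuple("Insn", "address mnemonic opcode size target")

# Two constructed mnemonic->id tables standing in for two distorm builds whose
# ids were regenerated: the numbers differ, the names are the stable contract.
MNEMONICS_BUILD_A = {"CALL": 83, "JMP": 84, "NOP": 85}
MNEMONICS_BUILD_B = {"CALL": 462, "JMP": 463, "NOP": 464}

# Toy 32-bit x86 decoder covering only the relative branch forms discussed:
# opcode byte -> (mnemonic, width in bytes of the signed displacement).
BRANCH_FORMS = {0xE8: ("CALL", 4), 0xE9: ("JMP", 4), 0xEB: ("JMP", 1), 0x90: ("NOP", 0)}

def decode32(address, code, mnemonics):
    """Decode the instruction at code[0] and tag it with the id from `mnemonics`."""
    name, width = BRANCH_FORMS.get(code[0], (None, None))
    if name is None:
        raise ValueError("unsupported opcode 0x%02x" % code[0])
    size = 1 + width
    if len(code) < size:
        raise ValueError("truncated instruction")
    target = None
    if width:
        rel = struct.unpack_from("<b" if width == 1 else "<i", code, 1)[0]
        target = (address + size + rel) & 0xFFFFFFFF  # sign-extended, wraps at 2**32
    return Insn(address, name, mnemonics[name], size, target)

def is_call_fragile(insn):
    """The original check: an id frozen from one build of the tables."""
    return insn.opcode == 83

def is_call_portable(insn, mnemonics):
    """The fix: look the id up in the build's own table (or test insn.mnemonic == "CALL")."""
    return insn.opcode == mnemonics["CALL"]

def classify_across_builds(code):
    """Run both checks under both builds: the fragile one flips, the portable one does not."""
    results = {}
    for label, table in (("A", MNEMONICS_BUILD_A), ("B", MNEMONICS_BUILD_B)):
        insn = decode32(0, code, table)
        results[label] = (is_call_fragile(insn), is_call_portable(insn, table))
    return results

# Constructed inputs: the JMP rel32 from the thread, a CALL to the following instruction.
JMP_BYTES = b"\xe9\x91\xbf\x3d\x8f"
CALL_BYTES = b"\xe8\x00\x00\x00\x00"
```

`classify_across_builds(CALL_BYTES)` returns `{'A': (True, True), 'B': (False, True)}`: the hardcoded check only recognises the CALL under the build it was copied from.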

GoogleCodeExporter commented 9 years ago

Original comment by distorm@gmail.com on 19 Aug 2011 at 10:20