howardjack / distorm

Automatically exported from code.google.com/p/distorm
GNU General Public License v3.0

PeekMessage Bug #57

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
In what mode did you try to disassemble (16/32/64)?
32 bit

What is the input buffer (binary stream) you used to reproduce the problem?
Use hex.
8B FF                                  mov     edi, edi
55                                     push    ebp
8B EC                                  mov     ebp, esp
64 A1 18 00 00 00                      mov     eax, large fs:18h 

What is the expected output (or what instruction)?
mov eax, large fs:18h instruction is disassembled as 64 bit.

Which tool did you use to see the expected output?
IDA.

What do you see instead?

What version of diStorm are you using? On what platform (Python/EXE/other)?
Distorm 3

Please provide any additional information below.
Please see PeekMessageW for testing.

Original issue reported on code.google.com by emre.tin...@zemana.com on 12 Nov 2012 at 11:35

GoogleCodeExporter commented 9 years ago
I took your input and decoded it, and I got your exact output as well.
So I don't see what the problem is; what does it have to do with 64 bits?
I even looked at PeekMessageW in IDA, and diStorm returns the same output.
So what exactly is the problem? Can you give more info?

Original comment by distorm@gmail.com on 17 Nov 2012 at 11:39

GoogleCodeExporter commented 9 years ago
- The test is performed on a Win7 x64 machine with a WoW64 process.
- I confirm that "Decode32Bits" is used, since it is a 32-bit process.
- I used VS2012 to perform the test.
- The 2nd instruction's string representation is wrong.
- The 4th instruction's second operand is treated as an r/m64 address.

Since the 4th instruction is treated in the wrong way, this messes up the following
instructions.

Please see the two outputs below:

DISTORM3 Output:
 1.2.1.293 - Disassembled => 8bff MOV EDI, EDI
*1.2.1.293 - Disassembled => 55 PUSH RBP
 1.2.1.293 - Disassembled => 8bec MOV EBP, ESP
*1.2.1.293 - Disassembled => 64a11800000053568bb0 MOV EAX, [FS:0xb08b565300000018]
 1.2.1.293 - Disassembled => 700f JO 0x20
 1.2.1.293 - Disassembled => 0000 ADD [RAX], AL

IDA Output:
 8B FF               mov     edi, edi
*55                  push    ebp
 8B EC               mov     ebp, esp
*64 A1 18 00 00 00   mov     eax, large fs:18h
 53                  push    ebx
 56                  push    esi

Original comment by emre.tin...@zemana.com on 17 Nov 2012 at 4:57

GoogleCodeExporter commented 9 years ago
Please send me your code privately to distorm@gmail.com.
Thanks!

Original comment by distorm@gmail.com on 18 Nov 2012 at 2:49

GoogleCodeExporter commented 9 years ago
Latest version from Python:

import distorm3  # the distorm3 Python package

# Python 2 (str.decode('hex')); on Python 3 use bytes.fromhex(...).
# The third argument, 1, is distorm3.Decode32Bits.
distorm3.Decode(0, "8bff558bec64a118000000".decode('hex'), 1)

(0L, 2L, 'MOV EDI, EDI', '8bff')
(2L, 1L, 'PUSH EBP', '55')
(3L, 2L, 'MOV EBP, ESP', '8bec')
(5L, 6L, 'MOV EAX, [FS:0x18]', '64a118000000')

I am pretty convinced you have a problem in your code. But who knows... bugs 
are always surprising.

Original comment by distorm@gmail.com on 18 Nov 2012 at 2:59
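The discrepancy argued about in this thread, as an added example that is not part of the original issue and is not diStorm's code: a minimal x86 decoder that handles only the opcodes in the reporter's dump, run over the same bytes in 32-bit and in 64-bit mode. The input byte string is reassembled from the hex in the two outputs above (8bff 55 8bec 64a118000000 53 56 8bb0 700f 0000); the decoder's handling of the trailing six bytes in 32-bit mode is my own and is not shown on the page. The point it makes is that the reporter's listing is exactly what a 64-bit decode produces: in long mode `55` is `PUSH RBP`, and `A1` (MOV EAX, moffs) takes an 8-byte address instead of a 4-byte one, so it swallows `53 56 8B B0` and everything after it is desynchronised.

```python
"""Constructed example (not diStorm's decoder): a tiny x86 decoder covering
only the opcodes in this issue, to show why the same bytes decode
differently in 32-bit and 64-bit mode."""

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
REG64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]
REG8 = ["AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH"]
SEG_PREFIX = {0x26: "ES", 0x2E: "CS", 0x36: "SS", 0x3E: "DS", 0x64: "FS", 0x65: "GS"}


def _take(code, pos, n):
    """Return code[pos:pos+n], refusing to read past the end of the buffer."""
    if pos + n > len(code):
        raise ValueError("truncated instruction")
    return code[pos:pos + n]


def _modrm(code, pos, mode, regs):
    """Decode a ModRM byte (no SIB or disp-only forms; enough for this issue).
    Returns (bytes consumed, reg-field operand, r/m operand)."""
    modrm = _take(code, pos, 1)[0]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        return 1, regs[reg], regs[rm]
    if rm == 4 or (mod == 0 and rm == 5):
        raise ValueError("SIB / disp-only addressing not handled here")
    base = (REG64 if mode == 64 else REG32)[rm]  # address size follows the mode
    if mod == 0:
        return 1, regs[reg], f"[{base}]"
    width = 1 if mod == 1 else 4
    disp = int.from_bytes(_take(code, pos + 1, width), "little", signed=True)
    sign = "+" if disp >= 0 else "-"
    return 1 + width, regs[reg], f"[{base}{sign}0x{abs(disp):X}]"


def decode_one(code, pos, mode):
    """Decode one instruction at code[pos] in the given mode (32 or 64).
    Returns (length, text); raises ValueError for anything unsupported."""
    start = pos
    seg = SEG_PREFIX.get(_take(code, pos, 1)[0])
    if seg:
        pos += 1
    op = _take(code, pos, 1)[0]
    pos += 1
    if 0x50 <= op <= 0x57:
        # PUSH r: operand size defaults to 64 bits in long mode (no REX needed),
        # so 55 is PUSH EBP in 32-bit mode but PUSH RBP in 64-bit mode.
        regs = REG64 if mode == 64 else REG32
        return pos - start, f"PUSH {regs[op - 0x50]}"
    if op in (0x8B, 0x00):  # 8B: MOV r32, r/m32   00: ADD r/m8, r8
        n, reg, rm = _modrm(code, pos, mode, REG32 if op == 0x8B else REG8)
        if seg and rm.startswith("["):
            rm = f"[{seg}:{rm[1:]}"
        text = f"MOV {reg}, {rm}" if op == 0x8B else f"ADD {rm}, {reg}"
        return pos - start + n, text
    if op == 0xA1:
        # MOV EAX, moffs: the operand is a full address-size immediate,
        # 4 bytes in 32-bit mode but 8 bytes in 64-bit mode. Decoding in the
        # wrong mode swallows the next four bytes into the address.
        width = 8 if mode == 64 else 4
        addr = int.from_bytes(_take(code, pos, width), "little")
        segtxt = f"{seg}:" if seg else ""
        return pos - start + width, f"MOV EAX, [{segtxt}0x{addr:X}]"
    if op == 0x70:  # JO rel8, target is relative to the end of the instruction
        rel = int.from_bytes(_take(code, pos, 1), "little", signed=True)
        return pos - start + 1, f"JO 0x{(pos + 1 + rel) & 0xFFFFFFFF:X}"
    raise ValueError(f"opcode 0x{op:02X} not handled")


def disassemble(code, mode):
    """Linear sweep from offset 0; undecodable bytes become DB so the sweep
    keeps going. Returns a list of (offset, hex, text)."""
    out, pos = [], 0
    while pos < len(code):
        try:
            n, text = decode_one(code, pos, mode)
        except ValueError:
            n, text = 1, f"DB 0x{code[pos]:02X}"
        out.append((pos, code[pos:pos + n].hex(), text))
        pos += n
    return out


# Bytes reassembled from the hex in the reporter's diStorm and IDA dumps
# (8bff 55 8bec 64a118000000 53 56 8bb0 700f 0000); constructed test input.
PEEKMESSAGE_PROLOGUE = bytes.fromhex("8bff558bec64a11800000053568bb0700f0000")

if __name__ == "__main__":
    for mode in (32, 64):
        print(f"--- decoded as {mode}-bit")
        for off, hx, text in disassemble(PEEKMESSAGE_PROLOGUE, mode):
            print(f"{off:3d}  {hx:<22} {text}")
```

Run as a script it prints both listings; the 64-bit one reproduces the reporter's `PUSH RBP`, `MOV EAX, [FS:0xB08B565300000018]`, `JO 0x20`, `ADD [RAX], AL` line for line, which is the quickest way to check which decode mode a caller actually passed.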

GoogleCodeExporter commented 9 years ago
Confirmed that the problem was with using diStorm.

Original comment by distorm@gmail.com on 19 Nov 2012 at 5:41