immediate sizes 64 bit

[GoogleCodeExporter]

I believe somewhere you've documented all immediates will be sextended to 64 
bit. I just find it a little strange so I dump it here just in case. Feel free 
to dismiss/ignore

In what mode did you try to disassemble (16/32/64)?
64
What is the input buffer (binary stream) you used to reproduce the problem?
Use hex.

What is the expected output (or what instruction)?
MOV ECX, 0xffffffff
OP:  Register 32
OP:  Immediate 32

Which tool did you use to see the expected output?
from distorm3 import Decompose, Decode32Bits, Decode64Bits

pc = 0x0418c10
text = "b9ffffffff".decode('hex')           # mov    ECX, 0xffffffff
instruction = Decompose(pc, text, Decode64Bits)[0]
print instruction
for op in instruction.operands:
    print "OP: ", op.type, op.size

What do you see instead?
MOV ECX, 0xffffffffffffffff
OP:  Register 32
OP:  Immediate 64

What version of diStorm are you using? On what platform (Python/EXE/other)?
3-3 (svn Revision: 243)

Please provide any additional information below.

Original issue reported on code.google.com by felipe.a...@gmail.com on 10 Jul 2013 at 6:02

[GoogleCodeExporter]

It might indeed be confusing if one doesn't know the rules of x64, but 
basically when you are moving an immediate to a 32 bits, it gets zero extended 
to 64 bits, and thus rewriting high dword of RCX too, as in your case. 
Therefore the idea was to aid the understanding that the register itself is 32 
bits, right, but it's supposed to be extended. Hope it helps, I will add it to 
documentation though.

Original comment by distorm@gmail.com on 2 Aug 2013 at 12:16

• Changed state: WontFix

[GoogleCodeExporter]

Zero extend a 64 bit immediate 0xffffffffffffffff to what? 128 bits?
The problem is that the immediate is reported to be a 64 bit value and not a 
zero extendible 32 bit value. 

Original comment by felipe.a...@gmail.com on 2 Aug 2013 at 2:56