Open VPaulV opened 8 years ago
What is ds? Why should it be parsed?
On 19 May 2016, at 04:48, Paul notifications@github.com wrote:
parser.rs fails to parse esil expressions that contain DUP instruction: 0,zf,=,cf,401528,+,eax,+,0,cf,=,DUP,0xffffffff,<,?{,1,cf,=,},eax,=,=,0xffffffff,eax,&,!,?{,1,zf,=,}
Also expressions with 'ds' are not parsed: esp,[4],ds,=,4,esp,+
@radare Well, it was my first question that I asked in #radare xD One can get an expression containing 'ds' with this sample: malware_sample.zip - Password:infected
Which instruction produces this esil?
On 19 May 2016, at 12:52, Paul notifications@github.com wrote:
@radare Well, it was my first question that I asked in #radare xD One can get 'ds' with this sample: malware_sample.zip - Password:infected
asm:
0x0042edc0 1e push ds
...
0x0042f5c4 1f pop ds
esil:
0x0042edc0 1e 4,esp,-=,ds,esp,=[4] ; esp=0xfffffffb -> 0xffffff00
...
0x0042f5c4 1f esp,[4],ds,=,4,esp,+=
OK, it's 16-bit x86 code. This is OK; the problem is that the ds
register is not in the regprofile, that thing just needs to be fixed.
ds is the data segment register
On 19 May 2016, at 15:40, Paul notifications@github.com wrote:
asm:
0x0042edc0 1e push ds
...
0x0042f5c4 1f pop ds
esil:
0x0042edc0 1e 4,esp,-=,ds,esp,=[4] ; esp=0xfffffffb -> 0xffffff00
...
0x0042f5c4 1f esp,[4],ds,=,4,esp,+=
https://github.com/radare/radeco/issues/14#issuecomment-220327202
@kriw @HMPerson1 @chinmaydd please check if this is still applicable. If not, close.
parser.rs fails to parse esil expressions that contain DUP opcode:
0,zf,=,cf,401528,+,eax,+,0,cf,=,DUP,0xffffffff,<,?{,1,cf,=,},eax,=,=,0xffffffff,eax,&,!,?{,1,zf,=,}
Also expressions with 'ds' are not parsed:
esp,[4],ds,=,4,esp,+
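The two failures reported in this issue come down to tokens that match neither an operator nor a register in the profile. The sketch below is an added example, not radeco's parser.rs or radare2's register profile; the `OPS` and `REGS` tables and the helper names are assumptions covering only what the two quoted expressions use.

```rust
// Added example (not radeco's parser.rs): classify ESIL tokens against an
// operator table and a register profile, and report tokens matching neither.
#[derive(Debug, PartialEq)]
enum Tok { Const(u64), Reg(String), Op(String), Unknown(String) }

// Expressions quoted in the issue (the DUP one, and the ESIL for `pop ds`).
const DUP_EXPR: &str = "0,zf,=,cf,401528,+,eax,+,0,cf,=,DUP,0xffffffff,<,?{,1,cf,=,},eax,=,=,0xffffffff,eax,&,!,?{,1,zf,=,}";
const POP_DS: &str = "esp,[4],ds,=,4,esp,+=";

// Assumed tables for this sketch: deliberately missing DUP and ds.
const OPS: &[&str] = &["=", "+", "<", "&", "!", "?{", "}", "[4]", "=[4]", "+=", "-="];
const REGS: &[&str] = &["eax", "esp", "zf", "cf"];

fn classify(t: &str, ops: &[&str], regs: &[&str]) -> Tok {
    // Constants first: 0x-prefixed hex, otherwise plain digits.
    let num = match t.strip_prefix("0x") {
        Some(hex) => u64::from_str_radix(hex, 16).ok(),
        None => t.parse::<u64>().ok(),
    };
    if let Some(n) = num { return Tok::Const(n); }
    if ops.contains(&t) { return Tok::Op(t.to_string()); }
    if regs.contains(&t) { return Tok::Reg(t.to_string()); }
    Tok::Unknown(t.to_string())
}

// ESIL is a comma-separated postfix string; collect every unclassifiable token.
fn unknown_tokens(expr: &str, ops: &[&str], regs: &[&str]) -> Vec<String> {
    expr.split(',')
        .filter_map(|t| match classify(t, ops, regs) {
            Tok::Unknown(s) => Some(s),
            _ => None,
        })
        .collect()
}

// Return a copy of a table with one more entry.
fn extend(base: &[&'static str], extra: &'static str) -> Vec<&'static str> {
    let mut v = base.to_vec();
    v.push(extra);
    v
}

fn main() {
    // Incomplete tables reproduce both reported failures.
    println!("{:?}", unknown_tokens(DUP_EXPR, OPS, REGS));
    println!("{:?}", unknown_tokens(POP_DS, OPS, REGS));
    // Adding the DUP operator and the ds segment register clears them.
    println!("{:?}", unknown_tokens(DUP_EXPR, &extend(OPS, "DUP"), REGS));
    println!("{:?}", unknown_tokens(POP_DS, OPS, &extend(REGS, "ds")));
}
```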