x64dbg / x64dbg

An open-source user mode debugger for Windows. Optimized for reverse engineering and malware analysis.
http://x64dbg.com

Some immediate args are assembled incorrectly (XEDParse only) #539

Open prolium opened 8 years ago

prolium commented 8 years ago

Example, try assembling the following:

cmp dword ptr [eax], 0x780
opcodes: 81 38 80 07 00 00

it will be assembled as:

cmp dword ptr [eax], FFFFFF80
opcodes: 83 38 80

prolium commented 8 years ago

another 2 examples:

cmp dword ptr [eax], 0x1E00 ---> cmp dword ptr [eax], 0
cmp dword ptr [eax], 0x1E0 ---> cmp dword ptr [eax], 0xFFFFFFE0

EDIT: also cmp dword ptr [eax], 0x1F00 ---> cmp dword ptr [eax], 0

actually the immediates 1E??, 1F??, and 7?? will always be truncated to ?? until ?? = 7F, then it flips to -ve values as shown in the 1st post. so:

cmp dword ptr [eax], 0x1E00 ---> cmp dword ptr [eax], 0
cmp dword ptr [eax], 0x1E01 ---> cmp dword ptr [eax], 1
cmp dword ptr [eax], 0x1E7F ---> cmp dword ptr [eax], 7F
cmp dword ptr [eax], 0x1E80 ---> cmp dword ptr [eax], FFFFFF80
cmp dword ptr [eax], 0x1E99 ---> cmp dword ptr [eax], FFFFFF99

etc...

prolium commented 8 years ago

As of the introduction of Keystone, this issue is now related to XEDParse only.

mrexodia commented 8 years ago

This issue should be fixed somewhere in an upcoming build; if you want to try it right now, download the latest XEDParse release from https://github.com/x64dbg/XEDParse/releases/download/1.0.24/release.zip

On Mon, 13 Jun 2016 at 07:26, wk notifications@github.com wrote:

As of the introduction of Keystone, this issue is now related to XEDParse only.


prolium commented 8 years ago

Most of it is solved, but the following cases are still failing:

cmp dword ptr ds:[eax], 0x80 ---> cmp dword ptr ds:[eax], FFFFFF80
cmp dword ptr ds:[eax], 0x8F ---> cmp dword ptr ds:[eax], FFFFFF8F
cmp dword ptr ds:[eax], 0x90 ---> cmp dword ptr ds:[eax], FFFFFF90
cmp dword ptr ds:[eax], 0x9F ---> cmp dword ptr ds:[eax], FFFFFF9F

So basically the whole range of 0x80 and 0x90
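As an added illustration for the cases in this thread (example code, not x64dbg or XEDParse code), the following Python encoder for `cmp dword ptr [eax], imm` applies the correct selection rule: the sign-extended imm8 form (`83 /7 ib`) only when the immediate, read as a signed 32-bit value, lies in -128..127, otherwise the full imm32 form (`81 /7 id`). Beside it sits a hypothetical model of the reported output (truncate to the low byte, always emit `83`), which is an assumption fitted to the examples above and not XEDParse's actual logic, plus a decoder that shows what immediate the emitted bytes really compare against; the 0x80 boundary from the last post is covered as well.

```python
# Added example, not x64dbg/XEDParse code: correct vs. observed encoding of
# "cmp dword ptr [eax], imm" and a decoder for the resulting immediate.
import struct

OPCODE_IMM8 = 0x83    # cmp r/m32, imm8 (sign-extended to 32 bits), /7
OPCODE_IMM32 = 0x81   # cmp r/m32, imm32, /7
MODRM_CMP_EAX = 0x38  # mod=00, reg=/7 (cmp), rm=000 -> [eax]


def to_signed32(value):
    """Interpret a 32-bit pattern as a signed integer (e.g. 0xFFFFFF80 -> -128)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def encode_cmp_eax_mem(imm):
    """Shortest correct encoding: imm8 form only if the value survives sign-extension."""
    signed = to_signed32(imm)
    if -128 <= signed <= 127:
        return bytes([OPCODE_IMM8, MODRM_CMP_EAX]) + struct.pack("<b", signed)
    # 0x80..0x7FFFFFFF and everything below -128 need the full imm32 form.
    return bytes([OPCODE_IMM32, MODRM_CMP_EAX]) + struct.pack("<I", imm & 0xFFFFFFFF)


def buggy_encode(imm):
    """Hypothetical model of the reported behaviour (assumption, not XEDParse code):
    the immediate is truncated to its low byte and the imm8 form is always chosen."""
    return bytes([OPCODE_IMM8, MODRM_CMP_EAX, imm & 0xFF])


def decode_imm(code):
    """Return the 32-bit immediate that a cmp [eax], imm encoding actually compares against."""
    if code[0] == OPCODE_IMM8 and code[1] == MODRM_CMP_EAX:
        # The CPU sign-extends imm8, so 0x80 becomes 0xFFFFFF80.
        return struct.unpack("<b", code[2:3])[0] & 0xFFFFFFFF
    if code[0] == OPCODE_IMM32 and code[1] == MODRM_CMP_EAX:
        return struct.unpack("<I", code[2:6])[0]
    raise ValueError("not a cmp dword ptr [eax], imm encoding")


def round_trip_ok(imm):
    """True if encoding and decoding an immediate preserves its 32-bit value."""
    return decode_imm(encode_cmp_eax_mem(imm)) == (imm & 0xFFFFFFFF)


if __name__ == "__main__":
    for imm in (0x780, 0x1E00, 0x1E7F, 0x1E80, 0x80, 0xFFFFFF80):
        print(f"{imm:#010x}: correct={encode_cmp_eax_mem(imm).hex(' ')}"
              f" observed={buggy_encode(imm).hex(' ')}"
              f" (compares against {decode_imm(buggy_encode(imm)):#010x})")
```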