athre0z
commented
3 years ago Hi @fred26!
This is expected behavior. ZYDIS_OPERAND_VISIBILITY_IMPLICIT and ZYDIS_OPERAND_VISIBILITY_EXPLICIT have a bit of a misleading name. What "implicit" means here is that the operand is specified in the instruction itself (the opcode) rather than being chosen through a generic means such as ModRM encoding.
For 0x25, 0xFF, 0x03, 0x00, 0x00 the instruction structure looks like this:
25 FF 03 00 00
: :..IMM
:..OPCODEFor 0x83, 0xE0, 0x0F, it looks like this:
83 E0 0F
: : :..IMM
: :..MODRM
:..OPCODEThe first instruction has the eax hardcoded in the opcode, the second one has it set via the ModRM portion of the instruction.
@flobernd since we've now heard this question twice in a rather short period of time, we should probably think about renaming these (and make the old constants a deprecated alias).
fred26
flobernd
I have tested 2 types of AND operations providing 2 different decoded results:
Just to test this, in the formatter01.c sample, I redefined ZyanU8 data[] to these:
ZyanU8 data[] = { 0x25, 0xFF, 0x03, 0x00, 0x00, // and eax, 000003FF 0x83, 0xE0, 0x0F // and eax, 0F };
The first decoded instruction (and eax, 000003FF) decodes first operand ZYDIS_REGISTER_EAX with visibility == ZYDIS_OPERAND_VISIBILITY_IMPLICIT
However, second instruction (and eax, 0F) decodes first operand ZYDIS_REGISTER_EAX with visibility == ZYDIS_OPERAND_VISIBILITY_EXPLICIT
To replicate this just use the formatter01.c sample and change the ZyanU8 data[] to the above.
Thanks