[diStorm]: REP+REX prefix ordering
Sanjay Patel
sanjay3000 at yahoo.com
Tue Feb 13 12:46:58 EST 2007
Hi Gil,
You are correct that diStorm is getting the mnemonic right - I checked using
your pre-built exe as well as stepping through with a debugger.
The double 0x48 problem was due to my caller code which goes through a byte
buffer only using the 1st instruction returned by diStorm before advancing
the buffer pointer:
1. diStorm decoded the CVTSI2SD, but returned 0x48 as the 1 byte first
"instruction" even though this was byte 0xf2.
2. My calling function advanced the pointer by 1 byte and called diStorm
again.
3. This time the byte stream starts at 0x48, so diStorm again returned a 1
byte instruction "0x48".
4. My calling function advanced the pointer by 1 byte again and called
diStorm with the starting byte 0xf - now diStorm decodes the instruction as
CVTPI2PS, and this is correct since the previous 0xf2 prefix is unknown.
I think the problem will be resolved if diStorm is not dropping the 0x48
prefix now. And I will improve my caller code. It is rather abusive to call
diStorm as my code was doing. :)
Thanks,
Sanjay
--- Gil Dabah <arkon at ragestorm.net> wrote:
> Hey Sanjay
>
> I'm afraid you're using an old version of diStorm.
> Even in version 1.5.16 in Python I get:
> [(0L, 1, 'PUSH RBP', '55'), (1L, 3, 'MOV RBP, RSP', '48 89e5'),
>  (4L, 4, 'MOV [RBP-0x8], RDI', '48 897d f8'), (8L, 1, 'DB 0x48', '48'),
>  (8L, 6, 'CVTSI2SD XMM1, DWORD [RBP-0x8]', 'f2 48 0f2a4d f8')]
>
> The 48 rex prefix isn't supposed to be dropped, and I fixed it locally.
> As well as the DWORD is supposed to be a QWORD, which was corrected in the
> same fix.
> But in both cases, even if you remove the 0x48, you get the correct
> *instruction* mnemonic, CVTSI2SD.
> And not what you mention, CVTPI2PS. And diStorm won't output the db 0x48
> twice... so that's another weird behaviour, or a bad copy/paste.
>
> I will release the new bug fix when we are both sure you don't have a
> problem, or after it's fixed.
> Please download the latest version and give it a shot.
> I would like you to check the stream you showed me in this email in Python
> too (just for making sure it's correct).
>
> Waiting for your reply-
> Thanks,
> Gil
>
>
> On 2/12/07, Sanjay Patel <sanjay3000 at yahoo.com> wrote:
> >
> >
> > Sorry - I made some mistakes with the output disassembly. This is what
> > GCC/GDB show:
> >
> > push rbp
> > mov rbp, rsp
> > mov [rbp-0x8], rdi
> > cvtsi2sd xmm1, [rbp-0x8]
> >
> > I'm getting this output from diStorm currently:
> >
> > push rbp
> > mov rbp, rsp
> > mov [rbp-0x8], rdi
> > db 0x48
> > db 0x48
> > cvtpi2ps xmm1, [rbp-0x8]
> >
> > --Sanjay
> >
> >
> > --- Sanjay Patel <sanjay3000 at yahoo.com> wrote:
> >
> > > I just found a bit of a problem decoding a multi-prefix SSE instruction
> > > from
> > > GCC. It produced this byte sequence:
> > >
> > > 0x55,
> > > 0x48, 0x89, 0xe5,
> > > 0x48, 0x89, 0x7d, 0xf8,
> > > 0xf2, 0x48, 0x0f, 0x2a, 0x4d, 0xf8,
> > >
> > > Which should be:
> > > push rbp
> > > mov rbp, rsp
> > > cvtsi2sd xmm1, -8(rbp)
> > >
> > > DiStorm got confused by the 0xf2, 0x48 prefix sequence, so it decoded
> > > the last instruction as a 'cvtpi2ps'.
> > >
> > > Note that the REX prefix and the SSE prefix are swapped from the normal
> > > way you would expect...but it appears this is legal codegen.
> > >
> > > --Sanjay
> > >
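The decoding rule this thread turns on, written out as an added example (this is not diStorm's code and not code from either participant): a REX byte may legally sit between a mandatory SSE prefix such as F2h and the 0Fh escape, so a decoder has to consume all prefixes before it can identify the opcode, and the mandatory prefix, not the REX, selects the instruction. The toy decoder below knows only PUSH r64, MOV r/m64,r64 and the 0F 2A opcode row, enough for the GCC bytes Sanjay posted; the prefix-ordering logic is the general rule from the Intel manual (a REX that is not immediately before the opcode is ignored, so "48 F2 0F 2A" loses its REX.W while "F2 48 0F 2A" keeps it). The scan loop also shows the caller-side point from the thread: advance by the length the decoder returned, never by a fixed byte count. Register-name tables, the DB fallback and the NotImplementedError cases are this example's own choices. Function names here are hypothetical and do not correspond to the diStorm API.

```python
# Added example: a minimal x86-64 decoder for the byte stream in this thread.
# Not diStorm code. Handles PUSH r64, MOV r/m64,r64 and the 0F 2A row only;
# the legacy/REX prefix ordering rules are general.

LEGACY_PREFIXES = {0x66, 0x67, 0xF0, 0xF2, 0xF3, 0x2E, 0x36, 0x3E, 0x26, 0x64, 0x65}
REG64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI",
         "R8", "R9", "R10", "R11", "R12", "R13", "R14", "R15"]
REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI",
         "R8D", "R9D", "R10D", "R11D", "R12D", "R13D", "R14D", "R15D"]


def parse_prefixes(buf, pos):
    """Consume legacy prefixes and REX in any order.
    A REX only counts if it immediately precedes the opcode/0F escape:
    a legacy prefix after REX voids it, a later REX replaces an earlier one."""
    legacy, rex = set(), 0
    while pos < len(buf):
        b = buf[pos]
        if b in LEGACY_PREFIXES:
            legacy.add(b)
            rex = 0                      # REX followed by a legacy prefix is ignored
        elif 0x40 <= b <= 0x4F:
            rex = b
        else:
            break
        pos += 1
    return legacy, rex, pos


def parse_modrm(buf, pos, rex):
    """Decode ModRM plus disp8/disp32. SIB and RIP-relative forms are not
    needed for this stream and are rejected rather than silently mis-decoded."""
    modrm = buf[pos]
    pos += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    reg |= (rex & 0x4) << 1              # REX.R extends reg
    rm |= (rex & 0x1) << 3               # REX.B extends r/m (or the base register)
    disp = None
    if mod != 3:
        if (rm & 7) == 4:
            raise NotImplementedError("SIB byte not handled in this example")
        if mod == 0 and (rm & 7) == 5:
            raise NotImplementedError("RIP-relative not handled in this example")
        disp = 0
        if mod == 1:
            disp = int.from_bytes(buf[pos:pos + 1], "little", signed=True)
            pos += 1
        elif mod == 2:
            disp = int.from_bytes(buf[pos:pos + 4], "little", signed=True)
            pos += 4
    return mod, reg, rm, disp, pos


def fmt_mem(size, base, disp):
    s = f"{size} [{REG64[base]}"
    if disp:
        s += f"{'+' if disp > 0 else '-'}0x{abs(disp):x}"
    return s + "]"


def decode_one(buf, start):
    """Decode the instruction at buf[start]; return (offset, length, text, hex)."""
    legacy, rex, pos = parse_prefixes(buf, start)
    if pos >= len(buf):
        raise ValueError("truncated instruction")
    rex_w, rex_b = bool(rex & 0x8), (rex & 0x1) << 3
    op = buf[pos]
    pos += 1
    if 0x50 <= op <= 0x57:                                   # PUSH r64
        text = f"PUSH {REG64[(op - 0x50) | rex_b]}"
    elif op == 0x89:                                         # MOV r/m, r (66h override not modelled)
        mod, reg, rm, disp, pos = parse_modrm(buf, pos, rex)
        regs, size = (REG64, "QWORD") if rex_w else (REG32, "DWORD")
        dst = regs[rm] if mod == 3 else fmt_mem(size, rm, disp)
        text = f"MOV {dst}, {regs[reg]}"
    elif op == 0x0F and pos < len(buf) and buf[pos] == 0x2A:  # the 0F 2A row
        pos += 1
        mod, reg, rm, disp, pos = parse_modrm(buf, pos, rex)
        # The mandatory prefix picks the instruction; REX.W then picks the
        # 32- vs 64-bit integer source for the CVTSI2xx forms.
        if 0xF2 in legacy or 0xF3 in legacy:
            mnem = "CVTSI2SD" if 0xF2 in legacy else "CVTSI2SS"
            regs, size = (REG64, "QWORD") if rex_w else (REG32, "DWORD")
            src = regs[rm] if mod == 3 else fmt_mem(size, rm, disp)
        else:                                                # mm/m64 source, REX.W irrelevant
            mnem = "CVTPI2PD" if 0x66 in legacy else "CVTPI2PS"
            src = f"MM{rm & 7}" if mod == 3 else fmt_mem("QWORD", rm, disp)
        text = f"{mnem} XMM{reg}, {src}"
    else:
        pos = start + 1                                      # undecodable: one-byte DB
        text = f"DB 0x{buf[start]:02x}"
    return (start, pos - start, text, buf[start:pos].hex(" "))


def decode_stream(buf):
    """Linear sweep that always advances by the length the decoder returned."""
    out, pos = [], 0
    while pos < len(buf):
        insn = decode_one(buf, pos)
        out.append(insn)
        pos += insn[1]
    return out


# The GCC bytes from the thread: push rbp / mov rbp,rsp / mov [rbp-8],rdi / cvtsi2sd.
STREAM = bytes.fromhex("55 4889e5 48897df8 f2480f2a4df8")

if __name__ == "__main__":
    for insn in decode_stream(STREAM):
        print(insn)
    print(decode_one(STREAM, 9))                          # REX but no F2: CVTPI2PS
    print(decode_one(bytes.fromhex("48f20f2a4df8"), 0))   # F2 after REX: REX.W voided
```

Decoding from offset 9 (skipping the F2) reproduces the CVTPI2PS reading from the thread, because without the mandatory prefix 0F 2A really is CVTPI2PS; the REX.W on the CVTSI2SD form is what makes the memory operand a QWORD rather than a DWORD.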