
x64: error in parsing some MOVHPS opcodes

Open · LRGH opened this issue 1 year ago · 1 comment

from amoco.arch.x64 import cpu_x64 as cpu
# 41 = REX.B, 0F 16 = MOVHPS/MOVLHPS opcode, 45 = ModRM (mod=01, reg=0, rm=5 -> r13 with REX.B), 68 = disp8
i = cpu.disassemble(b'\x41\x0f\x16\x45\x68\x00\x00')
assert i.length==5
assert i.mnemonic=='MOVHPS'
assert str(i) == 'movhps      xmm0, qword ptr [r13+0x68]'

Fails because i.length is 6.

The hack at https://github.com/LRGH/amoco/commit/5609706f36fd3a24064950aecd0a0b39d6756998 solves the issue, but there should be a better fix.

LRGH avatar Mar 02 '24 15:03 LRGH

This is a good one! Actually, the MOVHPS has the exact same decoder spec as the MOVLHPS...except that when the ModRM is decoded the latter requires a register ref whereas MOVHPS operates on memory.

With the current way these instructions are defined, amoco first tries to decode MOVLHPS, which raises an InstructionError because the operand is not a reg, and then triggers the MOVHPS decoder. However, since there is a REX prefix, the disassembler is stateful in the sense that the 'obj' passed to any triggered @ispec is the "current" partially decoded instruction (containing prefixes/REX). In such a case, when an InstructionError is raised the current state must be correctly reverted. This was not the case for exceptions raised after a getModRM (only SSE was affected).

Fixed by 5bdc6ba.

bdcht avatar Mar 04 '24 16:03 bdcht
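A toy model of the failure mode described in the comment above (constructed for illustration, not amoco's code): two candidate specs share the 0F 16 opcode, the first one consumes the ModRM byte before rejecting a memory operand, and the partially decoded object must be rolled back before the next candidate runs. The names `Instr`, `get_modrm`, `spec_movlhps`, `spec_movhps` and `disassemble` are assumptions of this model; the `revert_state` flag switches between the broken and the corrected dispatch.

```python
import copy

class InstructionError(Exception):
    """Raised by a candidate spec that does not match the bytes."""

class Instr:
    """Partially decoded instruction: REX prefix plus the bytes consumed so far."""
    def __init__(self):
        self.rex, self.length, self.mnemonic, self.operands = None, 0, None, []
    def __str__(self):
        return "%-12s%s" % (self.mnemonic.lower(), ", ".join(self.operands))

GPR = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
       "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]

def get_modrm(data, obj, want_reg):
    """Consume ModRM (and disp8 when mod == 1); REX.R / REX.B extend reg / rm.
    The object is mutated before we know whether the spec accepts the operand."""
    modrm = data[obj.length]
    obj.length += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if obj.rex is not None:
        reg |= (obj.rex & 4) << 1
        rm |= (obj.rex & 1) << 3
    if (mod == 3) != want_reg:
        raise InstructionError("operand kind does not match this spec")
    if mod == 3:
        return reg, "xmm%d" % rm
    if mod == 1:
        disp, obj.length = data[obj.length], obj.length + 1
        return reg, "qword ptr [%s+0x%x]" % (GPR[rm], disp)
    raise InstructionError("addressing mode not modelled")

def spec_movlhps(data, obj):            # register form only
    reg, rm = get_modrm(data, obj, want_reg=True)
    obj.mnemonic, obj.operands = "MOVLHPS", ["xmm%d" % reg, rm]

def spec_movhps(data, obj):             # memory form only
    reg, rm = get_modrm(data, obj, want_reg=False)
    obj.mnemonic, obj.operands = "MOVHPS", ["xmm%d" % reg, rm]

def disassemble(data, revert_state):
    obj = Instr()
    if data[0] & 0xF0 == 0x40:          # single REX prefix
        obj.rex, obj.length = data[0], 1
    if data[obj.length:obj.length + 2] != b"\x0f\x16":
        raise InstructionError("only opcode 0F 16 is modelled")
    obj.length += 2
    for spec in (spec_movlhps, spec_movhps):   # tried in this order
        work = copy.deepcopy(obj) if revert_state else obj
        try:
            spec(data, work)
            return work
        except InstructionError:
            continue                    # without revert, obj keeps the consumed bytes
    raise InstructionError("no spec matched")
```

With `revert_state=False` the second candidate reads the disp8 byte as a ModRM and reports a length of 6; with the rollback it decodes the 5-byte `movhps xmm0, qword ptr [r13+0x68]` from the report.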