capstone icon indicating copy to clipboard operation
capstone copied to clipboard
verified publisher icon capstone-engine

bnd jne instruction

Open Levimocun opened this issue 8 years ago • 10 comments

I use IDA and capstone to disassemble a PE file. But there's a difference, which is bnd jne in capstone but repne jnz short in IDA. Would you please tell the reason?

Levimocun avatar Jul 06 '17 01:07 Levimocun

Is this from master, or next branch?

Can you provide the input of this case?

aquynh avatar Jul 06 '17 01:07 aquynh

@aquynh the result disassembled by capstone 0x1400010a0: cmp rcx, qword ptr [rip + 0x1f61] 0x1400010a7: bnd jne 0x1400010bc 0x1400010aa: rol rcx, 0x10 0x1400010ae: test cx, 0xffff 0x1400010b3: bnd jne 0x1400010b8 0x1400010b6: bnd ret

the result disassembled by IDA .text:00000001400010A0 cmp rcx, cs:__security_cookie . text:00000001400010A7 repne jnz short loc_1400010BC .text:00000001400010AA rol rcx, 10h .text:00000001400010AE test cx, 0FFFFh .text:00000001400010B3 repne jnz short loc_1400010B8 .text:00000001400010B6 repne retn

Levimocun avatar Jul 06 '17 02:07 Levimocun

ok, but you havent provided the input code yet: what you gave is only assembly & instruction address.

you can enable Opcode output from menu "Options" -> "General ..." -> "Number of opcode bytes" . You can put 8 in this box, press OK, then paste the output here again.

aquynh avatar Jul 06 '17 04:07 aquynh

@aquynh .text:00000001400010A0--- 48 3B 0D 61 1F 00 00------- cmp rcx, cs:__security_cookie .text:00000001400010A7--- F2 75 12--------------------- repne jnz short loc_1400010BC .text:00000001400010AA--- 48 C1 C1 10----------------- rol rcx, 10h .text:00000001400010AE--- 66 F7 C1 FF FF-------------- test cx, 0FFFFh .text:00000001400010B3--- F2 75 02-------------------- repne jnz short loc_1400010B8 .text:00000001400010B6--- F2 C3----------------------- repne retn

Levimocun avatar Jul 06 '17 05:07 Levimocun

all jump instructions should not associate with REP prefix, so IDA is confused here.

ping @radare.

aquynh avatar Jul 06 '17 05:07 aquynh

i should check the intel manual to confirm that behaviour, but it will be good to compare with other disassemblers too.

On 6 Jul 2017, at 07:19, Nguyen Anh Quynh [email protected] wrote:

all jump instructions should not associate with REP prefix, so IDA is confused here.

ping @radare https://github.com/radare.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/aquynh/capstone/issues/955#issuecomment-313297631, or mute the thread https://github.com/notifications/unsubscribe-auth/AA3-lhlXXympcb8uH4H_GLOw22nEEVuvks5sLG5mgaJpZM4OPEB3.

radare avatar Jul 06 '17 11:07 radare

https://en.wikipedia.org/wiki/Intel_MPX

retauks avatar Jul 06 '17 11:07 retauks

according to Intel manual, REP prefix is only relevant for string instructions + IN/OUT. it is wrong to have REP with jump instructions.

aquynh avatar Jul 06 '17 12:07 aquynh

Some old AMD CPUs exhibit a branch prediction bug when you have a jump going straight to another jump (or return). Jumping to the rep prefix instead is a workaround for it. Both Intel and AMD CPUs tolerate it without any adverse effects.

fay59 avatar Jul 06 '17 23:07 fay59

yes, but i mean it is better to remove REP in the disassembly output in such a case.

aquynh avatar Jul 07 '17 01:07 aquynh