zydis icon indicating copy to clipboard operation
zydis copied to clipboard

Published 20 hours ago verified publisher icon zyantific

Operand Visibility Bug

Open fred26 opened this issue 3 years ago • 4 comments

I have tested 2 types of AND operations providing 2 different decoded results:

Just to test this, in the formatter01.c sample, I redefined ZyanU8 data[] to these:

ZyanU8 data[] = { 0x25, 0xFF, 0x03, 0x00, 0x00, // and eax, 000003FF 0x83, 0xE0, 0x0F // and eax, 0F };

The first decoded instruction (and eax, 000003FF) decodes first operand ZYDIS_REGISTER_EAX with visibility == ZYDIS_OPERAND_VISIBILITY_IMPLICIT

However, second instruction (and eax, 0F) decodes first operand ZYDIS_REGISTER_EAX with visibility == ZYDIS_OPERAND_VISIBILITY_EXPLICIT

To replicate this just use the formatter01.c sample and change the ZyanU8 data[] to the above.

Thanks

fred26 avatar Mar 07 '21 19:03 fred26

Hi @fred26!

This is expected behavior. ZYDIS_OPERAND_VISIBILITY_IMPLICIT and ZYDIS_OPERAND_VISIBILITY_EXPLICIT have a bit of a misleading name. What "implicit" means here is that the operand is specified in the instruction itself (the opcode) rather than being chosen through a generic means such as ModRM encoding.

For 0x25, 0xFF, 0x03, 0x00, 0x00 the instruction structure looks like this:

25 FF 03 00 00
:  :..IMM
:..OPCODE

For 0x83, 0xE0, 0x0F, it looks like this:

83 E0 0F
:  :  :..IMM
:  :..MODRM
:..OPCODE

The first instruction has the eax hardcoded in the opcode, the second one has it set via the ModRM portion of the instruction.

@flobernd since we've now heard this question twice in a rather short period of time, we should probably think about renaming these (and make the old constants a deprecated alias).

athre0z avatar Mar 07 '21 20:03 athre0z

@athre0z thanks for the explanation, makes sense. Yes if you could rename this will be much clearer. Regards,

fred26 avatar Mar 07 '21 21:03 fred26

@athre0z Sure, meanwhile we could improve the documentation for these values. Although I think it already is quite understandable 😛

/**
 * The operand is explicitly encoded in the instruction.
 */
ZYDIS_OPERAND_VISIBILITY_EXPLICIT,
/**
 * The operand is part of the opcode, but listed as an operand.
 */
ZYDIS_OPERAND_VISIBILITY_IMPLICIT,
/**
 * The operand is part of the opcode, and not typically listed as an operand.
 */
ZYDIS_OPERAND_VISIBILITY_HIDDEN,

flobernd avatar Mar 08 '21 07:03 flobernd

Yeah, I think the documentation is fine -- it's just the names that are confusing.

athre0z avatar Mar 10 '21 00:03 athre0z