
Thread: Which tool is correct:

  1. #1
    Programmer Run Amock... Bengaly's Avatar
    Join Date
    Aug 2001
    Location
    Somewhere over the Rainbow
    Posts
    289
    Blog Entries
    1

    Which tool is correct:

    I'm testing and adding/fixing correct disassembly in my pvdasm engine, and lately I've found out that all disassemblers have problems decoding these (and I guess some others which I have not yet investigated) opcodes:

    consider the following bytes:

    IDA:
    Code:
    F3 0F D6 4C 24 04         movq2dq xmm1, qword ptr [esp+4]
    F2 0F D6 04 24            movdq2q mm0, xmm4
    F2 0F D6 8F 05 F2 0F D6   movdq2q mm1, xmm7
    OllyDbg:
    Code:
    F3                        REP
    0F                        DB 0F ; Unknown command
    D6                        SALC  ;Undocumented instruction or encoding
    4C                        DEC ESP
    24 04                     AND AL,04
    F2 0F D6 04 24            MOVDQ2Q MM0,QWORD PTR SS:[ESP]
    F2 0F D6 8F 05 F2 0F D6   MOVDQ2Q MM1,QWORD PTR DS:[EDI+D60FF205]
    PVDasm
    Code:
    F3 0F D6 4C 24 04        MOVQ2DQ XMM1,QWORD PTR SS:[ESP+04]
    F2 0F D6 04 24           MOVDQ2Q XMM0,QWORD PTR SS:[ESP] ; wrong register, should be mm0
    F2 0F D6 8F 05 F2 0F D6  MOVDQ2Q QWORD PTR DS:[EDI+D60FF205],XMM1  ; bit d is incorrect and wrong register, should be mm1
    WinDbg
    shows different results too


    As you can see, OllyDbg cannot decode the 0xF3 prefix; however, check out the next two instructions. They are completely different from IDA's (and look alike in PVDasm and WinDbg). Now, logically, OllyDbg/PVDasm/WinDbg etc., as opposed to IDA, follow the ModR/M+SIB (if it exists) and perform the decoding according to the opcode's decoding bits.
    Intel sometimes likes to play with their opcodes and force the opcode operation, disregarding the bit tables, so I guess that may be the reason?

    Can someone please test those 3 operations (opcodes) in Softice (I don't have it installed here) to see what it comes up with? (Maybe bastard, or even run it through a Linux disassembler?)

    I just want to know which one is the correct one
    Last edited by Bengaly; April 9th, 2009 at 06:41.
    "knowledge is now free at last, everything should be free from now on, enjoy knowledge and life and never work for everybody else"

  2. #2
    Red wine, not vodka! ZaiRoN's Avatar
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    I can't check Softice right now, but my disasm engine is not able to decode the "F3 0F D6 4C 24 04" and "F2 0F D6 04 24" sequences either. From a first glance it appears to me that the problem resides in the SIB byte, which is 0x24 in both cases; according to the Intel manual an instruction with that specific SIB value should not be defined.. Maybe my engine is bugged too, don't know. Just wait for a Softice dump.

    Anyway, I have learned not to fully trust IDA's disasm engine (I did blog something about it...)
    A mind is like a parachute. It doesn't work if it's not open.

  3. #3
    Programmer Run Amock... Bengaly's Avatar
    Join Date
    Aug 2001
    Location
    Somewhere over the Rainbow
    Posts
    289
    Blog Entries
    1
    ZaiRon, hey buddy

    Include a prefix check before you decode the 0FD6 extended opcodes in your engine, and it should be fine; then pass it to your ModRM/SIB function :P

    Yes, very weird indeed that IDA acts that way..

    Softice dump would be fabulous!

    I will also try to get a disasm from Visual Studio. (which will most likely be like WinDbg I guess)
    "knowledge is now free at last, everything should be free from now on, enjoy knowledge and life and never work for everybody else"

  4. #4
    I might propose doing an experiment. Rather than seeing what other engines do, why not just create a test and single-step through it using the native processor? The side effects of running the code in these 3 examples should be just different enough to tell you what the underlying hardware is wired up to actually perform. Whatever the hardware actually does is the way the disassembly should be produced. Just write known/unique values to all the possible source locations being read and step through to see what bit pattern values actually get moved to their respective destinations. Just my 2 cents (as valued in today's economy).

  5. #5
    Red wine, not vodka! ZaiRoN's Avatar
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    Hey Ben, forgot to say hello.. Sorry

    Include a prefix check before you decode the 0FD6 extended opcodes in your engine, and it should be fine; then pass it to your ModRM/SIB function :P
    It's exactly what it does, but if there's an inconsistency it stops analyzing it..
    A mind is like a parachute. It doesn't work if it's not open.

  6. #6
    Registered User
    Join Date
    Nov 2003
    Location
    .hr
    Posts
    40
    They are all wrong.
    Quote Originally Posted by Instruction Set Reference - Table A-1. Notes on Instruction Encoding in Opcode Map Tables
    1H The instruction represented by this opcode expression does not support any operand to be a memory location.

  7. #7
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,125
    Blog Entries
    5
    Hey Bengaly,

    Whoa, let's not impede Pvdasm development

    Softice:

    Code:
    F3 0F D6 4C 24 04          MOVQ2DQ   XMM1,[ESP+04]
    F2 0F D6 04 24             MOVDQ2Q   XMM0,[ESP]
    F2 0F D6 8F 05 F2 0F D6    MOVDQ2Q   XMM1,[EDI+D60FF205]

  8. #8
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,489
    Blog Entries
    1
    but when assembled
    movdq2q mm0,xmm4 > F2 0F D6 C4
    movdq2q mm1,xmm7 > F2 0F D6 CF

    ??

  9. #9
    Programmer Run Amock... Bengaly's Avatar
    Join Date
    Aug 2001
    Location
    Somewhere over the Rainbow
    Posts
    289
    Blog Entries
    1
    Quote Originally Posted by Kayaker View Post
    Hey Bengaly,

    Whoa, let's not impede Pvdasm development

    Softice:

    Code:
    F3 0F D6 4C 24 04          MOVQ2DQ   XMM1,[ESP+04]
    F2 0F D6 04 24             MOVDQ2Q   XMM0,[ESP]
    F2 0F D6 8F 05 F2 0F D6    MOVDQ2Q   XMM1,[EDI+D60FF205]


    Thanks kayaker,
    Seems like PVDasm is doing its thing well.

    * Just need to fix the direction of the last instruction and its done.
    "knowledge is now free at last, everything should be free from now on, enjoy knowledge and life and never work for everybody else"

  10. #10
    Registered User
    Join Date
    Nov 2003
    Location
    .hr
    Posts
    40
    Quote Originally Posted by evaluator View Post
    but when assembled
    movdq2q mm0,xmm4 > F2 0F D6 C4
    movdq2q mm1,xmm7 > F2 0F D6 CF

    ??
    F2 0F D6 C4

    ModRM = C4(16) = 11000100(2)

    This instruction is only valid if both operands are registers (bits 7 & 8 = 1; 11000100)

    And apparently none of the tools listed know this.

  11. #11
    IDA 5.4 refuses to disassemble these opcodes, which, as noted by several posters above, is the correct behavior.

  12. #12
    Programmer Run Amock... Bengaly's Avatar
    Join Date
    Aug 2001
    Location
    Somewhere over the Rainbow
    Posts
    289
    Blog Entries
    1
    Quote Originally Posted by drizz View Post
    F2 0F D6 C4

    ModRM = C4(16) = 11000100(2)

    This instruction is only valid if both operands are registers (bits 7 & 8 = 1; 11000100)

    And apparently none of the tools listed know this.
    This is true, indeed, when the question is whether the opcodes are valid at run time in the CPU (I guess it will be restricted at assembly time??).

    However, the fact that IDA, as opposed to the others, forcefully induces mmX,xmmX (for any kind of opcode combination under that opcode set F20FD6) is the difference; it could, on the other hand, display the mmX,xmmX only if the opcodes were valid and otherwise show db XX (or the regular decode with an 'invalid' remark).

    If Softice and the rest show the instructions (whether valid or not) the way "they should be", then who's to blame?
    "knowledge is now free at last, everything should be free from now on, enjoy knowledge and life and never work for everybody else"

  13. #13
    Registered User
    Join Date
    Nov 2003
    Location
    .hr
    Posts
    40
    Ben, then you should have said that you don't have SSE2 capable cpu to test it yourself.
    I have tested it and all non-reg,reg combinations raise:
    The exception Illegal Instruction (0xc000001d)

  14. #14
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,489
    Blog Entries
    1
    Yeah! I also don't have SSE2, but just read the manual..

    F3 0F D6
    MOVQ2DQ xmm, mm
    Move quadword from mmx to low quadword of xmm.

    That's all, folks?!?!

  15. #15
    Programmer Run Amock... Bengaly's Avatar
    Join Date
    Aug 2001
    Location
    Somewhere over the Rainbow
    Posts
    289
    Blog Entries
    1
    Ben, then you should have said that you don't have SSE2 capable cpu to test it yourself.
    I have tested it and all non-reg,reg combinations raise:
    The exception Illegal Instruction (0xc000001d)
    Naa, my AMD Athlon 64 X2 3800+ is well capable of SSE2, and I'm well aware of the fact that the other non-reg,reg forms are invalid.

    I was just wondering if I should impose MOVDQ2Q mm, xmm / MOVQ2DQ xmm, mm (on all opcode combinations) like IDA does, or only at the ones that are valid and keep the rest like Softice shows.

    It's a matter of keeping it well decoded, consistent with what we should expect.
    "knowledge is now free at last, everything should be free from now on, enjoy knowledge and life and never work for everybody else"
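A minimal decoder for the F2/F3 0F D6 forms argued over in this thread, added here as an example (it is not pvdasm's code nor any poster's engine): it parses the ModRM byte and, following the manual's note 1H quoted by drizz, emits movq2dq/movdq2q only when mod is 11b, and otherwise reports the prefix byte as db so decoding can continue, the way Softice and OllyDbg behave rather than IDA's forced mm/xmm display. The byte strings in the block are the ones quoted in the thread plus one constructed valid F3 form.

```python
# Added example (not pvdasm's or any poster's code): decode the F3/F2 0F D6
# forms discussed in this thread. Per the Intel manual's note 1H, MOVQ2DQ and
# MOVDQ2Q allow no memory operand, so only ModRM mod == 11b is accepted.

MMX = [f"mm{i}" for i in range(8)]
XMM = [f"xmm{i}" for i in range(8)]


def decode_0fd6(code: bytes) -> tuple:
    """Return (disassembly, bytes consumed) for an F2/F3 0F D6 encoding.

    On an invalid (memory) form only the prefix byte is consumed and emitted
    as 'db', so a caller can carry on decoding from the next byte the way
    OllyDbg/Softice do instead of forcing an mm/xmm operand like IDA.
    """
    if len(code) < 4 or code[0] not in (0xF2, 0xF3) or code[1:3] != b"\x0f\xd6":
        raise ValueError("not an F2/F3 0F D6 encoding")
    prefix, modrm = code[0], code[3]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 3:
        # mod 00/01/10 would make r/m a memory operand (SIB/displacement
        # following); the CPU raises #UD (Illegal Instruction) on these.
        reason = f"{prefix:02X} 0F D6 with ModRM {modrm:02X} (mod={mod:02b}) needs a register r/m"
        return f"db {prefix:02X}  ; {reason}", 1
    if prefix == 0xF3:
        # MOVQ2DQ xmm, mm: reg field names the XMM destination, r/m the MMX source
        return f"movq2dq {XMM[reg]}, {MMX[rm]}", 4
    # MOVDQ2Q mm, xmm: reg field names the MMX destination, r/m the XMM source
    return f"movdq2q {MMX[reg]}, {XMM[rm]}", 4


if __name__ == "__main__":
    # Constructed samples: the byte sequences quoted in this thread, plus one
    # valid F3 form (F3 0F D6 C8).
    samples = ["F3 0F D6 4C 24 04", "F2 0F D6 04 24", "F2 0F D6 8F 05 F2 0F D6",
               "F2 0F D6 C4", "F2 0F D6 CF", "F3 0F D6 C8"]
    for hexbytes in samples:
        text, used = decode_0fd6(bytes.fromhex(hexbytes.replace(" ", "")))
        print(f"{hexbytes:<26} {text}   ({used} byte(s) consumed)")
```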
