
Which tool is correct:


Bengaly
April 9th, 2009, 06:39
I'm testing and adding / fixing correct disassembly in my pvdasm engine, and lately I've found out that all disassemblers have problems decoding these (and I guess some others which I have not yet investigated) opcodes:

Consider the following bytes:

IDA:
Code:

F3 0F D6 4C 24 04 movq2dq xmm1, qword ptr [esp+4]
F2 0F D6 04 24 movdq2q mm0, xmm4
F2 0F D6 8F 05 F2 0F D6 movdq2q mm1, xmm7


OllyDbg:
Code:

F3 REP
0F DB 0F ; Unknown command
D6 SALC ;Undocumented instruction or encoding
4C DEC ESP
24 04 AND AL,04
F2 0F D6 04 24 MOVDQ2Q MM0,QWORD PTR SS:[ESP]
F2 0F D6 8F 05 F2 0F D6 MOVDQ2Q MM1,QWORD PTR DS:[EDI+D60FF205]


PVDasm
Code:

F3 0F D6 4C 24 04 MOVQ2DQ XMM1,QWORD PTR SS:[ESP+04]
F2 0F D6 04 24 MOVDQ2Q XMM0,QWORD PTR SS:[ESP] ; wrong register, should be mm0
F2 0F D6 8F 05 F2 0F D6 MOVDQ2Q QWORD PTR DS:[EDI+D60FF205],XMM1 ; bit d is incorrect and wrong register, should be mm1


WinDbg
shows different results too


As you can see, OllyDbg cannot decode the 0xF3 prefix; however, check out the next two instructions.. they are completely different (from IDA, and look alike in PVDasm and WinDbg). Now, logically, OllyDbg/PVDasm/WinDbg etc., as opposed to IDA, follow the ModR/M+SIB (if it exists) and perform the decoding according to the opcode's decoding bits.
Intel sometimes likes to play with their opcodes and force an opcode operation, disregarding the bit tables, so I guess that may be the reason?

Can someone please test those 3 operations (opcodes) in Softice (I don't have it installed here) to see what they come up with? (Maybe bastard, or even run it through a Linux disassembler?)

I just want to know which one is the correct one.

ZaiRoN
April 9th, 2009, 08:51
I can't check Softice right now, but my disasm engine is not able to decode the "F3 0F D6 4C 24 04" and "F2 0F D6 04 24" sequences either. From a first glance it appears to me that the problem resides in the SIB byte, which is 0x24 in both cases; according to the Intel manual an instruction with that specific SIB value should not be defined.. Maybe my engine is bugged too, don't know. Just wait for a Softice dump.

Anyway, I have learned not to fully trust IDA's disasm engine (I did blog something about it...)

Bengaly
April 9th, 2009, 09:12
ZaiRon, hey buddy

Include a prefix check before you decode the 0FD6 extended opcodes in your engine, and it should be fine; then pass it to your modRm/sib function :P

Yes, very weird indeed why IDA acts that way..

Softice dump would be fabulous!

I will also try to get a disasm from Visual Studio. (which will most likely be like WinDbg I guess)

slcoleman
April 9th, 2009, 10:51
I might propose doing an experiment. Rather than seeing what other engines do, why not just create a test and single-step through it using the native processor? The side effects of running the code in these 3 examples should be just different enough to tell you what the underlying hardware is wired up to actually perform. Whatever the hardware actually does is the way the disassembly should be produced. Just write known/unique values to all the possible source locations being read and step through to see what bit pattern values actually get moved to their respective destinations. Just my 2 cents (as valued in today's economy).

ZaiRoN
April 9th, 2009, 10:58
Hey Ben, forgot to say hello... Sorry

Quote:
Include a prefix check before you decode the 0FD6 extended opcodes in your engine, and it should be fine; then pass it to your modRm/sib function :P
It's exactly what it does but if there's an inconsistency it stops analyzing it..

drizz
April 9th, 2009, 12:09
They are all wrong.
Quote:
[Originally Posted by "Instruction Set Reference - Table A-1. Notes on Instruction Encoding in Opcode Map Tables"] 1H: The instruction represented by this opcode expression does not support any operand to be a memory location.

Kayaker
April 9th, 2009, 12:24
Hey Bengaly,

Whoa, let's not impede Pvdasm development

Softice:

Code:
F3 0F D6 4C 24 04 MOVQ2DQ XMM1,[ESP+04]
F2 0F D6 04 24 MOVDQ2Q XMM0,[ESP]
F2 0F D6 8F 05 F2 0F D6 MOVDQ2Q XMM1,[EDI+D60FF205]

evaluator
April 9th, 2009, 14:17
but when assembled
movdq2q mm0,xmm4 > F2 0F D6 C4
movdq2q mm1,xmm7 > F2 0F D6 CF

??

Bengaly
April 9th, 2009, 14:28
Quote:
[Originally Posted by Kayaker;80085]Hey Bengaly,

Whoa, let's not impede Pvdasm development

Softice:

Code:
F3 0F D6 4C 24 04 MOVQ2DQ XMM1,[ESP+04]
F2 0F D6 04 24 MOVDQ2Q XMM0,[ESP]
F2 0F D6 8F 05 F2 0F D6 MOVDQ2Q XMM1,[EDI+D60FF205]
Thanks kayaker,
Seems like PVDasm is doing its thing well.

* Just need to fix the direction of the last instruction and it's done.

drizz
April 9th, 2009, 14:41
Quote:
[Originally Posted by evaluator;80087]but when assembled
movdq2q mm0,xmm4 > F2 0F D6 C4
movdq2q mm1,xmm7 > F2 0F D6 CF

??


F2 0F D6 C4

ModRM = C4(16) = 11000100(2)

This instruction is only valid if both operands are registers (bits 7 & 8 = 1; 11000100)

And apparently none of the tools listed know this.

reverser
April 9th, 2009, 15:11
IDA 5.4 refuses to disassemble these opcodes, which, as noted by several posters above, is the correct behavior.

Bengaly
April 9th, 2009, 15:39
Quote:
[Originally Posted by drizz;80089]F2 0F D6 C4

ModRM = C4(16) = 11000100(2)

This instruction is only valid if both operands are registers (bits 7 & 8 = 1; 11000100)

And apparently none of the tools listed know this.


This is true indeed, when the question is whether the opcodes are valid at run time in the CPU (I guess it will be restricted at assembly time??).

However, the fact that IDA, as opposed to the others, forcefully induces mmX,xmmX (for any kind of opcode combination under that opcode set F20FD6) is the difference; it could, on the other hand, display mmX,xmmX only if the opcodes were valid, and otherwise either show db XX or the regular decode with an 'invalid' remark.

If Softice and the rest show the instructions (whether valid or not) the way "they should be", then who's to blame?

drizz
April 9th, 2009, 16:03
Ben, then you should have said that you don't have an SSE2-capable CPU to test it yourself.
I have tested it and all non-reg,reg combinations raise:
The exception Illegal Instruction (0xc000001d)

evaluator
April 9th, 2009, 17:18
ya! I also don't have SSE2, but I just read the manual..

F3 0F D6
MOVQ2DQ xmm, mm
Move quadword from mmx to low quadword of xmm.

that's all, folks?!?!

Bengaly
April 10th, 2009, 04:16
Quote:
Ben, then you should have said that you don't have an SSE2-capable CPU to test it yourself.
I have tested it and all non-reg,reg combinations raise:
The exception Illegal Instruction (0xc000001d)


Naa, my AMD Athlon 64 X2 3800+ is well capable of SSE2, and I'm well aware of the fact that the other non-reg,reg forms are invalid.

I was just wondering if I should impose MOVDQ2Q mm, xmm / MOVQ2DQ xmm, mm (on all opcode combinations) like IDA does, or only at the ones that are valid and keep the rest like Softice shows.

It's a matter of keeping it well decoded, in line with what we should expect.
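
The two decoding policies being debated above (drizz's point that F2/F3 0F D6 is only defined for ModRM mod=11b, and Bengaly's question of whether to decode the invalid memory forms anyway with a remark or to refuse them) can be shown in a small decoder. The following is an added example written for this thread; it is not pvdasm's, IDA's or any other tool's code. It assumes 32-bit addressing, the two prefixes F2 (MOVDQ2Q mm, xmm) and F3 (MOVQ2DQ xmm, mm) only, and the sample bytes from the posts above; the `policy` parameter and the output text format are this example's own choices.

```python
import struct

# Register name tables for 32-bit addressing mode (the mode the thread's listings use).
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
MMX = [f"mm{i}" for i in range(8)]
XMM = [f"xmm{i}" for i in range(8)]


def parse_modrm(code, pos):
    """Parse the ModRM byte at code[pos] plus any SIB byte and displacement.

    Returns (mod, reg, rm, mem_text, consumed). mem_text is None for the
    register form (mod == 11b); otherwise it is a formatted memory operand.
    """
    modrm = code[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    consumed = 1
    if mod == 3:
        return mod, reg, rm, None, consumed
    terms = []
    disp_size = {0: 0, 1: 1, 2: 4}[mod]
    if rm == 4:  # rm == 100b: a SIB byte follows
        sib = code[pos + consumed]
        consumed += 1
        scale, index, base = sib >> 6, (sib >> 3) & 7, sib & 7
        if index != 4:  # index == 100b means "no index register"
            terms.append(f"{REG32[index]}*{1 << scale}")
        if base == 5 and mod == 0:  # no base register, disp32 instead
            disp_size = 4
        else:
            terms.insert(0, REG32[base])
    elif rm == 5 and mod == 0:  # [disp32] with no base register
        disp_size = 4
    else:
        terms.append(REG32[rm])
    text = "+".join(terms)
    if disp_size:
        raw = code[pos + consumed:pos + consumed + disp_size]
        if len(raw) != disp_size:
            raise ValueError("truncated displacement")
        consumed += disp_size
        if disp_size == 1:
            disp = struct.unpack("<b", raw)[0]  # disp8 is sign-extended
            text += f"{'+' if disp >= 0 else '-'}0x{abs(disp):X}"
        else:
            disp = struct.unpack("<I", raw)[0]
            text = f"{text}+0x{disp:08X}" if text else f"0x{disp:08X}"
    return mod, reg, rm, f"[{text}]", consumed


def decode_0fd6(code, policy="remark"):
    """Decode one F2/F3 0F D6 instruction at the start of `code`.

    policy="remark": decode the operands and flag the memory form as invalid
                     (the 'regular decode with an invalid remark' option).
    policy="db":     refuse the memory form and emit only a db for the prefix.
    Both policies are this example's own naming, not any tool's.
    """
    if len(code) < 4 or code[0] not in (0xF2, 0xF3) or code[1:3] != b"\x0f\xd6":
        raise ValueError("not an F2/F3 0F D6 encoding")
    prefix = code[0]
    mod, reg, rm, mem, consumed = parse_modrm(code, 3)
    length = 3 + consumed
    if prefix == 0xF2:  # MOVDQ2Q mm, xmm
        mnemonic, dst, src_reg = "movdq2q", MMX[reg], XMM[rm]
    else:               # MOVQ2DQ xmm, mm
        mnemonic, dst, src_reg = "movq2dq", XMM[reg], MMX[rm]
    if mod == 3:  # the only architecturally defined form
        return {"length": length, "valid": True, "text": f"{mnemonic} {dst}, {src_reg}"}
    if policy == "db":
        return {"length": 1, "valid": False, "text": f"db 0x{prefix:02X}"}
    return {"length": length, "valid": False,
            "text": f"{mnemonic} {dst}, qword ptr {mem} ; invalid: memory form raises #UD"}


# Sample bytes taken from the thread: the three disputed sequences plus the
# two register-only encodings evaluator posted.
THREAD_SAMPLES = [
    bytes.fromhex("F30FD64C2404"),
    bytes.fromhex("F20FD60424"),
    bytes.fromhex("F20FD68F05F20FD6"),
    bytes.fromhex("F20FD6C4"),
    bytes.fromhex("F20FD6CF"),
]

if __name__ == "__main__":
    for sample in THREAD_SAMPLES:
        for policy in ("remark", "db"):
            r = decode_0fd6(sample, policy)
            print(f"{sample.hex(' ').upper():<24} {policy:<7} len={r['length']} {r['text']}")
```

Run stand-alone it prints each sample under both policies. The first three samples come out with a memory operand and an invalid remark (or as a single `db`), while `F2 0F D6 C4` and `F2 0F D6 CF` decode to `movdq2q mm0, xmm4` and `movdq2q mm1, xmm7`; the difference from a decoder that reads the rm field as a register regardless of mod is exactly the mod check at the top of `decode_0fd6`.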

evaluator
April 11th, 2009, 05:48
then notify AMD about the silly bug..
The AMD manual states the same as Intel's.

reverser
April 12th, 2009, 15:22
Quote:
[Originally Posted by Bengaly;80100]
I was just wondering if I should impose MOVDQ2Q mm, xmm / MOVQ2DQ xmm, mm (on all opcode combinations) like IDA does

No, it doesn't.
(current version, that is)

Bengaly
April 13th, 2009, 04:05
I have IDA 5.2; maybe it's a bug in it... I'll check the latest version and see what it gives.