x86 anti DECODE (PoC)
Axel Tillequin
@bdcht
Rump SSTIC 2014
ia32 instructions
![](https://s3.amazonaws.com/media-p.slid.es/uploads/bdcht/images/452509/x86_format.png)
... many "oddities"
(see https://code.google.com/p/corkami/wiki/x86oddities)
MORE PFX/SSE oddities
![](https://s3.amazonaws.com/media-p.slid.es/uploads/bdcht/images/451045/intel_addps.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/bdcht/images/452520/intel_addsd.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/bdcht/images/452517/intel_addss.png)
plus 66 0F 58 /r : ADDPD, etc.
what is decoded...
objdump FAIL :
![](https://s3.amazonaws.com/media-p.slid.es/uploads/bdcht/images/452533/objdump_sse_fail.png)
IDA (6.x) FAIL :
LLVM FAIL :
capstone FAIL : [FIXED]
beaengine :
Hopper :
HTE fail : WTF ??! (they got it almost right !!!)
conclusion
decoding IA32 is tricky...
- use last prefix within each group
- for SSE2, use pfx groups "precedence" rules (F2/F3 > 66)
- the decoder needs to be EASY to enhance/fix !!!
more testing needed :
- more CPUs (reliable behaviors ??)
- REX/VEX things... (64 bits)
- automated testing ? (ptrace validation)
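The two decoding rules above, as an added example (not code from the slides or from amoco): a table-driven decoder for the 0F 58 family (ADDPS / ADDPD / ADDSS / ADDSD) that keeps the last prefix per group and lets F2/F3 beat 66, next to a naive "first prefix wins" decoder of the kind the FAIL slides illustrate. The prefix-group table follows the Intel SDM legacy-prefix groups; the sample byte strings are constructed, and memory operands are reduced to a `[mem]` placeholder since SIB/displacement decoding is outside the point being made.

```python
"""Prefix-aware decoder for opcode 0F 58 (constructed example, not amoco's code).

Rules demonstrated (from the slides):
  1. within a prefix group, the LAST prefix seen wins;
  2. for SSE mandatory prefixes, group-1 F2/F3 take precedence over 66.
"""
from typing import List, Optional, Tuple

# Legacy prefix groups (Intel SDM vol. 2, 2.1.1). Assumption: only these bytes.
PREFIX_GROUP = {
    0xF0: 1, 0xF2: 1, 0xF3: 1,                              # LOCK / REPNE / REP
    0x2E: 2, 0x36: 2, 0x3E: 2, 0x26: 2, 0x64: 2, 0x65: 2,   # segment overrides
    0x66: 3,                                                # operand-size override
    0x67: 4,                                                # address-size override
}

# Mandatory-prefix variants of 0F 58 (66 0F 58 /r = ADDPD, etc.).
# Adding another opcode family means adding another table entry, nothing else.
ADD_0F58 = {None: "addps", 0x66: "addpd", 0xF2: "addsd", 0xF3: "addss"}


def split_prefixes(code: bytes) -> Tuple[dict, int]:
    """Walk legacy prefixes, keeping the last byte seen per group (rule 1)."""
    groups = {}
    i = 0
    while i < len(code) and code[i] in PREFIX_GROUP:
        groups[PREFIX_GROUP[code[i]]] = code[i]
        i += 1
    return groups, i


def mandatory_prefix(groups: dict) -> Optional[int]:
    """Rule 2: F2/F3 (group 1) beat 66 (group 3) when both are present."""
    g1 = groups.get(1)
    if g1 in (0xF2, 0xF3):
        return g1
    if groups.get(3) == 0x66:
        return 0x66
    return None


def decode_operands(modrm: int) -> str:
    """xmm reg, xmm r/m for mod=11; memory forms collapsed to a placeholder."""
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        return f"xmm{reg}, xmm{rm}"
    return f"xmm{reg}, [mem]"  # placeholder: SIB/disp decoding not shown here


def decode(code: bytes) -> Optional[str]:
    """CPU-like decoding of a 0F 58 instruction; None if it is not one."""
    groups, i = split_prefixes(code)
    if code[i:i + 2] != b"\x0f\x58" or len(code) < i + 3:
        return None
    return f"{ADD_0F58[mandatory_prefix(groups)]} {decode_operands(code[i + 2])}"


def decode_naive(code: bytes) -> Optional[str]:
    """Broken decoder: commits to the first mandatory-looking prefix it meets."""
    first = None
    i = 0
    while i < len(code) and code[i] in PREFIX_GROUP:
        if first is None and code[i] in (0x66, 0xF2, 0xF3):
            first = code[i]
        i += 1
    if code[i:i + 2] != b"\x0f\x58" or len(code) < i + 3:
        return None
    return f"{ADD_0F58[first]} {decode_operands(code[i + 2])}"


# Constructed test vectors: modrm C1 = xmm0, xmm1 in every case.
SAMPLES = [
    bytes.fromhex("0f58c1"),
    bytes.fromhex("660f58c1"),
    bytes.fromhex("f20f58c1"),
    bytes.fromhex("f30f58c1"),
    bytes.fromhex("66f20f58c1"),  # 66 then F2: F2 wins by precedence
    bytes.fromhex("f2f30f58c1"),  # two group-1 prefixes: the last one wins
    bytes.fromhex("f3660f58c1"),  # F3 then 66: F3 wins either way
]


def find_discrepancies(samples: List[bytes]) -> List[Tuple[str, str, str]]:
    """Return (hex, correct, naive) for every sample the two decoders disagree on."""
    out = []
    for code in samples:
        good, bad = decode(code), decode_naive(code)
        if good != bad:
            out.append((code.hex(), good, bad))
    return out


if __name__ == "__main__":
    for code in SAMPLES:
        print(f"{code.hex():<12} cpu: {decode(code):<18} naive: {decode_naive(code)}")
```

Running it shows the two byte strings where the naive decoder disagrees with the prefix-group rules (66 F2 ... and F2 F3 ...); everything the decoder knows about prefixes and mandatory-prefix variants sits in two small tables, which is what makes it easy to extend or fix when a new oddity turns up.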
amoco
github.com/bdcht/amoco
(how to do it and fix it)