
Incorrect handling of movsxd instruction #162

Open
sleirsgoevy opened this issue May 22, 2020 · 6 comments

Comments

@sleirsgoevy

ROPgadget output is incorrect for the following code:

main:
movsxd rax, edi
ret

ROPgadget reports the movsxd rax, edi ; ret gadget at main+1, while it is actually at main.

@sleirsgoevy
Author

EDIT: #56 seems to be related. Probably that is another symptom of the same off-by-1 error.

@nurmukhametov
Contributor

According to capstone, in your example the movsxd rax, edi ; ret gadget does exist at main+0x1 (_start+0x1 in the example below).

$ cat test.s
_start:
  movsxd rax, edi
  ret
$ objdump -d -M intel test
0000000000401000 <_start>:
  401000:	48 63 c7             	movsxd rax,edi
  401003:	c3                   	ret
$ cstool x64 4863c7
 0  48 63 c7                                         movsxd	rax, edi
$ cstool x64 63c7
 0  63 c7                                            movsxd	rax, edi

@sleirsgoevy
Author

Then it is probably a bug in capstone itself. The instruction without the leading byte does not actually work as movsxd rax, edi.

@nurmukhametov
Contributor

nurmukhametov commented May 23, 2020

Yes, it is a capstone bug. I checked that this bug is kind of fixed in the upcoming capstone 5 release (next branch). So I think you can install a fresh capstone to avoid this bug.

However, I am not sure that they fixed the decoding of this instruction correctly. According to fresh capstone:

$ cstool x64 63c7
ERROR: invalid assembly code

But e.g. gdb disassembles these bytes as movsxd eax,edi.

@sleirsgoevy
Author

A quick'n'dirty workaround is to use the --dump flag to verify that the first byte is indeed 48 (that's the REX.W prefix, so it will be the same for other registers). If it is not, the address probably needs to be decremented.
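Added example (not from the issue, ROPgadget or capstone): a minimal decoder for the register form of the x86-64 MOVSXD opcode (63 /r) together with the REX.W check described in the workaround above, showing why 63 c7 alone is movsxd eax, edi and why a gadget reported at the bare opcode byte starts one byte earlier. Register operands only; the sample bytes are the ones from the objdump output in this thread.

```python
# Added example, not part of the issue or of ROPgadget/capstone.
# Assumes register-to-register operands only (ModRM mod == 3).

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
         "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]

# Constructed sample: the bytes objdump printed for _start in the thread.
CODE = bytes.fromhex("4863c7c3")  # movsxd rax, edi ; ret


def decode_movsxd(code: bytes) -> str:
    """Decode a register-form MOVSXD starting at code[0].

    An optional REX prefix (0x40-0x4F) may precede opcode 0x63. Only when
    REX.W is set is the destination a 64-bit register; a bare '63 c7' is
    movsxd eax, edi, not movsxd rax, edi.
    """
    i, rex = 0, 0
    if 0x40 <= code[i] <= 0x4F:
        rex, i = code[i], i + 1
    if code[i] != 0x63:
        raise ValueError("not a movsxd opcode")
    modrm = code[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 3:
        raise ValueError("memory operands are not handled in this example")
    rex_w, rex_r, rex_b = (rex >> 3) & 1, (rex >> 2) & 1, rex & 1
    dst = (REG64 if rex_w else REG32)[reg | (rex_r << 3)]
    src = REG32[rm | (rex_b << 3)]
    return f"movsxd {dst}, {src}"


def true_gadget_start(code: bytes, reported: int) -> int:
    """The workaround from the thread as a check: a gadget reported as
    'movsxd r64, r32' must begin with a REX.W prefix (0x48-0x4F). If the
    byte at the reported offset is the bare 0x63 opcode and the byte before
    it is such a prefix, the gadget really starts one byte earlier."""
    if (code[reported] == 0x63 and reported > 0
            and (code[reported - 1] & 0xF8) == 0x48):
        return reported - 1
    return reported


if __name__ == "__main__":
    print(decode_movsxd(CODE))          # movsxd rax, edi
    print(decode_movsxd(CODE[1:]))      # movsxd eax, edi
    print(true_gadget_start(CODE, 1))   # 0
```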

@SweetVishnya
Collaborator

You can upgrade Capstone or use --all option to display all gadgets.
