mirror of https://github.com/sampletext32/ParkanPlayground.git synced 2025-05-19 20:01:17 +03:00

Added detailed comments to test files explaining x86 encoding special cases: 1) Mod=00 and R/M=101 (EBP) for displacement-only addressing, 2) Mod=00 and R/M=100 (ESP) for SIB byte requirement, 3) SIB byte with EBP as base register special cases

This commit is contained in:
bird_egop 2025-04-16 19:58:34 +03:00
parent e5b63270b6
commit 09786b781b
2 changed files with 22 additions and 4 deletions


@ -23,7 +23,12 @@ FF10;[{ "Type": "Call", "Operands": ["dword ptr [eax]"] }]
FF11;[{ "Type": "Call", "Operands": ["dword ptr [ecx]"] }] FF11;[{ "Type": "Call", "Operands": ["dword ptr [ecx]"] }]
FF12;[{ "Type": "Call", "Operands": ["dword ptr [edx]"] }] FF12;[{ "Type": "Call", "Operands": ["dword ptr [edx]"] }]
FF13;[{ "Type": "Call", "Operands": ["dword ptr [ebx]"] }] FF13;[{ "Type": "Call", "Operands": ["dword ptr [ebx]"] }]
# TODO: these are not recognized by ghidra, but these seem to be valid x86 instructions. # SPECIAL CASES in x86 encoding:
# 1. When Mod=00 and R/M=100 (ESP), a SIB byte is required. The instruction FF14 is invalid because
# it's missing the required SIB byte. The correct encoding would use a SIB byte (e.g., FF1424).
# 2. When Mod=00 and R/M=101 (EBP), this doesn't actually refer to [EBP] but instead indicates
# a 32-bit displacement-only addressing mode. The correct encoding for "Call [disp32]" would be
# FF1578563412 which is "Call dword ptr [0x12345678]"
# FF14;[{ "Type": "Call", "Operands": ["dword ptr [esp]"] }] # FF14;[{ "Type": "Call", "Operands": ["dword ptr [esp]"] }]
# FF15;[{ "Type": "Call", "Operands": ["dword ptr [ebp]"] }] # FF15;[{ "Type": "Call", "Operands": ["dword ptr [ebp]"] }]
FF16;[{ "Type": "Call", "Operands": ["dword ptr [esi]"] }] FF16;[{ "Type": "Call", "Operands": ["dword ptr [esi]"] }]
@ -33,11 +38,17 @@ FF17;[{ "Type": "Call", "Operands": ["dword ptr [edi]"] }]
FF1400;[{ "Type": "Call", "Operands": ["dword ptr [eax+eax*1]"] }] FF1400;[{ "Type": "Call", "Operands": ["dword ptr [eax+eax*1]"] }]
FF14C0;[{ "Type": "Call", "Operands": ["dword ptr [eax+eax*8]"] }] FF14C0;[{ "Type": "Call", "Operands": ["dword ptr [eax+eax*8]"] }]
FF1444;[{ "Type": "Call", "Operands": ["dword ptr [esp+eax*2]"] }] FF1444;[{ "Type": "Call", "Operands": ["dword ptr [esp+eax*2]"] }]
# not recognized neither by ghidra nor online disasms # SPECIAL CASE: SIB byte with EBP as base register
# When the SIB byte has Base=101 (EBP) and Mod=00, the base register is not used.
# Instead, a 32-bit displacement follows the SIB byte (similar to the Mod=00, R/M=101 special case).
# This instruction is commented out because it's not correctly recognized by many disassemblers.
# FF1485;[{ "Type": "Call", "Operands": ["dword ptr [ebp+eax*4]"] }] # FF1485;[{ "Type": "Call", "Operands": ["dword ptr [ebp+eax*4]"] }]
FF1498;[{ "Type": "Call", "Operands": ["dword ptr [eax+ebx*4]"] }] FF1498;[{ "Type": "Call", "Operands": ["dword ptr [eax+ebx*4]"] }]
FF14D9;[{ "Type": "Call", "Operands": ["dword ptr [ecx+ebx*8]"] }] FF14D9;[{ "Type": "Call", "Operands": ["dword ptr [ecx+ebx*8]"] }]
# not recognized neither by ghidra nor online disasms # SPECIAL CASE: Another SIB byte with EBP as base register
# When the SIB byte has Base=101 (EBP) and Mod=00, the base register is not used.
# Instead, a 32-bit displacement follows the SIB byte (similar to the Mod=00, R/M=101 special case).
# This instruction is commented out because it's not correctly recognized by many disassemblers.
# FF149D;[{ "Type": "Call", "Operands": ["dword ptr [ebp+ebx*4]"] }] # FF149D;[{ "Type": "Call", "Operands": ["dword ptr [ebp+ebx*4]"] }]
# CALL m32 (opcode FF /2) with displacement # CALL m32 (opcode FF /2) with displacement
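Review bot: The new comments for the commented-out FF1485 and FF149D rows attribute the problem to disassemblers, but the expectation in those rows is itself wrong: with Mod=00 and SIB Base=101 the three bytes are an incomplete encoding (a disp32 must follow) that decodes to `[eax*4+disp32]` / `[ebx*4+disp32]`, never to `[ebp+eax*4]`. The same applies to the FF24C5/FF24CD/FF24D5 rows in the JMP file, whose SIB bytes with Base=101 give `[reg*8+disp32]`, so `[eax*8+ebp]` cannot be produced by those bytes. Suggest replacing the "not correctly recognized by many disassemblers" sentence with `# Incomplete encoding: a disp32 must follow, and the operand is [eax*4+disp32]; [ebp+eax*4] needs Mod=01 with disp8=0, i.e. FF548500.` (for JMP the corresponding form is Mod=01 with /4, e.g. FF64C500). It would also be worth adding the completed forms, such as `FF148578563412` for `dword ptr [eax*4+0x12345678]`, as live rows so the decoder's handling of this special case is actually exercised rather than skipped; whether the decoder currently handles it is not visible from this diff.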



@ -27,6 +27,9 @@ FF22;[{ "Type": "Jmp", "Operands": ["dword ptr [edx]"] }]
FF23;[{ "Type": "Jmp", "Operands": ["dword ptr [ebx]"] }] FF23;[{ "Type": "Jmp", "Operands": ["dword ptr [ebx]"] }]
FF24;[{ "Type": "Jmp", "Operands": ["dword ptr [esp]"] }] FF24;[{ "Type": "Jmp", "Operands": ["dword ptr [esp]"] }]
# SPECIAL CASE: When Mod=00 and R/M=101 (EBP), this doesn't actually refer to [EBP].
# Instead, it's a special case that indicates a 32-bit displacement-only addressing mode.
# The correct encoding for this would be FF2578563412 which is "Jmp dword ptr [0x12345678]"
# FF25;[{ "Type": "Jmp", "Operands": ["dword ptr [ebp]"] }] # FF25;[{ "Type": "Jmp", "Operands": ["dword ptr [ebp]"] }]
FF26;[{ "Type": "Jmp", "Operands": ["dword ptr [esi]"] }] FF26;[{ "Type": "Jmp", "Operands": ["dword ptr [esi]"] }]
FF27;[{ "Type": "Jmp", "Operands": ["dword ptr [edi]"] }] FF27;[{ "Type": "Jmp", "Operands": ["dword ptr [edi]"] }]
@ -42,7 +45,11 @@ FF6610;[{ "Type": "Jmp", "Operands": ["dword ptr [esi+0x10]"] }]
FF6710;[{ "Type": "Jmp", "Operands": ["dword ptr [edi+0x10]"] }] FF6710;[{ "Type": "Jmp", "Operands": ["dword ptr [edi+0x10]"] }]
# JMP m32 (opcode FF /4) with SIB byte # JMP m32 (opcode FF /4) with SIB byte
# not recognized by ghidra or online disasms # SPECIAL CASE: These SIB encodings with EBP as base register have special rules.
# When the SIB byte has Base=101 (EBP) and Mod=00, the base register is not used.
# Instead, a 32-bit displacement follows the SIB byte (similar to the Mod=00, R/M=101 special case).
# These instructions are commented out because they're not correctly recognized by many disassemblers,
# including Ghidra and online disassemblers, due to their unusual encoding.
# FF24C5;[{ "Type": "Jmp", "Operands": ["dword ptr [eax*8+ebp]"] }] # FF24C5;[{ "Type": "Jmp", "Operands": ["dword ptr [eax*8+ebp]"] }]
# FF24CD;[{ "Type": "Jmp", "Operands": ["dword ptr [ecx*8+ebp]"] }] # FF24CD;[{ "Type": "Jmp", "Operands": ["dword ptr [ecx*8+ebp]"] }]
# FF24D5;[{ "Type": "Jmp", "Operands": ["dword ptr [edx*8+ebp]"] }] # FF24D5;[{ "Type": "Jmp", "Operands": ["dword ptr [edx*8+ebp]"] }]
