Fixed instruction boundary detection for complex instruction sequences

2025-06-19 16:08:02 +03:00 · 2025-04-13 03:08:37 +03:00
parent 33b151d856
commit e12f5b5bdf
4 changed files with 267 additions and 23 deletions
--- a/X86DisassemblerTests/InstructionSequenceTests.cs
+++ b/X86DisassemblerTests/InstructionSequenceTests.cs
@ -0,0 +1,103 @@
+namespace X86DisassemblerTests;
+
+using System;
+using Xunit;
+using X86Disassembler.X86;
+
+/// <summary>
+/// Tests for specific instruction sequences that were problematic
+/// </summary>
+public class InstructionSequenceTests
+{
+    /// <summary>
+    /// Tests that the disassembler correctly handles the sequence at address 0x10001C4B
+    /// </summary>
+    [Fact]
+    public void Disassembler_HandlesJmpSequence_Correctly()
+    {
+        // Arrange - This is the sequence from address 0x10001C4B
+        byte[] codeBuffer = new byte[] { 0x7D, 0x05, 0x83, 0xC5, 0x18, 0xEB, 0x03, 0x83, 0xC5, 0xB8, 0x8B, 0x56, 0x04 };
+        var disassembler = new Disassembler(codeBuffer, 0x10001C4A);
+        
+        // Act
+        var instructions = disassembler.Disassemble();
+        
+        // Assert
+        Assert.True(instructions.Count >= 5, $"Expected at least 5 instructions, but got {instructions.Count}");
+        
+        // First instruction: JGE LAB_10001c51 (JNL is an alternative mnemonic for JGE)
+        Assert.True(instructions[0].Mnemonic == "jge" || instructions[0].Mnemonic == "jnl", 
+            $"Expected 'jge' or 'jnl', but got '{instructions[0].Mnemonic}'");
+        // Don't check the exact target address as it depends on the base address calculation
+        Assert.Contains("0x", instructions[0].Operands);
+        
+        // Second instruction: ADD EBP, 0x18
+        Assert.Equal("add", instructions[1].Mnemonic);
+        Assert.Contains("ebp", instructions[1].Operands);
+        Assert.Contains("0x00000018", instructions[1].Operands);
+        
+        // Third instruction: JMP LAB_10001c54
+        Assert.Equal("jmp", instructions[2].Mnemonic);
+        // Don't check the exact target address as it depends on the base address calculation
+        Assert.Contains("0x", instructions[2].Operands);
+        
+        // Fourth instruction: ADD EBP, -0x48
+        Assert.Equal("add", instructions[3].Mnemonic);
+        Assert.Contains("ebp", instructions[3].Operands);
+        Assert.Contains("0xFFFFFFB8", instructions[3].Operands); // -0x48 sign-extended to 32-bit
+        
+        // Fifth instruction: MOV EDX, dword ptr [ESI + 0x4]
+        Assert.Equal("mov", instructions[4].Mnemonic);
+        Assert.Contains("edx", instructions[4].Operands);
+        Assert.Contains("esi", instructions[4].Operands);
+    }
+    
+    /// <summary>
+    /// Tests that the disassembler correctly handles the sequence at address 0x00001C4B
+    /// </summary>
+    [Fact]
+    public void Disassembler_HandlesAddSequence_Correctly()
+    {
+        // Arrange - This is the sequence from address 0x00001C4B
+        byte[] codeBuffer = new byte[] { 0x05, 0x83, 0xC5, 0x18, 0xEB, 0x03, 0x83, 0xC5, 0xB8, 0x8B, 0x56, 0x04, 0x8A, 0x02, 0x8D, 0x4A, 0x18 };
+        var disassembler = new Disassembler(codeBuffer, 0x00001C4B);
+        
+        // Act
+        var instructions = disassembler.Disassemble();
+        
+        // Assert
+        Assert.True(instructions.Count >= 7, $"Expected at least 7 instructions, but got {instructions.Count}");
+        
+        // First instruction should be ADD EAX, ?? (incomplete immediate)
+        Assert.Equal("add", instructions[0].Mnemonic);
+        Assert.Contains("eax", instructions[0].Operands);
+        
+        // Second instruction should be ADD EBP, 0x18
+        Assert.Equal("add", instructions[1].Mnemonic);
+        Assert.Contains("ebp", instructions[1].Operands);
+        Assert.Contains("0x00000018", instructions[1].Operands);
+        
+        // Third instruction should be JMP
+        Assert.Equal("jmp", instructions[2].Mnemonic);
+        
+        // Fourth instruction should be ADD EBP, -0x48
+        Assert.Equal("add", instructions[3].Mnemonic);
+        Assert.Contains("ebp", instructions[3].Operands);
+        Assert.Contains("0xFFFFFFB8", instructions[3].Operands); // -0x48 sign-extended to 32-bit
+        
+        // Fifth instruction should be MOV EDX, [ESI+0x4]
+        Assert.Equal("mov", instructions[4].Mnemonic);
+        Assert.Contains("edx", instructions[4].Operands);
+        Assert.Contains("esi", instructions[4].Operands);
+        
+        // Sixth instruction should be MOV AL, [EDX]
+        Assert.Equal("mov", instructions[5].Mnemonic);
+        Assert.Contains("al", instructions[5].Operands);
+        Assert.Contains("edx", instructions[5].Operands);
+        
+        // Seventh instruction should be LEA ECX, [EDX+0x18]
+        Assert.Equal("lea", instructions[6].Mnemonic);
+        Assert.Contains("ecx", instructions[6].Operands);
+        Assert.Contains("edx", instructions[6].Operands);
+    }
+}