def magicbyte(insn):
    '''Return a size value derived from the ModRM reg field and the 0x66 byte.

    `insn` must unpack into exactly six fields. Only the first field and the
    third (ModRM) are used here. The result is 0 unless the ModRM reg field
    equals 6. In that case it is 2 when b'\\x66' occurs in the first field,
    otherwise 4.
    '''
    # NOTE(review): the first field is presumably the prefix bytes; 0x66 is the
    # x86 operand-size override prefix. Confirm against decoder.consume().
    prefixes, _opcode, modrm, _sib, _disp, _imm = insn
    _mod, reg_field, _rm = decoder.extractmodrm(modrm)
    if reg_field != 6:
        return 0
    return 2 if b'\x66' in prefixes else 4
def magicbyte(insn):
    '''Return a size value derived from the ModRM reg field and the 0x66 byte.

    `insn` must unpack into exactly six fields. Only the first field and the
    third (ModRM) are used here. The result is 0 unless the ModRM reg field
    equals 6. In that case it is 2 when '\\x66' occurs in the first field,
    otherwise 4.
    '''
    # NOTE(review): the membership test uses a str literal, so the first field
    # must be a str (or a container of str) for it to match. Confirm the type
    # decoder.consume() produces.
    prefixes, _opcode, modrm, _sib, _disp, _imm = insn
    _mod, reg_field, _rm = decoder.extractmodrm(modrm)
    if reg_field != 6:
        return 0
    return 2 if '\x66' in prefixes else 4
def isFarJmp(instruction):
    '''Return True when the opcode is 0xFF and the ModRM reg field is 5.

    In the x86 opcode map FF /5 is the far JMP through a memory pointer.
    Any other opcode yields False.
    '''
    if getOpcode(instruction) != '\xff':
        return False
    # NOTE(review): mod is not checked, so a byte sequence with mod == 3 (not a
    # valid FF /5 encoding) is still reported as a far jmp. Confirm callers
    # reject that case when classifying untrusted bytes.
    modrm_byte = ord(getModrm(instruction))
    _mod, reg_field, _rm = decoder.extractmodrm(modrm_byte)
    return reg_field == 5
def decode(instruction):
    '''Extract the modrm tuple out of the provided instruction.

    The ModRM field is read from index 2 of `instruction`. Returns None when
    that field is empty. Otherwise the field is converted with
    decoder.decodeInteger and split by decoder.extractmodrm.
    '''
    raw_modrm = instruction[2]
    if len(raw_modrm) == 0:
        # No ModRM field was recorded for this instruction.
        return None
    value = decoder.decodeInteger(raw_modrm)
    return decoder.extractmodrm(value)
def isRegisterCall(instruction):
    '''call Ev

    True only for opcode 0xFF with ModRM reg == 2 and mod == 3, i.e. a near
    call whose target operand is a register. Any other opcode yields False.
    '''
    if getOpcode(instruction) != '\xff':
        return False
    # ord() needs a single-character ModRM value; anything else raises TypeError.
    modrm_byte = ord(getModrm(instruction))
    mod_field, reg_field, _rm = decoder.extractmodrm(modrm_byte)
    return reg_field == 2 and mod_field == 3
def isFarJmp(instruction):
    '''Report whether `instruction` is opcode 0xFF with a ModRM reg field of 5.

    FF /5 is the far JMP through a memory pointer in the x86 opcode map.
    Returns False for every other opcode.
    '''
    is_ff_group = getOpcode(instruction) == '\xff'
    if not is_ff_group:
        return False
    # NOTE(review): only the reg field is tested. mod == 3 has no valid FF /5
    # encoding, yet it would still return True here. Confirm whether callers
    # filter that out.
    fields = decoder.extractmodrm(ord(getModrm(instruction)))
    _mod, reg_field, _rm = fields
    return reg_field == 5
def isMemoryCall(instruction):
    '''call Mp

    True for opcode 0xFF when the ModRM reg field is 2 or 3 (near or far
    CALL in the x86 opcode map) and mod < 3, i.e. the operand is a memory
    reference rather than a register. Any other opcode yields False.
    '''
    if getOpcode(instruction) != '\xff':
        return False
    modrm_byte = ord(getModrm(instruction))
    mod_field, reg_field, _rm = decoder.extractmodrm(modrm_byte)
    return reg_field in (2, 3) and mod_field < 3
def isJmpFF(instruction):
    '''Return True when the opcode is 0xFF and the ModRM reg field is 4 or 5.

    FF /4 and FF /5 are the near and far indirect JMP forms in the x86 opcode
    map. Any other opcode yields False.
    '''
    if getOpcode(instruction) != '\xff':
        return False
    # Only the reg field selects the operation within the 0xFF group; mod and
    # rm are not examined here.
    _mod, reg_field, _rm = decoder.extractmodrm(ord(getModrm(instruction)))
    return reg_field in (4, 5)
def isMemoryCall(instruction):
    '''call Mp

    Checks for opcode 0xFF with ModRM reg in {2, 3} and mod below 3, which is
    a CALL whose operand is a memory reference. Returns False for any other
    opcode.
    '''
    opcode_matches = getOpcode(instruction) == '\xff'
    if not opcode_matches:
        return False
    # ord() needs a single-character ModRM value; anything else raises TypeError.
    fields = decoder.extractmodrm(ord(getModrm(instruction)))
    mod_field, reg_field, _rm = fields
    return reg_field in (2, 3) and mod_field < 3
def isRegisterCall(instruction):
    '''call Ev

    Checks for opcode 0xFF with ModRM reg == 2 and mod == 3, which is a near
    CALL through a register operand. Returns False for any other opcode.
    '''
    opcode_matches = getOpcode(instruction) == '\xff'
    if not opcode_matches:
        return False
    fields = decoder.extractmodrm(ord(getModrm(instruction)))
    mod_field, reg_field, _rm = fields
    return reg_field == 2 and mod_field == 3
def isJmpFF(instruction):
    '''Report whether `instruction` is an 0xFF-group jmp (ModRM reg 4 or 5).

    Returns False when the opcode is anything other than 0xFF.
    '''
    opcode_matches = getOpcode(instruction) == '\xff'
    if not opcode_matches:
        return False
    modrm_byte = ord(getModrm(instruction))
    # mod and rm are decoded but play no part in this test.
    _mod, reg_field, _rm = decoder.extractmodrm(modrm_byte)
    return reg_field in (4, 5)
def isDispBranch(instruction):
    '''Return True for an 0xFF-group jmp whose ModRM has rm == 5 and mod 1 or 2.

    Anything that isJmpFF() rejects yields False.
    '''
    if not isJmpFF(instruction):
        return False
    # NOTE(review): mod == 0 with rm == 5 (the displacement-only form in 32-bit
    # addressing) is not matched here. Confirm that exclusion is intended.
    modrm_byte = ord(getModrm(instruction))
    mod_field, _reg, rm_field = decoder.extractmodrm(modrm_byte)
    return rm_field == 5 and mod_field in (1, 2)
def isMemoryBranch(instruction):
    '''Return True for an 0xFF-group jmp whose ModRM mod field is below 3.

    mod < 3 selects a memory operand in the ModRM encoding. Anything that
    isJmpFF() rejects yields False.
    '''
    if not isJmpFF(instruction):
        return False
    modrm_byte = ord(getModrm(instruction))
    mod_field, _reg, _rm = decoder.extractmodrm(modrm_byte)
    return mod_field < 3
def isRegisterBranch(instruction):
    '''Return True for an 0xFF-group jmp whose ModRM mod field equals 3.

    mod == 3 selects a register operand in the ModRM encoding. Anything that
    isJmpFF() rejects yields False.
    '''
    if not isJmpFF(instruction):
        return False
    modrm_byte = ord(getModrm(instruction))
    mod_field, _reg, _rm = decoder.extractmodrm(modrm_byte)
    return mod_field == 3
def extractmodrm(instruction):
    '''Return the (Mod, Reg, r/m) components of an instruction.

    The ModRM field comes from getModrm(), is converted to an integer with
    decodeInteger(), and is then split by decoder.extractmodrm().
    '''
    raw_modrm = getModrm(instruction)
    modrm_value = decodeInteger(raw_modrm)
    return decoder.extractmodrm(modrm_value)
def isMemoryBranch(instruction):
    '''Report whether an 0xFF-group jmp takes a memory operand (mod < 3).

    Returns False when isJmpFF() does not accept the instruction.
    '''
    jmp_ff = isJmpFF(instruction)
    if not jmp_ff:
        return False
    # Only the mod field matters here; reg was already checked by isJmpFF().
    fields = decoder.extractmodrm(ord(getModrm(instruction)))
    mod_field, _reg, _rm = fields
    return mod_field < 3
def isSibBranch(instruction):
    '''Return True for an 0xFF-group jmp whose ModRM has rm == 4 and mod < 3.

    In 32-bit ModRM addressing that combination means a SIB byte follows.
    Anything that isJmpFF() rejects yields False.
    '''
    if not isJmpFF(instruction):
        return False
    modrm_byte = ord(getModrm(instruction))
    mod_field, _reg, rm_field = decoder.extractmodrm(modrm_byte)
    return rm_field == 4 and mod_field < 3
def isDispBranch(instruction):
    '''Report whether an 0xFF-group jmp has ModRM rm == 5 with mod 1 or 2.

    Returns False when isJmpFF() does not accept the instruction.
    '''
    jmp_ff = isJmpFF(instruction)
    if not jmp_ff:
        return False
    # NOTE(review): the mod == 0, rm == 5 encoding (displacement only, in
    # 32-bit addressing) falls outside this test. Confirm that is deliberate.
    fields = decoder.extractmodrm(ord(getModrm(instruction)))
    mod_field, _reg, rm_field = fields
    return rm_field == 5 and mod_field in (1, 2)
def isSibBranch(instruction):
    '''Report whether an 0xFF-group jmp has ModRM rm == 4 with mod below 3.

    rm == 4 with a memory-form mod indicates a SIB byte in 32-bit addressing.
    Returns False when isJmpFF() does not accept the instruction.
    '''
    jmp_ff = isJmpFF(instruction)
    if not jmp_ff:
        return False
    fields = decoder.extractmodrm(ord(getModrm(instruction)))
    mod_field, _reg, rm_field = fields
    return rm_field == 4 and mod_field < 3
if True: code = 'C7 05 6C B0 88 30 A0 BC 88 30' code = [chr(int(x, 16)) for x in code.split(' ')] source = iter(code) insn = decoder.consume(source) checkinsn() if False: code = b'\x6b\xc0\x2c' lookup = optable.Lookup(b'\x6b') # print(optable.HasModrm(lookup),optable.HasImmediate(lookup)) modrm = b'\xc0' mod, reg, rm = decoder.extractmodrm(ord(modrm)) # print(mod,reg,rm) if True: list = ['f7 d8', '1a c0', '68 80 00 00 00'] checklist() if True: code = 'F7 C1 00 01 00 00' code = [chr(int(x, 16)) for x in code.split(' ')] source = iter(code) insn = decoder.consume(source) checkinsn() if True:
def isRegisterBranch(instruction):
    '''Report whether an 0xFF-group jmp takes a register operand (mod == 3).

    Returns False when isJmpFF() does not accept the instruction.
    '''
    jmp_ff = isJmpFF(instruction)
    if not jmp_ff:
        return False
    # Only the mod field matters here; reg was already checked by isJmpFF().
    fields = decoder.extractmodrm(ord(getModrm(instruction)))
    mod_field, _reg, _rm = fields
    return mod_field == 3
if True: code = 'C7 05 6C B0 88 30 A0 BC 88 30' code = [ chr(int(x,16)) for x in code.split(' ') ] source = iter(code) insn = decoder.consume(source) checkinsn() if False: code = '\x6b\xc0\x2c' lookup = optable.Lookup('\x6b') # print optable.HasModrm(lookup),optable.HasImmediate(lookup) modrm = '\xc0' mod,reg,rm = decoder.extractmodrm(ord(modrm)) # print mod,reg,rm if True: list = ['f7 d8', '1a c0', '68 80 00 00 00'] checklist() if True: code = 'F7 C1 00 01 00 00' code = [ chr(int(x,16)) for x in code.split(' ') ] source = iter(code) insn = decoder.consume(source) checkinsn() if True:
def extractmodrm(instruction):
    '''Return the (Mod, Reg, r/m) components of an instruction.

    Reads the ModRM field with getModrm(), turns it into an integer through
    decodeInteger(), and hands that value to decoder.extractmodrm().
    '''
    modrm_value = decodeInteger(getModrm(instruction))
    return decoder.extractmodrm(modrm_value)