Print “far” token, support RTM instructions

- Also, more whitelist entries for the CS-Zydis diff
2017-09-23 20:20:21 +02:00 · 2017-09-23 20:20:21 +02:00 · da0d4415e3
parent 0711ac09df
commit da0d4415e3
2 changed files with 22 additions and 12 deletions
--- a/src/gui/Src/BasicView/Disassembly.cpp
+++ b/src/gui/Src/BasicView/Disassembly.cpp
@ -1537,11 +1537,20 @@ Instruction_t Disassembly::DisassembleAt(dsint rva)
        if (cs_instr.instStr.startsWith("wait")) // cs says wait, zy says fwait (both ok)
            goto _exit;
        if (cs_instr.dump.length() > 2 &&  // cs ignores segment prefixes if followed by branch hints
-            cs_instr.dump[1] == '\x2e' &&
-            cs_instr.dump[2] == '\x3e')
+            (cs_instr.dump[1] == '\x2e' ||
+            cs_instr.dump[2] == '\x3e'))
+            goto _exit;
+        if (QRegExp("mov .s,.*").exactMatch(cs_instr.instStr) ||
+            cs_instr.instStr.startsWith("str")) // cs claims it's priviliged (it's not)
+            goto _exit;
+        if (QRegExp("l[defgs]s.*").exactMatch(cs_instr.instStr)) // cs allows LES (and friends) in 64 bit mode (invalid)
+            goto _exit;
+        if (QRegExp("f[^ ]+ st0.*").exactMatch(zy_instr.instStr)) // zy prints excplitic st0, cs omits (both ok)
+            goto _exit;
+        if (cs_instr.instStr.startsWith("fstp")) // CS reports 3 operands but only prints 2 ... wat.
            goto _exit;

-        auto insn_hex = zy_instr.dump.toHex().toStdString();
+        auto insn_hex = cs_instr.dump.toHex().toStdString();
        auto cs = cs_instr.instStr.toStdString();
        auto zy = zy_instr.instStr.toStdString();

--- a/src/gui/Src/Disassembler/capstone_gui.cpp
+++ b/src/gui/Src/Disassembler/capstone_gui.cpp
@ -399,16 +399,19 @@ bool CapstoneTokenizer::tokenizeMnemonic()
    QString mnemonic = QString(_cp.Mnemonic().c_str());
    _mnemonicType = TokenType::MnemonicNormal;

-    auto id = _cp.GetId();
+    if (_cp.IsBranchType(Zydis::BT_FarCall | Zydis::BT_FarJmp))
+    {
+        mnemonic += " far";
+    }
+
    if(isNop)
        _mnemonicType = TokenType::MnemonicNop;
    else if(_cp.IsCall())
        _mnemonicType = TokenType::MnemonicCall;
-    else if(_cp.IsJump() || _cp.IsLoop())
-    {
-        _mnemonicType = (id == ZYDIS_MNEMONIC_JMP) ?
-            TokenType::MnemonicUncondJump : TokenType::MnemonicCondJump;
-    }
+    else if(_cp.IsBranchType(Zydis::BT_CondJmp | Zydis::BT_Loop | Zydis::BT_Xbegin))
+        _mnemonicType = TokenType::MnemonicCondJump;
+    else if (_cp.IsBranchType(Zydis::BT_UncondJmp | Zydis::BT_Xabort))
+        _mnemonicType = TokenType::MnemonicUncondJump;
    else if(_cp.IsInt3())
        _mnemonicType = TokenType::MnemonicInt3;
    else if(_cp.IsUnusual())
@ -418,9 +421,7 @@ bool CapstoneTokenizer::tokenizeMnemonic()
    else if(_cp.IsPushPop())
        _mnemonicType = TokenType::MnemonicPushPop;

-    tokenizeMnemonic(_mnemonicType, mnemonic);
-
-    return true;
+    return tokenizeMnemonic(_mnemonicType, mnemonic);;
 }

 bool CapstoneTokenizer::tokenizeMnemonic(TokenType type, const QString & mnemonic)