Off-by-one access in fillRegister
Hello,
The following bytes '\x44\x0f\xf8\x41\x8b' (disassembled as psubb mm0,mmword ptr [rcx-75h] by windbg) trigger an off-by-one out-of-bounds read of the RegistersMMX global table: the decoder lets the 0x44 REX prefix (REX.R set) extend the reg field even though MMX registers cannot be extended, so fillRegister is called with index = 8, one past the last MMX register. The table holds char pointers, so the out-of-bounds slot is read as a pointer and then passed to strcpy, which dereferences whatever happens to lie past the end of the table:
void __bea_callspec__ fillRegister(int index, OPTYPE* pMyOperand, PDISASM pMyDisasm)
{
size_t i = 0;
switch(GV.Register_) {
// ...
case MMX_REG:
#ifndef BEA_LIGHT_DISASSEMBLY
(void) strcpy ((char*) pMyOperand->OpMnemonic+i, RegistersMMX[index]);
#endif
The index variable is off-by-one (index = 8, see frame 08 below). Since the index is derived directly from the input bytes being disassembled, any consumer that disassembles untrusted data (fuzzers, gadget finders such as rp) can hit this; fillRegister should bounds-check index against the size of the selected register table (or mask/ignore REX.R for MMX operands) before indexing:
08 0000002f`75dfce10 00007ff7`b1172f2a rp_win_x64!fillRegister(int index = 0n8, struct OPTYPE * pMyOperand = 0x0000002f`75dfe06c, struct _Disasm * pMyDisasm = 0x0000002f`75dfdecc)+0x598 [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_ModRM.c @ 105]
Cheers
There is a similar case with an input starting with the byte '\x62' (the EVEX prefix; only the first byte is shown here, the call stack below gives the decoding path), which reaches the `default:` branch of the same switch with an out-of-bounds index:
default:
switch (GV.OperandSize) {
case 16:
#ifndef BEA_LIGHT_DISASSEMBLY
(void)strcpy((char *)pMyOperand->OpMnemonic + i, Registers16Bits[index]);
index is out-of-bounds (index = 23, see frame 08 below, which is past the end of the Registers16Bits table):
08 00000054`5b6fd190 00007ff7`f6fb2f2a rp_win_x64!fillRegister(int index = 0n23, struct OPTYPE * pMyOperand = 0x00000054`5b6fe690, struct _Disasm * pMyDisasm = 0x00000054`5b6fe42c)+0xde5 [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_ModRM.c @ 180]
09 00000054`5b6fd410 00007ff7`f7041e09 rp_win_x64!decodeRegOpcode(struct OPTYPE * pMyOperand = 0x00000054`5b6fe690, struct _Disasm * pMyDisasm = 0x00000054`5b6fe42c)+0x32a [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_ModRM.c @ 238]
0a 00000054`5b6fd4d0 00007ff7`f70b014a rp_win_x64!vextractf128(struct _Disasm * pMyDisasm = 0x00000054`5b6fe42c)+0x2e9 [C:\work\codes\rp\src\third_party\beaengine\src\Includes\instr_set\instructions_list.c @ 15002]
0b 00000054`5b6fd630 00007ff7`f6fa3226 rp_win_x64!bound_(struct _Disasm * pMyDisasm = 0x00000054`5b6fe42c)+0xd3a [C:\work\codes\rp\src\third_party\beaengine\src\Includes\instr_set\instructions_list.c @ 713]
0c 00000054`5b6fdb00 00007ff7`f70b4f9a rp_win_x64!AnalyzeOpcode(struct _Disasm * pMyDisasm = 0x00000054`5b6fe42c)+0x166 [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_Disasm.c @ 222]
Cheers
The same problem occurs with an input starting with '\x4f' (a REX prefix with W, R, X and B all set; again only the first byte is shown, the call stack below gives the decoding path) in the 64-bit branch, where index = 30 is past the end of the Registers64Bits table:
case 64:
#ifndef BEA_LIGHT_DISASSEMBLY
(void)strcpy((char *)pMyOperand->OpMnemonic + i,
Registers64Bits[index]);
08 00000095`2f9fcf50 00007ff6`444c2f2a rp_win_x64!fillRegister(int index = 0n30, struct OPTYPE * pMyOperand = 0x00000095`2f9fe600, struct _Disasm * pMyDisasm = 0x00000095`2f9fe39c)+0x106b [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_ModRM.c @ 203]
09 00000095`2f9fd1e0 00007ff6`444b26c1 rp_win_x64!decodeRegOpcode(struct OPTYPE * pMyOperand = 0x00000095`2f9fe600, struct _Disasm * pMyDisasm = 0x00000095`2f9fe39c)+0x32a [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_ModRM.c @ 243]
0a 00000095`2f9fd2a0 00007ff6`444e123a rp_win_x64!ExGx(struct _Disasm * pMyDisasm = 0x00000095`2f9fe39c)+0x51 [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_Disasm.c @ 271]
0b 00000095`2f9fd320 00007ff6`445c012b rp_win_x64!vpscatterqd(struct _Disasm * pMyDisasm = 0x00000095`2f9fe39c)+0x4da [C:\work\codes\rp\src\third_party\beaengine\src\Includes\instr_set\instructions_list.c @ 30224]
0c 00000095`2f9fd420 00007ff6`445b3286 rp_win_x64!bound_(struct _Disasm * pMyDisasm = 0x00000095`2f9fe39c)+0xcdb [C:\work\codes\rp\src\third_party\beaengine\src\Includes\instr_set\instructions_list.c @ 710]
0d 00000095`2f9fd8f0 00007ff6`444b3226 rp_win_x64!dec_edi(struct _Disasm * pMyDisasm = 0x00000095`2f9fe39c)+0x736 [C:\work\codes\rp\src\third_party\beaengine\src\Includes\instr_set\instructions_list.c @ 2213]
0e 00000095`2f9fda70 00007ff6`445c4fda rp_win_x64!AnalyzeOpcode(struct _Disasm * pMyDisasm = 0x00000095`2f9fe39c)+0x166 [C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_Disasm.c @ 222]
Cheers