blitz / baresifter Goto Github PK

It looks like the tool skips scanning all prefixes somehow (looking at the logs generated)?

They might explode the search space somewhat, but they might also have different encodings and length affecting of the instructions (immediate size and modr/m size differences for example).
So that mainly affects operand and address and perhaps also REX on x86_64 specifically (which is currently detected as a prefix incorrectly on x86 as well, fixed in my repository).

When a page fault is thrown for the instruction fetching second page, the I-bit (bit 4 of the error code) is never set because it only happens on NX-enabled processors.
This breaks the analysis to incorrectly detect all instructions as 1-byte instructions.

XED is used inside and outside of Intel, is reasonably self contained and hopefully more actively maintained than Capstone.

https://github.com/intelxed/xed

Is it possible to make the Analyzer filter out some of the prefix groups in it's results somehow, like I implemented in my own fork of Baresifter (implemented for the Baresifter output, but not for Analyzer input yet (don't know the language that well))?

So far I've (see git pull request from my own Baresifter fork) implemented the possiblity to:

• Execute on any CPU down to i386.
• Filter out prefix groups that are detected as prefixes (allowing for older CPUs not to detect the REX prefix when it isn't supported) using a bitmask (bit 0 = group 0, bit 1 = group 1 etc. till group 3, then group 4 is the REX prefix (allows x86 40-4F INC/DEC instructions to be sifted)). Clearing the bitmask bit (set by default) in the parameter causes it to be excluded from the detected prefixes.
• Skip prefix groups (based on the above detection results, by compating against the bitmask) from the results. Another bitmask for this (same format as above) causes it to skip the instruction if the bit is cleared for any of detected prefixes (so detected because of detect bitmask 1(or default, which is 1 for any of the bits) so the detected prefix causes the cleared bit in the second mask (the used bitmask) to exclude if said bit in the used bitmask bit is cleared.
• Converted the prefix LUT into a class to be able to configure the filtering behaviour of detected prefixes.

Is it possible to add the same logic to the Analyzer (so detecting specified prefixes and excluding them from results if the used prefix bit is cleared) based on the inputted (already filtered) text file containing Baresifter's output?

I would like to fuzz MAME's i386 core using this tool, but unfortunately, this only works on 64-bit CPUs, and MAME's emulation simply hasn't gotten that far yet. I also can't run sandsifter since most modern Unices require at least a Pentium if not a Pentium Pro to install, and MAME's emulation of PCs based on those CPUs is shoddy currently at best.