x86: Decode MOVSXD r32, r/m32 and MOVSXD r16, r/m16 #2930
Merged
…D r32, r/m32 and MOVSXD r16 variant. I confirmed these instruction patterns are used in commercial obfuscators now to break any tool that depends on capstone, which led me to investigate and fix this properly.
Since "autosync" branch doesn't support x86 yet, these instructions that were already fixed in LLVM don't exist in autogenerated tables of capstone. I manually added the instructions to the table.
Fixes capstone-engine#1636
Fixes capstone-engine#1832
Fixes capstone-engine#2442
Fixes capstone-engine#2555
Verified with cstool against the reproducers from each linked issue:
cstool -d x64 "63 c7" -> movsxd eax, edi
cstool -d x64 "63 20" -> movsxd esp, dword ptr [rax]
cstool -d x64 "63 6b 20 ..." -> movsxd ebp, dword ptr [rbx+0x20]
cstool -d x64 "63 26" -> movsxd esp, dword ptr [rsi]
cstool -d x64 "66 63 c1" -> movsxd ax, ecx
cstool -d x64 "66 63 20" -> movsxd sp, dword ptr [rax]
All 86334 MC tests, 821 detail tests, 473 issue tests, 2 feature tests, and 9 integration tests pass, tested both regular and reduce mode.
Rot127
requested changes
May 22, 2026
Collaborator
@0xradulf I wanted to do the release today.
Contributor
Author
Writing the tests right now, should be ready in a few minutes @Rot127
Contributor
Author
Tests added in ad22a61, six entries in tests/issues/issues.yaml covering all reproducers (4 issue-tied + 2 for the r16 variants).
Rot127
approved these changes
May 22, 2026
Collaborator
Rot127
left a comment
Thanks a lot for adding the tests so quickly.
I'll open the backport to v5 and do the release tomorrow then with a fresh mind.
Rot127
added a commit
that referenced
this pull request
May 23, 2026
* x86: Decode MOVSXD r32, r/m32 and MOVSXD r16, r/m16 (#2930)
* I fix the previously rejected valid MOVSXD instruction variants MOVSXD r32, r/m32 and MOVSXD r16 variant. I confirmed these instruction patterns are used in commercial obfuscators now to break any tool that depends on capstone, which led me to investigate and fix this properly.
Since "autosync" branch doesn't support x86 yet, these instructions that were already fixed in LLVM don't exist in autogenerated tables of capstone. I manually added the instructions to the table.
Fixes #2442
Verified with cstool against the reproducers from each linked issue:
cstool -d x64 "63 c7" -> movsxd eax, edi
cstool -d x64 "63 20" -> movsxd esp, dword ptr [rax]
cstool -d x64 "63 6b 20 ..." -> movsxd ebp, dword ptr [rbx+0x20]
cstool -d x64 "63 26" -> movsxd esp, dword ptr [rsi]
cstool -d x64 "66 63 c1" -> movsxd ax, ecx
cstool -d x64 "66 63 20" -> movsxd sp, dword ptr [rax]
All 86334 MC tests, 821 detail tests, 473 issue tests, 2 feature tests, and 9 integration tests pass, tested both regular and reduce mode.
* Add v5 version of tests.
---------
Co-authored-by: 0xradulf <radulf@iretq.com>
Your checklist for this pull request
Detailed description
I fix the previously rejected valid x86 MOVSXD instruction variants MOVSXD r32, r/m32 and r16 one, following LLVM's definitions.
I confirmed these instruction patterns are now being used in commercial obfuscators to break any tool that depends on capstone, which led me to investigate and fix this properly.
Since "autosync" branch doesn't support x86 yet, these variants that were already fixed in LLVM don't exist in autogenerated tables of capstone which is outdated.
I manually added the specific variants to the tables.
Test plan
Verified with cstool against the reproducers from each linked issue:
cstool -d x64 "63 c7" -> movsxd eax, edi
cstool -d x64 "63 20" -> movsxd esp, dword ptr [rax]
cstool -d x64 "63 6b 20" -> movsxd ebp, dword ptr [rbx+0x20]
cstool -d x64 "63 26" -> movsxd esp, dword ptr [rsi]
cstool -d x64 "66 63 c1" -> movsxd ax, ecx
cstool -d x64 "66 63 20" -> movsxd sp, dword ptr [rax]
All 86334 MC tests, 821 detail tests, 473 issue tests, 2 feature tests, and 9 integration tests pass, tested both regular and reduce mode.
Closing issues
Closes #1636
Closes #1832
Closes #2555
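
An added example, not part of the PR or of capstone's code: a minimal C decoder for opcode 0x63 in 64-bit mode, showing how REX.W and the 0x66 prefix select the r64, r32 and r16 destination forms exercised by the reproducers above. The function names are hypothetical, the output strings mirror the cstool lines quoted in the description, and only register and simple base or base+disp8 operands are handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Name of general-purpose register idx (0-15) at width 16, 32 or 64. */
static void reg_name(char *out, size_t n, int idx, int bits) {
    static const char *names[8] = {"ax", "cx", "dx", "bx", "sp", "bp", "si", "di"};
    if (idx < 8)
        snprintf(out, n, "%s%s", bits == 64 ? "r" : bits == 32 ? "e" : "", names[idx]);
    else
        snprintf(out, n, "r%d%s", idx, bits == 64 ? "" : bits == 32 ? "d" : "w");
}

/* Decode one opcode-0x63 instruction in 64-bit mode; returns its length, or -1
 * for input outside this example's scope (SIB, disp32, RIP-relative, truncated). */
int decode_movsxd(const uint8_t *p, size_t len, char *out, size_t n) {
    size_t i = 0;
    int opsize16 = 0, rex = 0;
    if (i < len && p[i] == 0x66) { opsize16 = 1; i++; }   /* operand-size prefix */
    if (i < len && (p[i] & 0xF0) == 0x40) rex = p[i++];   /* REX sits right before the opcode */
    if (i + 2 > len || p[i++] != 0x63) return -1;
    int modrm = p[i++], mod = modrm >> 6, low = modrm & 7;
    int reg = ((modrm >> 3) & 7) | ((rex & 4) ? 8 : 0);   /* REX.R extends the destination */
    int rm = low | ((rex & 1) ? 8 : 0);                   /* REX.B extends r/m */
    int dst_bits = (rex & 8) ? 64 : opsize16 ? 16 : 32;   /* REX.W beats 0x66; neither gives r32 */
    char dst[16], breg[16], src[48];
    reg_name(dst, sizeof dst, reg, dst_bits);
    reg_name(breg, sizeof breg, rm, 64);                  /* base register if r/m is memory */
    if (mod == 3) {
        reg_name(src, sizeof src, rm, 32);                /* source shown as 32-bit, as on the page */
    } else if (mod == 0 && low != 4 && low != 5) {
        snprintf(src, sizeof src, "dword ptr [%s]", breg);
    } else if (mod == 1 && low != 4 && i < len) {
        int d = (int8_t)p[i++];                           /* sign-extended disp8 */
        snprintf(src, sizeof src, "dword ptr [%s%c0x%x]", breg,
                 d < 0 ? '-' : '+', (unsigned)(d < 0 ? -d : d));
    } else {
        return -1;
    }
    snprintf(out, n, "movsxd %s, %s", dst, src);
    return (int)i;
}

int main(void) {   /* self-check on a reproducer quoted in the PR */
    const uint8_t r16[] = {0x66, 0x63, 0xc1};
    char text[64];
    int len = decode_movsxd(r16, sizeof r16, text, sizeof text);
    printf("%d: %s\n", len, len > 0 ? text : "(unsupported)");
    return !(len == 3 && strcmp(text, "movsxd ax, ecx") == 0);
}
```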