incorrect 64-bit decode of 0x488b3d534c5f

[GoogleCodeExporter]

What steps will reproduce the problem?

run the following python code

from distorm3 import Decode, Decode64Bits
for op in  Decode(0x400000, '488b3d534c5f'.decode('hex'), Decode64Bits):
    print op[2]


What is the expected output? What do you see instead?

It prints:
DB 0x48
DB 0x8b
DB 0x3d
PUSH RBX
POP RDI

However other disassemblers print:
MOV RDI, QWORD PTR [0x5F4C74]


What version of the product are you using? On what operating system?
distrom3-1.0 python installer

Original issue reported on code.google.com by jcope...@gmail.com on 5 Nov 2010 at 7:45

[GoogleCodeExporter]

I don't know what you're trying to disassemble. But you have two prefixes here! 
So the second one overrides the first one. Then the instruction starts with 
0x3d, which is really a 'compare'. And then you're not passing enough bytes so 
you get the instruction broken.

I don't know what disassembler you use, but even WinDbg gave me the following 
output for your input:
0 48              ???
1 4b3d534c5fcc    cmp     rax,0FFFFFFFFCC5F4C53h

So if you're adding another byte to the stream, diStorm will give you a good 
result.
Good luck.

Original comment by distorm@gmail.com on 6 Nov 2010 at 6:17

• Changed state: Invalid

[GoogleCodeExporter]

I was disassembling it with PEBrowsePro, which must automatically pad with 
zeros because if I change the bytes to '488b3d534c5f00', as you suggest, it 
matches what PEBrowsePro gives..

Sorry.

Original comment by jcope...@gmail.com on 7 Nov 2010 at 3:54