Stephen Eckels
@stevemk14ebr
perfect, thanks! You'll probably hear from me more :p. Also saw your work on the Zydis hook engine, I like!
jstaursky
@jstaursky
might be a bit of a dumb question, but how do I access register contents after decode?
ζeh Matt
@ZehMatt
gotta request the thread context
jstaursky
@jstaursky
simple example?
Florian Bernd
@flobernd
Not sure about your question. Zydis is for static code analysis .. you can ofc read individual registers at a specific time using e.g. GetThreadContext on Windows, but you would have to somehow make the code flow stop at an exact position. What are you trying to achieve?
jstaursky
@jstaursky
I guess I thought Zydis would store immediates and the EFLAGS for a primitive form of emulation. Saying it "out loud" now makes me realize how silly I was. I think Unicorn is probably more in line with what I was thinking. Sorry about that.
Tennn
@stonedreamforest
hi all, how do I make "push [ebp-0x04]" show as "push dword ptr [ebp-0x04]"?
The "push [ebp-0x04]" style can't be parsed by asmjit
genuine_
@blaquee
Who maintains the Zydis package for vcpkg?
just fyi, installing it doesn't seem to compile properly when #include <Zydis/Zydis.h> is used
it will error with a bunch of missing header complaints: Severity Code Description Project File Line Suppression State Error (active) E1696 cannot open source file "Zycore/Types.h" BadDriverParser C:\vcpkg\installed\x64-windows\include\Zydis\Decoder.h 35
mainly looks like some configuration error
Florian Bernd
@flobernd
Hi there, I will redirect your report to @athre0z
ζeh Matt
@ZehMatt
Just stumbled upon the same problem I believe, vcpkg no longer installs Zycore
ζeh Matt
@ZehMatt
quite a bit changed API-wise, it's somewhat inconvenient not having the address on the instr
Joel Höner
@athre0z
yeah.. it's due to vcpkg making it absurdly hard to deal with git submodules. I thought I had figured it out by just cloning Zycore as well and setting a var to tell Zydis where Zycore lives, but it appears the Zycore headers aren't installed anyway and that cmake var isn't persisted
I already wasted like 20+ hours trying to fix this shit. Every time I have to deal with vcpkg I feel like a career in gardening would have been the better option
I'll give it another try sometime next week
Joel Höner
@athre0z
probably not even really vcpkg's fault, it's mostly down to it being based on cmake, and cmake's sparsity of documentation and guidance on how to correctly design a project so that it works in all possible use cases (system install, subdir / submodule, package managers, ...)
Stephen Eckels
@stevemk14ebr
@athre0z vcpkg is annoying, I let contributors handle that shit. Someone recently seriously improved the CMakeLists.txt of my project, which may help as a reference point for complicated cmake stuff: https://github.com/stevemk14ebr/PolyHook_2_0/blob/master/CMakeLists.txt
Duncan Ogilvie
@mrexodia
Might be helpful: I just include Zydis as a submodule and this will correctly compile and link Zydis in your cmake project
That being said I think the Zycore submodule is super annoying and should probably be copied back to the project itself :D
Florian Bernd
@flobernd
Thanks for the example :) We have a similar repo here: https://github.com/zyantific/zydis-submodule-example
Joel Höner
@athre0z
microsoft/vcpkg#11173 looks like just waiting & hoping for someone else to fix it worked out :D
looks like it was actually pretty easy & I was just approaching it from the wrong direction
ζeh Matt
@ZehMatt
is there a particular reason why Zydis is not using the actual bit position for the RFLAGS/EFLAGS? The way it works seems a little bit over-engineered
It would also be a bit faster to have 3 flag fields instead of an array which specifies the action
toggling a bit is pretty fast
Joel Höner
@athre0z
hmm yeah, that is a valid thought. With the current tested/modified/set0/set1/undefined variants we'd need 5 fields, however. That being said, it can be argued that set0/set1 are just noise anyway and could just as well be reduced to "modified". In any case, this is a breaking and thus 4.0 change. If you care about this enough, I'd invite you to create an issue for this so we can talk it through properly
also, sorry for the late response -- we don't check Gitter so frequently anymore, you'd have better chances of quick responses on Discord
ζeh Matt
@ZehMatt
I'm struggling a bit with Zydis performance, is there anything to compensate for this a bit?
the decoding is actually fast, but when I want to query the flags of the instr it's actually a bottleneck in my environment
Florian Bernd
@flobernd
I have to admit I never benchmarked this function. If you want you can have a look in the code and maybe suggest some optimizations. Will create an issue on GitHub and see what we can do 😋
ζeh Matt
@ZehMatt
I would simply stick to the actual flag and have a field per access, e.g.: uint32_t flagsRead; uint32_t flagsWrite; uint32_t flagsReadCond; uint32_t flagsWriteCond;
I think it makes it a lot easier to just tag the right bit on
can apply binary operations too
having a rather large array seems a bit over the top
Florian Bernd
@flobernd
that's a good suggestion
did not quite like the current flag system myself tbh :P Will do some research regarding the performance and binary size impact of such a change first
Florian Bernd
@flobernd
Here is the issue for this task: zyantific/zydis#150
ζeh Matt
@ZehMatt
ah nice
ζeh Matt
@ZehMatt
is this project still alive?
Florian Bernd
@flobernd
Sure :) Gitter is just not that actively used anymore. Discord is more active.
Petr Kobalicek
@kobalicek
Hi, I'm running some comparisons and I have found this one:
0F01DF is decoded as invlpga eax, ecx in 64-bit mode. But it should be invlpga rax, ecx according to the manual, which states "The portion of RAX used to form the address is determined by the effective address size".
Is this a bug?
Florian Bernd
@flobernd
@kobalicek Hey hey, sorry for the late response. For some reason I did not receive a notification. I will add an issue on GitHub .. seems like you are correct :)
zyantific/zydis#181 - I will try to resolve it asap when I have a few free minutes