Multiple improvements

- New shemu flag - SHEMU_FLAG_SIDT, set when sheu encounters a SIDT in ring0. - Added the CET Tracked flag to SYSCLAL, SYSENTER and INT n instructions. - Fixed Do Not Track prefix recognition for CALL and JMP in long-mode. - Fixed MONITOR and MONITORX implicit operands - the rAX register encodes a virtual address that will be used as the monitored range. That address is subject to a 1 byte load. - Fixed RMPADJUST and RMPUPDATE implicit operands - the rAX register encodes a virtual address, and the rCX register encodes a virtual address of the RMP updated entry.
bitdefender · Aug 31, 2021 · 0809617 · 0809617
1 parent 5a61798
commit 0809617
Show file tree

Hide file tree

Showing 25 changed files with 701 additions and 51 deletions.
diff --git a/bddisasm/bddisasm.c b/bddisasm/bddisasm.c
@@ -215,6 +215,8 @@ static const uint16_t gOperandMap[] =
     ND_OPE_S,       // ND_OPT_SSE_XMM6
     ND_OPE_S,       // ND_OPT_SSE_XMM7
 
+    ND_OPE_S,       // ND_OPT_MEM_rAX (as used by MONITOR, MONITORX and RMPADJUST)
+    ND_OPE_S,       // ND_OPT_MEM_rCX (as used by RMPUPDATE)
     ND_OPE_S,       // ND_OPT_MEM_rBX_AL (as used by XLAT)
     ND_OPE_S,       // ND_OPT_MEM_rDI (as used by masked moves)
     ND_OPE_S,       // ND_OPT_MEM_SHS
@@ -733,10 +735,26 @@ NdFetchPrefixes(
             case ND_PREFIX_G2_SEG_GS:
                 if (ND_CODE_64 == Instrux->DefCode)
                 {
-                    // Do not overwrite FS/GS with ES/CS/DS/SS in 64 bit mode. In 64 bit mode, only FS/GS overrides
-                    // are considered.
-                    if (prefix == ND_PREFIX_G2_SEG_FS || prefix == ND_PREFIX_G2_SEG_GS)
+                    if (prefix == ND_PREFIX_G2_SEG_FS || 
+                        prefix == ND_PREFIX_G2_SEG_GS)
                     {
+                        // The last FS/GS is always used, if present.
+                        Instrux->Seg = prefix;
+                        Instrux->HasSeg = true;
+                    }
+                    else if (prefix == ND_PREFIX_G2_NO_TRACK && 
+                        Instrux->Seg != ND_PREFIX_G2_SEG_FS &&
+                        Instrux->Seg != ND_PREFIX_G2_SEG_GS)
+                    {
+                        // The Do Not Track prefix is considered only if there isn't a FS/GS prefix.
+                        Instrux->Seg = prefix;
+                        Instrux->HasSeg = true;
+                    }
+                    else if (Instrux->Seg != ND_PREFIX_G2_SEG_FS && 
+                        Instrux->Seg != ND_PREFIX_G2_SEG_GS &&
+                        Instrux->Seg != ND_PREFIX_G2_NO_TRACK)
+                    {
+                        // All other prefixes are considered if Do Not Track, FS, GS are not present.
                         Instrux->Seg = prefix;
                         Instrux->HasSeg = true;
                     }
@@ -746,11 +764,6 @@ NdFetchPrefixes(
                     Instrux->Seg = prefix;
                     Instrux->HasSeg = true;
                 }
-                if (prefix == ND_PREFIX_G2_BR_TAKEN || prefix == ND_PREFIX_G2_BR_NOT_TAKEN)
-                {
-                    Instrux->Bhint = prefix;
-                    Instrux->HasSeg = true;
-                }
                 morePrefixes = true;
                 break;
             case ND_PREFIX_G3_OPERAND_SIZE:
@@ -2909,6 +2922,28 @@ NdParseOperand(
         operand->Info.Memory.Seg = NdGetSegOverride(Instrux, NDR_DS);
         break;
 
+    case ND_OPT_MEM_rAX:
+        // [rAX], used implicitly by MONITOR, MONITORX and RMPADJUST instructions.
+        Instrux->MemoryAccess |= operand->Access.Access;
+        operand->Type = ND_OP_MEM;
+        operand->Info.Memory.HasBase = true;
+        operand->Info.Memory.BaseSize = 2 << Instrux->AddrMode;
+        operand->Info.Memory.Base = NDR_RAX;            // Always rAX.
+        operand->Info.Memory.HasSeg = true;
+        operand->Info.Memory.Seg = NdGetSegOverride(Instrux, NDR_DS);
+        break;
+
+    case ND_OPT_MEM_rCX:
+        // [rCX], used implicitly by RMPUPDATE.
+        Instrux->MemoryAccess |= operand->Access.Access;
+        operand->Type = ND_OP_MEM;
+        operand->Info.Memory.HasBase = true;
+        operand->Info.Memory.BaseSize = 2 << Instrux->AddrMode;
+        operand->Info.Memory.Base = NDR_RCX;            // Always rCX.
+        operand->Info.Memory.HasSeg = true;
+        operand->Info.Memory.Seg = NdGetSegOverride(Instrux, NDR_DS);
+        break;
+
     case ND_OPT_MEM_SHS:
         // Shadow stack access using the current SSP.
         Instrux->MemoryAccess |= operand->Access.Access;
@@ -4231,10 +4266,9 @@ NdDecodeWithContext(
     Instrux->IsRepeated = ((Instrux->Rep != 0) && (ND_REP_SUPPORT(Instrux) || ND_REPC_SUPPORT(Instrux)));
 
     // Check if the instruction is CET tracked. The do not track prefix (0x3E) works only for indirect near JMP and CALL
-    // via register. It is always enabled for indirect far JMP and CALL or near indirect JMP and CALL via memoery.
+    // instructions. It is always enabled for far JMP and CALL instructions.
     Instrux->IsCetTracked = ND_HAS_CETT(Instrux) && ((!ND_DNT_SUPPORT(Instrux)) ||
-                                                     (Instrux->Seg != ND_PREFIX_G2_NO_TRACK) ||
-                                                     (Instrux->HasModRm && (Instrux->ModRm.mod != 3)));
+                                                     (Instrux->Seg != ND_PREFIX_G2_NO_TRACK));
 
     // Do instruction validations. These checks are made in order to filter out encodings that would normally
     // be invalid and would generate #UD.
@@ -4391,7 +4425,7 @@ NdToText(
 
     if (Instrux->HasSeg && ND_BHINT_SUPPORT(Instrux))
     {
-       switch (Instrux->Bhint)
+       switch (Instrux->Seg)
        {
        case ND_PREFIX_G2_BR_TAKEN:
             res = nd_strcat_s(Buffer, BufferSize, "BHT ");

diff --git a/bddisasm/include/instructions.h b/bddisasm/include/instructions.h
@@ -7316,7 +7316,7 @@ const ND_INSTRUCTION gInstructions[2701] =
         ND_INS_INT, ND_CAT_INTERRUPT, ND_SET_I86, 291, 
         0, 
         ND_MOD_R0|ND_MOD_R1|ND_MOD_R2|ND_MOD_R3|ND_MOD_REAL|ND_MOD_V8086|ND_MOD_PROT|ND_MOD_COMPAT|ND_MOD_LONG|ND_MOD_VMXR|ND_MOD_VMXN|ND_MOD_VMXR_SEAM|ND_MOD_VMXN_SEAM|ND_MOD_VMX_OFF|ND_MOD_SMM|ND_MOD_SMM_OFF|ND_MOD_SGX_OFF|ND_MOD_TSX|ND_MOD_TSX_OFF, 
-        0, ND_OPS_CNT(1, 5), 0, 0, 0, 0, 0, 0, 0, 0, 
+        0, ND_OPS_CNT(1, 5), 0, 0, 0, 0, 0, 0, ND_FLAG_CETT, 0, 
         0|NDR_RFLAG_VM,
         0|NDR_RFLAG_VM|NDR_RFLAG_IF|NDR_RFLAG_NT|NDR_RFLAG_AC|NDR_RFLAG_RF|NDR_RFLAG_TF,
         0,
@@ -7354,7 +7354,7 @@ const ND_INSTRUCTION gInstructions[2701] =
         ND_INS_INT3, ND_CAT_INTERRUPT, ND_SET_I86, 293, 
         0, 
         ND_MOD_R0|ND_MOD_R1|ND_MOD_R2|ND_MOD_R3|ND_MOD_REAL|ND_MOD_V8086|ND_MOD_PROT|ND_MOD_COMPAT|ND_MOD_LONG|ND_MOD_VMXR|ND_MOD_VMXN|ND_MOD_VMXR_SEAM|ND_MOD_VMXN_SEAM|ND_MOD_VMX_OFF|ND_MOD_SMM|ND_MOD_SMM_OFF|ND_MOD_SGX_OFF|ND_MOD_TSX|ND_MOD_TSX_OFF, 
-        0, ND_OPS_CNT(0, 5), 0, 0, 0, 0, 0, 0, 0, 0, 
+        0, ND_OPS_CNT(0, 5), 0, 0, 0, 0, 0, 0, ND_FLAG_CETT, 0, 
         0|NDR_RFLAG_VM,
         0|NDR_RFLAG_VM|NDR_RFLAG_IF|NDR_RFLAG_NT|NDR_RFLAG_AC|NDR_RFLAG_RF|NDR_RFLAG_TF,
         0,
@@ -7373,7 +7373,7 @@ const ND_INSTRUCTION gInstructions[2701] =
         ND_INS_INTO, ND_CAT_INTERRUPT, ND_SET_I86, 294, 
         0, 
         ND_MOD_R0|ND_MOD_R1|ND_MOD_R2|ND_MOD_R3|ND_MOD_REAL|ND_MOD_V8086|ND_MOD_PROT|ND_MOD_COMPAT|ND_MOD_VMXR|ND_MOD_VMXN|ND_MOD_VMXR_SEAM|ND_MOD_VMXN_SEAM|ND_MOD_VMX_OFF|ND_MOD_SMM|ND_MOD_SMM_OFF|ND_MOD_SGX_OFF|ND_MOD_TSX|ND_MOD_TSX_OFF, 
-        0, ND_OPS_CNT(0, 5), 0, 0, 0, 0, 0, 0, ND_FLAG_I64, 0, 
+        0, ND_OPS_CNT(0, 5), 0, 0, 0, 0, 0, 0, ND_FLAG_CETT|ND_FLAG_I64, 0, 
         0|NDR_RFLAG_VM,
         0|NDR_RFLAG_VM|NDR_RFLAG_IF|NDR_RFLAG_NT|NDR_RFLAG_AC|NDR_RFLAG_RF|NDR_RFLAG_TF,
         0,
@@ -10276,7 +10276,7 @@ const ND_INSTRUCTION gInstructions[2701] =
         0,
         0,
         {
-            OP(ND_OPT_GPR_rAX, ND_OPS_d, ND_OPF_DEFAULT, ND_OPA_R, 0, 0), 
+            OP(ND_OPT_MEM_rAX, ND_OPS_b, ND_OPF_DEFAULT, ND_OPA_R, 0, 0), 
             OP(ND_OPT_GPR_rCX, ND_OPS_d, ND_OPF_DEFAULT, ND_OPA_R, 0, 0), 
             OP(ND_OPT_GPR_rDX, ND_OPS_d, ND_OPF_DEFAULT, ND_OPA_R, 0, 0), 
         },
@@ -10293,7 +10293,7 @@ const ND_INSTRUCTION gInstructions[2701] =
         0,
         0,
         {
-            OP(ND_OPT_GPR_rAX, ND_OPS_d, ND_OPF_DEFAULT, ND_OPA_R, 0, 0), 
+            OP(ND_OPT_MEM_rAX, ND_OPS_b, ND_OPF_DEFAULT, ND_OPA_R, 0, 0), 
             OP(ND_OPT_GPR_rCX, ND_OPS_d, ND_OPF_DEFAULT, ND_OPA_R, 0, 0), 
             OP(ND_OPT_GPR_rDX, ND_OPS_d, ND_OPF_DEFAULT, ND_OPA_R, 0, 0), 
         },
@@ -19031,13 +19031,14 @@ const ND_INSTRUCTION gInstructions[2701] =
         ND_INS_RMPADJUST, ND_CAT_SYSTEM, ND_SET_SNP, 684, 
         0, 
         ND_MOD_R0|ND_MOD_LONG|ND_MOD_VMXR|ND_MOD_VMXN|ND_MOD_VMXR_SEAM|ND_MOD_VMXN_SEAM|ND_MOD_VMX_OFF|ND_MOD_SMM|ND_MOD_SMM_OFF|ND_MOD_SGX_OFF|ND_MOD_TSX|ND_MOD_TSX_OFF, 
-        0, ND_OPS_CNT(0, 4), 0, 0, 0, 0, 0, 0, ND_FLAG_MODRM|ND_FLAG_O64, ND_CFF_SNP, 
+        0, ND_OPS_CNT(0, 5), 0, 0, 0, 0, 0, 0, ND_FLAG_I67|ND_FLAG_MODRM|ND_FLAG_O64, ND_CFF_SNP, 
         0,
         0|NDR_RFLAG_OF|NDR_RFLAG_ZF|NDR_RFLAG_AF|NDR_RFLAG_PF|NDR_RFLAG_SF,
         0,
         0,
         {
-            OP(ND_OPT_GPR_rAX, ND_OPS_q, ND_OPF_DEFAULT, ND_OPA_RW, 0, 0), 
+            OP(ND_OPT_MEM_rAX, ND_OPS_b, ND_OPF_DEFAULT, ND_OPA_R, 0, 0), 
+            OP(ND_OPT_GPR_rAX, ND_OPS_d, ND_OPF_DEFAULT, ND_OPA_RW, 0, 0), 
             OP(ND_OPT_GPR_rCX, ND_OPS_q, ND_OPF_DEFAULT, ND_OPA_R, 0, 0), 
             OP(ND_OPT_GPR_rDX, ND_OPS_q, ND_OPF_DEFAULT, ND_OPA_R, 0, 0), 
             OP(ND_OPT_F, ND_OPS_v, ND_OPF_DEFAULT, ND_OPA_W, 0, 0), 
@@ -19049,14 +19050,14 @@ const ND_INSTRUCTION gInstructions[2701] =
         ND_INS_RMPUPDATE, ND_CAT_SYSTEM, ND_SET_SNP, 685, 
         0, 
         ND_MOD_R0|ND_MOD_LONG|ND_MOD_VMXR|ND_MOD_VMXN|ND_MOD_VMXR_SEAM|ND_MOD_VMXN_SEAM|ND_MOD_VMX_OFF|ND_MOD_SMM|ND_MOD_SMM_OFF|ND_MOD_SGX_OFF|ND_MOD_TSX|ND_MOD_TSX_OFF, 
-        0, ND_OPS_CNT(0, 3), 0, 0, 0, 0, 0, 0, ND_FLAG_MODRM|ND_FLAG_O64, ND_CFF_SNP, 
+        0, ND_OPS_CNT(0, 3), 0, 0, 0, 0, 0, 0, ND_FLAG_I67|ND_FLAG_MODRM|ND_FLAG_O64, ND_CFF_SNP, 
         0,
         0|NDR_RFLAG_OF|NDR_RFLAG_ZF|NDR_RFLAG_AF|NDR_RFLAG_PF|NDR_RFLAG_SF,
         0,
         0,
         {
             OP(ND_OPT_GPR_rAX, ND_OPS_q, ND_OPF_DEFAULT, ND_OPA_RW, 0, 0), 
-            OP(ND_OPT_GPR_rCX, ND_OPS_q, ND_OPF_DEFAULT, ND_OPA_R, 0, 0), 
+            OP(ND_OPT_MEM_rCX, ND_OPS_dq, ND_OPF_DEFAULT, ND_OPA_R, 0, 0), 
             OP(ND_OPT_F, ND_OPS_v, ND_OPF_DEFAULT, ND_OPA_W, 0, 0), 
         },
     }, 
@@ -21694,7 +21695,7 @@ const ND_INSTRUCTION gInstructions[2701] =
         ND_INS_SYSCALL, ND_CAT_SYSCALL, ND_SET_AMD, 783, 
         0, 
         ND_MOD_R0|ND_MOD_R1|ND_MOD_R2|ND_MOD_R3|ND_MOD_REAL|ND_MOD_V8086|ND_MOD_PROT|ND_MOD_COMPAT|ND_MOD_LONG|ND_MOD_VMXR|ND_MOD_VMXN|ND_MOD_VMXR_SEAM|ND_MOD_VMXN_SEAM|ND_MOD_VMX_OFF|ND_MOD_SMM|ND_MOD_SMM_OFF|ND_MOD_SGX_OFF|ND_MOD_TSX|ND_MOD_TSX_OFF, 
-        0, ND_OPS_CNT(0, 10), 0, 0, 0, 0, 0, 0, ND_FLAG_F64, ND_CFF_FSC, 
+        0, ND_OPS_CNT(0, 10), 0, 0, 0, 0, 0, 0, ND_FLAG_F64|ND_FLAG_CETT, ND_CFF_FSC, 
         0,
         0,
         0,
@@ -21718,7 +21719,7 @@ const ND_INSTRUCTION gInstructions[2701] =
         ND_INS_SYSENTER, ND_CAT_SYSCALL, ND_SET_PPRO, 784, 
         0, 
         ND_MOD_R0|ND_MOD_R1|ND_MOD_R2|ND_MOD_R3|ND_MOD_PROT|ND_MOD_COMPAT|ND_MOD_LONG|ND_MOD_VMXR|ND_MOD_VMXN|ND_MOD_VMXR_SEAM|ND_MOD_VMXN_SEAM|ND_MOD_VMX_OFF|ND_MOD_SMM|ND_MOD_SMM_OFF|ND_MOD_SGX_OFF|ND_MOD_TSX|ND_MOD_TSX_OFF, 
-        0, ND_OPS_CNT(0, 9), 0, 0, 0, 0, 0, 0, 0, ND_CFF_SEP, 
+        0, ND_OPS_CNT(0, 9), 0, 0, 0, 0, 0, 0, ND_FLAG_CETT, ND_CFF_SEP, 
         0,
         0,
         0,

diff --git a/bddisasm/include/tabledefs.h b/bddisasm/include/tabledefs.h
@@ -441,6 +441,8 @@ typedef enum _ND_OPERAND_TYPE_SPEC
     ND_OPT_SSE_XMM7,
 
     // Implicit memory operands.
+    ND_OPT_MEM_rAX,
+    ND_OPT_MEM_rCX,
     ND_OPT_MEM_rBX_AL,
     ND_OPT_MEM_rDI,
     ND_OPT_MEM_SHS,

diff --git a/bddisasm_test/basic/basic2_64.result b/bddisasm_test/basic/basic2_64.result
@@ -66,7 +66,8 @@
                 REP: no, REPcc: no, LOCK: no
                 HLE: no, XACQUIRE only: no, XRELEASE only: no
                 BND: no, BHINT: no, DNT: no
-        Operand: 0, Acc:  R-,  Type:   Register, Size:  4, RawSize:  4, Encoding: S, RegType:  General Purpose, RegSize:  4, RegId: 0, RegCount: 1
+        Operand: 0, Acc:  R-,  Type:     Memory, Size:  1, RawSize:  1, Encoding: S, 
+                Segment: 3, Base: 0, 
         Operand: 1, Acc:  R-,  Type:   Register, Size:  4, RawSize:  4, Encoding: S, RegType:  General Purpose, RegSize:  4, RegId: 1, RegCount: 1
         Operand: 2, Acc:  R-,  Type:   Register, Size:  4, RawSize:  4, Encoding: S, RegType:  General Purpose, RegSize:  4, RegId: 2, RegCount: 1
 

diff --git a/bddisasm_test/basic/branch_16.result b/bddisasm_test/basic/branch_16.result
@@ -580,7 +580,7 @@
 
 0000000000000066 cd21                            INT       0x21
         DSIZE: 16, ASIZE: 16, VLEN: -
-        ISA Set: I86, Ins cat: INTERRUPT, CET tracked: no
+        ISA Set: I86, Ins cat: INTERRUPT, CET tracked: yes
         FLAGS access
                 TF: m, IF: m, NT: m, RF: m, VM: tm, AC: m, 
         Valid modes
@@ -603,7 +603,7 @@
 
 0000000000000068 cc                              INT3
         DSIZE: 16, ASIZE: 16, VLEN: -
-        ISA Set: I86, Ins cat: INTERRUPT, CET tracked: no
+        ISA Set: I86, Ins cat: INTERRUPT, CET tracked: yes
         FLAGS access
                 TF: m, IF: m, NT: m, RF: m, VM: tm, AC: m, 
         Valid modes

diff --git a/bddisasm_test/basic/branch_32.result b/bddisasm_test/basic/branch_32.result
@@ -580,7 +580,7 @@
 
 0000000000000064 cd21                            INT       0x21
         DSIZE: 32, ASIZE: 32, VLEN: -
-        ISA Set: I86, Ins cat: INTERRUPT, CET tracked: no
+        ISA Set: I86, Ins cat: INTERRUPT, CET tracked: yes
         FLAGS access
                 TF: m, IF: m, NT: m, RF: m, VM: tm, AC: m, 
         Valid modes
@@ -603,7 +603,7 @@
 
 0000000000000066 cc                              INT3
         DSIZE: 32, ASIZE: 32, VLEN: -
-        ISA Set: I86, Ins cat: INTERRUPT, CET tracked: no
+        ISA Set: I86, Ins cat: INTERRUPT, CET tracked: yes
         FLAGS access
                 TF: m, IF: m, NT: m, RF: m, VM: tm, AC: m, 
         Valid modes
@@ -786,7 +786,7 @@
 
 0000000000000074 0f34                            SYSENTER
         DSIZE: 32, ASIZE: 32, VLEN: -
-        ISA Set: PPRO, Ins cat: SYSCALL, CET tracked: no
+        ISA Set: PPRO, Ins cat: SYSCALL, CET tracked: yes
         CPUID leaf: 0x00000001, reg: edx, bit: 11
         FLAGS access
                 IF: 0, 

diff --git a/bddisasm_test/basic/branch_64.result b/bddisasm_test/basic/branch_64.result
@@ -360,7 +360,7 @@
 
 0000000000000032 cd21                            INT       0x21
         DSIZE: 32, ASIZE: 64, VLEN: -
-        ISA Set: I86, Ins cat: INTERRUPT, CET tracked: no
+        ISA Set: I86, Ins cat: INTERRUPT, CET tracked: yes
         FLAGS access
                 TF: m, IF: m, NT: m, RF: m, VM: tm, AC: m, 
         Valid modes
@@ -383,7 +383,7 @@
 
 0000000000000034 cc                              INT3
         DSIZE: 32, ASIZE: 64, VLEN: -
-        ISA Set: I86, Ins cat: INTERRUPT, CET tracked: no
+        ISA Set: I86, Ins cat: INTERRUPT, CET tracked: yes
         FLAGS access
                 TF: m, IF: m, NT: m, RF: m, VM: tm, AC: m, 
         Valid modes
@@ -566,7 +566,7 @@
 
 0000000000000042 0f05                            SYSCALL
         DSIZE: 64, ASIZE: 64, VLEN: -
-        ISA Set: AMD, Ins cat: SYSCALL, CET tracked: no
+        ISA Set: AMD, Ins cat: SYSCALL, CET tracked: yes
         CPUID leaf: 0x80000001, reg: ecx, bit: 11
         FLAGS access
                 Entire register

diff --git a/bddisasm_test/basic/snp_64.result b/bddisasm_test/basic/snp_64.result
@@ -13,10 +13,12 @@
                 REP: no, REPcc: no, LOCK: no
                 HLE: no, XACQUIRE only: no, XRELEASE only: no
                 BND: no, BHINT: no, DNT: no
-        Operand: 0, Acc:  RW,  Type:   Register, Size:  8, RawSize:  8, Encoding: S, RegType:  General Purpose, RegSize:  8, RegId: 0, RegCount: 1
-        Operand: 1, Acc:  R-,  Type:   Register, Size:  8, RawSize:  8, Encoding: S, RegType:  General Purpose, RegSize:  8, RegId: 1, RegCount: 1
-        Operand: 2, Acc:  R-,  Type:   Register, Size:  8, RawSize:  8, Encoding: S, RegType:  General Purpose, RegSize:  8, RegId: 2, RegCount: 1
-        Operand: 3, Acc:  -W,  Type:   Register, Size:  4, RawSize:  4, Encoding: S, RegType:            Flags, RegSize:  4, RegId: 0, RegCount: 1
+        Operand: 0, Acc:  R-,  Type:     Memory, Size:  1, RawSize:  1, Encoding: S, 
+                Segment: 3, Base: 0, 
+        Operand: 1, Acc:  RW,  Type:   Register, Size:  4, RawSize:  4, Encoding: S, RegType:  General Purpose, RegSize:  4, RegId: 0, RegCount: 1
+        Operand: 2, Acc:  R-,  Type:   Register, Size:  8, RawSize:  8, Encoding: S, RegType:  General Purpose, RegSize:  8, RegId: 1, RegCount: 1
+        Operand: 3, Acc:  R-,  Type:   Register, Size:  8, RawSize:  8, Encoding: S, RegType:  General Purpose, RegSize:  8, RegId: 2, RegCount: 1
+        Operand: 4, Acc:  -W,  Type:   Register, Size:  4, RawSize:  4, Encoding: S, RegType:            Flags, RegSize:  4, RegId: 0, RegCount: 1
 
 0000000000000004 f20f01fe                        RMPUPDATE
         DSIZE: 32, ASIZE: 64, VLEN: -
@@ -34,7 +36,8 @@
                 HLE: no, XACQUIRE only: no, XRELEASE only: no
                 BND: no, BHINT: no, DNT: no
         Operand: 0, Acc:  RW,  Type:   Register, Size:  8, RawSize:  8, Encoding: S, RegType:  General Purpose, RegSize:  8, RegId: 0, RegCount: 1
-        Operand: 1, Acc:  R-,  Type:   Register, Size:  8, RawSize:  8, Encoding: S, RegType:  General Purpose, RegSize:  8, RegId: 1, RegCount: 1
+        Operand: 1, Acc:  R-,  Type:     Memory, Size: 16, RawSize: 16, Encoding: S, 
+                Segment: 3, Base: 1, 
         Operand: 2, Acc:  -W,  Type:   Register, Size:  4, RawSize:  4, Encoding: S, RegType:            Flags, RegSize:  4, RegId: 0, RegCount: 1
 
 0000000000000008 f30f01ff                        PSMASH

diff --git a/bddisasm_test/cet/dnt_32 b/bddisasm_test/cet/dnt_32
@@ -0,0 +1 @@
+���d�d��>�>��>.�>.��.>�.>��>d�>d��d>�d>��
diff --git a/bddisasm_test/cet/dnt_32.asm b/bddisasm_test/cet/dnt_32.asm
@@ -0,0 +1,28 @@
+    bits 32
+    
+    call    dword [eax]
+    call    eax
+    db 0x64
+    call    dword [eax]
+    db 0x64
+    call    eax
+    db 0x3E
+    call    dword [eax]
+    db 0x3E
+    call    eax
+    db 0x3E, 0x2E
+    call    dword [eax]
+    db 0x3E, 0x2E
+    call    eax
+    db 0x2E, 0x3E
+    call    dword [eax]
+    db 0x2E, 0x3E
+    call    eax
+    db 0x3E, 0x64
+    call    dword [eax]
+    db 0x3E, 0x64
+    call    eax
+    db 0x64, 0x3E
+    call    dword [eax]
+    db 0x64, 0x3E
+    call    eax
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		��d�d��>�>��>.�>.��.>�.>��>d�>d��d>�d>��