- Binary Ninja Version: 5.3.9434 (f7cf98e7)
- Edition: Commercial
- OS: Windows
- OS Version: 10.0.26200 Build 26200
- CPU Architecture: x64
Bug Description:
When an `lea rcx, [rcx+rcx*n]` instruction is encountered, the possible value set calculation treats the two reads of rcx as if they were independent operands, combining every possible value of rcx with every possible value of rcx*n. The result is 4 possible values computed from an initial set of 2.
Steps To Reproduce:
Have assembly code that does the following:

```asm
call function          ; returns value in eax
test rax, rax          ; sets ZF based on rax
setnz cl               ; cl possible value set becomes {0,1}
movzx edx, cl          ; edx possible value set becomes {0,1}
shl edx, 0x3           ; edx possible value set becomes {0,8}
mov ecx, edx           ; ecx possible value set becomes {0, 8}
lea ecx, [rcx + rcx*8] ; ecx possible value set becomes {0, 8, 0x40, 0x48}
```
Expected Behavior:
The final possible value set cannot contain 0x8 or 0x40: the input is either 0 or 8, so the output is either 0 or 0x48.
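To make the difference between the two evaluation strategies concrete, here is an added Python model of a possible-value-set domain (example code, not Binary Ninja's own implementation or API): `lea_independent` reproduces the reported over-approximation by treating each operand read as an unrelated choice, while `lea_joint` enumerates one concrete value per distinct register, which yields the expected result. It also shows that the cross product is the right answer when base and index are different registers.

```python
from itertools import product

# Constructed model: each register name maps to the set of concrete values
# it may hold (the "possible value set"). Register names are hypothetical keys.

def shl(values, n, bits=32):
    """Logical shift-left of every value in the set, truncated to `bits`."""
    mask = (1 << bits) - 1
    return {(v << n) & mask for v in values}

def lea_independent(regs, base, index, scale, bits=32):
    """Buggy evaluation: every read of an operand is an independent choice,
    so a register used twice is combined with itself (over-approximation)."""
    mask = (1 << bits) - 1
    return {(b + i * scale) & mask for b in regs[base] for i in regs[index]}

def lea_joint(regs, base, index, scale, bits=32):
    """Correct evaluation: pick one concrete value per *distinct* register and
    evaluate base + index*scale under that single assignment."""
    mask = (1 << bits) - 1
    names = sorted({base, index})          # deduplicate repeated registers
    result = set()
    for combo in product(*(regs[n] for n in names)):
        env = dict(zip(names, combo))
        result.add((env[base] + env[index] * scale) & mask)
    return result

def reproduce():
    """Walk the instruction sequence from the report and return
    (buggy set, correct set) for the final lea."""
    regs = {}
    regs["cl"] = {0, 1}                  # setnz cl
    regs["edx"] = set(regs["cl"])        # movzx edx, cl
    regs["edx"] = shl(regs["edx"], 3)    # shl edx, 0x3  -> {0, 8}
    regs["ecx"] = set(regs["edx"])       # mov ecx, edx  -> {0, 8}
    buggy = lea_independent(regs, "ecx", "ecx", 8)   # {0, 8, 0x40, 0x48}
    correct = lea_joint(regs, "ecx", "ecx", 8)       # {0, 0x48}
    return buggy, correct

def distinct_registers():
    """Sanity check: with different base and index registers the cross
    product is exact, so both strategies agree."""
    regs = {"ecx": {0, 8}, "edx": {0, 8}}
    return (lea_independent(regs, "ecx", "edx", 8),
            lea_joint(regs, "ecx", "edx", 8))
```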