From 0a60c318843fa88a94adb50acf457f17a05aff25 Mon Sep 17 00:00:00 2001
From: Zeex
Date: Sun, 1 Nov 2020 12:34:25 +0600
Subject: Fix RIP-relative address decoding

Some instructions were detected as using RIP-relative addressing, but in fact they did not. Example:

48 89 E5 mov rbp,rsp
---
 subhook_x86.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/subhook_x86.c b/subhook_x86.c
index b4d3a38..a6eb8bb 100644
--- a/subhook_x86.c
+++ b/subhook_x86.c
@@ -274,11 +274,11 @@ SUBHOOK_EXPORT int SUBHOOK_API subhook_disasm(void *src, int *reloc_op_offset) {
     if (opcodes[i].flags & MODRM) {
       uint8_t modrm = code[len++]; /* +1 for Mod/RM byte */
       uint8_t mod = modrm >> 6;
-      uint8_t rm = modrm & 7;
+      uint8_t rm = modrm & 0x07;
 
       if (mod != 3 && rm == 4) {
         uint8_t sib = code[len++]; /* +1 for SIB byte */
-        uint8_t base = sib & 7;
+        uint8_t base = sib & 0x07;
 
         if (base == 5) {
           /* The SIB is followed by a disp32 with no base if the MOD is 00B.
@@ -293,8 +293,9 @@ SUBHOOK_EXPORT int SUBHOOK_API subhook_disasm(void *src, int *reloc_op_offset) {
     }
 
 #ifdef SUBHOOK_X86_64
-    if (reloc_op_offset != NULL && rm == 5) {
-      *reloc_op_offset = (int32_t)len; /* RIP-relative addressing */
+    if (reloc_op_offset != NULL && mod == 0 && rm == 5) {
+      /* RIP-relative addressing: target is at [RIP + disp32]. */
+      *reloc_op_offset = (int32_t)len;
     }
 #endif
 
--
cgit v1.1
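Review bot: The new guard `mod == 0 && rm == 5` is the correct ModRM test for RIP-relative addressing, but the added comment does not say why `mod` matters, so the next reader faces the same ambiguity the commit message describes: rm == 5 also encodes rbp/r13 as a register operand (mod == 3, the `48 89 E5` example) and [rbp/r13 + disp8/disp32] (mod == 1 or 2), none of which may be relocated. I would extend the added comment to `/* RIP-relative addressing (ModRM mod=00b, rm=101b): target is at [RIP + disp32]. mod=01b/10b with rm=101b is [rBP/r13 + disp] and mod=11b is a register, so those must not be relocated. */`. Since the SIB branch above already consumes rm == 4 and the disp32 following this ModRM is counted outside the hunk, `len` here is presumably the byte offset of that disp32; a unit test pairing a constructed positive case such as `48 8B 05 00 00 00 00` (mov rax,[rip+0], expected offset 3) with the `48 89 E5` negative case would pin this. The enclosing `if (opcodes[i].flags & MODRM)` block begins in the previous hunk and subhook_disasm continues past this one.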