http://blog.oxff.net/#65gwi5ly5nlsunp4blfa

2009-04-10 00:00

libdasm D9h FPU Instructions Fix

libdasm incorrectly disassembles FPU instructions that start with the D9 escape opcode and whose second byte lies above fnop (D9 D0). Affected instructions include fsin, fcos and frndint, among others. The reason is simple: four NULL rows are missing from the corresponding opcode table, so every opcode that follows them is looked up four entries too late. I've sent a very simple patch to the libdasm author; until it is included in a release, it's here as well:

--- libdasm-1.5/opcode_tables.h 2006-02-21 15:29:41.000000000 +0100
+++ libdasm-1.5-fpufix/opcode_tables.h 2009-04-10 13:32:20.000000000 +0200
@@ -1818,6 +1818,10 @@
  { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 
  { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 
  { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 
+ { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 
+ { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 
+ { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 
+ { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 
  { INSTRUCTION_TYPE_FPU,    "fchs",      FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 },
  { INSTRUCTION_TYPE_FPU,    "fabs",      FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 },
  { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 
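Review bot: the hunk does not let a reviewer verify that four is the right number of rows to add: only three of the preceding NULL rows appear as context, and nothing in the table marks which D9 encoding a row stands for, which is exactly how the original miscount went unnoticed. Suggest annotating the anchor rows, e.g. `/* D9 D0: fnop */` before the run of NULL rows and `/* D9 E0 */` on the `"fchs"` row, so that the fifteen undefined encodings D9 D1..DF between them can be counted, and adding a regression check that disassembles D9 FC, D9 FE and D9 FF to frndint, fsin and fcos. Minor: the four added rows copy the trailing whitespace after `},` from the surrounding NULL rows; the `"fchs"` and `"fabs"` rows show the clean form.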

I've stumbled across this while trying to use my (pefile- and pydasm-based) code normalizer on a malware packer using floats for looping.
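To make the off-by-four concrete, here is a small Python model of the D9 register-form opcode table together with a table-size check that would have caught the bug. This is an added example, not libdasm's or pydasm's code: the reference table is transcribed from the Intel FPU opcode map for this example, and `decode_d9`, `check_d9_table` and `drop_undefined_entries` are names chosen here, not libdasm APIs.

```python
# Added example (not libdasm/pydasm code): model the two-byte D9 xx FPU
# register forms as a 64-entry table indexed by (second_byte - 0xC0), the
# same shape as libdasm's per-escape-byte tables, and show what happens
# when four undefined rows between fnop (D9 D0) and fchs (D9 E0) go missing.

# Reference table for D9 C0..FF, built for this example from the Intel
# opcode map. None marks an undefined encoding.
D9_REG_FORMS = (
    ["fld"] * 8                                   # D9 C0..C7  fld st(i)
    + ["fxch"] * 8                                # D9 C8..CF  fxch st(i)
    + ["fnop"] + [None] * 15                      # D9 D0, then D1..DF undefined
    + ["fchs", "fabs", None, None, "ftst", "fxam", None, None,          # E0..E7
       "fld1", "fldl2t", "fldl2e", "fldpi", "fldlg2", "fldln2", "fldz", None,  # E8..EF
       "f2xm1", "fyl2x", "fptan", "fpatan", "fxtract", "fprem1", "fdecstp", "fincstp",  # F0..F7
       "fprem", "fyl2xp1", "fsqrt", "fsincos", "frndint", "fscale", "fsin", "fcos"]      # F8..FF
)

# A few encodings whose position in the table is easy to verify by hand.
ANCHORS = {0xD0: "fnop", 0xE0: "fchs", 0xFC: "frndint", 0xFE: "fsin", 0xFF: "fcos"}

PAST_END = "<past end of table>"   # models a C lookup reading beyond the array


def decode_d9(table, code):
    """Decode a two-byte D9 xx register-form instruction with `table`.

    Returns the mnemonic, None for an undefined encoding, or PAST_END when
    the index falls outside the table (in C this would read whatever lies
    after the array).  Memory forms (modrm < C0) are out of scope here.
    """
    if len(code) < 2 or code[0] != 0xD9:
        raise ValueError("not a D9 escape sequence")
    modrm = code[1]
    if modrm < 0xC0:
        raise ValueError("memory form (modrm < C0) not modelled")
    idx = modrm - 0xC0
    return table[idx] if idx < len(table) else PAST_END


def check_d9_table(table):
    """Return a list of problems: wrong row count, or anchors landing wrong."""
    problems = []
    if len(table) != 64:
        problems.append(f"table has {len(table)} rows, expected 64 (D9 C0..FF)")
    for byte, expected in ANCHORS.items():
        got = decode_d9(table, bytes([0xD9, byte]))
        if got != expected:
            problems.append(f"D9 {byte:02X} decodes to {got!r}, expected {expected!r}")
    return problems


def drop_undefined_entries(table, count):
    """Model of the bug: remove `count` undefined rows between fnop and fchs."""
    fnop, fchs = table.index("fnop"), table.index("fchs")
    undefined = table[fnop + 1:fchs]
    if any(e is not None for e in undefined):
        raise ValueError("rows between fnop and fchs should all be undefined")
    return table[:fnop + 1] + [None] * (len(undefined) - count) + table[fchs:]


if __name__ == "__main__":
    buggy = drop_undefined_entries(list(D9_REG_FORMS), 4)
    for label, table in (("correct", list(D9_REG_FORMS)), ("missing 4", buggy)):
        print(f"{label}: {len(table)} rows")
        for byte in (0xE0, 0xFB, 0xFC, 0xFE, 0xFF):
            print(f"  D9 {byte:02X} -> {decode_d9(table, bytes([0xD9, byte]))}")
        for problem in check_d9_table(table):
            print("  PROBLEM:", problem)
```

With the four rows removed, everything from D9 E0 up is shifted: fchs comes back as ftst, fsincos as fcos, and frndint, fsin and fcos index past the end of the table. A `len(table) == 64` invariant per escape byte, checked once at build or test time, is the cheap guard against this class of miscount.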