From 0f8916b28aee2e5802bb91dacafc66f3b57de801 Mon Sep 17 00:00:00 2001
From: Ratin Gao
Date: Tue, 26 May 2026 02:34:54 +0800
Subject: [PATCH] Fix XBEGIN C7 F8 decoding

Only the exact C7 F8 encoding is XBEGIN. The previous C7 /7 check also treated other ModR/M forms as XBEGIN and copied them as rel16/32 targets instead of invalid or legacy C7 forms.
---
 src/disasm.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/disasm.cpp b/src/disasm.cpp
index 894f46a0..4c2b45fa 100644
--- a/src/disasm.cpp
+++ b/src/disasm.cpp
@@ -755,9 +755,9 @@ PBYTE CDetourDis::CopyC7(REFCOPYENTRY pEntry, PBYTE pbDst, PBYTE pbSrc)
 {
     (void)pEntry;
 
-    // C7 /7 is XBEGIN rel32 (or rel16 with 66 prefix).
+    // C7 F8 is XBEGIN rel32 (or rel16 with 66 prefix).
     // It has a relative displacement that must be relocated like CALL/JMP.
-    if (0x38 == (0x38 & pbSrc[1])) { // reg(bits 543) of ModR/M == 111
+    if (pbSrc[1] == 0xF8) {
         static const COPYENTRY ce = /* c7 /7 */ { 6, 4, 0, 2, 0, &CDetourDis::CopyBytes };
         return (this->*ce.pfCopy)(&ce, pbDst, pbSrc);
     }
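Review bot: The `/* c7 /7 */` annotation on the `static const COPYENTRY ce` line just below the changed condition still describes the old reg-field test; with the guard narrowed to the single ModR/M byte 0xF8 it should read `/* c7 f8 */` so the table entry and the check say the same thing. The trailing comment that explained the old mask was dropped rather than replaced, and the bare byte compare is easier to audit with its decoding spelled out, e.g. `if (pbSrc[1] == 0xF8) { // ModR/M F8: mod=11 reg=111 rm=000, the only XBEGIN encoding`. The fate of the other C7 ModR/M forms the old check accepted is outside this hunk, since CopyC7 continues past its last line; the commit message says they now fall to the legacy/invalid C7 handling, but that cannot be confirmed from the lines shown, and a mis-sized copy there would relocate the wrong bytes in the detoured prologue.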