capstone-engine / capstone

Capstone disassembly/disassembler framework for ARM, ARM64 (ARMv8), Alpha, BPF, Ethereum VM, HPPA, LoongArch, M68K, M680X, Mips, MOS65XX, PPC, RISC-V(rv32G/rv64G), SH, Sparc, SystemZ, TMS320C64X, TriCore, Webassembly, XCore and X86.
http://www.capstone-engine.org

Systemz immediate missing upper 32bits? #1515

Closed kamiyaa closed 5 years ago

kamiyaa commented 5 years ago

The upper 32bits of the immediate appears to be dropped at some point in the calculation.

Produced on next branch 0574f899e5be711895378ea0848f38808f4a5431

#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <capstone/capstone.h>

int main(void)
{
    csh handle;
    cs_insn *csInst = NULL;
    if (cs_open(CS_ARCH_SYSZ, 0, &handle) != CS_ERR_OK) {
        fprintf(stderr, "Error initializing Capstone\n");
        return 1;
    }
    if (cs_option(handle, CS_OPT_DETAIL, CS_OPT_ON) != CS_ERR_OK) {
        fprintf(stderr, "Error setting options\n");
        return 1;
    }
    csInst = cs_malloc(handle);
    if (csInst == NULL) {
        fprintf(stderr, "Error allocating memory!\n");
        return 2;
    }

    uint8_t buffer[40] = { 0 };
    // buffer = ec180b6f007c
    buffer[0] = 0xec;    buffer[1] = 0x18;    buffer[2] = 0x0b;
    buffer[3] = 0x6f;    buffer[4] = 0x00;    buffer[5] = 0x7c;

    // cgije
    uint64_t baseAddr = 0x5024ab4566;
    const uint8_t *pBuffer = buffer;
    size_t size = 6;    // length of the encoded instruction
    size_t i;

    bool ret;
    do {
        // cs_disasm_iter advances pBuffer/size/baseAddr on each decoded instruction
        ret = cs_disasm_iter(handle, &pBuffer, &size, &baseAddr, csInst);
        if (ret) {
            for (i = 0; i < csInst->detail->sysz.op_count; i++) {
                if (csInst->detail->sysz.operands[i].type == SYSZ_OP_IMM) {
                    fprintf(stderr, "immediate: %" PRIx64 ", %" PRIu64 "\n",
                        (uint64_t)csInst->detail->sysz.operands[i].imm,
                        (uint64_t)csInst->detail->sysz.operands[i].imm);
                }
            }
        }
    } while (ret);

    cs_free(csInst, 1);
    cs_close(&handle);
    return 0;
}

Output:

immediate: 24ab5c44, 615210052

Expected:

immediate: 5024ab5c44, 344212593732

kamiyaa commented 5 years ago

This also seems to be happening on x86:

// jmp
uint64_t baseAddr = 0x7fa35d869657;

uint8_t buffer[40] = // e9d4feffff;
// Expected:
0x7fa35d869530
// Actual:
0x    5d869530 # 1569101104

aquynh commented 5 years ago

Can you reproduce this with "cstool -d"?

kamiyaa commented 5 years ago

like this?

./cstool -d x32 e9d4feffff 7fa35d869657
7fa35d869657  e9 d4 fe ff ff                                   jmp  0x5d869530
    ID: 172 (jmp)
    Prefix:0x00 0x00 0x00 0x00 
    Opcode:0xe9 0x00 0x00 0x00 
    rex: 0x0
    addr_size: 4
    modrm: 0x0
    disp: 0x0
    sib: 0x0
    imm_count: 1
        imms[1]: 0x5d869530
    op_count: 1
        operands[0].type: IMM = 0x5d869530
        operands[0].size: 4
    Groups: branch_relative jump 
./cstool -d x64 e9d4feffff 7fa35d869657
7fa35d869657  e9 d4 fe ff ff                                   jmp  0x7fa35d869530
    ID: 172 (jmp)
    Prefix:0x00 0x00 0x00 0x00 
    Opcode:0xe9 0x00 0x00 0x00 
    rex: 0x0
    addr_size: 8
    modrm: 0x0
    disp: 0x0
    sib: 0x0
    imm_count: 1
        imms[1]: 0x7fa35d869530
    op_count: 1
        operands[0].type: IMM = 0x7fa35d869530
        operands[0].size: 8
    Groups: branch_relative jump 

kamiyaa commented 5 years ago

Sorry, it seems x86 was working properly after all. I will need to do more testing on zOS and ppc.

kamiyaa commented 5 years ago

It is reproducible for systemz

./cstool -d systemz ec180b6f007c 5024ab4566
5024ab4566  ec 18 0b 6f 00 7c  cgije    %r1, 0, 0x24ab5c44
    ID: 89 (cgije)
    op_count: 3
        operands[0].type: REG = 1
        operands[1].type: IMM = 0x0
        operands[2].type: IMM = 0x24ab5c44
    Groups: jump 

aquynh commented 5 years ago

Please provide expected output

kamiyaa commented 5 years ago

Expected:

./cstool -d systemz ec180b6f007c 5024ab4566
5024ab4566  ec 18 0b 6f 00 7c  cgije    %r1, 0, 0x5024ab5c44
    ID: 89 (cgije)
    op_count: 3
        operands[0].type: REG = 1
        operands[1].type: IMM = 0x0
        operands[2].type: IMM = 0x5024ab5c44
    Groups: jump 

Actual:

./cstool -d systemz ec180b6f007c 5024ab4566
5024ab4566  ec 18 0b 6f 00 7c  cgije    %r1, 0, 0x24ab5c44
    ID: 89 (cgije)
    op_count: 3
        operands[0].type: REG = 1
        operands[1].type: IMM = 0x0
        operands[2].type: IMM = 0x24ab5c44
    Groups: jump 

Expected:

./cstool -d systemz ec9800058064 5024ab45a6
5024ab45a6  ec 98 00 05 80 64  cgrje    %r9, %r8, 0x5024ab45b0
    ID: 90 (cgrje)
    op_count: 3
        operands[0].type: REG = 9
        operands[1].type: REG = 8
        operands[2].type: IMM = 0x5024ab45b0
    Groups: jump 

Actual:

./cstool -d systemz ec9800058064 5024ab45a6
5024ab45a6  ec 98 00 05 80 64  cgrje    %r9, %r8, 0x24ab45b0
    ID: 90 (cgrje)
    op_count: 3
        operands[0].type: REG = 9
        operands[1].type: REG = 8
        operands[2].type: IMM = 0x24ab45b0
    Groups: jump 

Expected:

./cstool -d systemz ec980261007d 5024ab5c38
5024ab5c38  ec 98 02 61 00 7d  clgije   %r9, 0, 0x5024ab60fa
    ID: 92 (clgije)
    op_count: 3
        operands[0].type: REG = 9
        operands[1].type: IMM = 0x0
        operands[2].type: IMM = 0x5024ab60fa
    Groups: jump 

Actual:

./cstool -d systemz ec980261007d 5024ab5c38
5024ab5c38  ec 98 02 61 00 7d  clgije   %r9, 0, 0x24ab60fa
    ID: 92 (clgije)
    op_count: 3
        operands[0].type: REG = 9
        operands[1].type: IMM = 0x0
        operands[2].type: IMM = 0x24ab60fa
    Groups: jump 

There may be others like this that I haven't come across, but I think it's mostly the cg, cgr, clg and jhe instructions
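As an added example (not from the issue or from Capstone's sources), the branch-target computation for the RIE-format compare-and-branch instructions quoted above, done in 64-bit arithmetic next to a hypothetical 32-bit-intermediate version that reproduces the reported truncated values; the function names and the assumed cause of the truncation are mine, and the three encodings are taken from the cstool runs in this thread.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Branch target of a SystemZ RIE-format compare-and-branch instruction
 * (cgije, cgrje, clgije, ...): bytes 2..3 carry RI4, a signed 16-bit
 * halfword count relative to the instruction's own address, so the
 * target is addr + 2*RI4, which must be computed in 64-bit arithmetic. */
uint64_t sysz_rie_branch_target(const uint8_t insn[6], uint64_t addr)
{
    int16_t ri4 = (int16_t)(((uint16_t)insn[2] << 8) | insn[3]);
    return addr + (uint64_t)((int64_t)ri4 * 2);
}

/* Hypothetical reproduction of the truncation seen in the report (an
 * assumed cause for illustration, not Capstone's code): a 32-bit
 * intermediate silently drops bits 32..63 of the address. */
uint64_t sysz_rie_branch_target_truncated(const uint8_t insn[6], uint64_t addr)
{
    int16_t ri4 = (int16_t)(((uint16_t)insn[2] << 8) | insn[3]);
    uint32_t target = (uint32_t)addr + (uint32_t)((int32_t)ri4 * 2);
    return target;
}

/* Check a decoder's reported immediate against the full 64-bit target;
 * returns 1 on match, 0 when the upper half was lost. */
int sysz_branch_imm_is_full(const uint8_t insn[6], uint64_t addr,
                            uint64_t reported)
{
    return reported == sysz_rie_branch_target(insn, addr);
}

/* The three encodings quoted in this issue (constructed from the report). */
const uint8_t CGIJE[6]  = {0xec, 0x18, 0x0b, 0x6f, 0x00, 0x7c};
const uint8_t CGRJE[6]  = {0xec, 0x98, 0x00, 0x05, 0x80, 0x64};
const uint8_t CLGIJE[6] = {0xec, 0x98, 0x02, 0x61, 0x00, 0x7d};

int main(void)
{
    printf("cgije  -> 0x%" PRIx64 " (truncated 0x%" PRIx64 ")\n",
           sysz_rie_branch_target(CGIJE, 0x5024ab4566ULL),
           sysz_rie_branch_target_truncated(CGIJE, 0x5024ab4566ULL));
    printf("cgrje  -> 0x%" PRIx64 "\n", sysz_rie_branch_target(CGRJE, 0x5024ab45a6ULL));
    printf("clgije -> 0x%" PRIx64 "\n", sysz_rie_branch_target(CLGIJE, 0x5024ab5c38ULL));
    return 0;
}
```

Feeding a disassembler's reported immediate through sysz_branch_imm_is_full is a cheap regression check for exactly this class of bug when the code is loaded above 4 GiB.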

aquynh commented 5 years ago

fixed now, please confirm.

kamiyaa commented 5 years ago

Thanks!