capstone-engine / capstone

Capstone disassembly/disassembler framework for ARM, ARM64 (ARMv8), Alpha, BPF, Ethereum VM, HPPA, LoongArch, M68K, M680X, Mips, MOS65XX, PPC, RISC-V(rv32G/rv64G), SH, Sparc, SystemZ, TMS320C64X, TriCore, Webassembly, XCore and X86.
http://www.capstone-engine.org

Wrong disp_size with 0x66 prefix in x86 64bit #1640

Open L4ys opened 4 years ago

L4ys commented 4 years ago

When there's a 0x66 prefix on a rip-relative addressing instruction, the disp_size will be an incorrect value.

Some examples:

from capstone import *

md = Cs(CS_ARCH_X86, CS_MODE_64)
md.detail = True

code = bytes.fromhex("66 89 3D 96 5A 0E 00")
ins = next(md.disasm(code, 0x140002523))

print(ins)
print('disp', hex(ins.disp))
print('disp_size', ins.disp_size)

code = bytes.fromhex("66 0F 6F 05 26 1C 0B 00")
ins = next(md.disasm(code, 0x140009C92))

print(ins)
print('disp', hex(ins.disp))
print('disp_size', ins.disp_size)

Output:

<CsInsn 0x140002523 [66893d965a0e00]: mov word ptr [rip + 0xe5a96], di>
disp 0xe5a96
disp_size 2
<CsInsn 0x140009c92 [660f6f05261c0b00]: movdqa xmm0, xmmword ptr [rip + 0xb1c26]>
disp 0xb1c26
disp_size 2

disp_size should be 4 instead of 2 here.

gitttt commented 2 years ago

I ran into the same bug with this instruction:

<CsInsn 0xd3de [66c705714309000000]: mov word ptr [rip + 0x94371], 0> has:

c_i.disp:         0x94371
c_i.disp_offset:  0x3
c_i.disp_size:    0x2

Any plans to fix this? Or pointers on how to fix it?
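A self-contained sanity check for the inconsistency reported in both comments above, added here as an example and not part of Capstone or of either comment: it re-derives the displacement offset and width from the x86-64 encoding rules (ModRM mod=00, rm=101 is always rip+disp32 in 64-bit mode; 0x66 overrides operand size, never address size) and then tests whether a reported (disp_offset, disp_size, disp) triple agrees with the raw instruction bytes. The function names and the extra sample encodings beyond the three from the thread are my own.

```python
# Added example, not Capstone code: derive displacement size from the encoding
# and check the (disp_offset, disp_size, disp) triple a disassembler reports.
LEGACY_PREFIXES = {0x66, 0x67, 0xF2, 0xF3, 0x2E, 0x36, 0x3E, 0x26, 0x64, 0x65, 0xF0}


def x86_64_disp_info(code: bytes):
    """Return (disp_offset, disp_size) for a 64-bit instruction with a ModRM byte.

    Handles legacy prefixes, an optional REX byte, and one-byte or 0F-escaped
    opcodes. 0x66 only changes operand size, so it never shrinks the
    displacement; 0x67 (address-size override) would, and is rejected here.
    """
    i = 0
    while code[i] in LEGACY_PREFIXES:
        if code[i] == 0x67:
            raise ValueError("0x67 address-size prefix not handled")
        i += 1
    if 0x40 <= code[i] <= 0x4F:          # REX prefix
        i += 1
    i += 2 if code[i] == 0x0F else 1      # two-byte escape or single-byte opcode
    modrm = code[i]
    mod, rm = modrm >> 6, modrm & 7
    i += 1
    if mod == 3:
        return (0, 0)                     # register operand, no displacement
    if rm == 4:                           # SIB byte follows ModRM
        sib = code[i]
        i += 1
        if mod == 0 and (sib & 7) == 5:
            return (i, 4)                 # [index*scale + disp32], no base
    elif mod == 0 and rm == 5:
        return (i, 4)                     # [rip + disp32] in 64-bit mode
    return {0: (0, 0), 1: (i, 1), 2: (i, 4)}[mod]


def disp_matches(code: bytes, disp_offset: int, disp_size: int, disp: int) -> bool:
    """True if decoding disp_size bytes at disp_offset (little-endian, signed) gives disp."""
    raw = code[disp_offset:disp_offset + disp_size]
    return len(raw) == disp_size and int.from_bytes(raw, "little", signed=True) == disp


# Encodings quoted in the thread (constructed list for the check below).
SAMPLES = {
    "mov word ptr [rip + 0xe5a96], di": bytes.fromhex("66893d965a0e00"),
    "movdqa xmm0, xmmword ptr [rip + 0xb1c26]": bytes.fromhex("660f6f05261c0b00"),
    "mov word ptr [rip + 0x94371], 0": bytes.fromhex("66c705714309000000"),
}

if __name__ == "__main__":
    for text, code in SAMPLES.items():
        print(f"{text}: expected (disp_offset, disp_size) = {x86_64_disp_info(code)}")
```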