capstone-engine / capstone

Capstone disassembly/disassembler framework for ARM, ARM64 (ARMv8), Alpha, BPF, Ethereum VM, HPPA, LoongArch, M68K, M680X, Mips, MOS65XX, PPC, RISC-V(rv32G/rv64G), SH, Sparc, SystemZ, TMS320C64X, TriCore, Webassembly, XCore and X86.
http://www.capstone-engine.org

Cannot find operand size in bytes #1970

Open mjhouse opened 1 year ago

mjhouse commented 1 year ago

I'm working on a project that requires me to identify the offset and size of particular operands in the original binary. I need to know the size, in bytes, of the operand in the original binary. Currently, this is only for x86, and I thought that the size attribute on cs_x86_op would be what I needed:

// Instruction operand
typedef struct cs_x86_op {
        ...

        // size of this operand (in bytes).
        uint8_t size;

        ...
} cs_x86_op;

Unfortunately, the size attribute seems to only return 8 or 4 with no regard for the actual size of the operand, as found by using objdump and then counting bytes by hand.

output:

[2023-03-08 15:04:47.879] [warning]     mem: 8
[2023-03-08 15:04:47.879] [warning] 1282 mov: 8
[2023-03-08 15:04:47.879] [warning]     reg: 8
[2023-03-08 15:04:47.879] [warning]     reg: 8
[2023-03-08 15:04:47.879] [warning] 1285 call: 8
[2023-03-08 15:04:47.879] [warning]     imm: 8        /// <--- says this operand is 8 bytes wide
[2023-03-08 15:04:47.879] [warning] 128a nop: 8

objdump:

    1282:   48 89 c7                mov    %rax,%rdi
    1285:   e8 16 fe ff ff          callq  10a0   /// <--- operand is less than 8 bytes wide
    128a:   90                      nop

Is there any way at all to reliably get the size of the operands in bytes? If not, can this feature be added easily? I'm willing to add it myself if necessary, but I'm not familiar with the capstone codebase. If @kabeor, @aquynh or someone could take a moment to tell me if this is possible, or give me a suggestion for how it could be implemented, that would be great.
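The behaviour in the log above comes from two different notions of "size" for an operand: the width of the operand's value (the target of a 64-bit `call` is an 8-byte address, which is what `cs_x86_op.size` reports) and the number of instruction bytes that encode it (the `e8` form carries a 4-byte rel32, which is what the question is after). The following is an added example, not code from this issue or from Capstone: a minimal x86-64 decoder that handles only a handful of opcodes and reports both sizes for a constructed buffer holding the three instructions from the objdump listing. The field names (`imm_offset`, `imm_size`, `disp_offset`, `disp_size`, `modrm_offset`) mirror the `cs_x86.encoding` struct that Capstone 4 and later fill in for exactly this purpose; everything else (the `Encoding` class, `decode`, `decode_all`, `PAGE_BYTES`) is this example's own.

```python
"""Constructed example (not Capstone code): encoded size vs. value width of an operand.

Decodes only the x86-64 opcodes in OPCODES and reports two sizes for an immediate:
  value_width  width of the operand's value, which is what cs_x86_op.size reports
               (a 64-bit call target or register is 8 bytes), and
  imm_size     the number of instruction bytes that encode it, which is what the
               question asks for. Field names mirror Capstone's cs_x86.encoding.
"""
from dataclasses import dataclass
from typing import List, Optional

GROUP1 = ("add", "or", "adc", "sbb", "and", "sub", "xor", "cmp")

# opcode -> (mnemonic, has ModR/M byte, immediate kind) in Intel SDM notation:
# ib = 1 byte, iz = 4 bytes (both sign-extended to the operand size),
# iv = as wide as the operand (4, or 8 with REX.W), rel32 = 4-byte branch displacement
OPCODES = {
    0x83: ("group1", True, "ib"),   # add/or/adc/sbb/and/sub/xor/cmp r/m, imm8
    0x89: ("mov", True, None),      # mov r/m, r
    0x8B: ("mov", True, None),      # mov r, r/m
    0x90: ("nop", False, None),
    0xB8: ("mov", False, "iv"),     # b8+r: mov r32/r64, imm
    0xC7: ("mov", True, "iz"),      # c7 /0: mov r/m, imm32
    0xE8: ("call", False, "rel32"),
}

# Constructed input: the three instructions from the objdump listing, loaded at 0x1282.
PAGE_BYTES = bytes.fromhex("4889c7" "e816feffff" "90")
PAGE_ADDRESS = 0x1282


@dataclass
class Encoding:
    mnemonic: str
    length: int                      # total instruction length in bytes
    modrm_offset: int = 0            # offsets count from the instruction start; 0 = absent
    disp_offset: int = 0
    disp_size: int = 0
    imm_offset: int = 0
    imm_size: int = 0                # immediate bytes present in the instruction stream
    value_width: int = 0             # width of the immediate's value; 0 = no immediate
    imm_value: Optional[int] = None  # decoded immediate, or absolute target for rel32


def decode(code: bytes, address: int) -> Encoding:
    """Decode one 64-bit-mode instruction at `address`; ValueError if unsupported/truncated."""
    pos, rex_w = 0, False
    if code and 0x40 <= code[0] <= 0x4F:          # REX prefix; bit 3 is REX.W
        rex_w, pos = bool(code[0] & 0x08), 1
    if pos >= len(code):
        raise ValueError("truncated instruction")
    opcode = 0xB8 if 0xB8 <= code[pos] <= 0xBF else code[pos]   # b8+r: low bits pick the register
    if opcode not in OPCODES:
        raise ValueError(f"unsupported opcode 0x{opcode:02x} at 0x{address:x}")
    mnemonic, has_modrm, imm_kind = OPCODES[opcode]
    opsize = 8 if rex_w else 4                    # the 0x66 (16-bit) prefix is not handled
    pos += 1
    enc = Encoding(mnemonic=mnemonic, length=0)

    if has_modrm:
        if pos >= len(code):
            raise ValueError("truncated ModR/M")
        modrm, enc.modrm_offset = code[pos], pos
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mnemonic == "group1":
            enc.mnemonic = GROUP1[reg]
        pos += 1
        sib_base = None
        if mod != 3 and rm == 4:                  # a SIB byte follows the ModR/M
            sib_base, pos = code[pos] & 7, pos + 1
        if mod == 1:
            enc.disp_size = 1
        elif mod == 2 or (mod == 0 and (rm == 5 or sib_base == 5)):
            enc.disp_size = 4                     # mod=0, rm=5 is RIP-relative in 64-bit mode
        if enc.disp_size:
            enc.disp_offset, pos = pos, pos + enc.disp_size

    if imm_kind is not None:
        enc.imm_size = {"ib": 1, "iz": 4, "rel32": 4, "iv": opsize}[imm_kind]
        raw = code[pos:pos + enc.imm_size]
        if len(raw) != enc.imm_size:
            raise ValueError("truncated immediate")
        enc.imm_offset, pos = pos, pos + enc.imm_size
        if imm_kind == "rel32":
            # Only 4 bytes are encoded, but the operand a disassembler reports is the
            # absolute 64-bit target, so the value width is 8 for a 4-byte field.
            enc.value_width = 8
            enc.imm_value = address + pos + int.from_bytes(raw, "little", signed=True)
        else:
            enc.value_width = opsize
            enc.imm_value = int.from_bytes(raw, "little", signed=(imm_kind != "iv"))

    enc.length = pos
    return enc


def decode_all(code: bytes, address: int) -> List[Encoding]:
    """Decode consecutive instructions until the buffer is exhausted."""
    out: List[Encoding] = []
    while code:
        enc = decode(code, address)
        out.append(enc)
        code, address = code[enc.length:], address + enc.length
    return out
```

Running `decode_all(PAGE_BYTES, PAGE_ADDRESS)` reproduces the listing: the `mov` is 3 bytes with its ModR/M at offset 2 and no immediate, the `call` is 5 bytes whose 4-byte rel32 at offset 1 resolves to 0x10a0 while its value width is 8 (the "8" the log prints), and the `nop` is 1 byte. The same split shows up for `48 c7 c0 ff ff ff ff` (`mov rax, -1`): a 4-byte encoded immediate sign-extended into an 8-byte operand.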

Rot127 commented 1 year ago

If you need this for x86 you are a little out of luck (meaning: you have to invest quite some work into it).

But if it is for one of those archs:

AMDGPU, ARC, ARM, AVR, BPF, CSKY, DirectX, Lanai, LoongArch, Mips, NVPTX, PPC, RISCV, Sparc, SPIRV, SystemZ, VE, XCore

we could add it eventually with the new auto-sync feature (see: https://github.com/capstone-engine/capstone/pull/1949). But this would take quite some time, because the priority currently is to get the update feature done (and not extend Capstone).

But I will add entry documentation about the design of the updater and Capstone itself in the next weeks. So you could add the feature yourself.