capstone-engine / capstone

Capstone disassembly/disassembler framework for ARM, ARM64 (ARMv8), Alpha, BPF, Ethereum VM, HPPA, LoongArch, M68K, M680X, Mips, MOS65XX, PPC, RISC-V(rv32G/rv64G), SH, Sparc, SystemZ, TMS320C64X, TriCore, Webassembly, XCore and X86.
http://www.capstone-engine.org

Missing operand values #2179

Open kilitary opened 11 months ago

kilitary commented 11 months ago

Hi, I am using Capstone from Python as a plugin to IDA to disassemble amd64/x86 code. Sometimes the disasm output does not have all operand values, like 'mov ecx, ' or 'mov dword ptr , eax'. See:

0x000000a3:     push    ebp
0x000000a4:     dec     eax
0x000000a5:     mov     ebp, esp
0x000000a7:     dec     eax
0x000000a8:     sub     esp, 0x40
0x000000ab:     dec     eax
0x000000ac:     mov     dword ptr , ecx <- missed addr
0x000000af:     mov     dword ptr , 0x40  <- missed addr
0x000000b7:     inc     ecx
0x000000b8:     mov     ecx, 0x1000
0x000000bd:     inc     ecx
0x000000be:     mov     eax, 0x400
0x000000c3:     mov     edx, 0
0x000000c8:     dec     eax
0x000000c9:     mov     ecx, dword ptr  <- missed addr
0x000000cc:     dec     eax
0x000000cd:     mov     eax, dword ptr [0x7d44] <- here addr presents
0x000000d3:     call    eax
0x000000d5:     dec     eax
0x000000d6:     mov     dword ptr , eax <- missed addr
0x000000d9:     dec     eax
0x000000da:     cmp     dword ptr , 0 <- missed addr
0x000000de:     jne     0xe7
0x000000e0:     mov     eax, 0
0x000000e5:     jmp     0x140
0x000000e7:     dec     eax
0x000000e8:     mov     eax, dword ptr  <- missed addr
0x000000eb:     dec     eax
0x000000ec:     mov     dword ptr , 0 <- missed addr
0x000000f4:     inc     ecx
0x000000f5:     mov     ecx, 0x400
0x000000fa:     dec     esp
0x000000fb:     lea     eax, [0xffffff02]
0x00000101:     dec     eax
0x00000102:     mov     edx, eax
0x00000104:     dec     eax
0x00000105:     mov     ecx, dword ptr  <- missed addr
0x00000108:     dec     eax
0x00000109:     mov     eax, dword ptr [0x7d28]
0x0000010f:     call    eax
0x00000111:     test    eax, eax
0x00000113:     jne     0x13c
0x00000115:     dec     eax
0x00000116:     mov     eax, dword ptr  <- missed addr
0x00000119:     inc     ecx
0x0000011a:     mov     ecx, 0x8000
0x0000011f:     inc     ecx
0x00000120:     mov     eax, 0
0x00000125:     dec     eax
0x00000126:     mov     edx, eax
0x00000128:     dec     eax
0x00000129:     mov     ecx, dword ptr  <- missed addr
0x0000012c:     dec     eax
0x0000012d:     mov     eax, dword ptr [0x7cec]
0x00000133:     call    eax
0x00000135:     mov     eax, 0
0x0000013a:     jmp     0x140
0x0000013c:     dec     eax
0x0000013d:     mov     eax, dword ptr  <- missed addr
0x00000140:     dec     eax
0x00000141:     add     esp, 0x40
0x00000144:     pop     ebp
0x00000145:     ret    

Python bindings for API version

CS_API_MAJOR = 3
CS_API_MINOR = 0

Python code which I am using:

import ida_bytes
from capstone import *

# start_addr and func come from the surrounding IDA plugin code
code = []
bytes_code = ida_bytes.get_bytes(start_addr, func.endEA - start_addr)
md = Cs(CS_ARCH_X86, CS_MODE_64)  # I've tried CS_MODE_32
md.detail = True
md.syntax = CS_OPT_SYNTAX_DEFAULT  # I've tried other syntaxes

# The second argument of disasm() is the address of the first instruction, not the length
for insn in md.disasm(bytes_code, start_addr):
    instruct = "0x%08x:\t%s\t%s" % (insn.address, insn.mnemonic, insn.op_str)
    code.append(instruct)
    print(instruct)
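A cross-check that runs without Capstone, added here as an example and not part of the report or of Capstone itself: a small decoder for just the `mov` forms in the listing (opcodes 89/8b/c7 with ModRM, SIB and displacement). In 32-bit mode it turns every REX.W byte (0x48) of 64-bit code into `dec eax`, exactly as the listing shows before each `mov`, while in 64-bit mode it spells out the base register and displacement that the op_str in the listing lacks. The sample bytes are constructed to match the listing's shape and are not the reporter's binary.

```python
import struct
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

def decode_modrm(code, pos, mode, regs):
    # Decode ModRM (+SIB, +disp) at code[pos]; returns (operand text, next pos).
    aregs = REGS64 if mode == 64 else REGS32    # address size follows the mode, not REX.W
    mod, rm, pos = code[pos] >> 6, code[pos] & 7, pos + 1
    if mod == 3:                                # register operand, no memory access
        return regs[rm], pos
    if rm == 4:                                 # SIB byte; only a plain base (e.g. rsp) is handled
        base, pos = aregs[code[pos] & 7], pos + 1
    elif mod == 0 and rm == 5:                  # disp32 only: absolute in 32-bit, rip-relative in 64-bit
        base = "rip" if mode == 64 else None
    else:
        base = aregs[rm]
    fmt, n = ("<b", 1) if mod == 1 else ("<i", 4) if mod == 2 or base in ("rip", None) else (None, 0)
    disp, pos = (struct.unpack_from(fmt, code, pos)[0] if fmt else 0), pos + n
    if base is None:
        return "[0x%x]" % (disp & 0xffffffff), pos
    return "[%s%s]" % (base, " %s 0x%x" % ("+-"[disp < 0], abs(disp)) if disp else ""), pos

def decode_insn(code, pos, mode):
    # Decode one instruction: mov 89/8b/c7, plus REX in 64-bit mode or inc/dec in 32-bit mode.
    regs, size, b = REGS32, "dword", code[pos]
    if mode == 64 and 0x40 <= b <= 0x4f:        # REX prefix; only REX.W (operand size) is honoured
        regs, size = (REGS64, "qword") if b & 8 else (REGS32, "dword")
        pos, b = pos + 1, code[pos + 1]
    elif 0x40 <= b <= 0x4f:                     # the same byte in 32-bit mode is inc/dec r32
        return ("inc " if b < 0x48 else "dec ") + REGS32[b & 7], pos + 1
    reg = (code[pos + 1] >> 3) & 7
    if b in (0x89, 0x8b):                       # mov r/m, r  and  mov r, r/m
        rm, pos = decode_modrm(code, pos + 1, mode, regs)
        rm = "%s ptr %s" % (size, rm) if rm.startswith("[") else rm
        dst, src = (rm, regs[reg]) if b == 0x89 else (regs[reg], rm)
        return "mov %s, %s" % (dst, src), pos
    if b == 0xc7 and reg == 0:                  # mov r/m, imm32
        rm, pos = decode_modrm(code, pos + 1, mode, regs)
        return "mov %s ptr %s, 0x%x" % (size, rm, struct.unpack_from("<I", code, pos)[0]), pos + 4
    raise ValueError("opcode 0x%02x not handled by this checker" % b)

def disassemble(code, mode):
    out, pos = [], 0
    while pos < len(code):
        text, pos = decode_insn(code, pos, mode)
        out.append(text)
    return out

# Constructed sample shaped like the listing (not the reporter's bytes): mov rbp,rsp; mov [rbp-0x38],rcx; mov dword [rsp+0x20],0x40; mov rax,[rip+0x7d44]
SAMPLE = bytes.fromhex("4889e5" "48894dc8" "c744242040000000" "488b05447d0000")
```

Comparing this text with the operand detail Capstone exposes when md.detail is on (insn.operands, each memory operand carrying base, index and disp) shows whether an address was lost in decoding or only in the printed op_str.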
Rot127 commented 11 months ago

Can you check if this also happens with the cstool?

CS_API_MAJOR = 3

Also please try it with Capstone v5

If this doesn't help, you can use https://github.com/capstone-engine/capstone/pull/2026 for AArch64 (if it is urgent). For x86 you are a little out of luck due to https://github.com/capstone-engine/capstone/issues/2089