zyantific / zydis

Fast and lightweight x86/x86-64 disassembler and code generation library
https://zydis.re
MIT License

far call/jmp absolute address problem #417

Closed PirocaoBengala closed 1 year ago

PirocaoBengala commented 1 year ago

I'm looking for the right way to display the following block of instructions.

    uint8_t data[] = {
        //   => call 0x7FFD62EE0000
        0xFF, 0x15, 0x02, 0x00, 0x00, 0x00, 0xEB, 0x08, 0x00, 0x00, 0xEE, 0x62, 0xFD, 0x7F, 0x00, 0x00,
        //   => jmp 0x7FFD62EE0000
        0xFF, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xEE, 0x62, 0xFD, 0x7F, 0x00, 0x00,
        //   => nop
        0x90,
        //   => nop
        0x90
    };

The output should be:

03590000 | FF15 02000000 EB08 0000EE62FD7F0000 -> call 0x7FFD62EE0000
03590010 | FF25 00000000 0000EE62FD7F0000 -> jmp 0x7FFD62EE0000
0359001E | 90 -> nop
0359001F | 90 -> nop

but using zydis, it shows me as follows:

0000000003590000   call qword ptr ds:[0x0000000003590008]
0000000003590006   jmp 0x0000000003590010
0000000003590008   add byte ptr ds:[rax], al
000000000359000A   out dx, al

I'm using one of the examples that already comes with it, Formatter01, with ZYDIS_MACHINE_MODE_LONG_64 and ZYDIS_STACK_WIDTH_64. I don't know if I should use some kind of setting to tweak this. If anyone knows and can help, I'd appreciate it.

mappzor commented 1 year ago

Check this comment: https://github.com/zyantific/zydis/issues/360#issuecomment-1179401222

x86/x64 doesn't have call/jmp to an absolute address. It's an idiom composed of several instructions and data.
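To make the idiom concrete, here is an added example (not from the issue or the Zydis project): a small Python pass over the bytes posted above that recognizes `FF 15`/`FF 25 disp32` (a RIP-relative indirect call/jmp), resolves the displacement to the 8-byte pointer stored inline, and folds the instruction, the short `EB 08` hop over the slot and the pointer itself into one `call 0x...`/`jmp 0x...` line. It is a deliberately minimal decoder for just the opcodes in the sample; in real code the instruction decoding would come from Zydis and only the folding logic would be yours. The base address and byte buffer are the ones from the issue.

```python
import struct

# Constructed sample from the issue: call/jmp through an inline pointer, then two nops.
CODE = bytes([
    0xFF, 0x15, 0x02, 0x00, 0x00, 0x00, 0xEB, 0x08, 0x00, 0x00, 0xEE, 0x62, 0xFD, 0x7F, 0x00, 0x00,
    0xFF, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xEE, 0x62, 0xFD, 0x7F, 0x00, 0x00,
    0x90, 0x90,
])
BASE = 0x03590000

def decode_idioms(data, base):
    """Linear sweep that folds 'FF 15/25 disp32' + inline 8-byte pointer into one line.

    Returns (address, bytes, text) tuples. Only the opcodes in the sample are handled;
    anything else is emitted as 'db' so the reader sees where a plain sweep would start
    decoding pointer data as instructions (the 'add'/'out' lines in the issue).
    """
    out, i = [], 0
    while i < len(data):
        ip = base + i
        if data[i] == 0xFF and i + 6 <= len(data) and data[i + 1] in (0x15, 0x25):
            mnem = "call" if data[i + 1] == 0x15 else "jmp"
            disp = struct.unpack_from("<i", data, i + 2)[0]
            slot = i + 6 + disp          # RIP-relative: rip already points at the next insn
            end = i + 6
            # call variant: a short jmp hops over the pointer slot so the return lands past it
            if mnem == "call" and data[end:end + 2] == b"\xEB\x08" and slot == end + 2:
                end += 2
            if slot == end and slot + 8 <= len(data):
                target = struct.unpack_from("<Q", data, slot)[0]
                end = slot + 8           # swallow the pointer bytes; they are data, not code
                out.append((ip, data[i:end], f"{mnem} 0x{target:X}"))
            else:
                out.append((ip, data[i:end], f"{mnem} qword ptr [0x{base + slot:X}]"))
            i = end
        elif data[i] == 0x90:
            out.append((ip, data[i:i + 1], "nop"))
            i += 1
        else:
            out.append((ip, data[i:i + 1], f"db 0x{data[i]:02X}"))
            i += 1
    return out

def format_listing(items):
    """Render in the 'ADDR | BYTES -> TEXT' shape the issue asks for."""
    return [f"{addr:08X} | {bs.hex(' ').upper()} -> {text}" for addr, bs, text in items]

if __name__ == "__main__":
    print("\n".join(format_listing(decode_idioms(CODE, BASE))))
```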

PirocaoBengala commented 1 year ago

OK, I figured there was a discussion about this, I just didn't know where to look. Thanks.