Missing operand values #2179

Open
kilitary opened this issue Oct 22, 2023 · 1 comment
Comments

@kilitary

Hi, I am using Capstone from Python as a plugin to IDA to disassemble amd64/x86 code.
Sometimes the disasm output does not have all operand values, e.g. 'mov ecx, ' or 'mov dword ptr , eax'.
See:

0x000000a3:     push    ebp
0x000000a4:     dec     eax
0x000000a5:     mov     ebp, esp
0x000000a7:     dec     eax
0x000000a8:     sub     esp, 0x40
0x000000ab:     dec     eax
0x000000ac:     mov     dword ptr , ecx <- missed addr
0x000000af:     mov     dword ptr , 0x40  <- missed addr
0x000000b7:     inc     ecx
0x000000b8:     mov     ecx, 0x1000
0x000000bd:     inc     ecx
0x000000be:     mov     eax, 0x400
0x000000c3:     mov     edx, 0
0x000000c8:     dec     eax
0x000000c9:     mov     ecx, dword ptr  <- missed addr
0x000000cc:     dec     eax
0x000000cd:     mov     eax, dword ptr [0x7d44] <- here addr presents
0x000000d3:     call    eax
0x000000d5:     dec     eax
0x000000d6:     mov     dword ptr , eax <- missed addr
0x000000d9:     dec     eax
0x000000da:     cmp     dword ptr , 0 <- missed addr
0x000000de:     jne     0xe7
0x000000e0:     mov     eax, 0
0x000000e5:     jmp     0x140
0x000000e7:     dec     eax
0x000000e8:     mov     eax, dword ptr  <- missed addr
0x000000eb:     dec     eax
0x000000ec:     mov     dword ptr , 0 <- missed addr
0x000000f4:     inc     ecx
0x000000f5:     mov     ecx, 0x400
0x000000fa:     dec     esp
0x000000fb:     lea     eax, [0xffffff02]
0x00000101:     dec     eax
0x00000102:     mov     edx, eax
0x00000104:     dec     eax
0x00000105:     mov     ecx, dword ptr  <- missed addr
0x00000108:     dec     eax
0x00000109:     mov     eax, dword ptr [0x7d28]
0x0000010f:     call    eax
0x00000111:     test    eax, eax
0x00000113:     jne     0x13c
0x00000115:     dec     eax
0x00000116:     mov     eax, dword ptr  <- missed addr
0x00000119:     inc     ecx
0x0000011a:     mov     ecx, 0x8000
0x0000011f:     inc     ecx
0x00000120:     mov     eax, 0
0x00000125:     dec     eax
0x00000126:     mov     edx, eax
0x00000128:     dec     eax
0x00000129:     mov     ecx, dword ptr  <- missed addr
0x0000012c:     dec     eax
0x0000012d:     mov     eax, dword ptr [0x7cec]
0x00000133:     call    eax
0x00000135:     mov     eax, 0
0x0000013a:     jmp     0x140
0x0000013c:     dec     eax
0x0000013d:     mov     eax, dword ptr  <- missed addr
0x00000140:     dec     eax
0x00000141:     add     esp, 0x40
0x00000144:     pop     ebp
0x00000145:     ret    

Python bindings for API version

CS_API_MAJOR = 3
CS_API_MINOR = 0

Python code which I am using:

from capstone import Cs, CS_ARCH_X86, CS_MODE_64, CS_OPT_SYNTAX_DEFAULT
import ida_bytes

code = []
bytes_code = ida_bytes.get_bytes(start_addr, func.endEA - start_addr)
md = Cs(CS_ARCH_X86, CS_MODE_64)  # i've tried CS_MODE_32
md.detail = True
md.syntax = CS_OPT_SYNTAX_DEFAULT  # i've tried other syntaxes

# the second argument of disasm() is the address of the first byte, not the length
for insn in md.disasm(bytes_code, start_addr):
    instruct = "0x%08x:\t%s\t%s" % (insn.address, insn.mnemonic, insn.op_str)
    code.append(instruct)
    print(instruct)
@Rot127
Collaborator

Rot127 commented Oct 22, 2023

Can you check if this also happens with the cstool?

CS_API_MAJOR = 3

Also please try it with Capstone v5.

If this doesn't help, you can use #2026 for AArch64 (if it is urgent).
For x86 you are a little out of luck due to #2089.
