
Cannot find operand size in bytes #1970

Open
mjhouse opened this issue Mar 9, 2023 · 1 comment
Labels
X86 Arch

Comments

mjhouse commented Mar 9, 2023

I'm working on a project that requires me to identify the offset and size of particular operands in the original binary. I need to know the size, in bytes, of the operand in the original binary. Currently, this is only for x86, and I thought that the size attribute on cs_x86_op would be what I needed:

// Instruction operand
typedef struct cs_x86_op {
    ...

    // size of this operand (in bytes).
    uint8_t size;

    ...
} cs_x86_op;

Unfortunately, the size attribute seems to only return 8 or 4 with no regard for the actual size of the operand, as found by using objdump and then counting bytes by hand.

output:

[2023-03-08 15:04:47.879] [warning]     mem: 8
[2023-03-08 15:04:47.879] [warning] 1282 mov: 8
[2023-03-08 15:04:47.879] [warning]     reg: 8
[2023-03-08 15:04:47.879] [warning]     reg: 8
[2023-03-08 15:04:47.879] [warning] 1285 call: 8
[2023-03-08 15:04:47.879] [warning]     imm: 8        /// <--- says this operand is 8 bytes wide
[2023-03-08 15:04:47.879] [warning] 128a nop: 8

objdump:

    1282:	48 89 c7             	mov    %rax,%rdi
    1285:	e8 16 fe ff ff       	callq  10a0   /// <--- operand is less than 8 bytes wide
    128a:	90                   	nop

Is there any way at all to reliably get the size of the operands in bytes? If not, can this feature be added easily? I'm willing to add it myself if necessary, but I'm not familiar with the capstone codebase. If @kabeor, @aquynh or someone could take a moment to tell me if this is possible, or give me a suggestion for how it could be implemented, that would be great.

Rot127 (Collaborator) commented Apr 3, 2023

If you need this for x86 you are a little out of luck (meaning: you have to invest quite some work into it).

But if it is for one of those archs:

AMDGPU, ARC, ARM, AVR, BPF, CSKY, DirectX, Lanai, LoongArch, Mips, NVPTX, PPC, RISCV, Sparc, SPIRV, SystemZ, VE, XCore

we could add it eventually with the new auto-sync feature (see: #1949).
But this would take quite some time, because the priority currently is to get the update feature done (and not extend Capstone).

But I will add entry documentation about the design of the updater and Capstone itself in the next weeks. So you could add the feature yourself.
