capstone
Add mode for automatic rip relative address translation
Hello,
Taking an example from docs into IPython:
In [130]: %cpaste
Pasting code; enter '--' alone on the line to stop or use Ctrl-D.
:from capstone import *
:md = Cs(CS_ARCH_X86, CS_MODE_64)
:CODE = b"\x55\x48\x8b\x05\xb8\x13\x00\x00"
:for i in md.disasm(CODE, 0x1000):
:    print("0x%x:\t%s\t%s" %(i.address, i.mnemonic, i.op_str))
:
:--
0x1000: push rbp
0x1001: mov rax, qword ptr [rip + 0x13b8]
It would be nice to be able to specify a flag which would make [rip + 0x13b8] be displayed as the calculated address, as it would be in IDA Pro - [cs:qword_23c0] - or similar. The address is calculated as 0x1001 + 0x13b8 + instruction_size (7) = 0x23c0.
Somehow related: https://github.com/aquynh/capstone/issues/443
Or... is there any easy workaround for such translation?
@aquynh bump
I don't get it: instead of [rip + 0x13b8], what do you want as output?
Probably [cs:0x23c0] or even [0x23c0].
When I think more of it, the things described in #443 would be as good as this. I mean, it would be nice to be able to recognize that the instruction uses RIP relative addressing and then retrieve the offset/displacement (or however it is called).
You can already get this info from detail mode, no? If you don't know yet, run "cstool" with the -d option, and see the output of the operand.
Oh, that is nice :heart:.
Anyway, what do you think about an "additional display mode" launched by a given flag?
@disconnect3d if you're already in python, this is what I did for another disassembler, but the theory is the same -- you'd just have to change the code a little to allow for that hideous spacing around the +/-
import re

def ripadd(group, rip):
    # group is the matched "rip+0x13b8" / "rip-0x20" text; rip is the address of the next instruction
    splut = re.split(r'([+-])', group, maxsplit=1)
    if len(splut) == 3:
        # int() accepts the sign together with the 0x prefix, so "+0x13b8" / "-0x20" both work
        return "rel 0x{:x}".format(rip + int(splut[1] + splut[2], 16))
    return "rel " + "".join(group)

regex = r"\b(rip[+-]0x[0-9a-f]+)"
# e is the current instruction object of the other disassembler; e.address + e.size is the next instruction's address
operand = re.sub(regex, lambda m: ripadd(m.group(), e.address + e.size), operand, count=0, flags=re.IGNORECASE)
Just be aware that you would have to split the operands and run that on each.
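As an added example (not code from this thread or from capstone itself), here is the translation the issue asks for done both ways: a regex rewrite that copes with capstone's spaced `[rip + 0x13b8]` syntax, and a detail-mode variant along the lines aquynh suggests, which reads base register and displacement from the operand instead of parsing text. It assumes capstone's Python binding (`Cs`, `CS_ARCH_X86`, `CS_MODE_64`, `X86_OP_MEM`, `X86_REG_RIP`, `insn.operands`) for the two capstone-dependent helpers; the function names and the 64-bit wrap mask are my own.

```python
import re

# capstone's x86 syntax prints RIP-relative operands as "[rip + 0x13b8]" or
# "[rip - 0x20]"; the pattern also accepts the spaceless "rip+0x13b8" form.
RIP_REL = re.compile(r"\[rip\s*([+-])\s*0x([0-9a-f]+)\]", re.IGNORECASE)
MASK64 = 0xFFFFFFFFFFFFFFFF

def rip_target(address, size, sign, disp):
    """Effective address of a RIP-relative operand: RIP holds the address of
    the next instruction, so the displacement applies to address + size."""
    target = address + size + (disp if sign == "+" else -disp)
    return target & MASK64  # wrap around like the 64-bit CPU does

def translate_rip_relative(address, size, op_str):
    """Rewrite every RIP-relative memory operand in op_str as [0x<target>]."""
    def repl(match):
        disp = int(match.group(2), 16)
        return "[0x{:x}]".format(rip_target(address, size, match.group(1), disp))
    return RIP_REL.sub(repl, op_str)

def disasm_translated(code, base):
    """Disassemble with capstone and return (address, mnemonic, translated op_str)
    tuples. Needs the capstone binding (Cs, CS_ARCH_X86, CS_MODE_64 as in the issue)."""
    from capstone import Cs, CS_ARCH_X86, CS_MODE_64
    md = Cs(CS_ARCH_X86, CS_MODE_64)
    return [(i.address, i.mnemonic, translate_rip_relative(i.address, i.size, i.op_str))
            for i in md.disasm(code, base)]

def rip_targets_from_detail(code, base):
    """Same computation via detail mode (the route aquynh points at): no text
    parsing, the memory operand reports base == rip and the raw displacement.
    Returns {instruction address: target address} for RIP-relative instructions."""
    from capstone import Cs, CS_ARCH_X86, CS_MODE_64
    from capstone.x86 import X86_OP_MEM, X86_REG_RIP
    md = Cs(CS_ARCH_X86, CS_MODE_64)
    md.detail = True  # populate insn.operands
    targets = {}
    for insn in md.disasm(code, base):
        for op in insn.operands:
            if op.type == X86_OP_MEM and op.mem.base == X86_REG_RIP:
                targets[insn.address] = (insn.address + insn.size + op.mem.disp) & MASK64
    return targets

if __name__ == "__main__":
    # Bytes from the issue's own example: push rbp; mov rax, qword ptr [rip + 0x13b8]
    CODE = b"\x55\x48\x8b\x05\xb8\x13\x00\x00"
    for address, mnemonic, op_str in disasm_translated(CODE, 0x1000):
        print("0x%x:\t%s\t%s" % (address, mnemonic, op_str))
    print(rip_targets_from_detail(CODE, 0x1000))
```

For the issue's `mov` at 0x1001 (7 bytes) the regex path yields `rax, qword ptr [0x23c0]`, matching the hand calculation in the first post.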