
How to set the decode base address

Status: Open. eaglesharkmayonnaise opened this issue 4 years ago • 7 comments

The instruction returns different values at different base addresses, such as "jmp 0x77DAE9EC":

  • base: 0x77DAEA00, decode results: EB EA

  • base: 0x000C1000, decode results: E9 E7 D9 CE 77

eaglesharkmayonnaise (Mar 17 '20 06:03)

Is there such a simple API?

bool xed_init(__IN__ size_t baseAddress);
bool xed_ecode(__IN__ const char* insString, __OUT__ byte* insData, __OUT__ size_t* insLength);

so we can do this:

xed_init(0x77DAEA00);
byte insData[256];
size_t insLength;

char singlelineAsmString[0x100] = {"jmp 0x77DAE9EC"};
// decode single line assembly
xed_ecode(singlelineAsmString, insData, &insLength);

// decode multiline assembly
char multilineAsmString[0x100] = {
    "jmp 0x77DAE9EC\n"
    "pop\n"
    "call 0x12345678\n"};
xed_ecode(multilineAsmString, insData, &insLength);

eaglesharkmayonnaise (Mar 17 '20 06:03)

xed_format_context() and xed_format_generic() allow users to pass a runtime address to use in generating the disassembly. See xed-decoded-inst-api.h. The latter function takes a structure defined in xed-print-info.h.

markcharney (Mar 17 '20 23:03)

For creating instructions, there are many options. See the xed-asmparse.c and .h files in the examples. There is also a new encoder called enc2. I have some fixes that I hope to push out for that this week.

markcharney (Mar 17 '20 23:03)

Hello, I checked the sample code today, but no example of decoding multi-line assembly was found.

[image attachment]

eaglesharkmayonnaise (Apr 18 '20 12:04)

Yes, xed-asmparse.c is a simple example. It would take a small amount of restructuring to allow it to handle multiple requests, separated by a semicolon or a newline character. Right now process_args() returns one request to encode. The code could be modified to return a list of requests to encode. Or, better, it could return the full command line assembly string and some data (collected from the command line switches) that a new function could use to create a list of requests... I have another customer who is interested in this so I guess I can put it on the list. Lots of extra time to program these days...

markcharney (Apr 18 '20 17:04)

I just tweaked it in my workspace to use a semicolon as a separator. I will look for a moment to push out my commits.

% obj/wkit/bin/xed-asmparse-main -64 -q "add rax, rbx;mov rcx, rbx;"
Assembling [add rax, rbx]
48 01 d8
Assembling [mov rcx, rbx]
48 89 d9

markcharney (Apr 18 '20 19:04)

I guess the next step would be allowing labels and trying to get the branch displacements right.

markcharney (Apr 18 '20 20:04)
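The arithmetic behind this whole thread, as an added example that is not XED's code and not from any of the commenters: a jmp rel8/rel32 displacement is measured from the end of the instruction, so the bytes for "jmp 0x77DAE9EC" depend on where the instruction will live (EB EA at 0x77DAEA00, E9 E7 D9 CE 77 at 0x000C1000), and turning the bytes back into a target needs that same runtime address, which is what xed_format_context() takes. The block also sketches the follow-ups discussed above: several lines separated by ';' or a newline, labels, and displacements that stay consistent once short and long forms are mixed. It models only 32-bit jmp; the asm_item struct, resolve_rel_jmp, encode_jmp and assemble are my own names, and the sample programs in the comments are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not XED code: 32-bit jmp rel8/rel32 encoded against a base
 * address, decoded back with a runtime address, and a small relaxing
 * assembler for lines separated by ';' or '\n' that may use labels. */

typedef struct {
    int is_label, has_abs;      /* "name:" definition / numeric jmp operand */
    char name[32];              /* label defined here or referenced by a jmp */
    uint32_t abs_target, addr;  /* numeric operand; address assigned in layout */
    size_t size;                /* 0 for labels, 2 (rel8) or 5 (rel32) for jmp */
} asm_item;

/* Decode side: the bytes plus the address they execute at give the target;
 * this is the arithmetic behind xed_format_context()'s runtime-address
 * argument. Returns the instruction length, 0 if not a jmp rel8/rel32. */
size_t resolve_rel_jmp(const uint8_t *c, size_t len, uint32_t addr, uint32_t *target)
{
    if (len >= 2 && c[0] == 0xEB) {                          /* EB rel8 */
        *target = addr + 2 + (uint32_t)(int32_t)(int8_t)c[1];
        return 2;
    }
    if (len < 5 || c[0] != 0xE9) return 0;
    *target = addr + 5 + ((uint32_t)c[1] | (uint32_t)c[2] << 8 |   /* E9 rel32 */
                          (uint32_t)c[3] << 16 | (uint32_t)c[4] << 24);
    return 5;
}

/* Encode side: the displacement is measured from the END of the instruction,
 * so "jmp 0x77DAE9EC" is EB EA at base 0x77DAEA00 but E9 E7 D9 CE 77 at
 * base 0x000C1000. allow_rel8 = 0 forces the 5-byte form. */
size_t encode_jmp(uint32_t at, uint32_t target, uint8_t *out, int allow_rel8)
{
    int64_t d8 = (int64_t)target - (int64_t)(at + 2);
    if (allow_rel8 && d8 >= -128 && d8 <= 127) {
        out[0] = 0xEB; out[1] = (uint8_t)(int8_t)d8;
        return 2;
    }
    uint32_t d32 = target - (at + 5);                        /* two's-complement wrap */
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(d32 >> (8 * i));
    return 5;
}

/* Split on ';' or newline; accept "name:" and "jmp <label|0xHEX>". */
static int parse_items(const char *src, asm_item *it, int max)
{
    size_t sz = strlen(src) + 1;
    char *buf = malloc(sz);                                  /* strtok writes to it */
    unsigned long v;
    int n = 0, used;
    if (!buf) return -1;
    memcpy(buf, src, sz);
    for (char *tok = strtok(buf, ";\n"); tok && n < max; tok = strtok(NULL, ";\n")) {
        if (tok[strspn(tok, " \t\r")] == '\0') continue;     /* blank line */
        memset(&it[n], 0, sizeof it[n]);
        used = 0;
        if (sscanf(tok, " %31[^: \t]:%n", it[n].name, &used) == 1 && used)
            it[n].is_label = 1;
        else if (sscanf(tok, " jmp 0x%lx%n", &v, &used) == 1 && used) {
            it[n].has_abs = 1; it[n].abs_target = (uint32_t)v;
        } else if (sscanf(tok, " jmp %31s", it[n].name) != 1) {
            free(buf); return -1;                            /* only jmp is modelled */
        }
        n++;
    }
    free(buf);
    return n;
}

static int item_target(const asm_item *it, int n, int i, uint32_t *t)
{
    if (it[i].has_abs) { *t = it[i].abs_target; return 1; }
    for (int j = 0; j < n; j++)
        if (it[j].is_label && !strcmp(it[j].name, it[i].name)) { *t = it[j].addr; return 1; }
    return 0;                                                /* undefined label */
}

/* Assemble `src` as if loaded at `base`; returns bytes written, 0 on error.
 * Every jmp starts as rel8 and only ever grows to rel32, so the layout
 * cannot oscillate between the two forms. */
size_t assemble(const char *src, uint32_t base, uint8_t *out, size_t cap)
{
    asm_item it[64];
    uint8_t tmp[5]; uint32_t t; size_t len = 0;
    int n = parse_items(src, it, 64);
    if (n <= 0) return 0;
    for (int i = 0; i < n; i++) it[i].size = it[i].is_label ? 0 : 2;
    for (int changed = 1; changed;) {
        uint32_t pc = base;
        for (int i = 0; i < n; i++) { it[i].addr = pc; pc += it[i].size; }
        changed = 0;
        for (int i = 0; i < n; i++) {
            if (it[i].is_label || it[i].size == 5) continue;
            if (!item_target(it, n, i, &t)) return 0;
            if (encode_jmp(it[i].addr, t, tmp, 1) == 5) { it[i].size = 5; changed = 1; }
        }
    }
    for (int i = 0; i < n; i++) {
        if (it[i].is_label) continue;
        if (len + it[i].size > cap || !item_target(it, n, i, &t)) return 0;
        len += encode_jmp(it[i].addr, t, out + len, it[i].size == 2);
    }
    return len;
}
```

Calling assemble("jmp 0x77DAE9EC", 0x77DAEA00, out, sizeof out) yields EB EA, the same source at base 0x000C1000 yields E9 E7 D9 CE 77, and resolve_rel_jmp on either byte sequence with the matching address gives 0x77DAE9EC back; feed it the wrong address and the target is silently wrong, which is exactly why the runtime address has to be supplied at format time. The relaxation loop only ever widens a jmp: starting every branch short and shrinking where possible can oscillate when a later branch moves relative to a fixed absolute target, so the assembler grows monotonically and then emits each instruction in the form it was laid out with.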