From: d wk <dw...@gm...> - 2016-11-29 02:43:47

Hi,

I am trying to determine the operand size in x86 jump instructions. For instance, given

    0x1000: 0x74 0x20 => je 0x1022

then I would like to know that this is a short jump with a 1-byte operand. But capstone says that this operand is 8 bytes on x86_64 and 4 bytes on x86 (the output of test_x86 on this instruction is attached below).

Any suggestions on getting the actual operand size present in the original encoding?

What I'm actually trying to do is re-emit the same instruction with the same encoding size, but a potentially adjusted operand value. So I need to figure out which bytes correspond to the instruction opcodes and output those while replacing the bytes that correspond with the original jump displacement.

Thanks,
David

****************
Platform: X86 32 (Intel syntax)
Code: 0x74 0x20
Disasm:
0x1000: je 0x1022
Prefix:0x00 0x00 0x00 0x00
Opcode:0x74 0x00 0x00 0x00
rex: 0x0
addr_size: 4
modrm: 0x0
disp: 0x0
sib: 0x0
imm_count: 1
imms[1]: 0x1022
op_count: 1
operands[0].type: IMM = 0x1022
operands[0].size: 4
0x1002:

****************
Platform: X86 64 (Intel syntax)
Code: 0x74 0x20
Disasm:
0x1000: je 0x1022
Prefix:0x00 0x00 0x00 0x00
Opcode:0x74 0x00 0x00 0x00
rex: 0x0
addr_size: 8
modrm: 0x0
disp: 0x0
sib: 0x0
imm_count: 1
imms[1]: 0x1022
op_count: 1
operands[0].type: IMM = 0x1022
operands[0].size: 8
0x1002:
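The width of the encoded displacement is fixed by the opcode, not by the size field Capstone prints above (which in this output tracks the address width, 4 and 8). The following is an added example, not code from the post or from Capstone: it recovers the opcode bytes and the rel8/rel32 displacement width for the relative-branch forms listed in `REL_BRANCHES` (a table assumed for this example, covering Jcc/JMP rel8, CALL/JMP rel32 and 0F 8x Jcc rel32, plus the 2E/3E branch-hint prefixes), checks its result against the `je 0x1022` target in the post, and re-emits the instruction at the same encoding size with a new target, refusing targets that do not fit the original width.

```python
from dataclasses import dataclass

# Added example (not Capstone code): recover the encoded displacement width of
# an x86 relative branch from its opcode bytes, then re-emit the instruction
# with a new target at the same encoding size. Only the relative-branch forms
# listed in REL_BRANCHES are handled; anything else decodes to None.

ADDR_MASK = (1 << 64) - 1

# opcode bytes -> displacement width in bytes (table assumed for this example)
REL_BRANCHES = {bytes([op]): 1 for op in range(0x70, 0x80)}        # Jcc rel8
REL_BRANCHES[b"\xeb"] = 1                                           # JMP rel8
REL_BRANCHES[b"\xe8"] = 4                                           # CALL rel32
REL_BRANCHES[b"\xe9"] = 4                                           # JMP rel32
REL_BRANCHES.update({bytes([0x0F, op]): 4 for op in range(0x80, 0x90)})  # Jcc rel32

BRANCH_HINT_PREFIXES = {0x2E, 0x3E}   # CS/DS overrides reused as branch hints on Jcc


@dataclass(frozen=True)
class RelBranch:
    address: int      # where the instruction sits in memory
    prefix: bytes     # branch-hint prefix bytes, usually empty
    opcode: bytes     # opcode bytes, copied verbatim on re-emit
    disp: int         # signed displacement exactly as encoded

    @property
    def disp_size(self) -> int:
        """Width of the encoded displacement: the operand size the post asks for."""
        return REL_BRANCHES[self.opcode]

    @property
    def size(self) -> int:
        return len(self.prefix) + len(self.opcode) + self.disp_size

    @property
    def target(self) -> int:
        # rel displacements are relative to the end of the instruction
        return (self.address + self.size + self.disp) & ADDR_MASK

    def reencode(self, new_target: int) -> bytes:
        """Re-emit with the same prefix, opcode and width, aimed at new_target."""
        delta = new_target - (self.address + self.size)
        bits = 8 * self.disp_size
        if not -(1 << (bits - 1)) <= delta < (1 << (bits - 1)):
            raise ValueError(f"target {new_target:#x} does not fit a rel{bits} displacement")
        return self.prefix + self.opcode + delta.to_bytes(self.disp_size, "little", signed=True)


def decode_rel_branch(code: bytes, address: int):
    """Decode the relative branch at the start of code, or return None."""
    i = 0
    while i < len(code) and code[i] in BRANCH_HINT_PREFIXES:
        i += 1
    prefix = bytes(code[:i])
    for opcode, disp_size in REL_BRANCHES.items():
        if code[i:i + len(opcode)] == opcode:
            start = i + len(opcode)
            end = start + disp_size
            if len(code) < end:
                return None          # truncated encoding
            disp = int.from_bytes(code[start:end], "little", signed=True)
            return RelBranch(address, prefix, opcode, disp)
    return None


if __name__ == "__main__":
    # The instruction from the post: 0x1000: 74 20 => je 0x1022
    br = decode_rel_branch(b"\x74\x20", 0x1000)
    print(f"je {br.target:#x}: opcode {br.opcode.hex()}, rel{8 * br.disp_size}")
    print("retargeted to 0x1010:", br.reencode(0x1010).hex())
```

For the post's bytes this reports a 1-byte displacement and target 0x1022, and retargeting to 0x1010 yields `74 0e` while a target such as 0x1100 is rejected rather than silently truncated. Capstone 4.0 and later also expose this directly: `cs_x86` gained an `encoding` member (`cs_x86_encoding`) whose `imm_offset`/`imm_size` and `disp_offset`/`disp_size` give the byte offset and width of the immediate and displacement inside the original encoding, which is exactly what is needed to splice a new displacement into the opcode bytes.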