Sark Instruction incorrect parsing of phrase registers. about sark HOT 5 CLOSED

Awesome project! I have a similar project that does pretty much the same things. IDA's API is pretty painful, right?

Anyways, I had spent some time understanding how o_phrase works and so would like to share it so you don't have to dick around with it also.

So, there's 2 operand types that we care about. o_phrase, and o_displ. (gas syntax encodes them as (offset,basereg,indexreg,scale) as does intel). IDA stores these into a 2,3,3 bitfield at Operand[x].specval2. Then .specval1 appears to be used to select the phrase type. The register numbers can then be grabbed out of idaapi.ph.regnames by index. Maybe it's actually the modr/m, but I only looked for a few instructions to compare against. ;)

offset(base,index,scale) == [base+index*scale+offset]

To calculate the scale:

    res = op.specflag2 & 0xc0
    if res == 0x00:     # 00
        scale = 1
    elif res == 0x40:   # 01
        scale = 2
    elif res == 0x80:   # 10
        scale = 4
    elif res == 0xc0:   # 11
        scale = 8

For o_displ:

    if op.specflag1 == 0:
        index = None
        base = op.reg
        offset = op.addr
    elif op.specflag1 == 1:
        index = (op.specflag2&0x07) >> 0
        base = None
        offset = op.addr
    else:
        raise TypeError, "o_displ : Not implemented yet : %x"% os.specflag1

For o_phrase:

    if op.specflag1 == 0:
        index = None
        base  = op.reg
    elif op.specflag1 == 1:
        index = (op.specflag2&0x38) >> 3
        base =  (op.specflag2&0x07) >> 0
    else:
        raise TypeError, "o_phrase : Not implemented yet: %x"% os.specflag1
    offset = op.value

So then, convert index and base to a register, and use scale and offset as their immediate values.

from sark.

Thanks a lot! This looks great!
I'll incorporate this into Sark as soon as I can!

from sark.

Finally got to start on this... I had to change your code a bit. Can you see if my version works for you as well?

MemPhrase = namedtuple('MemPhrase', 'base index scale offset')

def parse_op_phrase(op):
    specflag1 = op.op_t.specflag1
    specflag2 = op.op_t.specflag2
    scale = 1 << ((specflag2 & 0xC0) >> 6)
    index = None
    base_ = None
    offset = 0

    if op.type.is_displ:
        if specflag1 == 0:
            index = None
            base_ = op.op_t.reg
            offset = op.op_t.addr
        elif specflag1 == 1:

            # This part os different from the provided sample. <------------------HERE
            index = (specflag2 & 0x38) >> 3
            base_ = (specflag2 & 0x07) >> 0
            offset = op.op_t.addr
        else:
            raise TypeError, "o_displ : Not implemented yet : %x" % specflag1

    elif op.type.is_phrase:
        if specflag1 == 0:
            index = None
            base_ = op.op_t.reg
        elif specflag1 == 1:
            index = (specflag2 & 0x38) >> 3
            base_ = (specflag2 & 0x07) >> 0
        else:
            raise TypeError, "o_phrase : Not implemented yet: %x" % specflag1

        offset = op.op_t.addr

    return MemPhrase(base=base_, index=index, scale=scale, offset=offset)

from sark.

So... This code works for x86. Any pointers for x64?

from sark.

Added support for x64 - 735ba5e

Sadly, it seems that [esp+X] is handled a bit weird in IDA. Will probably need to add a specific exception.

from sark.