tmr232/Sark

Potential incorrect parsing of x64 phrases

Closed this issue · 3 comments

Sark seems to behave weirdly on the base of the memory operand in the following x64 operation.

41 0F BE 14 10          movsx   edx, byte ptr [r8+rdx]

To my understanding, the source operand is a phrase and its base (r8) could be recovered through the operand.base property. When doing so, however, I receive the unexpected rax register instead. This behavior is best demonstrated through the following output:

ea = REDACTED
repr(line): [REDACTED]    movsx   edx, byte ptr [r8+rdx]
repr(line.insn): <Instruction at REDACTED>
repr(line.bytes): b'A\x0f\xbe\x14\x10'
repr(line.insn.operands): [<Operand(n=0, text='edx')>, <Operand(n=1, text='byte ptr [r8+rdx]')>]
repr(line.insn.operands[1]): <Operand(n=1, text='byte ptr [r8+rdx]')>
repr(line.insn.operands[1].base): 'rax'
repr(line.insn.operands[1]._phrase): [rax+rdx*1]

If I am not mistaken, the representation of the operand itself is done through IDA (hence the correct result), while the representation of _phrase is based on the parsed value and hence exhibits the potentially incorrect parsing.

The above was generated through the following snippet.

import sark

# Line under the cursor (the movsx shown above); run inside IDA via IDAPython.
line = sark.Line()
print(f"ea = {hex(line.ea)}")
print(f"repr(line): {repr(line)}")
print(f"repr(line.insn): {repr(line.insn)}")
print(f"repr(line.bytes): {repr(line.bytes)}")
print(f"repr(line.insn.operands): {repr(line.insn.operands)}")
# Operand 1 is the memory source operand, byte ptr [r8+rdx].
print(f"repr(line.insn.operands[1]): {repr(line.insn.operands[1])}")
# Expected 'rax'... no: expected 'r8', but 'rax' is returned.
print(f"repr(line.insn.operands[1].base): {repr(line.insn.operands[1].base)}")
# Private phrase object built from the parsed operand; also shows rax.
print(f"repr(line.insn.operands[1]._phrase): {repr(line.insn.operands[1]._phrase)}")
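To see why the encoding above has r8 rather than rax as its base, and how a phrase decoder can end up with rax, here is a stand-alone x86-64 ModRM/SIB/REX decoder for memory operands. This is an added example written for this page; it is not Sark's code, not IDA's, and not the patch referenced in the thread. It handles an optional REX prefix, a one-byte or 0F-escaped opcode, ModRM, SIB, RIP-relative addressing and displacements, which is an assumed subset sufficient for the instruction in the report (legacy prefixes, VEX and immediates are not handled). The `apply_rex=False` switch simply drops the REX.B/REX.X bits; it reproduces the `[rax+rdx*1]` text shown in the issue, and it is offered as an illustration of the symptom, not as a claim about the actual cause in Sark.

```python
"""Minimal x86-64 memory-operand decoder (constructed example, not Sark code)."""

# Register numbers 0-15; the high bit comes from REX.B (base/rm) or REX.X (index).
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def _disp(code: bytes, pos: int, size: int) -> int:
    return int.from_bytes(code[pos:pos + size], "little", signed=True)


def decode_mem_operand(code: bytes, apply_rex: bool = True) -> dict:
    """Decode the ModRM memory operand of one instruction.

    Assumes: optional REX, then a one-byte opcode or 0F-escaped two-byte
    opcode, then ModRM [SIB] [disp]. With apply_rex=False the REX.B/REX.X
    extension bits are ignored, which is exactly what turns r8 into rax.
    """
    pos = 0
    rex = 0
    if 0x40 <= code[pos] <= 0x4F:        # REX prefix: 0100 W R X B
        rex = code[pos]
        pos += 1
    rex_r = (rex >> 2) & 1 if apply_rex else 0
    rex_x = (rex >> 1) & 1 if apply_rex else 0
    rex_b = rex & 1 if apply_rex else 0

    opcode = code[pos:pos + 1]
    pos += 1
    if opcode == b"\x0f":                # two-byte opcode escape (e.g. 0F BE = movsx)
        opcode += code[pos:pos + 1]
        pos += 1

    modrm = code[pos]
    pos += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        raise ValueError("register-direct operand, not a memory phrase")

    base = index = None
    scale, disp = 1, 0
    if rm == 4:                          # rm=100 means a SIB byte follows
        sib = code[pos]
        pos += 1
        scale = 1 << (sib >> 6)
        idx = ((sib >> 3) & 7) | (rex_x << 3)
        if idx != 4:                     # index=100 without REX.X means "no index"
            index = REGS64[idx]
        if (sib & 7) == 5 and mod == 0:  # base=101 with mod=00 means disp32, no base
            disp = _disp(code, pos, 4)
            pos += 4
        else:
            base = REGS64[(sib & 7) | (rex_b << 3)]   # REX.B extends the SIB base
    elif rm == 5 and mod == 0:           # [rip+disp32] in 64-bit mode
        base = "rip"
        disp = _disp(code, pos, 4)
        pos += 4
    else:
        base = REGS64[rm | (rex_b << 3)]             # REX.B extends plain rm base

    if mod == 1:
        disp = _disp(code, pos, 1)
        pos += 1
    elif mod == 2:
        disp = _disp(code, pos, 4)
        pos += 4

    return {"opcode": opcode.hex(), "reg": reg | (rex_r << 3), "base": base,
            "index": index, "scale": scale, "disp": disp, "length": pos}


def format_phrase(op: dict) -> str:
    """Render in the [base+index*scale+disp] style Sark's _phrase repr uses."""
    parts = []
    if op["base"]:
        parts.append(op["base"])
    if op["index"]:
        parts.append(f"{op['index']}*{op['scale']}")
    text = "+".join(parts)
    if not parts:
        text = f"{op['disp']:#x}"
    elif op["disp"]:
        text += f"{op['disp']:+#x}"
    return f"[{text}]"


if __name__ == "__main__":
    # Constructed input: the bytes from the issue, movsx edx, byte ptr [r8+rdx].
    code = bytes.fromhex("410fbe1410")
    print(format_phrase(decode_mem_operand(code)))                   # [r8+rdx*1]
    print(format_phrase(decode_mem_operand(code, apply_rex=False)))  # [rax+rdx*1]
```

The SIB byte 0x10 has base field 000, which is rax only when REX.B is 0; the 0x41 prefix sets REX.B, so the base is register 8, r8. Any phrase parser that reads the SIB base without folding in REX.B will report rax for every r8..r15 base, which is the pattern to check for when a base register looks off by eight.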

This definitely looks like a bug, thanks!

I'll try looking into it. But since this is entirely undocumented, I can only do so much...

@0xThiebaut , I uploaded a patch - #111
Please try it and see that it solves your issues.

@tmr232 I confirm the fix works :) The stack string decryption now works, much appreciated!