1 #include <stdio.h> 2 #include <stdlib.h> 3 #include <string.h> 4 5 #include "libdis.h" 6 #include "ia32_insn.h" 7 #include "ia32_operand.h" 8 #include "ia32_modrm.h" 9 #include "ia32_reg.h" 10 #include "x86_imm.h" 11 #include "x86_operand_list.h" 12 13 14 15 /* apply segment override to memory operand in insn */ 16 static void apply_seg( x86_op_t *op, unsigned int prefixes ) { 17 if (! prefixes ) return; 18 19 /* apply overrides from prefix */ 20 switch ( prefixes & PREFIX_REG_MASK ) { 21 case PREFIX_CS: 22 op->flags |= op_cs_seg; break; 23 case PREFIX_SS: 24 op->flags |= op_ss_seg; break; 25 case PREFIX_DS: 26 op->flags |= op_ds_seg; break; 27 case PREFIX_ES: 28 op->flags |= op_es_seg; break; 29 case PREFIX_FS: 30 op->flags |= op_fs_seg; break; 31 case PREFIX_GS: 32 op->flags |= op_gs_seg; break; 33 } 34 35 return; 36 } 37 38 static size_t decode_operand_value( unsigned char *buf, size_t buf_len, 39 x86_op_t *op, x86_insn_t *insn, 40 unsigned int addr_meth, size_t op_size, 41 unsigned int op_value, unsigned char modrm, 42 size_t gen_regs ) { 43 size_t size = 0; 44 45 /* ++ Do Operand Addressing Method / Decode operand ++ */ 46 switch (addr_meth) { 47 /* This sets the operand Size based on the Intel Opcode Map 48 * (Vol 2, Appendix A). Letter encodings are from section 49 * A.1.1, 'Codes for Addressing Method' */ 50 51 /* ---------------------- Addressing Method -------------- */ 52 /* Note that decoding mod ModR/M operand adjusts the size of 53 * the instruction, but decoding the reg operand does not. 54 * This should not cause any problems, as every 'reg' operand 55 * has an associated 'mod' operand. 56 * Goddamn-Intel-Note: 57 * Some Intel addressing methods [M, R] specify that modR/M 58 * byte may only refer to a memory address/may only refer to 59 * a register -- however Intel provides no clues on what to do 60 * if, say, the modR/M for an M opcode decodes to a register 61 * rather than a memory address ... returning 0 is out of the 62 * question, as this would be an Immediate or a RelOffset, so 63 * instead these modR/Ms are decoded with total disregard to 64 * the M, R constraints. */ 65 66 /* MODRM -- mod operand. sets size to at least 1! */ 67 case ADDRMETH_E: /* ModR/M present, Gen reg or memory */ 68 size = ia32_modrm_decode( buf, buf_len, op, insn, 69 gen_regs ); 70 break; 71 case ADDRMETH_M: /* ModR/M only refers to memory */ 72 size = ia32_modrm_decode( buf, buf_len, op, insn, 73 gen_regs ); 74 break; 75 case ADDRMETH_Q: /* ModR/M present, MMX or Memory */ 76 size = ia32_modrm_decode( buf, buf_len, op, insn, 77 REG_MMX_OFFSET ); 78 break; 79 case ADDRMETH_R: /* ModR/M mod == gen reg */ 80 size = ia32_modrm_decode( buf, buf_len, op, insn, 81 gen_regs ); 82 break; 83 case ADDRMETH_W: /* ModR/M present, mem or SIMD reg */ 84 size = ia32_modrm_decode( buf, buf_len, op, insn, 85 REG_SIMD_OFFSET ); 86 break; 87 88 /* MODRM -- reg operand. does not effect size! */ 89 case ADDRMETH_C: /* ModR/M reg == control reg */ 90 ia32_reg_decode( modrm, op, REG_CTRL_OFFSET ); 91 break; 92 case ADDRMETH_D: /* ModR/M reg == debug reg */ 93 ia32_reg_decode( modrm, op, REG_DEBUG_OFFSET ); 94 break; 95 case ADDRMETH_G: /* ModR/M reg == gen-purpose reg */ 96 ia32_reg_decode( modrm, op, gen_regs ); 97 break; 98 case ADDRMETH_P: /* ModR/M reg == qword MMX reg */ 99 ia32_reg_decode( modrm, op, REG_MMX_OFFSET ); 100 break; 101 case ADDRMETH_S: /* ModR/M reg == segment reg */ 102 ia32_reg_decode( modrm, op, REG_SEG_OFFSET ); 103 break; 104 case ADDRMETH_T: /* ModR/M reg == test reg */ 105 ia32_reg_decode( modrm, op, REG_TEST_OFFSET ); 106 break; 107 case ADDRMETH_V: /* ModR/M reg == SIMD reg */ 108 ia32_reg_decode( modrm, op, REG_SIMD_OFFSET ); 109 break; 110 111 /* No MODRM : note these set operand type explicitly */ 112 case ADDRMETH_A: /* No modR/M -- direct addr */ 113 op->type = op_absolute; 114 115 /* segment:offset address used in far calls */ 116 x86_imm_sized( buf, buf_len, 117 &op->data.absolute.segment, 2 ); 118 if ( insn->addr_size == 4 ) { 119 x86_imm_sized( buf, buf_len, 120 &op->data.absolute.offset.off32, 4 ); 121 size = 6; 122 } else { 123 x86_imm_sized( buf, buf_len, 124 &op->data.absolute.offset.off16, 2 ); 125 size = 4; 126 } 127 128 break; 129 case ADDRMETH_I: /* Immediate val */ 130 op->type = op_immediate; 131 /* if it ever becomes legal to have imm as dest and 132 * there is a src ModR/M operand, we are screwed! */ 133 if ( op->flags & op_signed ) { 134 x86_imm_signsized(buf, buf_len, &op->data.byte, 135 op_size); 136 } else { 137 x86_imm_sized(buf, buf_len, &op->data.byte, 138 op_size); 139 } 140 size = op_size; 141 break; 142 case ADDRMETH_J: /* Rel offset to add to IP [jmp] */ 143 /* this fills op->data.near_offset or 144 op->data.far_offset depending on the size of 145 the operand */ 146 op->flags |= op_signed; 147 if ( op_size == 1 ) { 148 /* one-byte near offset */ 149 op->type = op_relative_near; 150 x86_imm_signsized(buf, buf_len, 151 &op->data.relative_near, 1); 152 } else { 153 /* far offset...is this truly signed? */ 154 op->type = op_relative_far; 155 x86_imm_signsized(buf, buf_len, 156 &op->data.relative_far, op_size ); 157 } 158 size = op_size; 159 break; 160 case ADDRMETH_O: /* No ModR/M; op is word/dword offset */ 161 /* NOTE: these are actually RVAs not offsets to seg!! */ 162 /* note bene: 'O' ADDR_METH uses addr_size to 163 determine operand size */ 164 op->type = op_offset; 165 op->flags |= op_pointer; 166 x86_imm_sized( buf, buf_len, &op->data.offset, 167 insn->addr_size ); 168 169 size = insn->addr_size; 170 break; 171 172 /* Hard-coded: these are specified in the insn definition */ 173 case ADDRMETH_F: /* EFLAGS register */ 174 op->type = op_register; 175 op->flags |= op_hardcode; 176 ia32_handle_register( &op->data.reg, REG_FLAGS_INDEX ); 177 break; 178 case ADDRMETH_X: /* Memory addressed by DS:SI [string] */ 179 op->type = op_expression; 180 op->flags |= op_hardcode; 181 op->flags |= op_ds_seg | op_pointer | op_string; 182 ia32_handle_register( &op->data.expression.base, 183 REG_DWORD_OFFSET + 6 ); 184 break; 185 case ADDRMETH_Y: /* Memory addressed by ES:DI [string] */ 186 op->type = op_expression; 187 op->flags |= op_hardcode; 188 op->flags |= op_es_seg | op_pointer | op_string; 189 ia32_handle_register( &op->data.expression.base, 190 REG_DWORD_OFFSET + 7 ); 191 break; 192 case ADDRMETH_RR: /* Gen Register hard-coded in opcode */ 193 op->type = op_register; 194 op->flags |= op_hardcode; 195 ia32_handle_register( &op->data.reg, 196 op_value + gen_regs ); 197 break; 198 case ADDRMETH_RS: /* Seg Register hard-coded in opcode */ 199 op->type = op_register; 200 op->flags |= op_hardcode; 201 ia32_handle_register( &op->data.reg, 202 op_value + REG_SEG_OFFSET ); 203 break; 204 case ADDRMETH_RF: /* FPU Register hard-coded in opcode */ 205 op->type = op_register; 206 op->flags |= op_hardcode; 207 ia32_handle_register( &op->data.reg, 208 op_value + REG_FPU_OFFSET ); 209 break; 210 case ADDRMETH_RT: /* TST Register hard-coded in opcode */ 211 op->type = op_register; 212 op->flags |= op_hardcode; 213 ia32_handle_register( &op->data.reg, 214 op_value + REG_TEST_OFFSET ); 215 break; 216 case ADDRMETH_II: /* Immediate hard-coded in opcode */ 217 op->type = op_immediate; 218 op->data.dword = op_value; 219 op->flags |= op_hardcode; 220 break; 221 222 case 0: /* Operand is not used */ 223 default: 224 /* ignore -- operand not used in this insn */ 225 op->type = op_unused; /* this shouldn't happen! */ 226 break; 227 } 228 229 return size; 230 } 231 232 static size_t decode_operand_size( unsigned int op_type, x86_insn_t *insn, 233 x86_op_t *op ){ 234 size_t size; 235 236 /* ++ Do Operand Type ++ */ 237 switch (op_type) { 238 /* This sets the operand Size based on the Intel Opcode Map 239 * (Vol 2, Appendix A). Letter encodings are from section 240 * A.1.2, 'Codes for Operand Type' */ 241 /* NOTE: in this routines, 'size' refers to the size 242 * of the operand in the raw (encoded) instruction; 243 * 'datatype' stores the actual size and datatype 244 * of the operand */ 245 246 /* ------------------------ Operand Type ----------------- */ 247 case OPTYPE_c: /* byte or word [op size attr] */ 248 size = (insn->op_size == 4) ? 2 : 1; 249 op->datatype = (size == 4) ? op_word : op_byte; 250 break; 251 case OPTYPE_a: /* 2 word or 2 dword [op size attr] */ 252 /* pointer to a 16:16 or 32:32 BOUNDS operand */ 253 size = (insn->op_size == 4) ? 8 : 4; 254 op->datatype = (size == 4) ? op_bounds32 : op_bounds16; 255 break; 256 case OPTYPE_v: /* word or dword [op size attr] */ 257 size = (insn->op_size == 4) ? 4 : 2; 258 op->datatype = (size == 4) ? op_dword : op_word; 259 break; 260 case OPTYPE_p: /* 32/48-bit ptr [op size attr] */ 261 /* technically these flags are not accurate: the 262 * value s a 16:16 pointer or a 16:32 pointer, where 263 * the first '16' is a segment */ 264 size = (insn->addr_size == 4) ? 6 : 4; 265 op->datatype = (size == 4) ? op_descr32 : op_descr16; 266 break; 267 case OPTYPE_b: /* byte, ignore op-size */ 268 size = 1; 269 op->datatype = op_byte; 270 break; 271 case OPTYPE_w: /* word, ignore op-size */ 272 size = 2; 273 op->datatype = op_word; 274 break; 275 case OPTYPE_d: /* dword , ignore op-size */ 276 size = 4; 277 op->datatype = op_dword; 278 break; 279 case OPTYPE_s: /* 6-byte psuedo-descriptor */ 280 /* ptr to 6-byte value which is 32:16 in 32-bit 281 * mode, or 8:24:16 in 16-bit mode. The high byte 282 * is ignored in 16-bit mode. */ 283 size = 6; 284 op->datatype = (insn->addr_size == 4) ? 285 op_pdescr32 : op_pdescr16; 286 break; 287 case OPTYPE_q: /* qword, ignore op-size */ 288 size = 8; 289 op->datatype = op_qword; 290 break; 291 case OPTYPE_dq: /* d-qword, ignore op-size */ 292 size = 16; 293 op->datatype = op_dqword; 294 break; 295 case OPTYPE_ps: /* 128-bit FP data */ 296 size = 16; 297 /* really this is 4 packed SP FP values */ 298 op->datatype = op_ssimd; 299 break; 300 case OPTYPE_pd: /* 128-bit FP data */ 301 size = 16; 302 /* really this is 2 packed DP FP values */ 303 op->datatype = op_dsimd; 304 break; 305 case OPTYPE_ss: /* Scalar elem of 128-bit FP data */ 306 size = 16; 307 /* this only looks at the low dword (4 bytes) 308 * of the xmmm register passed as a param. 309 * This is a 16-byte register where only 4 bytes 310 * are used in the insn. Painful, ain't it? */ 311 op->datatype = op_sssimd; 312 break; 313 case OPTYPE_sd: /* Scalar elem of 128-bit FP data */ 314 size = 16; 315 /* this only looks at the low qword (8 bytes) 316 * of the xmmm register passed as a param. 317 * This is a 16-byte register where only 8 bytes 318 * are used in the insn. Painful, again... */ 319 op->datatype = op_sdsimd; 320 break; 321 case OPTYPE_pi: /* qword mmx register */ 322 size = 8; 323 op->datatype = op_qword; 324 break; 325 case OPTYPE_si: /* dword integer register */ 326 size = 4; 327 op->datatype = op_dword; 328 break; 329 case OPTYPE_fs: /* single-real */ 330 size = 4; 331 op->datatype = op_sreal; 332 break; 333 case OPTYPE_fd: /* double real */ 334 size = 8; 335 op->datatype = op_dreal; 336 break; 337 case OPTYPE_fe: /* extended real */ 338 size = 10; 339 op->datatype = op_extreal; 340 break; 341 case OPTYPE_fb: /* packed BCD */ 342 size = 10; 343 op->datatype = op_bcd; 344 break; 345 case OPTYPE_fv: /* pointer to FPU env: 14 or 28-bytes */ 346 size = (insn->addr_size == 4)? 28 : 14; 347 op->datatype = (size == 28)? op_fpuenv32: op_fpuenv16; 348 break; 349 case OPTYPE_ft: /* pointer to FPU env: 94 or 108 bytes */ 350 size = (insn->addr_size == 4)? 108 : 94; 351 op->datatype = (size == 108)? 352 op_fpustate32: op_fpustate16; 353 break; 354 case OPTYPE_fx: /* 512-byte register stack */ 355 size = 512; 356 op->datatype = op_fpregset; 357 break; 358 case OPTYPE_fp: /* floating point register */ 359 size = 10; /* double extended precision */ 360 op->datatype = op_fpreg; 361 break; 362 case OPTYPE_m: /* fake operand type used for "lea Gv, M" */ 363 size = insn->addr_size; 364 op->datatype = (size == 4) ? op_dword : op_word; 365 break; 366 case OPTYPE_none: /* handle weird instructions that have no encoding but use a dword datatype, like invlpg */ 367 size = 0; 368 op->datatype = op_none; 369 break; 370 case 0: 371 default: 372 size = insn->op_size; 373 op->datatype = (size == 4) ? op_dword : op_word; 374 break; 375 } 376 return size; 377 } 378 379 size_t ia32_decode_operand( unsigned char *buf, size_t buf_len, 380 x86_insn_t *insn, unsigned int raw_op, 381 unsigned int raw_flags, unsigned int prefixes, 382 unsigned char modrm ) { 383 unsigned int addr_meth, op_type, op_size, gen_regs; 384 x86_op_t *op; 385 size_t size; 386 387 /* ++ Yank optype and addr mode out of operand flags */ 388 addr_meth = raw_flags & ADDRMETH_MASK; 389 op_type = raw_flags & OPTYPE_MASK; 390 391 if ( raw_flags == ARG_NONE ) { 392 /* operand is not used in this instruction */ 393 return 0; 394 } 395 396 /* allocate a new operand */ 397 op = x86_operand_new( insn ); 398 399 /* ++ Copy flags from opcode table to x86_insn_t */ 400 op->access = (enum x86_op_access) OP_PERM(raw_flags); 401 op->flags = (enum x86_op_flags) (OP_FLAGS(raw_flags) >> 12); 402 403 /* Get size (for decoding) and datatype of operand */ 404 op_size = decode_operand_size(op_type, insn, op); 405 406 /* override default register set based on Operand Type */ 407 /* this allows mixing of 8, 16, and 32 bit regs in insn */ 408 if (op_size == 1) { 409 gen_regs = REG_BYTE_OFFSET; 410 } else if (op_size == 2) { 411 gen_regs = REG_WORD_OFFSET; 412 } else { 413 gen_regs = REG_DWORD_OFFSET; 414 } 415 416 size = decode_operand_value( buf, buf_len, op, insn, addr_meth, 417 op_size, raw_op, modrm, gen_regs ); 418 419 /* if operand is an address, apply any segment override prefixes */ 420 if ( op->type == op_expression || op->type == op_offset ) { 421 apply_seg(op, prefixes); 422 } 423 424 return size; /* return number of bytes in instruction */ 425 } 426
