
[XED] how to encode mov instruction

Yuya_K_
Beginner

Hello, all.

I am trying to encode mov and call instructions on CentOS 7, but encountered an error.

The source code is as below.

#ifdef __X86_64__
#define  XED_MMODE                 XED_MACHINE_MODE_LONG_64
#define  XED_STACK_ADDR_WIDTH     XED_ADDRESS_WIDTH_64b
#else 
#define  XED_MMODE                XED_MACHINE_MODE_LEGACY_32
#define  XED_STACK_ADDR_WIDTH    XED_ADDRESS_WIDTH_32b
#endif

static xed_uint8_t 	ret_inst[MAX_INST_LEN_X86_64];
static unsigned		ret_inst_len;	
static xed_uint8_t  load_func_inst[MAX_INST_LEN_X86_64];
static unsigned  	load_func_inst_len;
static xed_uint8_t  call_mem_acc_handler_wrapper_inst[MAX_INST_LEN_X86_64];
static unsigned  	call_mem_acc_handler_wrapper_inst_len;
__attribute__((constructor)) static void __init_inst(void){
	xed_encoder_instruction_t 	enc_inst;
	xed_encoder_request_t		enc_req;
	xed_error_enum_t			xed_err;
	xed_state_t					dstate = {XED_MMODE, XED_STACK_ADDR_WIDTH};

	//RET instruction
	{
		xed_inst0(&enc_inst, dstate, XED_ICLASS_RET_NEAR, 0);
		xed_encoder_request_zero_set_mode(&enc_req, &dstate);
		if(unlikely(!xed_convert_to_encoder_request(&enc_req, &enc_inst))){
			fprintf(stderr, "conversion to encode request failed\n");
			abort();
		}
		xed_err = xed_encode(&enc_req, ret_inst, sizeof(ret_inst) , &ret_inst_len);
		if(unlikely(xed_err != XED_ERROR_NONE)){
			fprintf(stderr, "xed encoding request of `ret` failed : XED error number(%d)\n", xed_err);
			abort();
		}
	}
	//function address LOAD instruction "mov *mem_acc_handler_wrapper,(%rsp)"
	{
		xed_uint64_t fa = mem_acc_handler_wrapper;
		xed_encoder_operand_t faddr_oper = xed_imm0(fa, __SIZEOF_POINTER__);
		xed_encoder_operand_t m_oper	 = xed_mem_bd(XED_REG_RSP, xed_disp(0,32), 64);
		xed_inst2(&enc_inst, dstate, XED_ICLASS_MOV, 0, faddr_oper, m_oper);
		xed_encoder_request_zero_set_mode(&enc_req, &dstate);
		if(unlikely(!xed_convert_to_encoder_request(&enc_req, &enc_inst))){
			fprintf(stderr, "conversion to encode request failed\n");
			abort();
		}
		xed_err = xed_encode(&enc_req, load_func_inst, sizeof(load_func_inst) , &load_func_inst_len);
		if(unlikely(xed_err != XED_ERROR_NONE)){
			fprintf(stderr, "xed encoding request of `mov` failed : XED error number(%d)\n", xed_err);
			abort();
		}
	}
	//CALL instruction "call *(%rsp)"
	{
		xed_inst1(&enc_inst, dstate, XED_ICLASS_CALL_NEAR, 0, xed_mem_bd(XED_REG_RSP, xed_disp(0,8), 0));
		xed_encoder_request_zero_set_mode(&enc_req, &dstate);
		if(unlikely(!xed_convert_to_encoder_request(&enc_req, &enc_inst))){
			fprintf(stderr, "conversion to encode request failed\n");
			abort();
		}
		xed_err = xed_encode(&enc_req, call_mem_acc_handler_wrapper_inst, sizeof(call_mem_acc_handler_wrapper_inst) , &call_mem_acc_handler_wrapper_inst_len);
		if(unlikely(xed_err != XED_ERROR_NONE)){
			fprintf(stderr, "xed encoding request of `call` failed : XED error number(%d)\n", xed_err);
			abort();
		}
	}
}

Calling this function, I got the following message and my program stopped.

xed encoding request of `mov` failed : XED error number(2) # 2 means "XED could not decode the given instruction".
中止 (コアダンプ) #core dump by abort()

 

I have no idea about what happened.

And I cannot identify the source of the problem because there is little documentation for Intel® XED.

I would appreciate it if you could help me with this error.

3 Replies
andysem
New Contributor III

I'm not familiar with XED, and I'm not sure how to interpret the "mov *mem_acc_handler_wrapper,(%rsp)" comment. I'm guessing you're trying to store a 64-bit immediate value to stack. If so, the problem you're having is likely caused by the fact that there is no such mov instruction in x86. Only 32-bit and smaller immediates can be stored directly into memory. You have to first load the 64-bit immediate value into a register using a dedicated mov and then store that register to the stack.
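
Added example, not part of the original thread and not XED code: the constraint described in the reply above, shown by hand-encoding the bytes in C. A value that fits a sign-extended 32-bit immediate can be stored to [rsp] directly; anything wider has to go through a register first. The function names, the choice of rax as the scratch register and the sample address are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Write v as n little-endian bytes. */
static void put_le(uint8_t *p, uint64_t v, unsigned n)
{
    for (unsigned i = 0; i < n; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Emit code storing val to [rsp]; returns bytes written, 0 if cap too small. */
size_t emit_store_imm64_to_rsp(uint8_t *out, size_t cap, uint64_t val)
{
    /* Does val survive sign-extension from 32 bits? */
    if (val <= 0x7FFFFFFFULL || val >= 0xFFFFFFFF80000000ULL) {
        if (cap < 8) return 0;
        out[0] = 0x48; out[1] = 0xC7;   /* mov qword ptr [rsp], imm32: REX.W C7 /0 */
        out[2] = 0x04; out[3] = 0x24;   /* ModRM rm=100 -> SIB, base=rsp, no index */
        put_le(out + 4, val, 4);
        return 8;
    }
    /* No "mov m64, imm64" encoding exists: go through rax (clobbered). */
    if (cap < 14) return 0;
    out[0] = 0x48; out[1] = 0xB8;       /* mov rax, imm64: REX.W B8+rd */
    put_le(out + 2, val, 8);
    out[10] = 0x48; out[11] = 0x89;     /* mov [rsp], rax: REX.W 89 /r */
    out[12] = 0x04; out[13] = 0x24;
    return 14;
}

/* Emit "call qword ptr [rsp]": FF /2, same [rsp] addressing. */
size_t emit_call_rsp_mem(uint8_t *out, size_t cap)
{
    if (cap < 3) return 0;
    out[0] = 0xFF; out[1] = 0x14; out[2] = 0x24;
    return 3;
}

int main(void)
{
    uint8_t buf[32];
    /* Constructed sample address, not taken from the thread. */
    size_t n = emit_store_imm64_to_rsp(buf, sizeof buf, 0x00007f1234567890ULL);
    n += emit_call_rsp_mem(buf + n, sizeof buf - n);
    for (size_t i = 0; i < n; i++) printf("%02x ", buf[i]);
    putchar('\n');
    return 0;
}
```

For the sample address the output is 48 b8 90 78 56 34 12 7f 00 00 48 89 04 24 ff 14 24, which a disassembler shows as mov rax, imm64; mov [rsp], rax; call [rsp].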

Yuya_K_
Beginner

Dear andysem,

Thank you for the reply.

As you guessed, mem_acc_handler_wrapper is a function and a 64-bit immediate value.

On reading your comment, I changed the code at line 40 as below, so that the value of mem_acc_handler_wrapper is stored in the %rax register. However, I got the same message.

 //"mov mem_acc_handler_wrapper,%rax" where mem_acc_handler_wrapper is an immediate value.
 xed_inst2(&enc_inst, dstate, XED_ICLASS_MOV, 0, faddr_oper, xed_reg(XED_REG_RAX)); 

After that, I modified the code as below to confirm whether a mov instruction containing an immediate value is invalid. However, even in this case, I got the same error message.

 //"mov %r10,%rax"
 xed_inst2(&enc_inst, dstate, XED_ICLASS_MOV, 0, xed_reg(XED_REG_R10), xed_reg(XED_REG_RAX));

 

Although something other than the xed_* functions seems to be wrong, there is no other difference between encoding RET and MOV.

Yuya_K_
Beginner

In addition to the above, I found that an example in the official package (available at https://software.intel.com/en-us/protected-download/267266/560870/step2) does not work correctly. The error message is as follows.

~/source/xed-install-base-2016-02-02-lin-x86-64/examples$ ./xed-ex5-enc
ENCODE ERROR: GENERAL_ERROR
ENCODE ERROR: GENERAL_ERROR
Result: 2
	03 82 44 33 22 11
	add eax, dword ptr [edx+0x11223344]
Result: 3
	64 03 84 b0 44 33 22 11
	add eax, dword ptr fs:[eax+esi*4+0x11223344]
ENCODE ERROR: GENERAL_ERROR
ENCODE ERROR: GENERAL_ERROR
ENCODE ERROR: GENERAL_ERROR
ENCODE ERROR: GENERAL_ERROR
ENCODE ERROR: GENERAL_ERROR
ENCODE ERROR: GENERAL_ERROR
ENCODE ERROR: GENERAL_ERROR
Result: 11
	f3 48 ae
	rep scasb byte ptr [rdi]
ENCODE ERROR: GENERAL_ERROR
ENCODE ERROR: GENERAL_ERROR
ENCODE ERROR: GENERAL_ERROR
ENCODE ERROR: GENERAL_ERROR
Result: 16
	48 83 c0 77
	add rax, 0x77
Result: 17
	48 05 11 22 33 44
	add rax, 0x44332211
ENCODE ERROR: GENERAL_ERROR
ENCODE ERROR: GENERAL_ERROR
ENCODE ERROR: GENERAL_ERROR
Result: 21
	7c 05
	jl 0x7
Result: 22
	67 7c 05
	addr32 jl 0x8
Result: 23
	78 05
	js 0x7
ENCODE ERROR: GENERAL_ERROR

Therefore, I concluded Intel XED is not reliable. If you do not agree with me, I ask you to tell me your idea.

 
