Intel® ISA Extensions

encoding disp32 in Amd64

anujgarg2004gmail_co
719 Views
I want to encode the following instruction using the displacement bytes instead of a SIB byte. Is it possible?

mov rcx, ptr[1CE26F0h]

The following encoding should work:
48 0B 0D F0 26 CE 01

However, the assembler is interpreting it as

mov rcx,qword ptr [1CE26F7h] instead of
mov rcx, ptr[1CE26F0h]


Where does this extra 7 come from? In other cases the interpretation of addresses is even different:

00000000055C0251 48 8B 0D E8 26 C8 01 mov rcx,qword ptr [7242940h]


What am I doing wrong?

1 Solution
MarkC_Intel
Moderator
719 Views
I want to encode the following instruction using the displacement bytes instead of SIB byte. Is it possible?
mov rcx, ptr[1CE26F0h]
the following encoding should work
48 0B 0D F0 26 CE 01
however the assembler is interpreting it as
mov rcx,qword ptr [1CE26F7h] instead of
mov rcx, ptr[1CE26F0h]

Hi,
48 0B 0D F0 26 CE 01 is a RIP-relative "OR" instruction. (Did you mean 8B instead of 0B?)

% xed -64 -d 48 0b 0d f0 26 ce 01
SHORT: or rcx, qword ptr [rip+0x1ce26f0]

If you want a RIP-relative MOV, then you want this:

% xed -64 -e mov/64 rcx MEM8:RIP,-,-,01ce26f0
Request: MOV DISP_WIDTH:32, EOSZ:3, MEM_WIDTH:8, MEM0:qword ptr [RIP+0x1ce26f0], MODE:2, REG0:RCX, SMODE:2
OPERAND ORDER: REG0 MEM0
Encodable! 488B0DF026CE01
.byte 0x48,0x8b,0x0d,0xf0,0x26,0xce,0x01

The disassembler will factor in the address of the instruction when presenting the actual address to you. That is probably where the 7 is coming from.

To answer your question: unless your dest is rAX, you need a SIB byte to get a displacement-only load. The A0...A3 opcodes can reference displacements without a SIB byte but use rAX as one operand.

To encode the instruction "mov RCX, qword ptr[1CE26F0]" -- not rip-relative, you'd want the following:

% xed -64 -e mov/64 RCX MEM8:-,-,-,01ce26f0
Request: MOV DISP_WIDTH:32, EOSZ:3, MEM_WIDTH:8, MEM0:qword ptr [0x1ce26f0], MODE:2, REG0:RCX, SMODE:2
OPERAND ORDER: REG0 MEM0
Encodable! 488B0C25F026CE01
.byte 0x48,0x8b,0x0c,0x25,0xf0,0x26,0xce,0x01

Also note, this references a very low address. Probably not what you want.

(Compiled versions of libxed (and the source examples) are available inside pin kits from http://www.pintool.org )

Regards,
Mark
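The two encodings Mark shows, and the reason the disassembler prints 1CE26F7h, can be reproduced with a few lines of code. The block below is an added example written for this thread; it is not code from the thread, from Intel, or from XED. The function names (encode_disp32_load, encode_rax_moffs_load, decode_disp32_load) are my own, the input bytes are the ones posted above, and only the REX.W-prefixed 8B (MOV) and 0B (OR) load forms with a 32-bit displacement are handled.

```python
"""
Minimal encoder/decoder for 'r64, [disp32]' loads in 64-bit mode (added example).
Covers the two forms from the thread: RIP-relative (ModRM mod=00, rm=101, no SIB)
and absolute disp32 via a SIB byte with no base and no index, plus the moffs form
that only rAX can use. Sample bytes are the ones posted in the question.
"""
import struct

REX_W = 0x48             # REX prefix with W=1: 64-bit operand size
OPC_MOV_LOAD = 0x8B      # MOV r64, r/m64
OPC_OR_LOAD = 0x0B       # OR  r64, r/m64 (the opcode actually present in the posted bytes)
OPCODE_NAMES = {OPC_MOV_LOAD: "mov", OPC_OR_LOAD: "or"}
GPR64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]  # low eight registers only


def encode_disp32_load(reg, disp32, rip_relative, opcode=OPC_MOV_LOAD):
    """Bytes of '<op> reg, qword ptr [rip+disp32]' (no SIB) or
    '<op> reg, qword ptr [disp32]' (absolute, SIB 0x25)."""
    r = GPR64.index(reg)
    if rip_relative:
        # mod=00, rm=101: in 64-bit mode this means [RIP + disp32], not [disp32].
        tail = bytes([(0 << 6) | (r << 3) | 0b101])
    else:
        # mod=00, rm=100 says a SIB byte follows; SIB index=100 (none) and base=101
        # under mod=00 means 'disp32 only'. This is the only way to get an absolute
        # 32-bit address into a register other than rAX.
        modrm = (0 << 6) | (r << 3) | 0b100
        sib = (0 << 6) | (0b100 << 3) | 0b101   # 0x25
        tail = bytes([modrm, sib])
    return bytes([REX_W, opcode]) + tail + struct.pack("<I", disp32 & 0xFFFFFFFF)


def encode_rax_moffs_load(addr64):
    """MOV rax, [moffs64]: opcode A1 with REX.W carries a full 64-bit absolute
    address and needs neither ModRM nor SIB, but the destination is fixed to rAX."""
    return bytes([REX_W, 0xA1]) + struct.pack("<Q", addr64)


def decode_disp32_load(code, insn_addr=0):
    """Decode one REX.W-prefixed 8B/0B load with a disp32-only memory operand.
    Returns (mnemonic, register, form, effective_address), form being 'rip' or
    'abs'. For the RIP form the effective address is insn_addr + instruction
    length + disp32, which is the 'actual' address a disassembler prints."""
    if code[0] != REX_W or code[1] not in OPCODE_NAMES:
        raise ValueError("not a REX.W-prefixed mov/or r64, r/m64 load")
    modrm = code[2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0:
        raise ValueError("only mod=00 forms are handled here")
    if rm == 0b101:
        form, pos = "rip", 3            # disp32 follows the ModRM byte
    elif rm == 0b100 and code[3] == 0x25:
        form, pos = "abs", 4            # disp32 follows the SIB byte
    else:
        raise ValueError("not a disp32-only addressing form")
    (disp,) = struct.unpack_from("<i", code, pos)   # disp32 is sign-extended to 64 bits
    length = pos + 4
    if form == "rip":
        target = (insn_addr + length + disp) & 0xFFFFFFFFFFFFFFFF
    else:
        target = disp & 0xFFFFFFFFFFFFFFFF          # a negative disp32 lands in the top canonical half
    return OPCODE_NAMES[code[1]], GPR64[reg], form, target


if __name__ == "__main__":
    posted = bytes.fromhex("480B0DF026CE01")            # bytes from the original question
    print(decode_disp32_load(posted, 0))                # ('or', 'rcx', 'rip', 0x1CE26F7): the 7 is the length
    print(encode_disp32_load("rcx", 0x1CE26F0, rip_relative=True).hex())    # 488b0df026ce01
    print(encode_disp32_load("rcx", 0x1CE26F0, rip_relative=False).hex())   # 488b0c25f026ce01
    # Second listing from the question: instruction at 0x55C0251 with disp 0x1C826E8
    print(hex(decode_disp32_load(bytes.fromhex("488B0DE826C801"), 0x55C0251)[3]))  # 0x7242940
```

Decoding the posted bytes at address 0 gives 0 + 7 + 1CE26F0h = 1CE26F7h, exactly what the assembler listing showed; the same calculation on the second listing (address 55C0251h, displacement 1C826E8h) yields 7242940h. The decoder also sign-extends the displacement, so an absolute disp32 can only reach the lowest 2 GiB or the top of the canonical range, which is the "very low address" caveat in Mark's reply.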


2 Replies
anujgarg2004gmail_co
719 Views

Thanks a lot for xed. I am actually writing an encoder, so that's pretty handy. Thanks for the explanation. I forgot about the RIP mode.