
X64 improperly turns base-less memory operand into rip-relative one

Open iconmaster5326 opened this issue 6 years ago • 3 comments

See this instruction here:

xor rdi, qword ptr fs:[40]

Keystone will compile this to:

xor rdi, qword ptr fs:[rip + 0x20]

This is not correct. I wanted to access the memory location at fs+40, but Keystone compiled it into an instruction that accesses memory at fs+rip+40. I am using Keystone version 0.9.1 (the version installed from PyPI, more specifically).

iconmaster5326 avatar Sep 12 '19 17:09 iconmaster5326
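As an added illustration (not code from Keystone or LLVM), the pure-Python encoder/decoder below builds both encodings of the instruction above and recovers the effective fs offset from the bytes, which is a quick way to catch an unintended rip-relative operand in assembler output. It assumes the rip-relative form was emitted for an instruction placed at address 0, which is consistent with the reported 0x20 displacement (40 minus the 8-byte instruction length); all constants and function names are mine.

```python
import struct

# Constructed encodings of "xor rdi, qword ptr fs:[disp]" (x86-64).
# 0x64 = FS segment override, 0x48 = REX.W, 0x33 = XOR r64, r/m64.
FS, REX_W, XOR_RM = 0x64, 0x48, 0x33
RDI = 7  # ModRM.reg value selecting rdi


def encode_xor_rdi_fs(disp, rip_relative=False):
    """Return the machine code for `xor rdi, qword ptr fs:[disp]`.

    Absolute form: ModRM mod=00 rm=100 introduces a SIB byte; SIB index=100
    (none) and base=101 under mod=00 mean "no base, disp32 follows".
    RIP-relative form: ModRM mod=00 rm=101; disp32 is added to the address
    of the *next* instruction, so the operand moves with the code.
    """
    if rip_relative:
        modrm = (0b00 << 6) | (RDI << 3) | 0b101           # 0x3D
        body = bytes([FS, REX_W, XOR_RM, modrm])
    else:
        modrm = (0b00 << 6) | (RDI << 3) | 0b100           # 0x3C, SIB follows
        sib = (0b00 << 6) | (0b100 << 3) | 0b101           # 0x25: no index, no base
        body = bytes([FS, REX_W, XOR_RM, modrm, sib])
    return body + struct.pack("<i", disp)


def decode_mem_operand(insn, insn_addr=0):
    """Classify the memory operand and compute the fs offset actually used.

    Returns (form, disp, effective_offset) for an instruction located at
    insn_addr.  Only the two forms relevant to this bug are handled.
    """
    i = 0
    while insn[i] in (FS, REX_W):            # skip the prefixes we expect
        i += 1
    if insn[i] != XOR_RM:
        raise ValueError("not the xor r64, r/m64 opcode")
    modrm = insn[i + 1]
    mod, rm = modrm >> 6, modrm & 7
    if mod == 0b00 and rm == 0b101:          # rip-relative disp32
        disp = struct.unpack_from("<i", insn, i + 2)[0]
        end = i + 2 + 4                      # rip = address just past the insn
        return "rip-relative", disp, insn_addr + end + disp
    if mod == 0b00 and rm == 0b100:          # SIB present
        sib = insn[i + 2]
        if sib & 7 == 0b101 and (sib >> 3) & 7 == 0b100:   # no base, no index
            disp = struct.unpack_from("<i", insn, i + 3)[0]
            return "absolute", disp, disp
    raise ValueError("operand form not handled by this example")


if __name__ == "__main__":
    wanted = encode_xor_rdi_fs(40)                       # what the reporter asked for
    emitted = encode_xor_rdi_fs(40 - 8, rip_relative=True)  # what Keystone produced
    for addr in (0, 0x1000):
        print(hex(addr), decode_mem_operand(wanted, addr), decode_mem_operand(emitted, addr))
```

Run stand-alone, the rip-relative encoding only resolves to fs:40 when placed at address 0; at any other load address the effective offset shifts with the code.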

I'd pin this issue down to something in LLVM's MC module. I've tested out the LLVM assembler from versions 3.9.0 (the version you forked LLVM from) and 9.0.1 (the latest version), and it succeeds in assembling this code correctly, so it seems a change this repository made to LLVM causes this issue.

iconmaster5326 avatar Feb 10 '20 19:02 iconmaster5326

It looks like Keystone is pinned to a very old version of LLVM. Are there any plans to move to (and ideally start tracing) a recent version of LLVM? Is Keystone currently actively maintained?

eschulte avatar Feb 17 '20 15:02 eschulte

really annoying bug

x86asmr avatar Oct 31 '20 16:10 x86asmr