Format customization

[440bx]

Hello,

I would like to go from this (a):
0000000100001000 FF 25 26 13 12 00 jmp qword ptr ds:[0x000000010012232C]
to this (b):
0000000100001000 FF 25 26 13 12 00 jmp qword ptr cs:10012232Ch

I was able to go from the first to the second by tokenizing the instruction and adding whatever code was needed to go from (a) to (b). I used the Formatter03 and ZydisDisasm examples to get there.

The first question I have is: are there properties/options that can be set in the formatter that would minimize or eliminate the need to tokenize the instruction in order to go from (a) to (b) ?

The second question is: is there a way to inform the dis-assembler that the addresses are CS relative (instead of DS which is what it's using).

Thank you for your help.

[flobernd]

Hi!

I was able to go from the first to the second by tokenizing the instruction and adding whatever code was needed to go from (a) to (b). I used the Formatter03 and ZydisDisasm examples to get there.

You mean you used formatter hooks to achieve that?

The first question I have is: are there properties/options that can be set in the formatter that would minimize or eliminate the need to tokenize the instruction in order to go from (a) to (b) ?

The hexadecimal formatting is completely customizable. You can remove the 0x prefix and add the h suffix instead. The padding can as well be disabled without using formatter hooks.

If you look in the source, we already have the MASM formatter style that uses this configuration:
https://github.com/zyantific/zydis/blob/master/include/Zydis/Internal/FormatterIntel.h#L181

The second question is: is there a way to inform the dis-assembler that the addresses are CS relative (instead of DS which is what it's using).

Zydis currently sets the wrong default segment for branch instructions with memory operands. We should fix this by adding some more logic here:

zydis/src/Decoder.c

Line 1930 in ffde0f4

if (operands[i].mem.segment == ZYDIS_REGISTER_NONE)

As a workaround you can simply modify the segment register of the operand before passing the ZydisDecodedInstruction to the formatter.

[440bx]

Hi Florian,

I changed the formatter style to ZYDIS_FORMATTER_STYLE_INTEL_MASM thinking that would get me closer to what I want and, in some ways it did but, I get this:

0000000100001000 FF 25 26 13 12 00 jmp qword ptr [$+12132Ch]

I'd like to get this instead:

0000000100001000 FF 25 26 13 12 00 jmp qword ptr cs:10012232Ch

I tried setting the formatter property ZYDIS_FORMATTER_PROP_FORCE_RELATIVE_BRANCHES to ZYAN_FALSE but that didn't change the formatting (still got a relative address). Is there a property I can set to get the absolute address or do I have to use ZydisCalcAbsoluteAddress and format it myself ?

Thank you for your help.

[flobernd]

for the time being I am using ZydisFormatterTokenizeInstruction to tokenize the instruction and based on the tokens and information I gather from the instruction and the operands, I "customize" the formatting.

The recommended way of doing this, is by using this formatter hook (this way it works for the regular printing and the tokenizing APIs):

zydis/include/Zydis/Formatter.h

Lines 484 to 491 in ffde0f4

	/**
	* This function is invoked to format a memory operand.
	*
	* Replacing this function might indirectly disable some specific calls to the
	* `ZYDIS_FORMATTER_FUNC_PRINT_TYPECAST`, `ZYDIS_FORMATTER_FUNC_PRINT_SEGMENT`,
	* `ZYDIS_FORMATTER_FUNC_PRINT_ADDRESS_ABS` and `ZYDIS_FORMATTER_FUNC_PRINT_DISP` functions.
	*/
	ZYDIS_FORMATTER_FUNC_FORMAT_OPERAND_MEM,

However, the base implementation of this function (e.g. for the INTEL style) does a lot of things and calls several sub-routines. One quick solution would be to copy the code and just remove the part that adds the [ and ] token (but only, if the operand is an absolute address; conditions for that can be found in the same piece of code).

The hexadecimal formatting is completely customizable. You can remove the 0x prefix and add the h suffix instead.

can that be done without using formatter hooks and/or tokenizing the instruction ? if the answer is yes, please enlighten me. Also note that I am using the library, i.e, dll.

After getting rid of the memory operand parenthesis, you only have to customize the printing of absolute addresses for which you can use the formatter properties ZYDIS_FORMATTER_PROP_ADDR_PADDING_ABSOLUTE, ZYDIS_FORMATTER_PROP_HEX_PREFIX and ZYDIS_FORMATTER_PROP_HEX_SUFFIX (take inspiration on how the MASM style formatter is initialized).

I changed the formatter style to ZYDIS_FORMATTER_STYLE_INTEL_MASM thinking that would get me closer to what I want

I guess using the regular INTEL style will be easier in regards to the customizations you are trying to achieve. The MASM style was just an example of how to customize the hexadecimal value output.

I think you do not pass the correct base address (e.g. 0x0000000100001000) to the formatter API, otherwise the operand should correctly use 10012232Ch instead of just 12132Ch.

[440bx]

Thank you for all that info. It is very useful.

I think you do not pass the correct base address (e.g. 0x0000000100001000) to the formatter API, otherwise the operand should correctly use 10012232Ch instead of just 12132Ch.

Just to make sure we both know what I'm doing. I'm using the functions ZydisFormatterInit, ZydisFormatterSetProperty, ZydisFormatterTokenizeInstruction and, ZydisFormatterTokenGetValue. I'm not using any other formatter functions. To test the hypothesis that I'm not passing the correct base address, I hard coded a number of test addresses in the call to ZydisFormatterTokenizeInstruction and that function, when the style is ZYDIS_FORMATTER_STYLE_INTEL_MASM seems to ignore the address passed to it. IOW, no matter the address passed, the instruction is formatted as [$+<offset>] where the offset is always the same for a given instruction and is the distance computed from the end of the instruction (which is as expected given the "$" specification.) When I use ZydisCalcAbsoluteAddress then I get the correct absolute address (of course, provided I pass it the correct instruction address.)

If at all possible, I'd like the tokenizer to calculate the absolute address but, there doesn't seem to be a way to make it do that when the style is set to ...INTEL_MASM.

I've tried setting ZYDIS_FORMATTER_PROP_FORCE_RELATIVE_BRANCHES to FALSE using ZydisFormatterSetProperty but, that didn't make any difference either.

I'm coming to the conclusion that using ZydisFormatterTokenizeInstruction to customize the output of the instruction to be the way I want it, while it may possible to do, seems to require a significant amount of work which also results in fragile code because its correct operation depends on the property settings used in the formatter.

As you suggested, I'm going to look into using Formatter hooks instead and using the existing code in Zydis as templates/examples.

Any additional comments you may have are most welcome. Thank you again.

[flobernd]

What I was trying to suggest is using the regular INTEL formatter style (not MASM) and use ZydisFormatterSetProperty to customize the hexadecimal value prefix/suffix and address padding (use the defaults from the MASM style here; but nothing else). This should allow you to get your desired address output.

The regular INTEL formatter should respect the runtime address.

As you suggested, I'm going to look into using Formatter hooks instead

That would be the recommended way of getting rid of the [ and ] tokens which as well would allow you to use the regular ZydisFormatterFormatInstruction instead of the tokenizing one.

[440bx]

Thank you Florian. I'm now working on the formatting using hooks.