How do i encode an instruction

[JenyaRostov]

Continuation of #363
How do i encode this:
mov rcx, [0x00007fff99750b40]
RIP-rel obviously wouldn't work (>int32), so how should i encode this?
It worked fine with rax, how is rcx different?
(Sorry if that's a stupid question, I'm just not very advanced in asm)

[flobernd]

Hi, the register shouldn't make a difference here. I don't see any issue in encoding your instruction (if you can control at which place in memory the instruction is emitted).

What you see in the disassembly here is the absolute address while the 32-bit displacement of a RIP-rel instruction is relative to the position of the instruction itself (to the end of the instruction to be precise).

Being able to address memory > +/-2^31 was basically the reason for inventing the RIP-rel addressing mode.

You need to convert your absolute address to a relative one based on the emitted instruction position and it's length. Sadly Zydis currently does not provide a way to help you with that (but @mappzor is working on it), so you will need to patch the displacement by your own after the instruction has been encoded.

Feel free to ask again, if you are not sure how to do it.

[JenyaRostov]

That would be appreciated. I think ive tried rip-rel before, but i wasn't able to encode it

[mappzor]

RIP-rel obviously wouldn't work (>int32), so how should i encode this?

That depends where you want to put your new code. There are two solutions:

• allocate memory close (within 2GB relative to data you are referencing)
• use a sequence of instructions, see When the call is far, zydisdecoderdecodefull cannot work normally #360 for example idiom - 1st instructions references rip+2, next one is a jump over 8 bytes of data, 8 bytes of data is an absolute address of data you want to reference. That's some extra work but it will make your code position independent.

[JenyaRostov]

I have no control over placement of my code, so can you please help with second solution?

[mappzor]

For moves you can simply detect which register is the target (in your case rcx), emit a mov that writes absolute address to rcx and emit second instruction mov rcx, [rcx]. So final sequence would be:

mov rcx, 0x00007fff99750b40
mov rcx, [rcx]

To calculate absolute address from memory operand use ZydisCalcAbsoluteAddress.

[JenyaRostov]

Ooh yeah that makes sense, thanks
But how would my second operand look? (ZydisEncoderRequest)
In mov rcx, [rcx]

[mappzor]

base = RCX
index = NONE
scale = 0
displacement = 0
size = 8

[JenyaRostov]

thanks, that worked flawlessly!