Work environment
| Questions | Answers |
|---|---|
| OS/arch/bits | x86_64 Ubuntu 20.04 |
| Architecture | x86_64 |
| Source of Capstone | git clone , default on next branch. |
| Version/git commit | v6.0.0, d7be5f9 |
Instruction bytes giving faulty results
0x0f 0x1a 0xde
Expected results
It should be:
nop esi, ebx
Steps to get the wrong result
With cstool:
```
$ ./cstool -d x64 "0x0f 0x1a 0xde"
ERROR: invalid assembly code
$ ./cstool -d x64 "0xf0 0x1d 0xee"
ERROR: invalid assembly code
$ ./cstool -d x64 "0x0f 0x1f 0x00"
0 0f 1f 00 nop dword ptr [rax]
ID: 510 (nop)
Prefix:0x00 0x00 0x00 0x00
Opcode:0x0f 0x1f 0x00 0x00
rex: 0x0
addr_size: 8
modrm: 0x0
disp: 0x0
sib: 0x0
op_count: 1
operands[0].type: MEM
operands[0].mem.base: REG = rax
operands[0].size: 4
operands[0].access: READ
Registers read: rax
```
Additional Logs, screenshots, source code, configuration dump, ...
x86 (and x86_64) processors have single-byte NOP instructions and various multi-byte NOP-like instructions. Real-world compilers sometimes use multi-byte NOPs for code alignment and performance optimization purposes. Capstone seems to fail when encountering unusual multi-byte NOPs. Other x86 instruction decoders like Zydis, ICED, and XED can translate the byte sequence "0x0f 0x1a 0xde" into NOP.
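Added illustration (not part of the original report and not Capstone code): a hand decoder for the register-direct form of these NOP encodings, useful for checking whether bytes a disassembler rejects are a decoder gap rather than data. It assumes no prefixes or REX, 32-bit operand size, and that the unprefixed register forms of 0F 19 through 0F 1E decode as two-operand NOPs in the operand order the report expects for 0F 1A; `parse_hex_bytes` and `decode_hint_nop` are hypothetical names.

```python
# Added example: minimal decoder for register-direct multi-byte NOPs.
# Scope (assumptions of this sketch): two-byte opcodes 0F 19..0F 1E and
# 0F 1F /0, no legacy prefixes, no REX, 32-bit operand size, ModRM.mod == 3.

REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
TWO_OPERAND_NOPS = range(0x19, 0x1F)  # second opcode byte after 0x0F
DOCUMENTED_NOP = 0x1F                 # 0F 1F /0, the form cstool decodes above


def parse_hex_bytes(text):
    """Parse a cstool-style string such as '0x0f 0x1a 0xde' into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def decode_hint_nop(code):
    """Return (length, text) for a register-form NOP, or None if out of scope."""
    if len(code) < 3 or code[0] != 0x0F:
        return None
    opcode, modrm = code[1], code[2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0b11:
        return None  # memory forms need SIB/displacement parsing, not done here
    if opcode == DOCUMENTED_NOP and reg == 0:
        return 3, f"nop {REG32[rm]}"
    if opcode in TWO_OPERAND_NOPS:
        # Operand order (r/m, reg) matches the report's expected "nop esi, ebx".
        return 3, f"nop {REG32[rm]}, {REG32[reg]}"
    return None


if __name__ == "__main__":
    # The three inputs are the byte strings passed to cstool in the report.
    for sample in ("0x0f 0x1a 0xde", "0xf0 0x1d 0xee", "0x0f 0x1f 0x00"):
        print(sample, "->", decode_hint_nop(parse_hex_bytes(sample)))
```

A `None` result only means the bytes fall outside this sketch's narrow scope, not that they are invalid.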