
Support Compressed Instructions #1

Open
f0rki opened this issue Mar 13, 2020 · 10 comments

Comments

@f0rki
Member

f0rki commented Mar 13, 2020

RISC-V also has an extension for compressed instructions (2-byte). Currently those are not supported, because capstone does not disassemble them correctly.

There is a pull request which merges the necessary changes:
capstone-engine/capstone#1594

So we have to wait until this one is merged.

@fabianfreyer
Contributor

capstone-engine/capstone#1682 was merged, closing capstone-engine/capstone#1594. What would need to happen for this to work?

@f0rki
Member Author

f0rki commented Oct 15, 2020

You're right. I missed that. I did a quick check with the latest capstone from the next branch and adapted the lifter a bit.

The compressed instructions are prefixed with c. and mostly omit the first parameter compared to the uncompressed version, i.e., c.add rX, rY is equivalent to add rX, rX, rY, so lifting should work for many of the compressed instructions by simply prepending op[0] to the list of operands.

Check out the latest commit, which contains some progress but is far from complete.
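The "prepend op[0]" rule above covers the register/register and register/immediate forms, but not every c.* instruction omits op[0]: c.mv, c.li, the branches on zero and the jumps substitute a fixed register instead, and the loads/stores already carry all their operands. The following is an added example, not bn-riscv or capstone code; it takes the mnemonic and op_str strings as capstone prints them (the operand spelling such as "sp, -0x50" and "ra, 0x4c(sp)" is assumed from the disassembly quoted later in this thread) and returns the uncompressed form, raising on any c.* form it does not know rather than lifting it wrongly.

```python
"""Expand RISC-V compressed (RVC) mnemonics, as capstone prints them, into
their uncompressed equivalents.  Added example for this thread, not code from
bn-riscv or capstone; operand spelling follows capstone's op_str convention
("sp, -0x50", "ra, 0x4c(sp)") as assumed from the disassembly in the thread."""

# Default rule from the thread: the compressed form omits the repeated first
# operand, so  c.add rd, rs2  ->  add rd, rd, rs2  by prepending op[0].
PREPEND_OP0 = {
    "c.add": "add", "c.sub": "sub", "c.and": "and", "c.or": "or", "c.xor": "xor",
    "c.addw": "addw", "c.subw": "subw",
    "c.addi": "addi", "c.addiw": "addiw", "c.andi": "andi",
    "c.slli": "slli", "c.srli": "srli", "c.srai": "srai",
    # capstone prints the implicit sp operand, so the default rule applies:
    #   c.addi16sp sp, -0x50  ->  addi sp, sp, -0x50
    "c.addi16sp": "addi",
}

# Loads and stores already carry every operand; only the mnemonic changes.
SAME_OPERANDS = {
    "c.lw": "lw", "c.ld": "ld", "c.sw": "sw", "c.sd": "sd",
    "c.lwsp": "lw", "c.ldsp": "ld", "c.swsp": "sw", "c.sdsp": "sd",
    "c.flw": "flw", "c.fld": "fld", "c.fsw": "fsw", "c.fsd": "fsd",
    "c.lui": "lui",
}

# Forms where the omitted operand is not op[0] but a fixed register/immediate.
SPECIAL = {
    "c.mv":     ("add",    lambda ops: [ops[0], "zero", ops[1]]),
    "c.li":     ("addi",   lambda ops: [ops[0], "zero", ops[1]]),
    "c.j":      ("jal",    lambda ops: ["zero", ops[0]]),
    "c.jal":    ("jal",    lambda ops: ["ra", ops[0]]),
    "c.jr":     ("jalr",   lambda ops: ["zero", "0(" + ops[0] + ")"]),
    "c.jalr":   ("jalr",   lambda ops: ["ra", "0(" + ops[0] + ")"]),
    "c.beqz":   ("beq",    lambda ops: [ops[0], "zero", ops[1]]),
    "c.bnez":   ("bne",    lambda ops: [ops[0], "zero", ops[1]]),
    "c.nop":    ("addi",   lambda ops: ["zero", "zero", "0"]),
    "c.ebreak": ("ebreak", lambda ops: []),
}


def split_operands(op_str):
    """Split capstone's op_str into operand strings; "0x4c(sp)" stays whole."""
    return [o.strip() for o in op_str.split(",") if o.strip()]


def expand_compressed(mnemonic, op_str):
    """Return (base_mnemonic, operands) for a c.* instruction.

    Non-compressed instructions pass through unchanged.  Unknown c.* forms
    raise rather than silently producing a wrong lift."""
    ops = split_operands(op_str)
    if not mnemonic.startswith("c."):
        return mnemonic, ops
    if mnemonic in PREPEND_OP0:
        return PREPEND_OP0[mnemonic], [ops[0]] + ops
    if mnemonic in SAME_OPERANDS:
        return SAME_OPERANDS[mnemonic], ops
    if mnemonic in SPECIAL:
        base, build = SPECIAL[mnemonic]
        return base, build(ops)
    raise NotImplementedError("no expansion for " + mnemonic)


def format_insn(mnemonic, ops):
    """Render back to text so the result can be compared against objdump."""
    return mnemonic + (" " + ", ".join(ops) if ops else "")


if __name__ == "__main__":
    # Constructed sample: instructions capstone printed in this thread plus a
    # few other RVC forms.
    for mnem, op_str in [
        ("c.addi16sp", "sp, -0x50"),
        ("c.swsp", "ra, 0x4c(sp)"),
        ("c.add", "a0, a1"),
        ("c.mv", "a5, a0"),
        ("c.beqz", "a0, 0x1000"),
        ("c.jr", "ra"),
        ("c.ebreak", ""),
    ]:
        base, ops = expand_compressed(mnem, op_str)
        print("%-28s -> %s" % (format_insn(mnem, split_operands(op_str)),
                               format_insn(base, ops)))
```

The tables are deliberately explicit so that a c.* form the lifter has not been taught fails loudly; in a lifter, an unknown compressed instruction silently treated with the default rule would produce IL with the wrong operand count.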

@fabianfreyer
Contributor

Hmm, I'm having trouble even getting these disassembled. For example, the following compressed bytes disassemble fine using capstone directly:

>>> CODE=b"]q\x86\xc6\xa2\xc4\xa6\xc2\xca\xc0."
>>> from capstone import *
>>> md = Cs(CS_ARCH_RISCV, CS_MODE_RISCV64 | CS_MODE_RISCVC)
>>> list(md.disasm(CODE, 0xffd005be))
[<CsInsn 0xffd005be [5d71]: c.addi16sp sp, -0x50>, <CsInsn 0xffd005c0 [86c6]: c.swsp ra, 0x4c(sp)>, <CsInsn 0xffd005c2 [a2c4]: c.swsp s0, 0x48(sp)>, <CsInsn 0xffd005c4 [a6c2]: c.swsp s1, 0x44(sp)>, <CsInsn 0xffd005c6 [cac0]: c.swsp s2, 0x40(sp)>]

However, in the disassembly view, they don't appear:
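The capstone call above needs CS_MODE_RISCVC precisely because instruction length on RISC-V is decided by the low bits of each encoding: a disassembler opened without the C extension would try to read the sample bytes as 32-bit words and produce garbage or nothing. As an added example (not bn-riscv or capstone code), the following splits a byte stream into instructions using only that length rule from the base ISA, runs it over the constructed sample from the thread (the five compressed instructions plus the stray trailing 0x2e byte) and a hand-assembled 32-bit addi sp, sp, -16, and reports whether the C extension is required; the capstone cross-check is optional and only runs if the module is installed.

```python
"""Split a RISC-V byte stream into instructions using only the length encoding
from the base ISA, with no disassembler.  Added example for this thread, not
code from bn-riscv or capstone.  Per the RISC-V spec, an encoding whose two
low bits are not 0b11 is a 16-bit (compressed) instruction, and one with low
bits 0b11 and bits[4:2] != 0b111 is 32-bit; longer encodings never appear in
RV64GC code and are rejected here."""
import struct


def insn_length(first_halfword):
    """Instruction length in bytes, decided by the low bits of its first halfword."""
    if first_halfword & 0b11 != 0b11:
        return 2                      # C-extension encoding
    if (first_halfword >> 2) & 0b111 != 0b111:
        return 4                      # standard 32-bit encoding
    raise ValueError("48-bit or longer encoding: 0x%04x" % first_halfword)


def split_instructions(code, base_addr):
    """Return ([(address, raw_bytes, is_compressed), ...], trailing_bytes).

    Trailing bytes that do not form a whole instruction are returned
    separately instead of being decoded, mirroring what capstone did with the
    lone 0x2e at the end of the sample in the thread."""
    insns, off = [], 0
    while off + 2 <= len(code):
        (hw,) = struct.unpack_from("<H", code, off)
        n = insn_length(hw)
        if off + n > len(code):
            break
        insns.append((base_addr + off, code[off:off + n], n == 2))
        off += n
    return insns, code[off:]


def needs_c_extension(code):
    """True if any instruction in the stream is compressed, i.e. a disassembler
    opened without the C extension (CS_MODE_RISCVC in capstone) would mis-decode
    or skip it."""
    insns, _ = split_instructions(code, 0)
    return any(compressed for _, _, compressed in insns)


def disasm_with_capstone(code, base_addr):
    """Cross-check with capstone when it is installed; returns None otherwise."""
    try:
        from capstone import Cs, CS_ARCH_RISCV, CS_MODE_RISCV64, CS_MODE_RISCVC
    except ImportError:
        return None
    md = Cs(CS_ARCH_RISCV, CS_MODE_RISCV64 | CS_MODE_RISCVC)
    return [(i.address, i.mnemonic, i.op_str) for i in md.disasm(code, base_addr)]


# Constructed samples: the bytes from the thread (five compressed instructions
# followed by a stray 0x2e byte) and one hand-assembled 32-bit
# addi sp, sp, -16 (0xff010113, little-endian) placed in front of them.
CODE = b"]q\x86\xc6\xa2\xc4\xa6\xc2\xca\xc0."
MIXED = b"\x13\x01\x01\xff" + CODE

if __name__ == "__main__":
    for addr, raw, compressed in split_instructions(MIXED, 0xffd005ba)[0]:
        print("%#x  %-10s %s" % (addr, raw.hex(), "c" if compressed else "32-bit"))
    print("needs C extension:", needs_c_extension(MIXED))
    print("capstone:", disasm_with_capstone(CODE, 0xffd005be))
```

The addresses and raw halfwords this produces for CODE match the five CsInsn entries capstone printed above (0xffd005be [5d71] through 0xffd005c6 [cac0]), so a mismatch between this split and what a disassembly view shows points at the view's mode configuration rather than at the bytes.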

@f0rki
Member Author

f0rki commented Oct 15, 2020

@fabianfreyer could you post the binary you are testing on here in this issue? Otherwise it is hard to reproduce the problem.

I think addi16sp is not lifted at all currently, but this doesn't explain what you are seeing, as it should be disassembled. However, I am also not sure whether what you are seeing is an issue with this plugin. Is bn-riscv using the right capstone?

@fabianfreyer
Contributor

I'll send you a binary that exhibits this problem - to the email address at https://f0rki.at/pages/about.html?

Is bn-riscv using the right capstone?

The IL above is from the bn python view, so yes, it seems so?

I don't mind adding to the lifter, I'd just like to see it disassemble first ;)

@f0rki
Member Author

f0rki commented Oct 15, 2020

Strange. Yeah, you can send it to me via mail or directly attach it to this issue if the binary is public (just drag and drop should work).

@fabianfreyer
Contributor

Ah, I can't find it on the webpage - there seems to be no sidebar? Also your gpg key 404's ;)

@f0rki
Member Author

f0rki commented Oct 15, 2020

@fabianfreyer curl https://keybase.io/f0rki/pgp_keys.asc | gpg --import then [email protected] if you really insist on pgp :P

@f0rki
Member Author

f0rki commented Oct 15, 2020

@fabianfreyer I can't reproduce this. I am using binary ninja 2.1.2475-dev (Build ID c7d4e572) + today's capstone next branch.


@fabianfreyer
Contributor

fabianfreyer commented Oct 15, 2020

Weird, I'm also using the same capstone, just installed it again.

Either way, you're probably right and this is not an issue with this plugin. I'll dig into that separately then. Thanks for double-checking!
