Python bindings - incorrect value of operand.type

[OBarronCS]

Questions	Answers
Capstone module affected	multiple architectures
Source of Capstone	pip install 6.0.0a3
Version/git commit	6.0.0a3

The value of the type CS_OP_MEM changed in recent releases of Capstone. CS_OP_MEM used to have the value 3, but now it is 0x80 and can be OR'ed with other types.

capstone/bindings/python/capstone/__init__.py

Lines 429 to 431 in 1abe186

	CS_OP_MEM = 0x80 # Memory operand. Can be ORed with another operand type.
	CS_OP_MEM_REG = CS_OP_MEM | CS_OP_REG # Memory referencing register operand.
	CS_OP_MEM_IMM = CS_OP_MEM | CS_OP_IMM # Memory referencing immediate operand.

However, when using these Python bindings, the values of an operand.type are not always accurate in my testing. Fetching the value of operand.type still returns 3 for memory operands in some cases, as if the updates have not propagated fully.

Example with amd64 mov instruction mov qword ptr [rbp - 0x38], r12 (prints type = 3 for the operand).

Note that these scripts also print data that only exists on memory operands and succeeds, meaning it internally has the correct memory operand values but the .type attribute is incorrectly set.

#!/usr/bin/env python3

from capstone import *


print(cs_version())

md = Cs(CS_ARCH_X86,CS_MODE_LITTLE_ENDIAN | CS_MODE_64)
md.detail = True

# qword ptr [rbp - 0x38], r12
instruction = b"\x4c\x89\x65\xc8"

for ins in md.disasm(instruction,0x1000,1):
    print(ins.mnemonic, ins.op_str, ins.id)
    
    if hasattr(ins,"is_alias"):
        print(ins.is_alias, ins.alias_id)

    for i,op in enumerate(ins.operands):
        print(f"Operand {i}")
        print("Type:", hex(op.type))

        mem_attrs = ["base","index","disp","scale"]

        for attr in mem_attrs:
            if hasattr(op.mem,attr):
                print(f"op.mem.{attr}", getattr(op.mem, attr))

Example with RISCV-64 c.sw a1, 0(a2)

#!/usr/bin/env python3

from capstone import *


print(cs_version())

md = Cs(CS_ARCH_RISCV,CS_MODE_LITTLE_ENDIAN | CS_MODE_RISCV64 | CS_MODE_RISCVC)
md.detail = True

# c.sw   a1, 0(a2)
instruction = b"\x0c\xc2"

for ins in md.disasm(instruction,0x1000,1):
    print(ins.mnemonic, ins.op_str, ins.id)
    
    if hasattr(ins,"is_alias"):
        print(ins.is_alias, ins.alias_id)

    for i,op in enumerate(ins.operands):
        print(f"Operand {i}")
        print("Type:", hex(op.type))

        mem_attrs = ["base","index","disp","scale"]

        for attr in mem_attrs:
            if hasattr(op.mem,attr):
                print(f"op.mem.{attr}", getattr(op.mem, attr))

However, in this example, AArch64's ldr x1, [x2] the value of the operand.type is correct - it is 0x80.

#!/usr/bin/env python3

from capstone import *


print(cs_version())

md = Cs(CS_ARCH_AARCH64,CS_MODE_LITTLE_ENDIAN | CS_MODE_ARM)
md.detail = True

# ldr    x1, [x2]
instruction = b"\x41\x00\x40\xf9"

for ins in md.disasm(instruction,0x1000,1):
    print(ins.mnemonic, ins.op_str, ins.id)
    
    if hasattr(ins,"is_alias"):
        print(ins.is_alias, ins.alias_id)

    for i,op in enumerate(ins.operands):
        print(f"Operand {i}")
        print("Type:", hex(op.type))

        mem_attrs = ["base","index","disp","scale"]

        for attr in mem_attrs:
            if hasattr(op.mem,attr):
                print(f"op.mem.{attr}", getattr(op.mem, attr))