
instruction

Methods to deal with instructions and operands within a binary

Instruction

Instruction class

An instruction is the binary bread-and-butter. This class abstracts some elements and offers integration with various backends if needed.

Parameters:

Name Type Description Default
proto_index Index

Protobuf index of the instruction

required
inst_index int

Instruction index in the block

required
address AddressT

Instruction address

required
block Block

Parent block reference

required

Attributes:

Name Type Description
program Program

Reference to the program

parent Block

Parent block

proto_index Block

Protobuf index of the instruction

inst_tuple Block

A tuple composed of (function_index, block_index, inst_index). This uniquely identifies an instruction within the program.

thumb Block

is the instruction thumb?

index int

Instruction index in the parent block

Source code in bindings/python/quokka/instruction.py
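class Instruction:
    """Instruction class

    An instruction is the binary bread-and-butter.
    This class abstracts some elements and offers integration with various
    backends if needed.

    Every value exposed here comes from the exported protobuf or, in light
    mode, from the Capstone decoding of the analysed binary. When the binary
    or the export is untrusted, so are the addresses, indices and strings
    returned by this class.

    Arguments:
        proto_index: Protobuf index of the instruction (only read in full mode)
        inst_index: Instruction index in the block
        address: Instruction address
        block: Parent block reference
        backend_inst: Capstone instruction backing `cs_inst`, if available

    Attributes:
        parent: Parent block
        index: Instruction index in the parent block
        address: Instruction address
        program: Reference to the program (property, resolved through `parent`)

    Note:
        Earlier documentation also listed `proto_index`, `inst_tuple` and
        `thumb` attributes. The constructor below does not set them; use
        `is_thumb` for the Thumb flag.
    """

    def __init__(
        self,
        proto_index: Index,  # index in protobuf file
        inst_index: int,
        address: AddressT,
        block: quokka.Block,
        backend_inst: capstone.CsInsn|None = None,
    ):
        # Must come first: the `program` property is resolved through the parent.
        self.parent: quokka.Block = block

        # Always define both backing fields, so that `proto` and `cs_inst`
        # fail with their own explicit error rather than an AttributeError
        # when the matching backend is not available.
        self._proto = None
        self._cs_inst = backend_inst
        if self.program.mode == ExporterMode.FULL:
            self._proto = self.program.proto.instructions[proto_index]

        # NOTE: inst_tuple is currently not populated:
        # self.inst_tuple = (block.parent.proto_index, block.proto_index, inst_index)

        # Retrieve xrefs (for the instruction): keep only the block-level
        # entries that point at this instruction index, then tag each
        # reference with its RefType.
        references = self.program.proto.references
        refs_from = [
            references[x.xref_index]
            for x in block.proto.instructions_xref_from
            if x.instr_bb_idx == inst_index
        ]
        self._xrefs_from = [(RefType(ref.reference_type), ref) for ref in refs_from]

        refs_to = [
            references[x.xref_index]
            for x in block.proto.instructions_xref_to
            if x.instr_bb_idx == inst_index
        ]
        self._xrefs_to = [(RefType(ref.reference_type), ref) for ref in refs_to]

        #: Instruction index in the parent block
        self.index: int = inst_index

        # TODO(dm) Sometimes, IDA merge two instruction in one
        #  (e.g. 0x1ab16 of d53a), deal with that
        self.address: AddressT = address

    @property
    def comments(self) -> Iterable[str]:
        """Yield the comments attached to this instruction in the parent block"""
        for inst_c in self.parent.proto.instruction_comments:
            if inst_c.instr_bb_idx == self.index:
                yield from inst_c.comments

    @property
    def proto(self) -> "Pb.Instruction":
        """Return the instruction protobuf if in full mode

        Raises:
            AssertionError: if no protobuf instruction was loaded
        """
        if self._proto is None:
            # Explicit raise: a bare `assert` is stripped under `python -O`
            # and None would then leak to the callers.
            raise AssertionError(
                f"Protobuf instruction not available for instruction at 0x{self.address:x}"
            )
        return self._proto

    @property
    def program(self) -> quokka.Program:
        """Return the program the instruction belongs to (through its parent block)"""
        return self.parent.program

    @property
    def size(self) -> int:
        """Return the instruction size"""
        mode = self.program.mode
        if mode == ExporterMode.FULL:
            return self.proto.size
        if mode == ExporterMode.LIGHT:
            return self.cs_inst.size
        raise AssertionError(f"Unsupported exporter mode: {mode!r}")

    @property
    def is_thumb(self) -> bool:
        """Return whether the instruction is a thumb instruction

        In full mode the flag is read from the instruction protobuf, in light
        mode it is taken from the parent block.
        """
        mode = self.program.mode
        if mode == ExporterMode.FULL:
            return self.proto.is_thumb
        if mode == ExporterMode.LIGHT:
            return self.parent.is_thumb
        raise AssertionError(f"Unsupported exporter mode: {mode!r}")

    @cached_property
    def mnemonic(self) -> str:
        """Return the mnemonic for the instruction.

        In light mode the Capstone mnemonic is returned; in full mode the
        mnemonic is looked up in the program mnemonic table.

        Returns:
            A string representation of the mnemonic
        """
        mode = self.program.mode
        if mode == ExporterMode.LIGHT:
            return self.cs_inst.mnemonic  # return capstone mnemonic
        if mode == ExporterMode.FULL:
            return self.program.proto.mnemonics[self.proto.mnemonic_index]
        raise AssertionError(f"Unsupported exporter mode: {mode!r}")

    @cached_property
    def cs_inst(self) -> capstone.CsInsn:
        """Return the Capstone instruction given to the constructor

        No decoding happens here: the value is the `backend_inst` argument.
        A failure is not cached, so the check runs again on the next access.

        Returns:
            A Capstone instruction

        Raises:
            AssertionError: if no Capstone instruction was provided
        """
        if self._cs_inst is None:
            # Explicit raise so the check survives `python -O`.
            raise AssertionError(
                f"Capstone instruction not available for instruction at 0x{self.address:x}"
            )
        return self._cs_inst

    @cached_property
    def pcode_insts(self) -> Sequence[pypcode.PcodeOp]:
        """Retrieve the PcodeOps associated to the instruction

        Returns:
            A sequence of PCode instructions
        """
        # Imported lazily, presumably to keep pypcode optional -- TODO confirm
        from quokka.backends.pypcode import pypcode_decode_instruction

        return pypcode_decode_instruction(self)

    @property
    def data_refs_to(self) -> list['Data | Function | AddressT']:
        """Returns all data references to this instruction"""
        # If querying refs_to get the source address
        return [
            _get_item(self.program, xref.source.address)
            for t, xref in self._xrefs_to
            if t.is_data
        ]

    @property
    def data_read_refs_to(self) -> list['Data | Function | AddressT']:
        """Returns all data read references to this instruction"""
        return [
            _get_item(self.program, xref.source.address)
            for t, xref in self._xrefs_to
            if t == RefType.DATA_READ
        ]

    @property
    def data_write_refs_to(self) -> list['Data | Function | AddressT']:
        """Returns all data write references to this instruction"""
        return [
            _get_item(self.program, xref.source.address)
            for t, xref in self._xrefs_to
            if t == RefType.DATA_WRITE
        ]

    @property
    def data_refs_from(self) -> list['Data | Function | AddressT']:
        """Returns all data references from this instruction"""
        # If querying refs_from get the destination address
        return [
            _get_item(self.program, xref.destination.address)
            for t, xref in self._xrefs_from
            if t.is_data
        ]

    @property
    def data_read_refs_from(self) -> list['Data | Function | AddressT']:
        """Returns all data read references from this instruction"""
        # FIXME: Right now consider DATA_INDIR reference as read references (do we want to distinguish R/W ?)
        return [
            _get_item(self.program, xref.destination.address)
            for t, xref in self._xrefs_from
            if t in [RefType.DATA_READ, RefType.DATA_INDIR]
        ]

    @property
    def data_write_refs_from(self) -> list['Data | Function | AddressT']:
        """Returns all data write references from this instruction"""
        return [
            _get_item(self.program, xref.destination.address)
            for t, xref in self._xrefs_from
            if t == RefType.DATA_WRITE
        ]

    @property
    def code_refs_from(self) -> list[AddressT]:
        """Returns all code references from this instruction"""
        # If querying refs_from get the destination address
        return [xref.destination.address for t, xref in self._xrefs_from if t.is_code]

    @property
    def code_refs_to(self) -> list[AddressT]:
        """Returns all code references to this instruction"""
        # If querying refs_to get the source address
        return [xref.source.address for t, xref in self._xrefs_to if t.is_code]

    @property
    def type_refs_from(self) -> list[TypeReference]:
        """Returns all type references from this instruction"""
        # Get protobuf type ids
        type_ids = [
            xref.destination.data_type_identifier
            for t, xref in self._xrefs_from
            if t.is_data and xref.destination.HasField("data_type_identifier")  # Note: do not use SYMBOL enum
        ]
        # Resolve type ids to actual types
        return [
            self.program.get_type_reference(type_id.type_index, type_id.member_index)
            for type_id in type_ids
        ]

    @property
    def callees(self) -> list[AddressT]:
        """Returns the code references from this instruction that are known to the program"""
        # Keep only the destinations the program contains (presumably function
        # heads -- depends on Program.__contains__, which is not shown here)
        return [addr for addr in self.code_refs_from if addr in self.program]

    @property
    def callers(self) -> list[AddressT]:
        """Returns the code references to this instruction that are known to the program"""
        # Keep only the sources the program contains (presumably function
        # heads -- depends on Program.__contains__, which is not shown here)
        return [addr for addr in self.code_refs_to if addr in self.program]

    def is_fall_through(self, addr: AddressT) -> bool:
        """Check if the given address is a fall-through of the instruction

        Arguments:
            addr: Address to check
        Returns:
            True if the address is a fall-through of the instruction, False otherwise
        """
        return addr == self.address + self.size

    @property
    def is_call(self) -> bool:
        """Returns True if this instruction is a call instruction"""
        return any(t.is_call for t, _ in self._xrefs_from)

    @property
    def is_dynamic(self) -> bool:
        """Returns True if this instruction is a dynamic reference (i.e. indirect jump or call)"""
        return any(t.is_dynamic for t, _ in self._xrefs_from)

    @property
    def is_jump(self) -> bool:
        """Returns True if this instruction is a jump instruction"""
        # A jump is any outgoing code reference that is not a call
        return any(t.is_code and not t.is_call for t, _ in self._xrefs_from)

    @property
    def is_conditional_jump(self) -> bool:
        """Returns True if this instruction is a conditional jump instruction"""
        return any(t == RefType.JMP_COND for t, _ in self._xrefs_from)

    @property
    def operands(self) -> list[Operand]:
        """Retrieve the instruction operands with their cross-references attached

        Operands are built from Capstone in light mode and from the protobuf
        in full mode. This is a plain property: every access builds new
        operand objects and resolves the xrefs again.
        """
        mode = self.program.mode
        operands: list[Operand]

        if mode == ExporterMode.LIGHT:
            # Retrieve operands from Capstone
            operands = [
                OperandLight(self.program, op, self.cs_inst)
                for op in self.cs_inst.operands
            ]
        elif mode == ExporterMode.FULL:
            operands = [
                OperandFull(self.program, self.program.proto.operands[op_idx])
                for op_idx in self.proto.operand_index
            ]
        else:
            raise AssertionError(f"Unsupported exporter mode: {mode!r}")

        self._resolve_xrefs_on_operands(operands)

        return operands

    def _resolve_xrefs_on_operands(self, operands: list[Operand]) -> None:
        """Resolve xrefs on the instruction operands and update them accordingly

        The references are attached to a single operand, chosen in this order:
        the only operand, else the only memory operand, else the only
        immediate operand. When none applies a warning is logged for each
        reference and the reference is dropped.

        Arguments:
            operands: List of operands to update with xref information
        """
        mem_ops = [x for x in operands if x.type == OperandType.MEMORY]
        imm_ops = [x for x in operands if x.type == OperandType.IMMEDIATE]

        # The receiving operand does not depend on the reference itself,
        # so it is selected once for the three passes below.
        if len(operands) == 1:  # Only one operand
            target = operands[0]
        elif len(mem_ops) == 1:  # Only one memory operand
            target = mem_ops[0]
        elif len(imm_ops) == 1:  # Only one immediate operand
            target = imm_ops[0]
        else:
            target = None

        for t, xref in self._xrefs_from:
            if not t.is_data:
                continue
            if target is None:
                logger.warning(f"{self.address:#x} inst {str(self)} can't assign data refs")
            else:
                target._data_xrefs_from.append((t, xref.destination.address))

        for t, xref in self._xrefs_from:
            if not t.is_code:
                continue
            if target is None:
                logger.warning(f"{self.address:#x} inst {str(self)} can't assign code refs")
            else:
                target._code_xrefs_from.append((t, xref.destination.address))

        for t, xref in self._xrefs_from:
            # Note: do not use SYMBOL enum
            if not (t.is_data and xref.destination.HasField("data_type_identifier")):
                continue
            if target is None:
                logger.warning(f"{self.address:#x} inst {str(self)} can't assign symbol refs")
            else:
                type_id = xref.destination.data_type_identifier
                target._type_xrefs_from.append((t, type_id.type_index, type_id.member_index))

    @cached_property
    def call_target(self) -> quokka.Function:
        """Find the call target of an instruction if any exists.
        Does not resolve thunk functions.

        Raises FunctionMissingError if there is no call target or if
        several candidates exist. A failure is not cached.
        """
        call_targets = self.callees

        if not call_targets:
            raise quokka.FunctionMissingError(f"No call reference found for instruction at 0x{self.address:x}")
        if len(call_targets) > 1:
            # The previous message claimed the first target was taken while
            # the code raises; the message now matches the behaviour.
            logger.warning(f"Multiple call references found for instruction at 0x{self.address:x}, refusing to pick one")
            raise quokka.FunctionMissingError(f"Multiple call references found for instruction at 0x{self.address:x}")
        # Only one call reference, take it
        return self.program[call_targets[0]]

    @property
    def has_call(self) -> bool:
        """Check if the instruction has a call target (namely
        code refs on a function entrypoint)

        Returns:
            True when `call_target` resolves, False when it raises
            FunctionMissingError
        """
        # `call_target` never returns False: it either returns a function or
        # raises, so the missing target has to be detected through the exception.
        try:
            self.call_target
        except quokka.FunctionMissingError:
            return False
        return True

    @cached_property
    def strings(self) -> list[str]:
        """Fast accessor for instructions strings not using Capstone.

        Any initialized byte array referenced by the instruction is decoded
        with the default codec; arrays that do not decode are skipped. The
        text originates from the analysed binary: treat it as untrusted data
        before logging, rendering or passing it to another tool.
        """
        strings = []
        for data in self.data_refs_from:
            if not isinstance(data, quokka.Data):
                continue
            if not (data.type.is_array and data.is_initialized):
                continue
            if data.type.element_type == BaseType.BYTE:  # anything that is an array of bytes is considered
                value = data.value
                if isinstance(value, bytes):
                    try:
                        strings.append(value.decode())
                    except UnicodeDecodeError:
                        continue
        return strings

    @cached_property
    def constants(self) -> list[int]:
        """Fast accessor for the values of the immediate operands."""
        return [x.value for x in self.operands if x.type == OperandType.IMMEDIATE]

    def __str__(self) -> str:
        """String representation of the instruction

        Light mode uses the Capstone mnemonic and operand string, full mode
        the mnemonic followed by the operand strings from the protobuf.

        Returns:
            A string representation of the instruction
        """
        mode = self.program.mode
        if mode == ExporterMode.LIGHT:
            return f"{self.cs_inst.mnemonic} {self.cs_inst.op_str}"
        if mode == ExporterMode.FULL:
            operands = ", ".join(
                self.program.proto.operand_table[x] for x in self.proto.operand_strings  # FIXME: operand_strings do not exists anymore
            )
            return f"{self.mnemonic} {operands}"
        raise AssertionError(f"Unsupported exporter mode: {mode!r}")

    def __repr__(self) -> str:
        return f"<Ins 0x{self.address:x} {str(self)}>"

    # Keep this member last: from here on the class namespace name `bytes`
    # refers to the property rather than to the builtin type.
    @cached_property
    def bytes(self) -> bytes:
        """Read the program binary to find the bytes associated to the instruction.

        The result is cached on the instance after the first access.

        Returns:
            Bytes associated to the instruction, or b"" when the address is
            not backed by the file
        """
        try:
            file_offset = self.program.address_to_offset(self.address)
        except quokka.NotInFileError:
            return b""

        # `size` comes from the export or the decoder -- presumably
        # read_bytes bounds the read to the file; verify in Executable.
        return self.program.executable.read_bytes(
            offset=file_offset,
            size=self.size,
        )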

bytes cached property

Read the program binary to find the bytes associated to the instruction.

This is not cached as it is already in memory.

Returns:

Type Description
bytes

Bytes associated to the instruction

call_target cached property

Find the call target of an instruction if any exists. Does not resolve thunk functions.

Raises FunctionMissingError if the call target is not found.

callees property

Returns all call references from this instruction (the addresses it calls)

callers property

Returns all call reference to this instruction

code_refs_from property

Returns all code reference from this instruction

code_refs_to property

Returns all code reference to this instruction

comments property

Returns the instruction comments

constants cached property

Fast accessor for instructions constant not using Capstone.

cs_inst cached property

Load an instruction from Capstone backend

If the decoding fails, the result won't be cached, and it will be attempted again.

Returns:

Type Description
CsInsn

A Capstone instruction

data_read_refs_from property

Returns all data read reference from this instruction

data_read_refs_to property

Returns all data read reference to this instruction

data_refs_from property

Returns all data reference from this instruction

data_refs_to property

Returns all data reference to this instruction

data_write_refs_from property

Returns all data write reference from this instruction

data_write_refs_to property

Returns all data write reference to this instruction

has_call property

Check if the instruction has a call target (namely code refs on a function entrypoint)

is_call property

Returns True if this instruction is a call instruction

is_conditional_jump property

Returns True if this instruction is a conditional jump instruction

is_dynamic property

Returns True if this instruction is a dynamic reference (i.e. indirect jump or call)

is_jump property

Returns True if this instruction is a jump instruction

is_thumb property

Return whether the instruction is a thumb instruction

mnemonic cached property

Return the mnemonic for the instruction.

First, try to use Capstone because it's prettier. Otherwise, fall back to the IDA mnemonic, which is better than nothing.

Returns:

Type Description
str

A string representation of the mnemonic

operands property

Retrieve the instruction operands and initialize them with Capstone

pcode_insts cached property

Retrieve the PcodeOps associated to the instruction

Returns:

Type Description
Sequence[PcodeOp]

A sequence of PCode instructions

program property

Return the program the instruction belongs to

proto property

Return the instruction protobuf if in full mode

size property

Return the instruction size

strings cached property

Fast accessor for instructions strings not using Capstone.

type_refs_from property

Returns all type reference from this instruction

__str__()

String representation of the instruction

First, try Capstone because it's prettier. Otherwise, fall back to the mnemonic, which is better than nothing.

Returns:

Type Description
str

A string representation of the mnemonic

Source code in bindings/python/quokka/instruction.py
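def __str__(self) -> str:
    """String representation of the instruction

    Light mode uses the Capstone mnemonic and operand string, full mode
    the mnemonic followed by the operand strings from the protobuf.

    Returns:
        A string representation of the instruction
    """
    mode = self.program.mode
    if mode == ExporterMode.LIGHT:
        return f"{self.cs_inst.mnemonic} {self.cs_inst.op_str}"
    if mode == ExporterMode.FULL:
        operands = ", ".join(
            self.program.proto.operand_table[x] for x in self.proto.operand_strings  # FIXME: operand_strings do not exists anymore
        )
        return f"{self.mnemonic} {operands}"
    # Explicit raise: `assert False` is stripped under `python -O`, which
    # would make this method return None for an unknown mode.
    raise AssertionError(f"Unsupported exporter mode: {mode!r}")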

is_fall_through(addr)

Check if the given address is a fall-through of the instruction

Parameters:

Name Type Description Default
addr AddressT

Address to check

required

Returns: True if the address is a fall-through of the instruction, False otherwise

Source code in bindings/python/quokka/instruction.py
def is_fall_through(self, addr: AddressT) -> bool:
    """Tell whether `addr` is the address right after this instruction

    Arguments:
        addr: Address to check
    Returns:
        True if `addr` equals the instruction address plus its size,
        False otherwise
    """
    next_address = self.address + self.size
    return addr == next_address

Operand

Bases: ABC

Abstract operand base class

An operand is an "argument" for an instruction. This abstract class defines the interface for operand implementations.

Parameters:

Name Type Description Default
program Program

Program reference

required

Attributes:

Name Type Description
program Program

Program reference

type Any

Operand type

register Any

Register str (if applicable)

Source code in bindings/python/quokka/instruction.py
class Operand(ABC):
    """Abstract operand base class

    An operand is an "argument" for an instruction. Concrete subclasses
    provide `value`, `type`, `register` and `access`; this base class only
    stores the program and the cross-references attached to the operand.

    Arguments:
        program: Program reference

    Attributes:
        program: Program reference
        type: Operand type
        register: Register str (if applicable)
    """

    def __init__(self, program: quokka.Program):
        """Bind the operand to its program and start with empty xref lists"""
        self.program: quokka.Program = program
        # (reference type, address) pairs
        self._data_xrefs_from: list[tuple[RefType, AddressT]] = list()
        self._code_xrefs_from: list[tuple[RefType, AddressT]] = list()
        # (reference type, type index, member index) triples
        self._type_xrefs_from: list[tuple[RefType, Index, int]] = list()

    @property
    def data_refs_from(self) -> list['Data | Function | AddressT']:
        """Returns all data references attached to this operand"""
        resolved = []
        for _, address in self._data_xrefs_from:
            resolved.append(_get_item(self.program, address))
        return resolved

    @property
    def code_refs_from(self) -> list[AddressT]:
        """Returns the addresses of all code references attached to this operand"""
        return [address for _, address in self._code_xrefs_from]

    @property
    def type_refs_from(self) -> list[TypeReference]:
        """Returns all type references attached to this operand"""
        resolved = []
        for _, type_index, member_index in self._type_xrefs_from:
            resolved.append(self.program.get_type_reference(type_index, member_index))
        return resolved

    @property
    @abstractmethod
    def value(self) -> Any:
        """Returns the operand value

        Returns:
            The operand value
        """
        ...

    @property
    @abstractmethod
    def type(self) -> Any:
        """Returns the operand type

        Returns:
            The operand type
        """
        ...

    @property
    @abstractmethod
    def register(self) -> Any:
        """Returns the operand register

        Returns:
            The operand register
        """
        ...

    @property
    @abstractmethod
    def access(self) -> AccessMode:
        """Returns the operand access mode

        Returns:
            The operand access mode
        """
        ...

access abstractmethod property

Returns the operand access mode

Returns:

Type Description
AccessMode

The operand access mode

code_refs_from property

Returns all code reference from this instruction

data_refs_from property

Returns all data reference from this instruction

register abstractmethod property

Returns the operand register

Returns:

Type Description
Any

The operand register

type abstractmethod property

Returns the operand type

Returns:

Type Description
Any

The operand type

type_refs_from property

Returns all type reference from this instruction

value abstractmethod property

Returns the operand value

Returns:

Type Description
Any

The operand value

__init__(program)

Constructor

Source code in bindings/python/quokka/instruction.py
def __init__(self, program: quokka.Program):
    """Bind the operand to its program and start with empty xref lists"""
    self.program: quokka.Program = program
    # (reference type, address) pairs
    self._data_xrefs_from: list[tuple[RefType, AddressT]] = list()
    self._code_xrefs_from: list[tuple[RefType, AddressT]] = list()
    # (reference type, type index, member index) triples
    self._type_xrefs_from: list[tuple[RefType, Index, int]] = list()

OperandFull

Bases: Operand

Operand implementation for full mode

Uses the full protobuf data to provide operand values.

Source code in bindings/python/quokka/instruction.py
class OperandFull(Operand):
    """Operand implementation for full mode

    Uses the full protobuf data to provide operand values.
    """

    def __init__(self, program: quokka.Program, proto: "Pb.Operand"):
        """Constructor

        Arguments:
            proto_operand: Protobuf operand
            kwargs: Additional arguments for the operand (e.g. Capstone details)
        """
        super().__init__(program)
        self.proto = proto

    @property
    def type(self) -> OperandType:
        return OperandType.from_proto(self.proto.type)

    @property
    def value(self) -> Any:
        match self.type:
            case OperandType.IMMEDIATE:
                return self.proto.value
            case OperandType.REGISTER:
                # Go get register string in the register table of the program
                return self.program.proto.register_table[self.proto.register_index]
            case OperandType.MEMORY:
                return self.proto.address
            case OperandType.OTHER:
                return self.proto.other

    @property
    def register(self) -> str:
        if self.type == OperandType.REGISTER:
            return self.program.proto.register_table[self.proto.register_index]
        return ""

    @property
    def access(self) -> AccessMode:
        match self.proto.access:
            case 1:
                return AccessMode.READ
            case 2:
                return AccessMode.WRITE
            case 3:
                return AccessMode.READ | AccessMode.WRITE
        assert False, f"Unknown access mode {self.proto.access}"

    def __str__(self) -> str:
        return self.program.proto.operand_strings[self.proto.operand_string_index]

__init__(program, proto)

Constructor

Parameters:

Name Type Description Default
proto_operand

Protobuf operand

required
kwargs

Additional arguments for the operand (e.g. Capstone details)

required
Source code in bindings/python/quokka/instruction.py
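def __init__(self, program: quokka.Program, proto: "Pb.Operand"):
    """Constructor

    The previous docstring described `proto_operand` and `kwargs`, which
    are not parameters of this constructor.

    Arguments:
        program: Program reference
        proto: Protobuf operand
    """
    super().__init__(program)
    self.proto = proto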

OperandLight

Bases: Operand

Operand implementation for light mode using Capstone

Uses Capstone disassembly data to provide operand values.

Source code in bindings/python/quokka/instruction.py
class OperandLight(Operand):
    """Operand implementation for light mode using Capstone

    Uses Capstone disassembly data to provide operand values.
    """

    def __init__(self, program: quokka.Program, cs_operand, cs_inst):
        """Constructor

        Arguments:
            program: Program reference
            cs_operand: Capstone operand object
            cs_inst: Capstone instruction the operand belongs to
        """
        super().__init__(program)
        self.cs_op = cs_operand
        self._cs_inst = cs_inst

    @property
    def type(self) -> OperandType:
        """Returns the operand type mapped from the Capstone operand type"""
        cs_type = self.cs_op.type
        if cs_type == capstone.CS_OP_IMM:
            return OperandType.IMMEDIATE
        if cs_type == capstone.CS_OP_REG:
            return OperandType.REGISTER
        if cs_type == capstone.CS_OP_MEM:
            return OperandType.MEMORY
        # Anything else is reported as OTHER
        return OperandType.OTHER

    @property
    def value(self) -> Any:
        """Returns the operand value using Capstone data

        Returns:
            The immediate, the architecture register or the Capstone memory
            operand depending on the type; None for OTHER
        """
        kind = self.type
        if kind == OperandType.IMMEDIATE:
            return self.cs_op.imm
        if kind == OperandType.REGISTER:
            return self.program.arch.regs(self.cs_op.reg) # type: ignore
        if kind == OperandType.MEMORY:
            return self.cs_op.mem  #  atm: capstone.x86.X86OpMem, ...
        return None

    @property
    def access(self) -> AccessMode:
        """Returns the operand access mode (empty flag when Capstone gives none)"""
        raw = self.cs_op.access
        if raw == 1:
            return AccessMode.READ
        if raw == 2:
            return AccessMode.WRITE
        if raw == 3:
            return AccessMode.READ | AccessMode.WRITE
        return AccessMode(0)  # No access information available

    @property
    def register(self) -> str:
        """Returns the operand register using Capstone data

        Returns:
            The operand register (empty string if not a register)
        """
        if self.type != OperandType.REGISTER:
            return ""
        return self.program.arch.regs(self.cs_op.reg).name # type: ignore

    def __str__(self) -> str:
        # The operand text is the comma-separated field of op_str at the
        # operand position; the field is returned as-is, without stripping.
        try:
            position = self._cs_inst.operands.index(self.cs_op)
            return self._cs_inst.op_str.split(",")[position]
        except (IndexError, ValueError):
            return "<UNK>"

register property

Returns the operand register using Capstone data

Returns:

Type Description
str

The operand register (empty string if not a register)

value property

Returns the operand value using Capstone data

Returns:

Type Description
Any

The operand value

__init__(program, cs_operand, cs_inst)

Constructor

Parameters:

Name Type Description Default
program Program

Program reference

required
capstone_obj

Capstone operand object

required
Source code in bindings/python/quokka/instruction.py
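def __init__(self, program: quokka.Program, cs_operand, cs_inst):
    """Constructor

    The previous docstring described `capstone_obj`, which is not a
    parameter, and omitted `cs_inst`.

    Arguments:
        program: Program reference
        cs_operand: Capstone operand object
        cs_inst: Capstone instruction the operand belongs to
    """
    super().__init__(program)
    self.cs_op = cs_operand
    self._cs_inst = cs_inst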