Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
84 lines (66 sloc) 3.01 KB


As promised - we arrive to discuss the instruction objects. Instruction objects represent the actual assembly code of each line.

>>> line = sark.Line()
>>> insn = line.insn
>>> print line
[00417555]    mov     ecx, [eax+8]

>>> print insn.mnem

>>> print insn.operands
[<Operand(n=0, text='ecx')>, <Operand(n=1, text='[eax+8]')>]

Out of their members,

Member Usage
operands list of operands
mnem opcode mnemonic
has_reg is a reg used in the instruction
regs the registers used in the instruction

Instruction.operands is the most interesting one.


Each operand provides the means to analyze individual operands in the code.

>>> print insn.operands[1]
<Operand(n=1, text='[eax+8]')>

>>> print "{0.reg} + {0.offset}".format(insn.operands[1])
eax + 8
Member Usage
n operand index in instruction
type numeric type a-la IDA SDK
size data size of the operand
is_read is the operand read from
is_write is the operand written to
reg the register used in the operand
text the operand text, as displayed in IDA
base the base register in an address-phrase of the form [base + index * scale + offset]
index the index register in a phrase
scale the scale in a phrase
offset the offset in a phrase

Getting Instructions

The best way to retrieve instruction objects is using the .insn member of sark.Line.