From arc-probe
Resolves RIP-relative addresses in x86-64 disassembled instructions to absolute targets. Useful for MOV/LEA [rip+disp32], CALL/JMP rel32 patterns in binary analysis.
npx claudepluginhub vzco/arc-probe --plugin arc-probeThis skill uses the workspace's default tool permissions.
Resolve a RIP-relative address from a disassembled instruction.
Analyzes a single x64 function in a binary: disassembles code, identifies arguments and calling convention, finds string refs and xrefs, detects RTTI, generates signatures, labels in GUI.
Queries IDA disassembly for functions, segments, instructions, blocks, operands, control flow, and raw code structure. Use for binary inspection and low-level analysis.
Provides disassembly patterns for x86-64 (System V/Microsoft) and ARM binaries, including function prologues/epilogues and calling conventions. Use for static analysis of executables.
Share bugs, ideas, or general feedback.
Resolve a RIP-relative address from a disassembled instruction.
You see a disassembled instruction like:
mov rax, [rip+0x1A2B3C] ; loads a global variable
lea rcx, [rip+0x5678] ; loads the address of a string or struct
call 0x7FF612345678 ; calls a function (already resolved by Zydis)
The [rip+disp32] addressing means the target address depends on where the instruction is. You need to resolve it to an absolute address.
target = instruction_address + instruction_length + displacement
Where:
instruction_address = the address shown in the disassemblyinstruction_length = number of bytes in the instruction (sum up the hex bytes)displacement = the signed 32-bit value encoded in the instruction48 8B 05 XX XX XX XX ; MOV RAX, [RIP+disp32]
target = addr + 7 + int32_at(addr + 3)48 8D 0D XX XX XX XX ; LEA RCX, [RIP+disp32]
48 8D 15 XX XX XX XX ; LEA RDX, [RIP+disp32]
4C 8D 05 XX XX XX XX ; LEA R8, [RIP+disp32]
target = addr + 7 + int32_at(addr + 3)E8 XX XX XX XX ; CALL rel32
target = addr + 5 + int32_at(addr + 1)E9 XX XX XX XX ; JMP rel32
target = addr + 5 + int32_at(addr + 1)0F 84 XX XX XX XX ; JE rel32
0F 85 XX XX XX XX ; JNE rel32
target = addr + 6 + int32_at(addr + 2)Disassemble the instruction:
probe_disassemble address=<addr> count=1
Note the instruction bytes and text.
Read the raw displacement (4 bytes, little-endian signed):
probe_read address=<addr + rip_offset> size=4
Where rip_offset is where the 4-byte displacement starts (3 for MOV/LEA, 1 for CALL/JMP, 2 for Jcc).
Calculate the target:
target = instruction_address + instruction_length + signed_displacement
Verify the target:
probe_read_pointer address=<target> ; if it's a global pointer
probe_read_string address=<target> ; if it's a string reference
probe_disassemble address=<target> ; if it's a function call
The probe_pattern_scan command has a --resolve flag that does this automatically:
probe_pattern_scan pattern="48 8B 05 ?? ?? ?? ??" module="client.dll" resolve=3
This scans for the pattern and resolves the RIP-relative address at offset 3, returning the absolute target.
The displacement is a signed 32-bit integer. Negative values mean the target is BEFORE the instruction:
FF FF FF E0 = -32 in signed int32 → target is 32 bytes before (instruction_address + instruction_length - 32)00 00 10 00 = 4096 → target is 4096 bytes afterAlways treat the 4 bytes as signed when calculating.