Re: Disassembly of 00000


 



Almost every byte could be a legal instruction. A disassembler needs
to know where to start disassembling the code.
When you pass a binary to a disassembler, it knows that it has to
start at the beginning of the code (a disassembler finds the code
section by checking some information in the header of the binary).
The condition is to start disassembling at the beginning of the code,
else you cannot find the offset and length of each instruction.


An example:
imagine you have this:
66 83 84 98 00 10 00 00 03 12 34 56 54 31
the disassembler starts by checking the first byte and continues until
he finds an instruction.

66: It is a prefix, it means that the whole instruction uses 16-bit
addressing instead of the default 32 bits

83: This instruction uses 2 operands, and the second operand is a byte.
This opcode is followed by a mod r/m byte

84: the mod r/m byte equals, in binary format, 10 000 100.
10: the first operand is memory with a dword displacement
000: the instruction is an ADD
100: it means this mod r/m byte is followed by a SIB byte

98: the SIB byte equals 10 011 000 in binary
it means scale = 4, index = ebx, base = eax

So now we know:
    1 byte prefix            = 66
  + 1 byte opcode            = 83
  + 1 byte mod r/m           = 84
  + 1 byte SIB               = 98
  + 4 bytes displacement     = 00 10 00 00 (1000 for humans)
  + 1 byte operand           = 03
The instruction is 9 bytes long.
In other words: add word ptr ds:[ebx*4 + eax + 1000], 3

Here 98 is a SIB byte, not the instruction CWD, and 03 is a 1-byte
operand, not the ADD instruction (yes, 03 = ADD also).

As a last word: you need the context to disassemble, and to get the
context you have to start disassembling at the beginning of the code
section, or at least at an instruction that you have checked and
confirmed.

regards,

Sofiane Akermoun
akersof@xxxxxxxxx




2013/2/4 horseriver <horserivers@xxxxxxxxx>:
>
>>A disassembler just uses a table. The Intel documentation describes all
>>the instructions, with the method on how to decode them (not really the method
>>you have to write it of course).
>>A disassembler should know where to start to disassemble, else he will
>>start by disassembling bad data.. and probably fail on an unknown or
>>illogical instruction, or the worst case everything will be ok.
>
>   Thanks!
>
>   What is the condition that decides whether one byte is or is not a legal instruction's start?
>
>   Are there some occasions where a disassembler needs to scan more than one byte to detect
>   its logic?



-- 
Sofiane AKERMOUN
akersof@xxxxxxxxx
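The length decoding walked through above, as an added example that is not part of the original mail: a minimal x86-32 decoder in Python that knows only the few opcodes the bytes involve. Decoding the mail's byte string from offset 0 yields the 9-byte ADD; starting three bytes in, at the SIB byte 98, yields a run of other valid-looking instructions and swallows the following RET, which is the "worst case, everything will be ok" failure the quoted message mentions. The SAMPLE bytes (the mail's ADD followed by a RET) are constructed, the opcode table is deliberately tiny, and 66 is modeled as the operand-size prefix that makes the destination a word ptr.

```python
"""Minimal x86-32 instruction-length decoder (added teaching example, not
a real disassembler). It knows only the opcodes needed for the sample and
shows how length follows from prefix + opcode + ModR/M + SIB + disp + imm."""

# Constructed sample: the 9-byte ADD from the mail, followed by a RET (C3).
SAMPLE = bytes.fromhex("66 83 84 98 00 10 00 00 03 c3")

PREFIXES = {0x66: "opsize", 0x67: "adsize", 0xF0: "lock", 0xF2: "repne", 0xF3: "rep"}
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]  # /reg of 0x83

# opcode -> (mnemonic, operand form, immediate size in bytes); a tiny subset
OPCODES = {
    0x00: ("add", "Eb,Gb", 0),
    0x03: ("add", "Gv,Ev", 0),
    0x83: (None, "Ev,Ib", 1),   # group 1: ModR/M reg field selects the mnemonic
    0x98: ("cwde", None, 0),    # single byte, no ModR/M (CBW under a 0x66 prefix)
    0xC3: ("ret", None, 0),
}


def need(buf, pos, count):
    """Raise if fewer than `count` bytes remain at buf[pos]."""
    if pos + count > len(buf):
        raise ValueError(f"truncated instruction at offset {pos}")


def decode_modrm(buf, pos):
    """Decode ModR/M (+ SIB + disp); returns (mod, reg, rm, mem_text|None, consumed)."""
    need(buf, pos, 1)
    modrm = buf[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    n = 1
    if mod == 3:                      # register operand, nothing else follows
        return mod, reg, rm, None, n
    regs, disp_size = [], 0
    if rm == 4:                       # rm=100: a SIB byte follows
        need(buf, pos + n, 1)
        sib = buf[pos + n]
        n += 1
        scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        if index != 4:                # index=100 means "no index register"
            regs.append(f"{REG32[index]}*{scale}")
        if base == 5 and mod == 0:    # base=101 with mod=00: disp32, no base
            disp_size = 4
        else:
            regs.append(REG32[base])
    elif rm == 5 and mod == 0:        # [disp32] with no register at all
        disp_size = 4
    else:
        regs.append(REG32[rm])
    if mod == 1:
        disp_size = 1                 # signed 8-bit displacement
    elif mod == 2:
        disp_size = 4                 # signed 32-bit displacement
    text = " + ".join(regs)
    if disp_size:
        need(buf, pos + n, disp_size)
        disp = int.from_bytes(buf[pos + n:pos + n + disp_size], "little", signed=True)
        n += disp_size
        if regs:
            text += f" + 0x{disp:x}" if disp >= 0 else f" - 0x{-disp:x}"
        else:
            text = f"0x{disp & 0xFFFFFFFF:x}"
    return mod, reg, rm, f"[{text}]", n


def decode_one(buf, pos):
    """Decode the instruction at buf[pos]; returns (length, assembly text)."""
    start, prefixes = pos, set()
    need(buf, pos, 1)
    while buf[pos] in PREFIXES:
        prefixes.add(PREFIXES[buf[pos]])
        pos += 1
        need(buf, pos, 1)
    opcode = buf[pos]
    pos += 1
    if opcode not in OPCODES:
        raise ValueError(f"unknown opcode 0x{opcode:02x} at offset {pos - 1}")
    mnem, form, imm_size = OPCODES[opcode]
    operands = []
    if form:                          # instruction carries a ModR/M byte
        mod, reg, rm, mem, n = decode_modrm(buf, pos)
        pos += n
        if form.startswith("Eb"):
            size, regs = "byte", REG8
        elif "opsize" in prefixes:    # 0x66 flips the operand size to 16 bits
            size, regs = "word", REG16
        else:
            size, regs = "dword", REG32
        e_text = f"{size} ptr {mem}" if mem else regs[rm]
        if form == "Eb,Gb":
            operands = [e_text, regs[reg]]
        elif form == "Gv,Ev":
            operands = [regs[reg], e_text]
        else:                         # "Ev,Ib": group 1, mnemonic from reg field
            mnem = GROUP1[reg]
            operands = [e_text]
    if imm_size:
        need(buf, pos, imm_size)
        operands.append(str(int.from_bytes(buf[pos:pos + imm_size], "little", signed=True)))
        pos += imm_size
    return pos - start, mnem + (" " + ", ".join(operands) if operands else "")


def disassemble(buf, start=0):
    """Decode linearly from `start`; returns [(offset, length, text), ...].
    Stops at the end of the buffer or at the first undecodable byte (zero-length entry)."""
    out, pos = [], start
    while pos < len(buf):
        try:
            length, text = decode_one(buf, pos)
        except ValueError as exc:
            out.append((pos, 0, f"<{exc}>"))
            break
        out.append((pos, length, text))
        pos += length
    return out


if __name__ == "__main__":
    for start in (0, 3, 8):
        print(f"-- decoding from offset {start}")
        for off, length, text in disassemble(SAMPLE, start):
            print(f"  {off:2d}  {SAMPLE[off:off + length].hex(' '):24}  {text}")
```

From offset 0 the decoder consumes exactly the prefix, opcode, ModR/M, SIB, four displacement bytes and the immediate, then finds the RET. From offset 3 it reads 98 as CWDE, the displacement bytes as two byte-sized ADDs, and 03 C3 as `add eax, ebx`, so every byte still decodes and the RET never appears; nothing in the bytes themselves flags the wrong start, which is why the decoder has to be handed a confirmed instruction boundary.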

