flat assembler
Message board for the users of flat assembler.

Index > Main > disassemble opcode

Author
Thread Post new topic Reply to topic
int0x50



Joined: 19 Jul 2019
Posts: 54
int0x50 02 Aug 2019, 12:23
I am trying to disassemble 24 bytes from a PE file. The 24 bytes shall be selected from the AddressOfEntryPoint. I have to print only the first 10 instructions.

Since this is a code section, this is going to contain instructions. What is the best way to decode these opcodes? Building the opcode table with instruction names is the only possibility? there are complexities like single-byte opcode, two-byte opcode, displacements, xmm instructions; etc.
Post 02 Aug 2019, 12:23
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20754
Location: In your JS exploiting you and your system
revolution 02 Aug 2019, 12:27
If you just want something quick then you can download a disassembler, or a debugger.

Or are you intending to write your own in assembly?
Post 02 Aug 2019, 12:27
View user's profile Send private message Visit poster's website Reply with quote
int0x50



Joined: 19 Jul 2019
Posts: 54
int0x50 02 Aug 2019, 13:01
I have to write on my own. Later on, I may have to increase the bytes. Also, I may have to identify call jumps, packer identification; etc.
Post 02 Aug 2019, 13:01
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20754
Location: In your JS exploiting you and your system
revolution 02 Aug 2019, 13:29
Decoding x86 instructions is probably easiest done one byte at a time.

Scan forward for the four basic components: Prefix bytes, opcode bytes, offset bytes and immediate bytes.

You also have to know the executing mode: 16, 32 or 64 bit.
Post 02 Aug 2019, 13:29
View user's profile Send private message Visit poster's website Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8465
Location: Kraków, Poland
Tomasz Grysztar 02 Aug 2019, 13:35
I would recommend starting with a simple subset of your general objective, for example write a routine that would determine how long the instruction is. In order to find out how many bytes an instruction occupies, you need to identify all its components.

I'm attaching a figure taken from Intel SDM (Volume 2). To decode an instruction, or even just to determine its length, you need to identify the components it contains. Only the Opcode component is always present - others may or may not be present depending on opcode or bits in some other components.

You start by recognizing prefixes. This used to be a simple set of byte values that act as prefix, like segment overrides (26h and other), size overrides (66h and 67h), LOCK (0F0h), REPNZ/REPZ (0F2h, 0F3h), and in long mode entire 40h-4Fh range for REX prefixes. Nowadays this got even more complex, with VEX and EVEX prefixes which are multi-byte. There are also other considerations, like REX/VEX/EVEX having to be the last prefix before the opcode.

Once you have identified prefixes, you are at the position of Opcode byte and can identify the instruction. If this byte is 0Fh, the opcode occupies more than one byte, if the second byte is also 0Fh, it is a 3-byte opcode.

Once you know the opcode, you can look it up and find out what other components should follow it. Instructions that have no operands, like 0C3h (plain RET), have no further components, others have at least the ModR/M byte. The value of ModR/M in turn determines whether there is a SIB byte after it and whether there is a Displacement. And then instructions that have an immediate operand have an Immediate component at the very end.


Description:
Filesize: 26.33 KB
Viewed: 7928 Time(s)

instrform.png


Post 02 Aug 2019, 13:35
View user's profile Send private message Visit poster's website Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8465
Location: Kraków, Poland
Tomasz Grysztar 02 Aug 2019, 13:58
Also: if you're looking for a basic tutorial, I have once recorded a couple of streams where I was showing how to start decoding x86 instructions.
Post 02 Aug 2019, 13:58
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.