flat assembler
Message board for the users of flat assembler.

Index > Main > How to get instruction length from encoding?

system error



Joined: 01 Sep 2013
Posts: 670
system error 13 Apr 2016, 18:10
How?

Say I have a binary starting with 0x48 0xff 0x05 ...

Which part of the encoding fields that mathematically can help me figure out the total length of that particular instruction? Is this possible? That brings a few other questions (if you don't mind):

i) How to figure out whether an opcode needs a ModRM byte or not, judging from that opcode byte alone? Possible or not?

ii) ModRM byte: how to tell that this byte is a valid byte and not something else or belong to the next instruction?

iii) Opcode byte: I don't see any field definitions of it anywhere except those last 2 bits. That leaves only the next 6 bits as the real opcode field. Where can I find the field definitions of these 6-bit ops?

iv) I forgot this important question. I'll come back later for this question.
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20299
Location: In your JS exploiting you and your system
revolution 13 Apr 2016, 18:22
There are already some posts and code on this board demonstrating Length disassembly engines. A possible other search term is LDE.
system error 13 Apr 2016, 18:31
Didn't know that this thing I am asking is about disassembly. HAHA. Thought it was like a walk in the park. But it is mathematically possible right, even without using LDE? Maybe using a lookup table?
revolution 13 Apr 2016, 18:54
That is what an LDE does, exactly what you are trying to do. Have a look at the existing solutions, maybe you can find improvements or something.
system error 15 Apr 2016, 07:46
Yeah, I've seen the code. Lots and lots of lookup tables. I suspect the FASM source has something similar but I can't find it.
revolution 15 Apr 2016, 08:23
fasm is an assembler, and doesn't have any need for determining the length from the byte output stream. Your question is the opposite of that, hence they are called length disassembly engines.
system error 01 May 2016, 11:46
btw mom, i have completed my own length engine up to VEX prefix. Not that difficult anyway.

The only problem is when xacquire (0xF3) is followed next by xgetbv (0x0F01D0). It gives the wrong length. Don't know how to deal with this since my lookup table isn't really a lookup table but rather a simple reference. All calculations are done internally using code. If you know anything around this little problem, do let me know.

Still need some time to build a symbolic lookies and then voila, I have written my own disassembler and become a useful earthling finally ^_^
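The ModRM/SIB/displacement rule the opening post asks about (questions i to iii) and the F3 0F 01 D0 case from the post above, as an added example in C that is not the poster's engine and not fasm code: a length-only decoder for a subset of 64-bit-mode x86. It assumes 64-bit mode (so mod=00 rm=101 is RIP-relative and a REX byte may sit between the legacy prefixes and the opcode) and covers the legacy prefixes, REX, most of the one-byte opcode map and a handful of two-byte opcodes; the 0F 38/0F 3A maps and VEX/XOP/EVEX are reported as unsupported (-1) rather than guessed. Whether a byte is a ModRM byte cannot be decided from the byte itself (question ii): only the opcode table says whether one follows, and once it does, mod and rm alone determine whether a SIB byte and a displacement follow. For `F3 0F 01 D0`, ModRM `D0` has mod=11, so nothing follows it and the length is 4 including the prefix; the same rule gives 3 for `0F 01 D4` (VMFUNC). All sample byte strings are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes consumed by a ModRM byte plus its optional SIB byte and displacement.
   p points at the ModRM byte, n is the number of bytes available; -1 = truncated. */
static int modrm_len(const uint8_t *p, size_t n) {
    if (n < 1) return -1;
    int mod = p[0] >> 6, rm = p[0] & 7, len = 1, disp = 0;
    if (mod == 3) return 1;                         /* register form: nothing follows */
    if (rm == 4) {                                  /* rm=100 means a SIB byte follows */
        if (n < 2) return -1;
        len = 2;
        if (mod == 0 && (p[1] & 7) == 5) disp = 4;  /* SIB base=101 with mod=00: disp32, no base */
    } else if (mod == 0 && rm == 5) {
        disp = 4;                                   /* mod=00 rm=101: RIP-relative disp32 */
    }
    if (mod == 1) disp = 1;                         /* [base+disp8] */
    if (mod == 2) disp = 4;                         /* [base+disp32] */
    return len + disp;
}

/* Length of the 64-bit-mode instruction starting at p (n bytes available). Returns -1 for
   a truncated buffer or an opcode outside this subset (no 0F 38/0F 3A maps, no VEX/XOP/EVEX). */
int x86_64_insn_length(const uint8_t *p, size_t n) {
    size_t i = 0;
    int opsize16 = 0, addr32 = 0, rexw = 0, need_modrm = 0, imm = 0;
    while (i < n) {                                 /* legacy prefixes, any order */
        uint8_t b = p[i];
        if (b == 0x66) opsize16 = 1;
        else if (b == 0x67) addr32 = 1;
        else if (b != 0xF0 && b != 0xF2 && b != 0xF3 && b != 0x26 && b != 0x2E &&
                 b != 0x36 && b != 0x3E && b != 0x64 && b != 0x65) break;
        i++;
    }
    if (i < n && (p[i] & 0xF0) == 0x40) rexw = p[i++] & 8;   /* REX must directly precede the opcode */
    if (i >= n) return -1;
    int imm32 = opsize16 ? 2 : 4;                   /* "imm32" shrinks to imm16 under 66h */
    uint8_t op = p[i++];
    if (op == 0x0F) {                               /* two-byte opcode map */
        if (i >= n) return -1;
        uint8_t op2 = p[i++];
        if (op2 >= 0x80 && op2 <= 0x8F) imm = 4;    /* Jcc rel32 */
        else if (op2 == 0x05 || op2 == 0x0B || op2 == 0x31 || op2 == 0xA2) {} /* syscall, ud2, rdtsc, cpuid */
        else if (op2 <= 0x01 || op2 == 0x1F || (op2 >= 0x40 && op2 <= 0x4F) ||
                 (op2 >= 0x90 && op2 <= 0x9F) || op2 == 0xAF || op2 == 0xB6 ||
                 op2 == 0xB7 || op2 == 0xBE || op2 == 0xBF) need_modrm = 1; /* 0F 00/01 groups, nop r/m, cmovcc, setcc, imul, movzx/movsx */
        else return -1;
    } else if (op < 0x40) {                         /* add/or/adc/sbb/and/sub/xor/cmp rows */
        int k = op & 7;
        if (k < 4) need_modrm = 1; else if (k == 4) imm = 1; else if (k == 5) imm = imm32;
    } else if (op >= 0x50 && op <= 0x5F) {}         /* push/pop r64 */
    else if (op == 0x63) need_modrm = 1;            /* movsxd */
    else if (op == 0x68 || op == 0x6A) imm = (op == 0x68) ? imm32 : 1;            /* push imm32 / imm8 */
    else if (op == 0x69 || op == 0x6B) { need_modrm = 1; imm = (op == 0x69) ? imm32 : 1; } /* imul r, r/m, imm */
    else if (op >= 0x70 && op <= 0x7F) imm = 1;     /* Jcc rel8 */
    else if (op == 0x80 || op == 0x83) { need_modrm = 1; imm = 1; }    /* group 1, imm8 */
    else if (op == 0x81) { need_modrm = 1; imm = imm32; }              /* group 1, imm32 */
    else if (op >= 0x84 && op <= 0x8F) need_modrm = 1;  /* test/xchg/mov/lea/pop r/m */
    else if (op >= 0x90 && op <= 0x9F) {}           /* nop, xchg, cwde/cdq, pushf/popf, ... */
    else if (op >= 0xA0 && op <= 0xA3) imm = addr32 ? 4 : 8; /* mov al/eax <-> moffs64 */
    else if (op == 0xA8 || op == 0xA9) imm = (op == 0xA8) ? 1 : imm32; /* test al/eax, imm */
    else if (op >= 0xA4 && op <= 0xAF) {}           /* string instructions */
    else if (op >= 0xB0 && op <= 0xB7) imm = 1;     /* mov r8, imm8 */
    else if (op >= 0xB8 && op <= 0xBF) imm = rexw ? 8 : imm32; /* mov r, imm (imm64 with REX.W) */
    else if (op == 0xC0 || op == 0xC1 || op == 0xC6) { need_modrm = 1; imm = 1; } /* shift imm8, mov r/m8 imm8 */
    else if (op == 0xC7) { need_modrm = 1; imm = imm32; }  /* mov r/m, imm32 (not widened by REX.W) */
    else if (op == 0xC2) imm = 2;                   /* ret imm16 */
    else if (op == 0xC3 || op == 0xC9 || op == 0xCC) {}    /* ret, leave, int3 */
    else if (op == 0xC8) imm = 3;                   /* enter imm16, imm8 */
    else if (op == 0xCD) imm = 1;                   /* int imm8 */
    else if (op >= 0xD0 && op <= 0xD3) need_modrm = 1;     /* shift by 1 / by cl */
    else if (op >= 0xD8 && op <= 0xDF) need_modrm = 1;     /* x87 escape */
    else if (op >= 0xE0 && op <= 0xE3) imm = 1;     /* loop*, jrcxz rel8 */
    else if (op == 0xE8 || op == 0xE9) imm = 4;     /* call/jmp rel32 */
    else if (op == 0xEB) imm = 1;                   /* jmp rel8 */
    else if (op == 0xF6 || op == 0xF7) {            /* group 3: only /0 and /1 (test) carry an immediate */
        if (i >= n) return -1;
        need_modrm = 1;
        if (((p[i] >> 3) & 7) < 2) imm = (op == 0xF6) ? 1 : imm32;
    } else if (op == 0xFE || op == 0xFF) need_modrm = 1;   /* inc/dec/call/jmp/push r/m */
    else return -1;
    if (need_modrm) {
        int m = modrm_len(p + i, n - i);
        if (m < 0) return -1;
        i += (size_t)m;
    }
    if (i + (size_t)imm > n) return -1;             /* immediate cut off by end of buffer */
    return (int)(i + (size_t)imm);
}

int main(void) {   /* constructed samples: inc qword [rip+0x10], F3 + xgetbv, REX + FF with no ModRM */
    static const uint8_t inc_rip[] = {0x48, 0xFF, 0x05, 0x10, 0x00, 0x00, 0x00};
    static const uint8_t xgetbv_f3[] = {0xF3, 0x0F, 0x01, 0xD0};
    static const uint8_t truncated[] = {0x48, 0xFF};
    printf("%d %d %d\n", x86_64_insn_length(inc_rip, sizeof inc_rip),
           x86_64_insn_length(xgetbv_f3, sizeof xgetbv_f3),
           x86_64_insn_length(truncated, sizeof truncated));   /* 7 4 -1 */
    return 0;
}
```

Two design points worth noticing. The group-3 case (F6/F7) shows why "opcode byte alone" is not always enough: the reg field of the ModRM byte decides whether an immediate follows, so a table keyed only on the opcode has to peek at ModRM for those entries. And the decoder never trusts the input length: every read is bounds-checked and a short buffer yields -1, which is the behaviour you want from anything that walks untrusted code bytes.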
system error 01 May 2016, 11:52
And frankly speaking, binaries produced by FASM are very clean and extremely accurate. Congrats Tomasz! ^_^
revolution 01 May 2016, 14:31
system error wrote:
i have completed my own length engine up to VEX prefix.
Good. Where is the source code?
system error 11 May 2016, 04:16
Sorry for the delay. Still working on the symbol translations. But for the length engine alone, here's the code plus the old table. It's messy. For windows only, but for linux, you just need the length_engine, decoder, init functions and the table.

Just added XOP prefix lookup. I need help testing it because I can't possibly know all instructions and variants.

All table entries are single ops of 4 byte chunks. Length calculation is done via code, not by lookup.
system error 11 May 2016, 04:22
oh oh btw, if you decided to use the length_engine in other forms (command-line, DLL, etc), you need to point RAX to the offset of the instruction you want to calculate. It returns the length in RAX.
system error 14 May 2016, 13:32
Mom, does FASM support RDPKRU? It gives me illegal instruction.

Code:
flat assembler  version 1.71.51  (16384 kilobytes memory)
analytix.asm [11]:
        rdpkru
error: illegal instruction.    


It's a 3-byte opcode in my table.
system error 14 May 2016, 13:38
and WRPKRU too!
revolution 14 May 2016, 14:13
fasm v1.71.52 wrote:
version 1.71.52 (May 13, 2016)

[+] Added "rdpkru" and "wrpkru" instructions.
system error 14 May 2016, 15:59
The timing is just perfect!

There's one still missing: VMFUNC (0x0F01D4)
system error 14 May 2016, 16:07
VMFUNC takes no operand and belongs to the same 3-byte instruction class as RDPKRU/WRPKRU.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.