How?

Say I have a binary starting with 0x48 0xff 0x05 ...

Which part of the encoding fields that mathematically can help me figure out the total length of that particular instruction? Is this possible? That brings another questions (if you don't mind);

i) How to figure out whether an opcode needs a ModRM byte or not, judging from that opcode byte alone? Possible or not?

ii) ModRM byte: how to tell that this byte is a valid byte and not something else or belong to the next instruction?

iii) Opcode byte: I don't see any field definitions of it anywhere except those last 2 bits. That leaves only the next 6 bits as the real opcode field. Where can I find the field definitions of these 6-bit ops?

iv) I forgot this important question. I'll come back later for this question.

There are already some posts and code on this board demonstrating Length disassembly engines. A possible other search term is LDE.

Didn't know that this thing I am asking is about disassembly. HAHA. Thought it was like a walk in the park. But it is mathematically possible right, even without using LDE? Maybe using a lookup table?

That is what an LDE does, exactly what you are trying to do. Have a look at the existing solutions, maybe you can find improvements or something.

Yeah, I've seen the code. Lots and lots of lookup tables. I suspect FASM source have something similar but I can't find it.

fasm is an assembler, and doesn't have any need for determining the length from the byte output stream. Your question is the opposite of that, hence they are called length disassembly engines.

btw mom, i have completed my own length engine up to VEX prefix. Not that difficult anyway.

The only problem is when xacquire (0xF3) is followed next by xgetbv (0x0F01D0). It gives the wrong length. Don't know how to deal with this since my lookup table isn't really a lookup table but rather as simple reference. All calculations are done internally using code. If u know anything around this little problem, do let me know.

Still need some time to build a symbolic lookies and then voila, I have written my own disassembler and become a useful earthling finally ^_^

And frankly speaking, binaries produced by FASM is very clean and extremely accurate. Congrats Tomasz! ^_^

Good. Where is the source code?

Sorry for the delay. Still working on the symbol translations. But for the length engine alone, here's the code plus the old table. It's messy. For windows only, but for linux, you just need the length_engine, decoder, init functions and the table.

Just added XOP prefix lookup. I need help testing it because I can't possibly know all instructions and variants..

All table entries are single ops of 4 byte chunks. Length calculation is done via code, not by lookup.

oh oh btw, if you decided to use the length_engine in other forms (command-line, DLL, etc), you need to point RAX to the offset of the instruction you want to calculate. It returns the length in RAX.

Mom, does FASM support RDPKRU? It gives me illegal instruction.



It's a 3-byte opcode in my table.

and WRPKRU too!

the timing is just perfect!

There's one still missing; VMFUNC (0x0F01D4)

VMFUNC takes no operand and belongs to the same 3-byte instruction class as RDPKRU/WRPKRU.