flat assembler
Message board for the users of flat assembler.
disassemble opcode
revolution 02 Aug 2019, 12:27
If you just want something quick then you can download a disassembler, or a debugger.
Or are you intending to write your own in assembly?
int0x50 02 Aug 2019, 13:01
I have to write it on my own. Later on, I may have to increase the bytes. Also, I may have to identify call jumps, packer identification, etc.
revolution 02 Aug 2019, 13:29
Decoding x86 instructions is probably easiest done one byte at a time.
Scan forward for the four basic components: prefix bytes, opcode bytes, offset bytes and immediate bytes. You also have to know the executing mode: 16, 32 or 64 bit.
Tomasz Grysztar 02 Aug 2019, 13:35
I would recommend starting with a simple subset of your general objective, for example writing a routine that determines how long the instruction is. In order to find out how many bytes an instruction occupies, you need to identify all its components.
I'm attaching a figure taken from Intel SDM (Volume 2). To decode an instruction, or even just to determine its length, you need to identify the components it contains. Only the Opcode component is always present; others may or may not be present depending on the opcode or on bits in some other components. You start by recognizing prefixes. This used to be a simple set of byte values that act as a prefix, like segment overrides (26h and others), size overrides (66h and 67h), LOCK (0F0h), REPNZ/REPZ (0F2h, 0F3h), and in long mode the entire 40h-4Fh range for REX prefixes. Nowadays this has become even more complex, with VEX and EVEX prefixes, which are multi-byte. There are also other considerations, like REX/VEX/EVEX having to be the last prefix before the opcode. Once you have identified the prefixes, you are at the position of the Opcode byte and can identify the instruction. If this byte is 0Fh, the opcode occupies more than one byte; if the second byte is also 0Fh, it is a 3-byte opcode. Once you know the opcode, you can look it up and find out what other components should follow it. Instructions that have no operands, like 0C3h (plain RET), have no further components; others have at least the ModR/M byte. The value of ModR/M in turn determines whether there is a SIB byte after it and whether there is a Displacement. And then instructions that have an immediate operand have an Immediate component at the very end.
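The length-only subset suggested above, as an added example that is not code from this thread or from fasm: a Python routine that walks the components in encoding order (legacy prefixes, REX, one-byte or 0F-map opcode, ModR/M, SIB, displacement, immediate) for a handful of common opcodes. The opcode tables and the helper names `insn_length`/`modrm_len` are my own choices; VEX/EVEX and 3-byte opcodes are deliberately left out.

```python
# Added example, not fasm's code: instruction-length decoder for a subset of x86 opcodes.
LEGACY = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0x66, 0x67, 0xF0, 0xF2, 0xF3}
# Per opcode: (ModR/M present?, immediate kind). 0/1/2 = fixed byte count, 'z' = 16/32 by
# operand size, 'j' = rel16/32 (always rel32 in 64-bit mode), 'v' = 16/32/64 (mov r,imm),
# 'g' = group 3 (F6/F7: immediate only when the reg field of ModR/M is /0 or /1).
ONE = {**{op: (op & 7 < 4, {4: 1, 5: 'z'}.get(op & 7, 0)) for op in range(0x40)},  # ADD..CMP
       **{op: (False, 0) for op in range(0x40, 0x60)},          # inc/dec/push/pop r
       **{op: (False, 1) for op in range(0x70, 0x80)},          # Jcc rel8
       **{op: (True, 0) for op in range(0x84, 0x90)},           # test/xchg/mov/lea
       **{op: (False, 1) for op in range(0xB0, 0xB8)},          # mov r8, imm8
       **{op: (False, 'v') for op in range(0xB8, 0xC0)},        # mov r, imm16/32/64
       0x68: (False, 'z'), 0x69: (True, 'z'), 0x6A: (False, 1), 0x6B: (True, 1),
       0x80: (True, 1), 0x81: (True, 'z'), 0x83: (True, 1), 0x90: (False, 0),
       0xC0: (True, 1), 0xC1: (True, 1), 0xC2: (False, 2), 0xC3: (False, 0),
       0xC6: (True, 1), 0xC7: (True, 'z'), 0xE8: (False, 'j'), 0xE9: (False, 'j'),
       0xEB: (False, 1), 0xF6: (True, 'g'), 0xF7: (True, 'g'), 0xFF: (True, 0)}
TWO = {**{op: (False, 'j') for op in range(0x80, 0x90)},        # Jcc rel16/32
       **{op: (True, 0) for op in [*range(0x10, 0x20), *range(0x40, 0x50),
                                    *range(0x90, 0xA0), 0xAF, 0xB6, 0xB7, 0xBE, 0xBF]},
       0x05: (False, 0)}                                         # syscall

def modrm_len(code, i, addrsize):
    """Bytes used by ModR/M plus any SIB and displacement starting at code[i]."""
    mod, rm = code[i] >> 6, code[i] & 7
    if mod == 3: return 1                          # register operand: no memory form
    if addrsize == 16:                             # 16-bit addressing has no SIB
        return 1 + (2 if mod == 2 or (mod == 0 and rm == 6) else mod)
    n = 1 + (rm == 4)                              # rm=100 means a SIB byte follows
    if mod == 0 and (rm == 5 or (rm == 4 and code[i + 1] & 7 == 5)):
        n += 4                                     # no base register: disp32 (RIP-relative in 64-bit)
    return n + {1: 1, 2: 4}.get(mod, 0)            # disp8 / disp32

def insn_length(code, mode=64):
    """Length of the instruction at code[0] in 16/32/64-bit mode; ValueError outside the subset."""
    i, opsize, addrsize, rexw = 0, (16 if mode == 16 else 32), mode, False
    while code[i] in LEGACY or (mode == 64 and 0x40 <= code[i] <= 0x4F):
        b = code[i]; i += 1                        # prefix order is not validated here
        if b == 0x66: opsize = 32 if mode == 16 else 16
        elif b == 0x67: addrsize = {16: 32, 32: 16, 64: 32}[mode]
        elif b >= 0x40: rexw = bool(b & 8)         # REX.W selects 64-bit operands
    z = 4 if rexw or opsize == 32 else 2
    op, table = code[i], ONE; i += 1
    if op == 0x0F:                                 # escape byte: two-byte opcode map
        op, table = code[i], TWO; i += 1
    if op not in table: raise ValueError("opcode %02X not in this subset" % op)
    modrm, kind = table[op]
    if modrm:
        reg = (code[i] >> 3) & 7; i += modrm_len(code, i, addrsize)
    if kind == 'g': kind = (1 if op == 0xF6 else 'z') if reg < 2 else 0
    return i + {'z': z, 'j': 4 if mode == 64 else z, 'v': 8 if rexw else z}.get(kind, kind)
```

The sample byte strings in the test are constructed by hand; a real run would feed it the bytes at the current decode position and advance by the returned length.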
Tomasz Grysztar 02 Aug 2019, 13:58
Also: if you're looking for a basic tutorial, I once recorded a couple of streams where I was showing how to start decoding x86 instructions.
Copyright © 1999-2024, Tomasz Grysztar.