disassembly

问题 I was wondering if it is possible to decode x86-64 instructions in reverse? I need this for a runtime dissembler. Users can point to a random location in memory and then should be able to scroll upwards and see what instructions came before the specified address. I want to do this by reverse decoding. 回答1: The basic format of x86 instructions is like this Modern CPUs can support VEX and EVEX prefixes. In x86-64 there might also be the REX prefix at the beginning Looking at the format it can

问题 I've been trying to understand the purpose of the 0x40 REX opcode for ASM x64 instructions. Like for instance, in this function prologue from Kernel32.dll: As you see they use push rbx as: 40 53 push rbx But using just the 53h opcode (without the prefix) also produces the same result: According to this site, the layout for the REX prefix is as follows: So 40h opcode seems to be not doing anything. Can someone explain its purpose? 回答1: the 04xh bytes (i.e. 040h , 041h ... 04fh ) are indeed REX

问题 lea 0x0(%esi),%esi I believe it has no result and is simply filling space. Is this the case? 回答1: Its a NOP. It adds the contents of %esi and 0x0, and puts the result in %esi. Somebody either has a clumsy code generator or needs to fill N bytes, where this instruction is the right size. LEA instructions execute quite fast (typically 1 clock), so this is a lot better than N nops. The x86 being as quirky as it is, has a variety of instructions that effectively don't do anything but fill

问题 I'm in middle of rewriting my assembler. While at it I'm curious about implementing disassembly as well. I want to make it simple and compact, and there's concepts I can exploit while doing so. It is possible to determine rest of the x86 instruction encoding from opcode (maybe prefix bytes are required too, a bit). I know many people have written tables for doing it. I'm not interested about mnemonics but instruction encoding, because it is an actual hard problem there. For each opcode number

问题 I'm seeing what I think is strange behaviour from object files output by the Microsoft Visual Studio 2003 tools. The file utility tells me: asmfile.obj: 80386 COFF executable not stripped - version 30821 For objects created by the assembler, but for objects coming from C files, I get just: cfile.obj: data Using Microsoft's dumpbin utility and the objdump I got from cygwin, I can disassemble the assembly-built file, but I get no useful results from either utility for the C-built files. I have

问题 If I have the virtual address of system call, can I disassemble that system call? I want to do it on running kernel to find what all address are handled by the particular system call while running. I am running 32 bit 2.6.38 kernel (x86). 回答1: I am not sure you question is very meaningful. Please read more about system calls, kernels, operating systems, linux, and the linux kernel Essentially, a system call is (from the application point of view) an atomic operation implemented by one machine

问题 I have a C Function which tries to copy a framebuffer to FSMC RAM. The functions eats the frame rate of the game loop to 10FPS. I would like to know how to analyze the disassembled function, should I count each instruction cycle ? I want to know where the CPU spend its time, in which part. I'm sure that the algorithm is also a problem, because its O(N^2) The C Function is: void LCD_Flip() { u8 i,j; LCD_SetCursor(0x00, 0x0000); LCD_WriteRegister(0x0050,0x00);//GRAM horizontal start position

问题 I want to disassemble part of a program directly in memory. I am interested how generated code looks like when I investigate the stack and check how and where a certain routine was loaded and how it is bind and invoked. Is there a ready to use program or library I can use to disassemble a certain byte sequence I extracted from a given location? 来源： https://stackoverflow.com/questions/29562098/disassemble-memory

问题 See title. Reflection.Emit seems to be more about creating a new dynamic assembly, not for loading an exisitng assembly and inspecting its IL. 回答1: Common Compiler Infrastructure 回答2: Reflector does this, and last time I checked, Reflector could still inspect (i.e. disassemble) itself this way, so it will show you exactly how it works. 来源： https://stackoverflow.com/questions/2824086/is-it-possible-to-inspect-an-assemblys-il-instructions-programmatically-using-m

问题 I have an ELF 32-bit dynamically linked, stripped file which I wish to debug. While trying to set a breakpoint at an address a message saying that the symbol table is not loaded. My questions are: When you say that an ELF file is stripped what exactly is happening? How do you strip an ELF file? Is it possible to reconstruct the symbol table somehow? Is it not possible to set breakpoints in gdb on a stripped executable? 回答1: Stripping ELFs is is done with the gnu binutils tool strip, from the