I have the following code that decodes the bytes 0x66 0x5b 0xc3 (pop ebx / ret) with distorm64 (the code comes from this example):
```cpp
#include <cstdio>
#include <cstdlib>
#include <string>
#include "distorm.h"

// Upper bound on the number of instructions decoded per distorm_decode call.
#define MAX_INSTRUCTIONS 1000

// Decodes byteCodeBuffer as 32-bit code (64-bit when x64 is set) and emits one
// line per instruction: offset, size, hex bytes, mnemonic and operands.
int decodeBuffer(const unsigned char* byteCodeBuffer, unsigned int byteCodeBufferSize,
                 bool x64, std::string& outputText)
{
    // Holds the result of the decoding.
    _DecodeResult res;
    // Decoded instruction information.
    _DecodedInst decodedInstructions[MAX_INSTRUCTIONS];
    // next is used for instruction's offset synchronization.
    // decodedInstructionsCount holds the count of filled instructions' array by the decoder.
    unsigned int decodedInstructionsCount = 0, i, next;
    // Default decoding mode is 32 bits, could be set by command line.
    _DecodeType dt;
    if (!x64)
        dt = Decode32Bits;
    else
        dt = Decode64Bits;
    // Default offset for buffer is 0, could be set in command line.
    _OffsetType offset = 0;
    char tempBuf[500];
    // Decode the buffer at given offset (virtual address).
    while (1)
    {
        // If you get an unresolved external symbol linker error for the following line,
        // change the SUPPORT_64BIT_OFFSET in distorm.h.
        res = distorm_decode(offset, byteCodeBuffer, byteCodeBufferSize, dt,
                             decodedInstructions, MAX_INSTRUCTIONS, &decodedInstructionsCount);
        if (res == DECRES_INPUTERR)
        {
            // Null buffer? Decode type not 16/32/64?
            printf("Input error, halting!");
            return EXIT_FAILURE;
        }
        for (i = 0; i < decodedInstructionsCount; i++)
        {
#ifdef SUPPORT_64BIT_OFFSET
            // Offset width follows the decode mode: 8 hex digits for 16/32-bit, 16 for 64-bit.
            sprintf_s(tempBuf, 500, "%0*I64x (%02d) %-24s %s%s%s\n", dt != Decode64Bits ? 8 : 16,
                      decodedInstructions[i].offset, decodedInstructions[i].size,
                      (char*)decodedInstructions[i].instructionHex.p,
                      (char*)decodedInstructions[i].mnemonic.p,
                      decodedInstructions[i].operands.length != 0 ? " " : "",
                      (char*)decodedInstructions[i].operands.p);
            outputText.append(tempBuf);
#else
            printf("%08x (%02d) %-24s %s%s%s\n", decodedInstructions[i].offset,
                   decodedInstructions[i].size, (char*)decodedInstructions[i].instructionHex.p,
                   (char*)decodedInstructions[i].mnemonic.p,
                   decodedInstructions[i].operands.length != 0 ? " " : "",
                   (char*)decodedInstructions[i].operands.p);
#endif
        }
        if (res == DECRES_SUCCESS) break; // All instructions were decoded.
        else if (decodedInstructionsCount == 0) break;
        // Synchronize: skip past the last instruction that was fully decoded.
        next = (unsigned long)(decodedInstructions[decodedInstructionsCount-1].offset - offset);
        next += decodedInstructions[decodedInstructionsCount-1].size;
        // Advance ptr and recalc offset.
        byteCodeBuffer += next;
        byteCodeBufferSize -= next;
        offset += next;
    }
    return EXIT_SUCCESS;
}

int main()
{
    // The bytes from the question: 66 5B C3.
    const unsigned char code[] = { 0x66, 0x5B, 0xC3 };
    std::string outputText;
    int rc = decodeBuffer(code, sizeof code, false, outputText);
    printf("%s", outputText.c_str());
    return rc;
}
```
The result is

```
00000000 (02) 665b POP BX
00000002 (01) c3 RET
```

This is wrong, because the register is not BX but EBX.

If I try assembling the sequence "pop bx / ret" (with nasm), I get 0x5b 0xc3, and distorm turns it into

```
00000000 (01) 5b POP EBX
00000001 (01) c3 RET
```

Also wrong (not EBX, it should give back BX!).

Where am I going wrong? Is it a distorm64 bug or something?
Answer 0 (score: 1)
Note that the 66 prefix "toggles" the 32/16-bit flag for one instruction, so if you have 32-bit code, 66 turns the next instruction into a 16-bit one, and if you have 16-bit code, it turns it into a 32-bit instruction.

So I can only assume there is some confusion about what mode your code is in: the disassembler is interpreting 16-bit code as 32-bit code, or something like that.
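The prefix behaviour the answer describes, as an added example that is not part of the original question, the answer, or distorm: a minimal decoder for just RET (C3) and the POP-register opcodes (58..5F) that applies the 0x66 override relative to the decoding mode's default operand size, rather than treating it as "make this 16-bit". Run over the two byte sequences from the question (constructed inline), it reproduces both listings: in 32-bit mode 66 5B is POP BX and a bare 5B is POP EBX, which is exactly what distorm printed. Only in 16-bit mode, which is nasm's default for flat binary output when no BITS directive is given, does 66 5B mean POP EBX and 5B mean POP BX. The 64-bit row goes beyond the question: there POP defaults to a 64-bit register and 66 selects the 16-bit one. The function names and the DecodeMode enum are this example's own, not distorm's API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoding mode, i.e. the default operand size that a 0x66 prefix toggles. */
typedef enum { MODE16 = 16, MODE32 = 32, MODE64 = 64 } DecodeMode;

/* Constructed sample inputs: the two byte sequences from the question. */
static const uint8_t SAMPLE_66_5B_C3[] = { 0x66, 0x5B, 0xC3 };
static const uint8_t SAMPLE_5B_C3[]    = { 0x5B, 0xC3 };

/* Decode one instruction from the subset this example handles: RET (C3) and
 * POP r16/r32/r64 (58..5F), optionally preceded by 0x66 operand-size prefixes.
 * Writes the mnemonic text to out and returns the instruction length in bytes,
 * or 0 if the bytes are truncated or outside the subset. */
static size_t decode_pop_or_ret(const uint8_t *buf, size_t len, DecodeMode mode,
                                char *out, size_t outsz)
{
    static const char *r16[8] = { "AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI" };
    static const char *r32[8] = { "EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI" };
    static const char *r64[8] = { "RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI" };
    size_t i = 0;
    int opsize_override = 0;

    /* 0x66 does not select 16-bit; it flips the mode's default operand size. */
    while (i < len && buf[i] == 0x66) { opsize_override = 1; i++; }
    if (i >= len) return 0;

    uint8_t op = buf[i++];
    if (op == 0xC3) {
        snprintf(out, outsz, "RET");
        return i;
    }
    if (op < 0x58 || op > 0x5F) return 0;

    const char **names;
    switch (mode) {
    case MODE16: names = opsize_override ? r32 : r16; break; /* 16-bit code: 66 promotes to 32-bit */
    case MODE32: names = opsize_override ? r16 : r32; break; /* 32-bit code: 66 demotes to 16-bit */
    default:     names = opsize_override ? r16 : r64; break; /* 64-bit code: POP defaults to 64-bit */
    }
    snprintf(out, outsz, "POP %s", names[op & 7]);
    return i;
}

/* Decode a whole buffer into "INSN / INSN / ..." form. Returns 1 on success,
 * 0 if any instruction is outside the subset or the output buffer is too small. */
static int disassemble(const uint8_t *buf, size_t len, DecodeMode mode, char *out, size_t outsz)
{
    size_t off = 0, used = 0;
    out[0] = '\0';
    while (off < len) {
        char insn[32];
        size_t n = decode_pop_or_ret(buf + off, len - off, mode, insn, sizeof insn);
        if (n == 0) return 0;
        int w = snprintf(out + used, outsz - used, "%s%s", used ? " / " : "", insn);
        if (w < 0 || (size_t)w >= outsz - used) return 0;
        used += (size_t)w;
        off += n;
    }
    return 1;
}

/* Convenience predicates for checking results without printing. */
static int disasm_equals(const uint8_t *buf, size_t len, DecodeMode mode, const char *expected)
{
    char line[128];
    return disassemble(buf, len, mode, line, sizeof line) && strcmp(line, expected) == 0;
}

static size_t insn_length(const uint8_t *buf, size_t len, DecodeMode mode)
{
    char insn[32];
    return decode_pop_or_ret(buf, len, mode, insn, sizeof insn);
}

int main(void)
{
    char line[128];
    const DecodeMode modes[] = { MODE16, MODE32, MODE64 };
    for (size_t m = 0; m < 3; m++) {
        if (disassemble(SAMPLE_66_5B_C3, sizeof SAMPLE_66_5B_C3, modes[m], line, sizeof line))
            printf("%2d-bit: 66 5b c3 -> %s\n", (int)modes[m], line);
        if (disassemble(SAMPLE_5B_C3, sizeof SAMPLE_5B_C3, modes[m], line, sizeof line))
            printf("%2d-bit:    5b c3 -> %s\n", (int)modes[m], line);
    }
    return 0;
}
```

The practical check when a disassembler's output looks "off by a prefix" is therefore not the decoder but the mode pair: the mode the assembler was told to emit for and the mode the decoder was told to read. Here both listings are consistent with 16-bit input being decoded as Decode32Bits.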