machine-code

问题 Let's say I've the following set of instructions: 00E79E00 | E8 AE580000 CALL someprocess.00E7F6B3 00E79E05 | 85C0 TEST EAX, EAX (output taken from OllyDbg) How do I encode the rel32 offset from the near call(0xE8) so I can get the absolute position I can jump to? I know that the offset is relative to the next instruction and is calculated by subtracting the target with it. My question is: how do I 'reverse' this so I get the function addres 00E7F6B3 from the relative offset AE580000 回答1: You

问题 Let's say I've the following set of instructions: 00E79E00 | E8 AE580000 CALL someprocess.00E7F6B3 00E79E05 | 85C0 TEST EAX, EAX (output taken from OllyDbg) How do I encode the rel32 offset from the near call(0xE8) so I can get the absolute position I can jump to? I know that the offset is relative to the next instruction and is calculated by subtracting the target with it. My question is: how do I 'reverse' this so I get the function addres 00E7F6B3 from the relative offset AE580000 回答1: You

问题 I'm currently trying to write a disassembler. I found the following list of opcodes and their meanings, so i decided to parse it at runtime: http://mprolab.teipir.gr/vivlio80X86/pentium.txt But i am stuck at the opcode 0x00: It is followed by a reg/modbyte. Parsing it was not much of a problem for me. But I'm having trouble with the Scale-Index-Base byte: If you actually specify esp as index register, it actually means that there is no index register. The same applies for the base register

问题 I understand that jump in assembly is basically going from one location to another. Say we have 804828f: 74 05 je XXXXXXX 8048291: e8 1e 00 00 00 call 80482b4 According to the book, all I'm really doing is adding 0x05 to 8048291 which yields 8048291, but I am confused by what the command here is asking. According to the book, operand je is je which is equal / 0 Then we have a complicated one that I really am having a hard time wrapping my head around. 8048357: 72 e7 jb XXXXXXXX 8048359: c6 05

问题 I am reading Intel doc, vol. 1 and There is a chapter of 3.6.1 Operand Size and Address Size in 64-Bit Mode . There are three prefixes REX.W , operand-size 66 and address-size 67 prefix. And there is mentioned that operand are defaulted to be 32 bit in size. And is only possible to change it with REX.W instruction prefix (after other prefixes) to make it 64 bits long. I do not know why so, why cannot I used the full 64 bit space for example for int operand? Does it have something to do with

问题 I am trying to write shellcode for a CTF challenge that does not allow for 0x00 bytes (it will be interpreted as a terminator). Due to restrictions in the challenge, I must do something like this: [shellcode bulk] [(0x514 - sizeof(shellcode bulk)) filler bytes] [fixed constant data to overwrite global symbols] [shellcode data] It looks something like this .intel_syntax noprefix .code32 shellcode: jmp sc_data shellcode_main: #open xor eax, eax pop ebx //file string xor ecx, ecx //flags xor edx

问题 From Intel's SDM, section 2.2.1 specifies that the REX prefix is used to: Specify GPRs and SSE registers. Specify 64-bit operand size. Specify extended control registers But what do the letters REX stand for in the acronym? 回答1: This 2002 Hot Chips presentation by AMD expands the acronym on slide 10: "REX (Register Extension)". Kevin McGrath and Dave Christie, "The AMD x86-64 Architecture: Extending the x86 to 64 bits", Hot Chips 14, August 2002. 来源： https://stackoverflow.com/questions

问题 I'm confused about machine code and native code in the context of .NET languages. What is the difference between them? Are they the same? 回答1: The terms are indeed a bit confusing, because they are sometimes used inconsistently. Machine code: This is the most well-defined one. It is code that uses the byte-code instructions which your processor (the physical piece of metal that does the actual work) understands and executes directly. All other code must be translated or transformed into

问题 I have read this answer, but I need to know what is the longest instruction length on Intel 386(which is 32-bit not 64 bit) without using any instruction prefixes. Based on the manual, it is probably 12: Opcode: 2 bytes MOD/Rm: 1 byte SIB: 1 byte Displacement: 4 bytes Immediate: 4 bytes Total: 12 Is this the correct answer? 回答1: On 80386 that would be 11 bytes: Opcode: 1 byte MOD/RM: 1 byte SIB: 1 byte Displacement: 4 bytes Immediate: 4 bytes The 2-byte opcodes are using the 0Fh instruction

问题 I'm going to write and test a bootloader. In order to do this, I am planning to copy the bootloader onto a floppy image file and mount it in a VM. However, I'm not sure where to put the bootloader's machine code. Does it just get dumped into the first few bytes of the file? 回答1: The boot sector of the floppy was the first sector. If you're talking about a raw floppy image (1440K), it should be the first 512 bytes of the image file. From memory, this gets loaded by the BIOS into 7c00:0000