Problem description
I'm currently developing an x86 disassembler, and I started disassembling a win32 PE file. Most of the disassembled code looks good, however there are some occurrences of the illegal 0xff /7 opcode (/7 means reg=111, 0xff is the opcode group inc/dec/call/callf/jmp/jmpf/push/illegal with operand r/m 16/32). The first guess was that /7 is the pop instruction, but it is encoded with 0x8f /0. I've checked this against the official Intel Architecture Software Developer's Manual Volume 2: Instruction Set Reference - so I'm not just misled.
Example disassembly: (S0000O0040683a is a label being jumped to by another instruction)
S0000O0040683a: inc edi ; 0000:0040683a ff c7
test dword ptr [eax+0xff],edi ; 0000:0040683c 85 78 ff
0xff/7 edi ; 0000:0040683f ff ff
BTW: gdb disassembles this equally (except the bug 0xff not yielding -1 in my disassembly):
(gdb) disassemble 0x0040683a 0x00406840
Dump of assembler code from 0x40683a to 0x406840:
0x0040683a: inc %edi
0x0040683c: test %edi,0xffffffff(%eax)
0x0040683f: (bad)
End of assembler dump.
So the question is: Is there any default handler in the illegal opcode exception handler of Windows, which implements any functionality in this illegal opcode, and if yes: What happens there?
Regards, Bodo
Answer
After many many additional hours getting my disassembler to produce the output in the exact same syntax as gdb does, I could diff over the two versions. This revealed a rather awkward bug in my disassembler: I forgot to take into account that the 0x0f 0x8x jump instructions have a TWO byte opcode (plus the rel16/32 operand). So each 0x0f 0x8x jump target was off by one, leading to code which is not reachable in reality. After fixing this bug, no 0xff/7 opcodes are disassembled any longer.
Thanks go to everyone answering to my question (and commenting that answers as well) and thus at least trying to help me.
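The following is an added illustration, not code from the asker or from any real disassembler: a minimal 32-bit x86 decoder covering only the encodings that appear in this thread (the 0xff group selected by the ModRM reg field, 0x8f /0 pop, 0x85 test, 0x0f 0x8x Jcc rel32 and ret). The byte string is constructed to mirror the question's `85 78 ff` followed by `ff ...` pattern. A `buggy_jcc` switch reproduces the off-by-one from the answer (counting the two-byte 0x0f 0x8x opcode as one byte) so you can see how a shortened Jcc length makes the follower land one byte early, straight onto an `ff ff` pair that decodes as the illegal /7 form. The disp8 in `85 78 ff` is decoded as a signed byte, which is the `-1` the asker mentions gdb printing.

```python
import struct

# Opcode group 0xFF is selected by the ModRM reg field (/0 .. /7); /7 is illegal.
GROUP_FF = ["inc", "dec", "call", "callf", "jmp", "jmpf", "push", None]
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


class IllegalOpcode(Exception):
    """Raised for encodings the manual marks as undefined (e.g. 0xff /7)."""


def decode_modrm(code, off):
    """Decode a ModRM byte at code[off] (no SIB support in this example).
    Returns (reg_field, operand_text, bytes_consumed)."""
    b = code[off]
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    if rm == 4 and mod != 3:
        raise NotImplementedError("SIB byte not handled in this example")
    if mod == 3:                      # register-direct operand
        return reg, REG32[rm], 1
    if mod == 0:
        if rm == 5:                   # [disp32] with no base register
            disp = struct.unpack_from("<I", code, off + 1)[0]
            return reg, "dword ptr [0x%x]" % disp, 5
        return reg, "dword ptr [%s]" % REG32[rm], 1
    if mod == 1:                      # disp8 is sign-extended: 0xff is -1, not +255
        disp = struct.unpack_from("<b", code, off + 1)[0]
        size = 2
    else:                             # mod == 2: disp32
        disp = struct.unpack_from("<i", code, off + 1)[0]
        size = 5
    sign = "-" if disp < 0 else "+"
    return reg, "dword ptr [%s%s0x%x]" % (REG32[rm], sign, abs(disp)), size


def decode_one(code, off, buggy_jcc=False):
    """Decode one instruction at code[off].
    Returns (text, length, branch_target_or_None)."""
    op = code[off]
    if op == 0x0F and 0x80 <= code[off + 1] <= 0x8F:
        rel = struct.unpack_from("<i", code, off + 2)[0]
        # Correct length: 2 opcode bytes + 4-byte rel32. The bug from the
        # answer counted the opcode as one byte, so the end-of-instruction
        # address (and the target computed from it) came out one byte short.
        length = 5 if buggy_jcc else 6
        target = off + length + rel
        return "%s 0x%x" % (JCC[code[off + 1] & 0xF], target), length, target
    if op == 0xFF:
        reg, operand, n = decode_modrm(code, off + 1)
        if GROUP_FF[reg] is None:
            raise IllegalOpcode("0xff /7 at offset 0x%x" % off)
        return "%s %s" % (GROUP_FF[reg], operand), 1 + n, None
    if op == 0x8F:                    # pop r/m32 is 8F /0 only
        reg, operand, n = decode_modrm(code, off + 1)
        if reg != 0:
            raise IllegalOpcode("0x8f /%d at offset 0x%x" % (reg, off))
        return "pop %s" % operand, 1 + n, None
    if op == 0x85:                    # test r/m32, r32
        reg, operand, n = decode_modrm(code, off + 1)
        return "test %s,%s" % (operand, REG32[reg]), 1 + n, None
    if op == 0xC3:
        return "ret", 1, None
    raise NotImplementedError("opcode 0x%02x not in this example's table" % op)


def follow_branch(code, start, buggy_jcc=False):
    """Decode from `start`, always taking branches, until ret or an illegal
    opcode. Returns the list of decoded instruction texts."""
    out, off = [], start
    while off < len(code):
        try:
            text, length, target = decode_one(code, off, buggy_jcc)
        except IllegalOpcode as e:
            out.append("(bad) " + str(e))
            break
        out.append(text)
        if text == "ret":
            break
        off = target if target is not None else off + length
    return out


# Constructed sample (not bytes from the asker's PE file):
CODE = bytes([
    0x0F, 0x84, 0x03, 0x00, 0x00, 0x00,   # 0:  je +3  -> correct target is 6+3 = 9
    0x85, 0x78, 0xFF,                     # 6:  test dword ptr [eax-0x1],edi
    0xFF, 0xC7,                           # 9:  inc edi
    0xC3,                                 # 11: ret
])

if __name__ == "__main__":
    print("correct:", follow_branch(CODE, 0))
    print("buggy:  ", follow_branch(CODE, 0, buggy_jcc=True))
```

With the correct length the jump lands on offset 9 and decodes `ff c7` as `inc edi`; with the one-byte-short length it lands on offset 8, where the trailing `ff` of the test's displacement and the `ff` of the next opcode pair up as `ff ff`, i.e. ModRM reg=111 in group 0xff, the same illegal /7 the question saw. Diffing a linear-sweep output against gdb, as the answer did, is the quickest way to catch a length error like this, because every instruction after the misdecoded one shifts.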