我有以下代码,用 distorm64 解码字节 0x66 0x5b 0xc3(pop ebx / ret)(代码取自这个例子)
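// Holds the result of the decoding.
_DecodeResult res;
// Decoded instruction information, filled by distorm_decode().
_DecodedInst decodedInstructions[MAX_INSTRUCTIONS];
// decodedInstructionsCount holds how many entries of the array the decoder filled.
unsigned int decodedInstructionsCount = 0;
// Decoding mode is 32 bits unless x64 was requested (could be set by command line).
// NOTE: the mode decides how the 0x66 operand-size override prefix is read.
// In 32-bit mode `66 5b` is POP BX and a bare `5b` is POP EBX; only in 16-bit
// mode (Decode16Bits) are the two encodings swapped. An assembler running in
// 16-bit mode (e.g. nasm -f bin without a `BITS 32` directive) therefore emits
// the opposite encoding of what a 32-bit decode expects.
_DecodeType dt = x64 ? Decode64Bits : Decode32Bits;
// Default offset for buffer is 0, could be set in command line.
_OffsetType offset = 0;
char* errch = NULL; // not used in this snippet; kept for the surrounding code
// Scratch buffer for one formatted output line; sized once, referenced via sizeof below.
char tempBuf[500];
// Decode the buffer at given offset (virtual address), at most MAX_INSTRUCTIONS
// per call, advancing the input pointer after each chunk.
while (1)
{
    // If you get an unresolved external symbol linker error for the following line,
    // change the SUPPORT_64BIT_OFFSET in distorm.h.
    res = distorm_decode(offset, (const unsigned char*)byteCodeBuffer, byteCodeBufferSize, dt, decodedInstructions, MAX_INSTRUCTIONS, &decodedInstructionsCount);
    if (res == DECRES_INPUTERR)
    {
        // Null buffer? Decode type not 16/32/64?
        printf("Input error, halting!");
        return EXIT_FAILURE;
    }
    for (unsigned int i = 0; i < decodedInstructionsCount; i++)
    {
#ifdef SUPPORT_64BIT_OFFSET
        // Bound the formatted line by the real buffer size instead of repeating
        // the literal 500, so the declaration and the bound cannot drift apart.
        sprintf_s(tempBuf, sizeof tempBuf, "%0*I64x (%02d) %-24s %s%s%s\n", dt != Decode64Bits ? 8 : 16, decodedInstructions[i].offset, decodedInstructions[i].size, (char*)decodedInstructions[i].instructionHex.p, (char*)decodedInstructions[i].mnemonic.p, decodedInstructions[i].operands.length != 0 ? " " : "", (char*)decodedInstructions[i].operands.p);
        outputText.append(tempBuf);
#else
        printf("%08x (%02d) %-24s %s%s%s\n", decodedInstructions[i].offset, decodedInstructions[i].size, (char*)decodedInstructions[i].instructionHex.p, (char*)decodedInstructions[i].mnemonic.p, decodedInstructions[i].operands.length != 0 ? " " : "", (char*)decodedInstructions[i].operands.p);
#endif
    }
    if (res == DECRES_SUCCESS) break; // All instructions were decoded.
    else if (decodedInstructionsCount == 0) break; // Nothing decoded in this round: stop instead of looping forever.
    // Synchronize: distance from the start of this chunk to the end of the
    // last decoded instruction, so the next call resumes right after it.
    unsigned int next = (unsigned long)(decodedInstructions[decodedInstructionsCount-1].offset - offset);
    next += decodedInstructions[decodedInstructionsCount-1].size;
    // Advance ptr and recalc offset.
    byteCodeBuffer += next;
    byteCodeBufferSize -= next;
    offset += next;
}
return EXIT_SUCCESS;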
结果是
00000000 (02) 665b POP BX
00000002 (01) c3 RET
这是错误的,因为寄存器不是 BX 而是 EBX。
如果我尝试编译(使用 nasm)“pop bx / ret”序列,我得到 0x5b 0xc3 并且 distorm 将其转换为
00000000 (01) 5b POP EBX
00000001 (01) c3 RET
这同样是错误的(返回的不应该是 EBX,而应该是 BX!)
我哪里错了?这是 distorm64 的一个 bug,还是别的原因?