是否可以反向解码x86-64指令? [英] Is it possible to decode x86-64 instructions in reverse?

问题描述

我想知道是否可以反向解码x86-64指令?

I was wondering if it is possible to decode x86-64 instructions in reverse?

我需要一个运行时反汇编程序.用户可以指向内存中的随机位置，然后应该能够向上滚动并查看在指定地址之前出现了哪些指令.

I need this for a runtime dissembler. Users can point to a random location in memory and then should be able to scroll upwards and see what instructions came before the specified address.

我想通过反向解码来做到这一点.

I want to do this by reverse decoding.

推荐答案

x86指令的基本格式如下

The basic format of x86 instructions is like this

现代CPU可以支持VEX和EVEX前缀.在x86-64中，开头可能还会有REX前缀

Modern CPUs can support VEX and EVEX prefixes. In x86-64 there might also be the REX prefix at the beginning

从格式上可以很容易地看出指令不是回文，而且您从头也看不懂.

Looking at the format it can easily be seen that the instructions aren't palindromes and you can't read from the end.

不幸的是，关于确定任意地址属于哪个指令，因为x86指令不是可自我同步，并且(通常)未对齐.您必须确切地知道一条指令的开头，否则该指令将被不同地解码.

Regarding determining which instruction an arbitrary address belongs to, unfortunately it can't be done either, because x86 instructions are not self-synchronizable, and (generally) not aligned. You have to know exactly the begin of an instruction, otherwise the instruction will be decoded differently.

您甚至可以提供实际包含数据的地址，而CPU/反汇编程序将仅将其解码为代码，因为没人知道这些字节的实际含义.跳转到指令中间通常用于代码混淆.过去该技术还被用于节省代码大小，因为一个字节可以重复使用，并且根据其所属的指令而具有不同的含义

You can even give addresses that actually contain data and the CPU/disassembler will just decode those as code, because no one knows what those bytes actually mean. Jumping into the middle of instructions is often used for code obfuscation. The technique has also been applied for code size saving in the past, because a byte can be reused and has different meanings depending on which instruction it belongs to

• 跳到教学中间-在IA-32中
• 为什么反汇编数据成为指令?
• 设计指令序列，以便在经过偏移解码后还能执行其他操作
• 什么是重叠说明"混淆?
• 跳到说明中，这是objdump无法处理的情况吗?
• 此方法自行调用的原因是什么?

• Jump into the middle of instruction - in IA-32
• Why are disassembled data becoming instructions?
• Designing an instruction sequence so that it does something else if decoded with an offset
• What is "overlapping instructions" obfuscation?
• Jump into the instructions, is it a case objdump can't handle?
• What is the reason for this method to call itself?

话虽如此，由于函数和循环通常对齐16或32字节，而NOP填充

That said, it might be possible to guess in many cases since functions and loops are often aligned to 16 or 32 bytes, with NOPs padding around

这篇关于是否可以反向解码x86-64指令?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！