x86 assembler - illegal opcode 0xff /7 under Windows


Problem description


I'm currently developing an x86 disassembler, and I started disassembling a win32 PE file. Most of the disassembled code looks good, however there are some occurrences of the illegal 0xff /7 opcode (/7 means reg=111, 0xff is the opcode group inc/dec/call/callf/jmp/jmpf/push/illegal with operand r/m 16/32). The first guess was that /7 is the pop instruction, but it is encoded with 0x8f /0. I've checked this against the official Intel Architecture Software Developer's Manual Volume 2: Instruction Set Reference - so I'm not just misled.


Example disassembly: (S0000O0040683a is a label being jumped to by another instruction)

S0000O0040683a: inc    edi                      ; 0000:0040683a  ff c7
                test   dword ptr [eax+0xff],edi ; 0000:0040683c  85 78 ff
                0xff/7 edi                      ; 0000:0040683f  ff ff


BTW: gdb disassembles this equally (except the bug 0xff not yielding -1 in my disassembly):

(gdb) disassemble 0x0040683a 0x00406840
Dump of assembler code from 0x40683a to 0x406840:
0x0040683a:     inc    %edi
0x0040683c:     test   %edi,0xffffffff(%eax)
0x0040683f:     (bad)  
End of assembler dump.


So the question is: Is there any default handler in the illegal opcode exception handler of Windows which implements any functionality in this illegal opcode, and if yes: What happens there?

Regards, Bodo

Answer


After many, many additional hours getting my disassembler to produce the output in the exact same syntax as gdb does, I could diff the two versions. This revealed a rather awkward bug in my disassembler: I forgot to take into account that the 0x0f 0x8x jump instructions have a TWO byte opcode (plus the rel16/32 operand). So each 0x0f 0x8x jump target was off by one, leading to code which is not reachable in reality. After fixing this bug, no 0xff /7 opcodes are disassembled any longer.


Thanks go to everyone answering my question (and commenting on those answers as well) and thus at least trying to help me.
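As an added example (not the asker's code and not gdb), here is a minimal decoder for just the opcodes that appear in this thread. It treats 0F 8x rel32 as the six bytes it is, and a `jcc_len` switch reproduces the off-by-one described in the answer: following the miscomputed target lands on the 0xff immediate of the preceding instruction and yields the undefined ff /7. The byte sequence and base address are constructed for the demonstration.

```python
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
COND = ["o", "no", "b", "ae", "e", "ne", "be", "a", "s", "ns", "p", "np", "l", "ge", "le", "g"]
GROUP_FF = ["inc", "dec", "call", "callf", "jmp", "jmpf", "push", None]  # ff /7 has no instruction

def rm_operand(code, i):
    """r/m operand of the ModRM at code[i] -> (text, bytes used). Subset: reg, [reg], [reg+disp8]."""
    mod, rm = code[i] >> 6, code[i] & 7
    if mod == 3:
        return REGS[rm], 1
    if mod == 2 or rm == 4 or (mod == 0 and rm == 5):
        raise NotImplementedError("SIB and disp32 forms are outside this example")
    if mod == 0:
        return f"[{REGS[rm]}]", 1
    disp = struct.unpack_from("<b", code, i + 1)[0]   # sign-extended: 0xff is -1, not +0xff
    return f"[{REGS[rm]}{disp:+#x}]", 2

def decode(code, pos, addr, jcc_len=6):
    """Decode one instruction at code[pos] (virtual address addr) -> (text, length, branch target).
    jcc_len=5 models the bug from the answer: 0F 8x rel32 is two opcode bytes plus rel32, six in all."""
    op = code[pos]
    if op == 0x0f and 0x80 <= code[pos + 1] <= 0x8f:
        rel = struct.unpack_from("<i", code, pos + 2)[0]
        target = (addr + jcc_len + rel) & 0xffffffff
        return f"j{COND[code[pos + 1] & 0xf]} 0x{target:08x}", jcc_len, target
    if op == 0xff:
        reg = (code[pos + 1] >> 3) & 7
        if GROUP_FF[reg] is None:                       # reg=111: undefined, gdb prints (bad)
            return "(bad) ; ff /7", 2, None
        text, n = rm_operand(code, pos + 1)
        return f"{GROUP_FF[reg]} {text}", 1 + n, None
    if op == 0x8f and ((code[pos + 1] >> 3) & 7) == 0:  # pop r/m32 is 8f /0, not ff /7
        text, n = rm_operand(code, pos + 1)
        return f"pop {text}", 1 + n, None
    if op == 0x85:                                      # test r/m32, r32 (as in the listing above)
        text, n = rm_operand(code, pos + 1)
        return f"test {text}, {REGS[(code[pos + 1] >> 3) & 7]}", 1 + n, None
    if op == 0x6a:                                      # push imm8 (sign-extended)
        return f"push {struct.unpack_from('<b', code, pos + 1)[0]:#x}", 2, None
    raise NotImplementedError(f"opcode {op:#04x} is outside this example")

# Constructed sample (not from the question): "jne" over "push -1", landing on "push [edi]".
BASE = 0x401000
CODE = bytes.fromhex("0f85 02000000" "6aff" "ff37")

def follow_first_jump(code=CODE, base=BASE, jcc_len=6):
    """Decode the jcc at base, then decode at its target; returns the text found there."""
    _, _, target = decode(code, 0, base, jcc_len)
    return decode(code, target - base, target)[0]
```

Calling `follow_first_jump()` gives `push [edi]`, while `follow_first_jump(jcc_len=5)` gives `(bad) ; ff /7` because the target is one byte short and decoding starts on the 0xff of `6a ff`.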
