
Length disassembler

A length disassembler is a translator that converts machine code into instruction lengths; it is an analogue of the disassembler that computes only the size of each processor instruction. It is typically used with machine-code architectures that allow significant differences in instruction length, usually those of the CISC class. For example, on x86 and x86_64 (Intel and AMD), an instruction takes from 1 to 15 bytes [1]. By contrast, in the common RISC architectures an instruction either always takes 4 bytes, or 2- and 4-byte instructions are allowed.

The length disassembler examines the processor's machine code only to estimate how many bytes the current instruction occupies and where the next one begins.

A similar mechanism exists in the processor itself, which prefetches instructions from memory and pipelines their execution [2] [1]. In processors with internal parallelism, the first stage of the instruction decoder determines instruction lengths in order to find where the following instructions begin [3] [4]. When the lengths are determined successfully, several instructions can be passed on for decoding at once. In some implementations, instruction-length information may be stored in the instruction cache. By observing the hardware length decoder, researchers have found previously undocumented instruction spaces in some processors [5] [6].

A software length disassembler is needed for:

  • decoding instructions in a disassembler;
  • recompiling function prologs;
  • quick analysis of program instructions.

Recompiling function prologs is necessary when intercepting function calls and is widely used on Windows (on all 32-bit processors compatible with the i80386).

To intercept calls to a function, its first 5 bytes are replaced with the instruction "jmp f_ptr_my_func"; but to preserve the function's behaviour, the original first 5 bytes must be stored somewhere, and for this the sizes of the instructions present and their purpose are analysed.

Often more than 5 bytes must be saved, because part of an instruction cannot be moved (and x86 instructions have different formats and sizes). For the moved instructions to remain operational, they are recompiled, replaced with equivalent ones, and followed by an unconditional jump back into the original function (to continue its code). This method of interception (substituting the function's prolog) is called interception by splicing. It is the most efficient interception method and requires a good knowledge of x86 assembler.
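As an added example, not code from this article or from any project it names, here is a small length decoder in C for 32-bit x86 covering the instruction forms commonly found in function prologs, plus a helper that computes how many whole prolog bytes a splicing hook must save before overwriting the first 5 bytes. The function names, the decoded subset and the sample byte sequences are constructed for this illustration; instructions outside the subset, and the 0x67 address-size prefix, are reported as length 0 so that the caller refuses to hook rather than cutting an instruction in half.

```c
#include <stddef.h>
#include <stdint.h>
/* Size of a ModRM-addressed operand: ModRM byte, optional SIB byte, displacement. */
static size_t modrm_len(const uint8_t *p) {
    uint8_t mod = p[0] >> 6, rm = p[0] & 7; size_t n = 1;
    if (mod == 3) return n;                                          /* register operand only */
    if (rm == 4) n += 1 + ((mod == 0 && (p[1] & 7) == 5) ? 4 : 0);   /* SIB; base=5, mod=0: disp32 */
    return n + (mod == 1 ? 1 : mod == 2 ? 4 : (rm == 5 ? 4 : 0));    /* disp8 / disp32 / [disp32] */
}
/* Length of the 32-bit x86 instruction at p, or 0 when it is outside the decoded subset (a constructed
   subset for typical prologs: push/pop, mov, lea, grp1 arithmetic, test/cmp, call/jmp/jcc, ret, nop). */
size_t x86_insn_len(const uint8_t *p) {
    size_t n = 0, imm = 4;                                           /* imm: immediate / rel32 size */
    for (;; n++) {                                                   /* legacy prefixes */
        if (p[n] == 0x66) imm = 2;                                   /* operand size: imm32 becomes imm16 */
        else if (p[n] == 0x67) return 0;                             /* 16-bit addressing: refuse to guess */
        else if (!(p[n] == 0xF0 || p[n] == 0xF2 || p[n] == 0xF3 || p[n] == 0x26 || p[n] == 0x2E ||
                   p[n] == 0x36 || p[n] == 0x3E || p[n] == 0x64 || p[n] == 0x65)) break;
    }
    uint8_t op = p[n++];
    if (op == 0x0F) {                                                /* two-byte opcode map */
        uint8_t op2 = p[n++];
        if (op2 >= 0x80 && op2 <= 0x8F) return n + imm;              /* jcc rel32 */
        return (op2 == 0x1F || op2 == 0xB6 || op2 == 0xB7) ? n + modrm_len(p + n) : 0; /* nop r/m, movzx */
    }
    if ((op >= 0x50 && op <= 0x5F) || op == 0x90 || op == 0xC3 || op == 0xC9 || op == 0xCC) return n;
    if ((op >= 0xB8 && op <= 0xBF) || op == 0x68 || op == 0xE8 || op == 0xE9) return n + imm; /* imm32/rel32 */
    if (op == 0x6A || op == 0xEB || (op >= 0x70 && op <= 0x7F)) return n + 1;  /* push imm8, jmp/jcc rel8 */
    if (op == 0xC2) return n + 2;                                    /* ret imm16 */
    if (op == 0x81 || op == 0xC7) return n + modrm_len(p + n) + imm; /* grp1 r/m,imm32; mov r/m,imm32 */
    if (op == 0x83 || op == 0xC6) return n + modrm_len(p + n) + 1;   /* grp1 r/m,imm8; mov r/m8,imm8 */
    switch (op) {                                                    /* ModRM-only forms */
    case 0x01: case 0x03: case 0x09: case 0x0B: case 0x21: case 0x23: case 0x29: case 0x2B:
    case 0x31: case 0x33: case 0x39: case 0x3B: case 0x85: case 0x88: case 0x89: case 0x8B:
    case 0x8D: case 0xFF: return n + modrm_len(p + n);
    }
    return 0;                                                        /* not in the subset */
}
/* Smallest run of whole instructions covering the 5 bytes a jmp rel32 overwrites: the prolog bytes a
   splicing hook must save. 0 if a length is unknown or the run exceeds 'avail' readable bytes.
   Relative branches (E8/E9/EB/jcc) in the run still need their targets re-encoded when moved. */
size_t prolog_bytes_to_save(const uint8_t *code, size_t avail) {
    size_t total = 0;
    while (total < 5) {
        size_t len = total < avail ? x86_insn_len(code + total) : 0;
        if (len == 0 || total + len > avail) return 0;
        total += len;
    }
    return total;
}
```

For the classic MSVC prolog `55 8B EC 83 EC 10` the helper returns 6, not 5, because `sub esp, 10h` straddles the fifth byte; for the hot-patchable `8B FF 55 8B EC` prolog it returns exactly 5.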

Examples of length disassemblers can be found in Yuan Feng's book "Programming Graphics for Windows" (the length disassembler presented there has two errors in its description of x86 instructions). A length disassembler can also be found on wasm.ru.

Because multiple prefixes may be used, some combinations of which are prohibited or ignored while others change the instruction's length, there are a number of widespread errors in determining lengths for rare combinations. Sometimes the hardware implementations of different vendors handle such cases differently [7] [8].

See also

  • Disassembler
  • Decompiler
  • Assembler
  • Reverse engineering
  • Hacking software
  • IDA

Notes

  1. https://www.agner.org/optimize/blog/read.php?i=25: "The length of an instruction can be anywhere from one to fifteen bytes. If we want to decode several instructions simultaneously, then we have a serious problem. We have to know the length of the first instruction before we know where the second instruction begins."
  2. United States Patent 8930678.
  3. Antonio Gonzalez. 4.4.1 Instruction Length Decoder // Processor Microarchitecture: An Implementation Perspective. Morgan & Claypool Publishers, 2010. P. 35. 116 p.
  4. PC Mag, 21 Feb 1995, page 196, "Pentium Alternatives": "In NexGen's Nx586, prefetch circuitry determines instruction length and performs alignment of the x86 instructions".
  5. domas @xoreaxeaxeax. Breaking the x86 ISA, p. 123. Black Hat (2017). Retrieved November 2, 2018.
  6. N-version Disassembly: Differential Testing of x86 Disassemblers. International Conference on Software Testing and Analysis (2010). Retrieved November 2, 2018.
  7. domas @xoreaxeaxeax. Breaking the x86 ISA (English), p. 132. Black Hat (2017). Retrieved November 2, 2018.
  8. Roberto Paleari. N-version Disassembly: Differential Testing of x86 Disassemblers. International Conference on Software Testing and Analysis (2010). Retrieved November 2, 2018.

Links

  • Popular Disassemblers
  • "xed_decoded_inst_get_length" in Intel XED: examples
  • https://github.com/greenbender/lend
  • http://z0mbie.daemonlab.org/lde_eng.html
Source: https://ru.wikipedia.org/w/index.php?title=Disassembler_length&oldid=97176271