#Actual Nypyren

Posted 19 April 2013 - 04:02 PM

5D is also 'POP RBP' when in x64 mode (it doesn't need a REX prefix).

Instructions are decoded differently whether the processor is in 64-bit or 32-bit mode. When I decoded that in 64-bit mode, I got:
POP Rdi
POP Rsi
POP Rbx
MOV Esp, Ebp
POP Rbp
RETN
Although they are valid instructions, notice the MOV instruction is missing a REX prefix necessary to encode Rsp, Rbp, indicating that your program is in fact 32-bit.


I wrote my disassembler from the "opcode map" section of the Intel Processor manuals. It's extremely difficult to understand since the manual is intended for people writing assemblers, not disassemblers. Critical information is scattered throughout hundreds of pages in hard-to-spot places.
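
The mode-dependent decoding described in the post above, as an added example that is not part of the original thread and not Nypyren's disassembler: a minimal Python decoder that handles only POP r, register-to-register MOV (8B /r), RET and the 40-4F byte range. The byte strings are constructed samples, not bytes quoted from the thread.

```python
# Added example: decodes only the few opcodes this epilogue needs.
R32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"] + [f"r{n}d" for n in range(8, 16)]
R64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"] + [f"r{n}" for n in range(8, 16)]

# Constructed sample: a typical 32-bit function epilogue.
EPILOGUE = bytes([0x5F, 0x5E, 0x5B, 0x8B, 0xE5, 0x5D, 0xC3])
# Constructed sample: the same MOV with a REX.W prefix (0x48) in front.
REX_MOV = bytes([0x48, 0x8B, 0xE5])

def decode(code, bits):
    """Return mnemonics for `code` decoded in 32- or 64-bit mode."""
    out, i = [], 0
    while i < len(code):
        b, rex = code[i], 0
        if 0x40 <= b <= 0x4F and bits == 32:
            # In 32-bit mode these bytes are one-byte INC/DEC r32.
            out.append(("inc " if b < 0x48 else "dec ") + R32[b & 7])
            i += 1
            continue
        if 0x40 <= b <= 0x4F and i + 1 < len(code):
            # In 64-bit mode the same bytes are a REX prefix: 0100WRXB.
            rex, i = b, i + 1
            b = code[i]
        rex_w, rex_r, rex_b = (rex >> 3) & 1, (rex >> 2) & 1, rex & 1
        if 0x58 <= b <= 0x5F:
            # POP r: operand is 64-bit by default in 64-bit mode, no REX.W needed.
            n = (b & 7) | (rex_b << 3)
            out.append("pop " + (R64 if bits == 64 else R32)[n])
            i += 1
        elif b == 0x8B and i + 1 < len(code) and code[i + 1] >> 6 == 3:
            # MOV r, r/m with mod=11: stays 32-bit unless REX.W is set.
            modrm = code[i + 1]
            names = R64 if rex_w else R32
            dst = ((modrm >> 3) & 7) | (rex_r << 3)
            src = (modrm & 7) | (rex_b << 3)
            out.append(f"mov {names[dst]}, {names[src]}")
            i += 2
        elif b == 0xC3:
            out.append("ret")
            i += 1
        else:
            out.append(f"db 0x{b:02x}")  # anything outside this tiny subset
            i += 1
    return out

if __name__ == "__main__":
    for sample in (EPILOGUE, REX_MOV):
        for bits in (32, 64):
            print(bits, sample.hex(" "), "->", "; ".join(decode(sample, bits)))
```

Decoding `EPILOGUE` in 64-bit mode gives 64-bit POPs around a 32-bit `mov esp, ebp`, the mismatch the post points to, while `REX_MOV` decoded in 32-bit mode turns the prefix byte into a separate `dec eax`.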

#5 Nypyren

Posted 19 April 2013 - 04:01 PM

5D is also 'POP RBP' when in x64 mode (it doesn't need a REX prefix).

Instructions are decoded differently whether the processor is in 64-bit or 32-bit mode. When I decoded that in 64-bit mode, I got:
POP Rdi
POP Rsi
POP Rbx
MOV Esp, Ebp
POP Rbp
RETN
Although they are valid instructions, notice the MOV instruction is missing a REX prefix necessary to encode Rsp, Rbp, indicating that your program is in fact 32-bit.


I wrote my disassembler from the "opcode map" section of the Intel Processor manuals. It's extremely difficult to understand since the manual is intended for people writing assemblers, not disassemblers.

#4 Nypyren

Posted 19 April 2013 - 03:59 PM

5D is also 'POP RBP' when in x64 mode (it doesn't need a REX prefix).

Instructions are decoded differently whether the processor is in 64-bit or 32-bit mode. When I decoded that in 64-bit mode, I got:
POP Rdi
POP Rsi
POP Rbx
MOV Esp, Ebp
POP Rbp
RETN
Although they are valid instructions, notice the MOV instruction is missing a REX prefix necessary to encode Rsp, Rbp, indicating that your program is in fact 32-bit.

#3 Nypyren

Posted 19 April 2013 - 03:59 PM

5D is also 'POP RBP' when in x64 mode (it doesn't need a REX prefix).

Instructions are decoded differently whether the processor is in 64-bit or 32-bit mode. When I decoded that in 64-bit mode, I got:
POP Rdi
POP Rsi
POP Rbx
MOV Esp, Ebp
POP Rbp
RETN
Notice the MOV instruction is missing a REX prefix necessary to encode Rsp, Rbp, indicating that your program is in fact 32-bit.

#2 Nypyren

Posted 19 April 2013 - 03:54 PM

5D is also 'POP RBP' when in x64 mode (it doesn't need a REX prefix).

Instructions are decoded differently whether the processor is in 64-bit or 32-bit mode.

Not only is it possible that the code you're looking at is 32-bit, but it's also possible that your disassembler doesn't handle 64-bit mode.

#1 Nypyren

Posted 19 April 2013 - 03:53 PM

5D is also 'POP RBP' when in x64 mode (it doesn't need a REX prefix).

Instructions are decoded differently whether the processor is in 64-bit or 32-bit mode.
