Finding out which x64 instruction the IP points at


Old topic!
Guest, the last post of this topic is over 60 days old and at this point you may not reply in this topic. If you wish to continue this conversation start a new topic.

8 replies to this topic

#1 Idov   Members   -  Reputation: 206


Posted 19 April 2013 - 02:36 AM

Hi!
I'm trying to find out if my instruction pointer is in the function's epilog.
To do so I need to know which instruction the IP is pointing at and which parameters the instruction gets.

(From what I understand, I just need to check if it points at a POP, "mov esp,ebp" or a RET instruction - and if it is one of these instructions - I'm in the epilog).

But how can I figure out which instruction the IP is pointing at?

thanks! :)



#2 Idov   Members   -  Reputation: 206


Posted 19 April 2013 - 04:26 AM

I looked at the disassembly of a testing program I wrote and I saw it looked like this:

 

5F                   pop         edi  
5E                   pop         esi  
5B                   pop         ebx  
8B E5                mov         esp,ebp  
5D                   pop         ebp  
C3                   ret 

 

Can I be sure that whenever I see that the IP points at "5D" it's the POP ESI instruction, and the same for the other instructions?



#3 rip-off   Moderators   -  Reputation: 8745


Posted 19 April 2013 - 04:39 AM

What are you trying to achieve? In what language? Is this an introspective program, or are you analysing another process?



#4 Idov   Members   -  Reputation: 206


Posted 19 April 2013 - 05:24 AM

I'm trying to unwind a x64 callstack of another process (in C++).
 



#5 Vortez   Crossbones+   -  Reputation: 2704


Posted 19 April 2013 - 05:27 AM

Why don't you use a debugger??? Even without the source you should still be able to start the program with it and place breakpoints, view the call stack, etc.

 

you should be able to see eip or whatever it's called in x64 in the cpu register debug window

 

EDIT: oh well, if it's in another process, I dunno, I guess the ip is stored somewhere on the stack like in 32 bits, but I never really tried it in 64 bit...


Edited by Vortez, 19 April 2013 - 05:35 AM.


#6 ApochPiQ   Moderators   -  Reputation: 16407


Posted 19 April 2013 - 10:16 AM

I looked at the disassembly of a testing program I wrote and I saw it looked like this:
 
5F                   pop         edi  
5E                   pop         esi  
5B                   pop         ebx  
8B E5                mov         esp,ebp  
5D                   pop         ebp  
C3                   ret 

 
Can I be sure that whenever I see that the IP points at "5D" it's the POP ESI instruction, and the same for the other instructions?

First of all, that's 32-bit x86 assembly, not x64. So if you're trying to analyze an x64 process with those bytecode values, you're going to get incorrect results :-)

Just dereference the pointer stored in the RIP register, or if you're unwinding a call stack, the RIP value from the stack frame you want to look at. Its byte values will always be the same for certain series of instructions.

#7 Idov   Members   -  Reputation: 206


Posted 19 April 2013 - 03:08 PM

oops,  thanks :)
Is there a place where I can see a list of the op codes for x64 (or how the op codes are structured)?
I think it will be much easier and "safer" than to look for what I need in random assembly code...



#8 Nypyren   Crossbones+   -  Reputation: 4808


Posted 19 April 2013 - 03:53 PM

5D is also 'POP RBP' when in x64 mode (it doesn't need a REX prefix).

Instructions are decoded differently whether the processor is in 64-bit or 32-bit mode. When I decoded that in 64-bit mode, I got:
POP Rdi
POP Rsi
POP Rbx
MOV Esp, Ebp
POP Rbp
RETN
Although they are valid instructions, notice the MOV instruction is missing a REX prefix necessary to encode Rsp, Rbp, indicating that your program is in fact 32-bit.


I wrote my disassembler from the "opcode map" section of the Intel Processor manuals. It's extremely difficult to understand since the manual is intended for people writing assemblers, not disassemblers. Critical information is scattered throughout hundreds of pages in hard-to-spot places.

Edited by Nypyren, 19 April 2013 - 04:02 PM.
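As an added example that is not part of the thread (every name in it is hypothetical): a small C decoder for the x64 epilog instructions discussed in posts #6 and #8. It assumes the bytes have already been copied out of a 64-bit target process (for example with ReadProcessMemory, not shown) and decodes them in 64-bit mode, so the REX-prefix point from post #8 falls out directly: plain `8B E5` is `mov esp,ebp` and is rejected, while `48 8B E5` is `mov rsp,rbp`. `in_epilog` then does the check the thread asks for, walking forward from the IP and reporting true only if a `ret` is reached through epilog-only instructions. It goes slightly beyond the thread by also accepting the `add rsp,imm` / `lea rsp,[rbp+disp]` / `leave` / `pop r8..r15` forms that real x64 epilogs use.

```c
/* Added example (not code from the thread): classify the x64 instruction at
 * an instruction pointer and decide whether that IP lies in a function epilog.
 * Bytes are assumed to come from a 64-bit process and are decoded in 64-bit
 * mode. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    EPI_NONE = 0,     /* not an instruction accepted in an epilog */
    EPI_POP,          /* 58+r: pop r64; REX.B (41) selects r8..r15 */
    EPI_MOV_RSP_RBP,  /* 48 8B E5 or 48 89 EC: mov rsp, rbp */
    EPI_ADJUST_RSP,   /* 48 83/81 C4 imm: add rsp,imm; 48 8D 65/A5 disp: lea rsp,[rbp+disp] */
    EPI_LEAVE,        /* C9: mov rsp,rbp ; pop rbp */
    EPI_RET           /* C3, C2 iw, or F3 C3 (rep ret) */
} epi_kind;

static const char *const epi_name[] = {
    "none", "pop r64", "mov rsp,rbp", "adjust rsp", "leave", "ret"
};

/* Decode the single instruction at p (n bytes readable). *len receives its
 * length, or 0 when it is not one of the epilog instructions above. */
static epi_kind epilog_insn_at(const uint8_t *p, size_t n, size_t *len)
{
    *len = 0;
    if (n == 0) return EPI_NONE;
    size_t i = 0;
    uint8_t rex = 0;
    /* In 64-bit mode a byte 40..4F directly before the opcode is a REX prefix. */
    if ((p[0] & 0xF0) == 0x40) { if (n < 2) return EPI_NONE; rex = p[0]; i = 1; }
    uint8_t op = p[i];

    /* pop r64 is one byte; with REX.B the same opcode pops r8..r15 (e.g. 41 5F = pop r15). */
    if (op >= 0x58 && op <= 0x5F) { *len = i + 1; return EPI_POP; }

    if (rex == 0) {
        if (op == 0xC3) { *len = 1; return EPI_RET; }
        if (op == 0xC2 && n >= 3) { *len = 3; return EPI_RET; }
        if (op == 0xF3 && n >= 2 && p[1] == 0xC3) { *len = 2; return EPI_RET; }
        if (op == 0xC9) { *len = 1; return EPI_LEAVE; }
    }
    /* These operate on rsp/rbp as 64-bit registers only with REX.W (48).
     * Without it, 8B E5 is "mov esp, ebp", the 32-bit form from the thread,
     * and is deliberately not accepted. */
    if (rex == 0x48 && n >= 3) {
        uint8_t modrm = p[2];
        if ((op == 0x8B && modrm == 0xE5) || (op == 0x89 && modrm == 0xEC)) { *len = 3; return EPI_MOV_RSP_RBP; }
        if (op == 0x83 && modrm == 0xC4 && n >= 4) { *len = 4; return EPI_ADJUST_RSP; } /* add rsp, imm8 */
        if (op == 0x81 && modrm == 0xC4 && n >= 7) { *len = 7; return EPI_ADJUST_RSP; } /* add rsp, imm32 */
        if (op == 0x8D && modrm == 0x65 && n >= 4) { *len = 4; return EPI_ADJUST_RSP; } /* lea rsp,[rbp+disp8] */
        if (op == 0x8D && modrm == 0xA5 && n >= 7) { *len = 7; return EPI_ADJUST_RSP; } /* lea rsp,[rbp+disp32] */
    }
    return EPI_NONE;
}

/* Walk forward from p. True if a ret is reached through epilog-only
 * instructions. *stop (if non-NULL) gets the offset of that ret, or of the
 * first byte that failed to decode as an epilog instruction. */
static bool in_epilog(const uint8_t *p, size_t n, size_t *stop)
{
    size_t off = 0, len;
    while (off < n) {
        epi_kind k = epilog_insn_at(p + off, n - off, &len);
        if (k == EPI_NONE || k == EPI_RET) {
            if (stop) *stop = off;
            return k == EPI_RET;
        }
        off += len;
    }
    if (stop) *stop = off;   /* ran out of bytes before any ret */
    return false;
}

static int    epilog_kind_at(const uint8_t *p, size_t n) { size_t len; return epilog_insn_at(p, n, &len); }
static size_t epilog_stop_offset(const uint8_t *p, size_t n) { size_t s; in_epilog(p, n, &s); return s; }

/* Constructed samples (not captured from a real process). */
static const uint8_t from_thread[] = {0x5F,0x5E,0x5B,0x8B,0xE5,0x5D,0xC3}; /* the thread's 32-bit bytes, read as x64 */
static const uint8_t msvc_fp[]     = {0x48,0x8B,0xE5,0x5D,0xC3};           /* mov rsp,rbp ; pop rbp ; ret */
static const uint8_t pop_hi[]      = {0x41,0x5F,0x41,0x5E,0x5B,0xC3};      /* pop r15 ; pop r14 ; pop rbx ; ret */
static const uint8_t add_rsp[]     = {0x48,0x83,0xC4,0x28,0xC3};           /* add rsp,28h ; ret */
static const uint8_t lea_rsp[]     = {0x48,0x8D,0x65,0x20,0x5D,0xC3};      /* lea rsp,[rbp+20h] ; pop rbp ; ret */
static const uint8_t prolog[]      = {0x48,0x89,0x5C,0x24,0x08};           /* mov [rsp+8],rbx: not an epilog */

static void report(const char *label, const uint8_t *p, size_t n)
{
    size_t stop, len;
    bool ok = in_epilog(p, n, &stop);
    printf("%-12s in_epilog=%d stopped at +%zu (%s)\n", label, ok, stop,
           epi_name[epilog_insn_at(p + stop, n - stop, &len)]);
}

int main(void)
{
    report("from_thread", from_thread, sizeof from_thread); /* stops at +3: 8B E5 is mov esp,ebp */
    report("msvc_fp", msvc_fp, sizeof msvc_fp);
    report("pop_hi", pop_hi, sizeof pop_hi);
    report("add_rsp", add_rsp, sizeof add_rsp);
    report("lea_rsp", lea_rsp, sizeof lea_rsp);
    report("prolog", prolog, sizeof prolog);
    return 0;
}
```

The walk over the thread's own bytes accepts the three pops (in 64-bit mode they are `pop rdi/rsi/rbx`) and then stops at `8B E5`, which is the symptom post #8 describes: a 64-bit decoder run over a 32-bit (WOW64) target gives plausible-looking but wrong answers, so the unwinder has to know the target's bitness before it inspects a single byte. The pattern scan itself is how the Windows x64 unwinder handles this case too: UNWIND_INFO describes only the prolog, and the ABI restricts an epilog to an `add rsp,imm` or `lea rsp,[rbp+disp]`, zero or more 8-byte pops and a `ret` (or tail `jmp`), so RtlVirtualUnwind recognizes an IP inside an epilog by matching those bytes forward from RIP.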


#9 ApochPiQ   Moderators   -  Reputation: 16407


Posted 19 April 2013 - 03:56 PM

I found this quickly by googling "x64 opcode chart":

http://ref.x86asm.net/coder64.html

You can probably find even more resources with a similar search :-)



