
Thread: how to check if a byte is part of an opcode

  1. #1

    how to check if a byte is part of an opcode

    Hi all,

    and yet another stupid question
    I have a code byte stream (from a dump) and I'm using Distorm to disassemble the code at a specific position of the stream.
    My problem is how can I make sure that I'm not starting at the wrong position, meaning how can I check if my current position/byte
    is not part of another opcode?

    Example:
    I start inside my buffer with the byte sequence E8 0C 3B CA 8B -> CALL 08C0C41C8 (wrong)
    but if I start one byte earlier with 83 E8 0C 3B CA 8B I get the correct disassembled commands:
    SUB EAX, 0C
    CMP ECX, EDX

    I try to search a code section for special calls and jmps but I get a lot of wrong results because of this problem. Even if I check
    whether the call/jmp location is in a defined memory area, it might not be a valid one.
    I searched the net up and down (perhaps with the wrong query) but I can't find any information about this.
    Does anyone here know how to handle this situation? Do I have to disassemble a little bit more code and check if CALLs/JMPs
    point to meaningful addresses? But what is meaningful then?

    regards
    tr1stan

  2. #2
    There is no way to know where an opcode starts. Disassemblers start disassembling at the entry point and at every address where some previously disassembled opcode jumps to, or at exported addresses in case of DLLs.
    So if you are looking only for "special" calls, you have found yourself the right solution: check for meaningful addresses. Meaningful addresses are inside the image and required DLL ranges (taken from the PE header).

    Best regards, bilbo
    Non quia difficilia sunt, non audemus, sed quia non audemus, difficilia sunt.[Seneca, Epistulae Morales 104, 26]
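
The range check suggested in the reply, sketched as an added example (not code from either poster). The base address, the valid range and the bytes after the thread's `83 E8 0C 3B CA 8B` are constructed assumptions; in practice the ranges come from the PE section headers of the image and its DLLs. As the question notes, a target inside a valid range can still be a false positive, so this only narrows the candidates.

```python
import struct

# Constructed sample: the thread's bytes 83 E8 0C 3B CA 8B, completed with C1
# (MOV EAX, ECX), then a real CALL rel32 (E8 10 00 00 00) and a RET.
BASE = 0x00401000  # assumed load address of this buffer
CODE = bytes.fromhex("83E80C" "3BCA" "8BC1" "E810000000" "C3")

# Assumed valid target ranges as (start, end_exclusive); normally built from
# the PE headers of the main image and the DLLs it requires.
RANGES = [(0x00401000, 0x00402000)]


def in_ranges(addr, ranges):
    """True if addr falls inside any (start, end_exclusive) range."""
    return any(start <= addr < end for start, end in ranges)


def candidate_branches(code, base, ranges):
    """Scan every byte for E8/E9 and decode it as CALL/JMP rel32.

    Returns (address, mnemonic, target, plausible) tuples. The scan has no
    idea where instructions start, so some hits sit inside other opcodes;
    'plausible' marks those whose target lands in a known range.
    """
    hits = []
    for off in range(len(code) - 4):          # need opcode + 4 operand bytes
        op = code[off]
        if op not in (0xE8, 0xE9):
            continue
        rel = struct.unpack_from("<i", code, off + 1)[0]   # signed rel32
        # Target is relative to the address of the next instruction.
        target = (base + off + 5 + rel) & 0xFFFFFFFF
        name = "CALL" if op == 0xE8 else "JMP"
        hits.append((base + off, name, target, in_ranges(target, ranges)))
    return hits


def plausible_branches(code, base, ranges):
    """Keep only the candidates whose target is inside a valid range."""
    return [h for h in candidate_branches(code, base, ranges) if h[3]]


if __name__ == "__main__":
    for addr, name, target, ok in candidate_branches(CODE, BASE, RANGES):
        verdict = "plausible" if ok else "rejected (target outside image)"
        print(f"{addr:08X}  {name} {target:08X}  {verdict}")
```

The E8 at offset 1 is the ModRM byte of `SUB EAX, 0C`; decoded as a CALL its target falls far outside the assumed range and is dropped, while the real CALL at offset 7 is kept.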
