

asm mania. Stepping through instructions.


5 replies to this topic

#1 bladder

    DevMaster Staff

  • Members
  • 1057 posts

Posted 25 February 2005 - 07:39 AM

I never imagined that Nick's x86 decoder might have some use for me. But, heh, I guess I was wrong. I'm trying to go through instructions in a function. So given a function address, my function should return the next instruction.

I thought getting the first instruction would be easy. Because I ran some tests and the first instruction was essentially the address of the function. But just now, I ran into a snag. I tried making some other function, and this time the address of the function was not the address of the first instruction, but it was the address of the jmp instruction that had the real address of the next instruction.

So how can I know if the first address is a jmp to the real address or if the first address is the address itself?

Essentially, I want to be able to do this:

void function()
{
 push    ebp 
 mov     ebp,esp 
 sub     esp,0C0h 
 push    ebx 
 push    esi 
 push    edi
 // other stuff
}

dword i1 = sizeofinstr(function);           // return sizeof push instruction (1)
dword i2 = sizeofinstr(function + i1);      // return sizeof mov instruction (2)
dword i3 = sizeofinstr(function + i1 + i2); // return sizeof sub instruction (6)
// etc...

How will I know when the function ends? Is there a standard terminate function byte or something?

#2 Kenneth Gorking

    Senior Member

  • Members
  • 939 posts

Posted 25 February 2005 - 10:34 AM

ret?
"Stupid bug! You go squish now!!" - Homer Simpson

#3 bladder

    DevMaster Staff

  • Members
  • 1057 posts

Posted 25 February 2005 - 11:59 AM

ret? How can ret help? Anyway, I did some more testing. I've semi-managed to change Nick's code to calculate the size of an instruction. It seems to be off by a certain amount. Like for the push instruction it returns 1, but for the mov instruction it returns 3 (though it should return 2, right??) and for the sub instruction it returns 3 (though it should return 6, right??)

The thing I changed in Nick's code was just wherever Nick put in something like

func++

I'd just add 1 to a 'total' variable. So if he did func += 2, I'd add a total += 2 statement right after the func statement.

But I still have my other problem of getting to the start of a function. E.g.: a function address is 404123, but that's actually the address of a jmp to some other memory location where the function really starts. How can I determine the starting address of a function?

#4 anubis

    Senior Member

  • Members
  • 2225 posts

Posted 25 February 2005 - 01:34 PM

Test for the jmp opcode? That's really all I can think of.
If Prolog is the answer, what is the question ?

#5 bladder

    DevMaster Staff

  • Members
  • 1057 posts

Posted 25 February 2005 - 01:41 PM

I've been trying to do that. I've been trying something like:

(void*)( 0x00ffffff & (*((int*)f1)) )

where f1 is the function name.

But it's not coming out correct :)
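An added example (not from the thread or from Nick's decoder) of the two things asked about here: resolving an E9 jump thunk at the function's address, and sizing the prologue instructions from the first post. The target of a near jmp is relative, va + 5 + rel32 with the rel32 sign-extended from the four bytes after the opcode, which is why masking the first dword with 0x00ffffff cannot yield an address. Assumes 32-bit code and a constructed byte buffer standing in for the mapped function; the length decoder deliberately covers only the prologue forms shown in the thread plus ret.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* If the bytes at `code` start with E9 rel32 (near jmp, as emitted for an
   incremental-link thunk), the function really starts at va + 5 + rel32,
   where va is the address the thunk itself sits at. Otherwise va is already
   the first instruction. */
static uint32_t resolve_thunk(const uint8_t *code, uint32_t va)
{
    if (code[0] != 0xE9)
        return va;
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return va + 5 + rel;            /* uint32 wrap handles a negative rel32 */
}

/* Instruction length for the prologue forms in the thread; NOT a general
   x86 decoder. Unknown opcodes return 0 so the caller stops rather than guessing. */
static size_t insn_len(const uint8_t *p)
{
    if (p[0] >= 0x50 && p[0] <= 0x57) return 1;                              /* push r32      */
    if ((p[0] == 0x8B || p[0] == 0x89) && (p[1] & 0xC0) == 0xC0) return 2;   /* mov r32,r32   */
    if (p[0] == 0x81 && (p[1] & 0xF8) == 0xE8) return 6;                     /* sub r32,imm32 */
    if (p[0] == 0x83 && (p[1] & 0xF8) == 0xE8) return 3;                     /* sub r32,imm8  */
    if (p[0] == 0xC3) return 1;                                              /* ret           */
    return 0;
}

/* Walk `size` bytes from `p`, recording each length into lens[]; stops after
   ret or at an undecodable byte. Returns the number of instructions recorded. */
static size_t walk_prologue(const uint8_t *p, size_t size, size_t *lens, size_t max)
{
    size_t n = 0, off = 0;
    while (n < max && off < size) {
        size_t len = insn_len(p + off);
        if (len == 0 || off + len > size) break;
        lens[n++] = len;
        off += len;
        if (p[off - len] == 0xC3) break;   /* ret: end of the straight-line walk */
    }
    return n;
}

/* Constructed sample: thunk at VA 0x00401000 jumping to 0x00401020, and the
   thread's prologue (push ebp; mov ebp,esp; sub esp,0C0h; push ebx/esi/edi) + ret. */
static const uint8_t thunk[5]   = {0xE9, 0x1B, 0x00, 0x00, 0x00};
static const uint8_t prologue[] = {0x55, 0x8B, 0xEC, 0x81, 0xEC, 0xC0, 0x00, 0x00, 0x00,
                                   0x53, 0x56, 0x57, 0xC3};

int main(void)
{
    size_t lens[16], n = walk_prologue(prologue, sizeof prologue, lens, 16);
    printf("thunk target: %08x\n", resolve_thunk(thunk, 0x00401000u));
    for (size_t i = 0; i < n; i++) printf("insn %zu: %zu byte(s)\n", i, lens[i]);
    return 0;
}
```

The walk is only valid for straight-line code up to the first ret; a real function can contain a ret in the middle, a jump past it, or data, so a general "where does the function end" answer needs control-flow analysis, not a byte scan.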

#6 bladder

    DevMaster Staff

  • Members
  • 1057 posts

Posted 27 February 2005 - 05:01 AM

Fixed the size issue.




