assembly - How disassembler extract opcode from memory works? -

-

i'm trying figure out how disassembler works. specifically, how content in memory maps corresponding assembly language opcode.

below content in memory, first column address:

773eed5c  50 ff 15 0c 17 3a 77 90-90 90 90 90 8b ff 55 8b  p....:w.......u. 773eed6c  ec 51 51 83 7d 10 00 74-38 ff 75 10 8d 45 f8 50  .qq.}..t8.u..e.p 773eed7c  e8 14 d7 ff ff 85 c0 74-24 56 ff 75 fc ff 75 0c  .......t$v.u..u. 773eed8c  ff 75 08 e8 ab ff ff ff-83 7d 10 00 8b f0 74 0a  .u.......}....t. 773eed9c  8d 45 f8 50 ff 15 9c 15-3a 77 8b c6 5e c9 c2 0c  .e.p....:w..^... 773eedac  00 83 65 fc 00 eb d2 90-90 90 90 90 8b ff 55 8b  ..e...........u. 773eedbc  ec 57 e8 c7 d6 ff ff 8b-4d 0c 6a 34 5f 03 c7 0f  .w......m.j4_... 773eedcc  b7 00 40 40 03 c9 3b c8-0f 82 07 e5 00 00 56 e8  ..@@..;.......v.

and corresponding disassemble result, first column memory address, second column opcode of instruction, rest columns assembly instructions:

0x773eed5c 50 push    eax 0x773eed63 90 nop 0x773eed65 90 nop 0x773eed67 90 nop 0x773eed6a 55 push    ebp 0x773eed6d 51 push    ecx 0x773eed6f 837d1000 cmp     dword ptr [ebp+10h],0 ss:0023:056cfa8c=778237eb 0x773eed7c e814d7ffff call    kernel32!basep8bitstringtodynamicunicodestring (773ec495)

now can see opcode e814d7ffff on memory literally (e8 14 d7 ff ff)

but how interpret content in memory address 0x773eed5c? how opcode push eax , consecutive nops maps memory content 0c15ff50 90773a17 90909090 8b55ff8b?

update:

the disassemble result gave above incorrect. correct result, shown below, fits content in memory nicely:

0x773eed5c 50 push    eax 0x773eed5d ff150c173a77 call    dword ptr [kernel32+0x170c (773a170c)] ds:0023:773a170c={ntdll!rtlexituserthread (777ef608)} 0x773eed63 90 nop 0x773eed64 90 nop 0x773eed65 90 nop 0x773eed66 90 nop 0x773eed67 90 nop 0x773eed68 8bff mov     edi,edi 0x773eed6a 55 push    ebp 0x773eed6b 8bec mov     ebp,esp 0x773eed6d 51 push    ecx 0x773eed6e 51 push    ecx 0x773eed6f 837d1000 cmp     dword ptr [ebp+10h],0 ss:0023:0447fc24=778237eb 0x773eed73 7438 je      kernel32!openfilemappinga+0x45 (773eedad) [br=1] 0x773eed75 ff7510 push    dword ptr [ebp+10h]  ss:0023:0447fc24=778237eb 0x773eed78 8d45f8 lea     eax,[ebp-8] 0x773eed7b 50 push    eax 0x773eed7c e814d7ffff call    kernel32!basep8bitstringtodynamicunicodestring (773ec495)

for details mistake: i'm using pykd develop tool around windbg. documentation disasm module doesn't cover detail, used wrong param disasm.jumprel function, result in incomplete disassemble result.

there seem stuff missing.

50                push eax ff 15 0c 17 3a 77 call [0x0c173a77] ; did thing go? 90                nop 90                nop 90                nop 90                nop 90                nop 8b ff             mov edi, edi  ; wut? 55                push ebp      ; looks beginning of function 8b ec             mov ebp, esp 51                push ecx 51                push ecx 83 7d 10 00       cmp [ebp + 10], 0

i disassembled manually, may have made mistakes. code weird. disassembly of weirder , have no idea how happened.


Comments

Post a Comment

Popular posts from this blog

java - WrongTypeOfReturnValue exception thrown when unit testing using mockito -

-
my test list<person> mylist; @test public void testisvalidperson() { mylist = new arraylist<person>(); mylist.add(new person("tom")); when(persondao.get(person)).thenreturn(mylist); when((persondao.get(person)).isempty()).thenreturn(false);//------exception thrown boolean result = service.isvalid("tom"); assertfalse(result); } method tested: public boolean isvalid(string person){ persondao = new persondao(); person personobj = new person(person); return (persondao.get(person).isempty())?false : true; } exception thrown: org.mockito.exceptions.misusing.wrongtypeofreturnvalue: boolean cannot returned get() get() should return list *** if you're unsure why you're getting above error read on. due nature of syntax above problem might occur because: 1. exception *might* occur in wrongly written multi-threaded tests. please refer mockito faq on limitations of concurrency testing. 2. sp
Read more

php - Magento - Deleted Base url key -

-
i working on cleaning url: http://mydomain.com/shop/shop/deals i going through settings in configuration tab in admin panel on magento , change secure , unsecure base urls remove first base url "shop" web page read: http://mydomain.com/shop/deals so changed unsecure base urls mydomain.com/shop mydomain.com , secure 12.345.67.89/shop 12.345.67.89. wrong thing do. i cannot reload page or admin console. how access these files through ftp , change correctly there?? when make changes in admin panel changes made in database not in file. have make changes in database. 1.go database , select core_config_data table under table find web/unsecure/base_url , web/secure/base_url . make changes here. don't forget clear cache in var/cache folder
Read more

android - How to disable Button if EditText is empty ? -

-
i have edittext , button in application. when button clicked,the text entered in edittext added listview. i want disable button if edittext empty.how ? this code button click imagebutton imb=(imagebutton)findviewbyid(r.id.btn_send); imb.setonclicklistener(new onclicklistener() { @override public void onclick(view arg0) { edittext et = (edittext)findviewbyid(r.id.edittext1); string str = et.gettext().tostring(); web1.add(str); toast.maketext(shoutsingleprogram.this, "you entered...."+str, toast.length_short).show(); adapter1.notifydatasetchanged(); et.settext(""); } }); } how can ? edittext1.addtextchangedlistener(new textwatcher() { @override public void ontextchanged(charsequence s, int start, int before, in
Read more