assembly - How disassembler extract opcode from memory works? -

-

i'm trying figure out how disassembler works. specifically, how content in memory maps corresponding assembly language opcode.

below content in memory, first column address:

773eed5c  50 ff 15 0c 17 3a 77 90-90 90 90 90 8b ff 55 8b  p....:w.......u. 773eed6c  ec 51 51 83 7d 10 00 74-38 ff 75 10 8d 45 f8 50  .qq.}..t8.u..e.p 773eed7c  e8 14 d7 ff ff 85 c0 74-24 56 ff 75 fc ff 75 0c  .......t$v.u..u. 773eed8c  ff 75 08 e8 ab ff ff ff-83 7d 10 00 8b f0 74 0a  .u.......}....t. 773eed9c  8d 45 f8 50 ff 15 9c 15-3a 77 8b c6 5e c9 c2 0c  .e.p....:w..^... 773eedac  00 83 65 fc 00 eb d2 90-90 90 90 90 8b ff 55 8b  ..e...........u. 773eedbc  ec 57 e8 c7 d6 ff ff 8b-4d 0c 6a 34 5f 03 c7 0f  .w......m.j4_... 773eedcc  b7 00 40 40 03 c9 3b c8-0f 82 07 e5 00 00 56 e8  ..@@..;.......v.

and corresponding disassemble result, first column memory address, second column opcode of instruction, rest columns assembly instructions:

0x773eed5c 50 push    eax 0x773eed63 90 nop 0x773eed65 90 nop 0x773eed67 90 nop 0x773eed6a 55 push    ebp 0x773eed6d 51 push    ecx 0x773eed6f 837d1000 cmp     dword ptr [ebp+10h],0 ss:0023:056cfa8c=778237eb 0x773eed7c e814d7ffff call    kernel32!basep8bitstringtodynamicunicodestring (773ec495)

now can see opcode e814d7ffff on memory literally (e8 14 d7 ff ff)

but how interpret content in memory address 0x773eed5c? how opcode push eax , consecutive nops maps memory content 0c15ff50 90773a17 90909090 8b55ff8b?

update:

the disassemble result gave above incorrect. correct result, shown below, fits content in memory nicely:

0x773eed5c 50 push    eax 0x773eed5d ff150c173a77 call    dword ptr [kernel32+0x170c (773a170c)] ds:0023:773a170c={ntdll!rtlexituserthread (777ef608)} 0x773eed63 90 nop 0x773eed64 90 nop 0x773eed65 90 nop 0x773eed66 90 nop 0x773eed67 90 nop 0x773eed68 8bff mov     edi,edi 0x773eed6a 55 push    ebp 0x773eed6b 8bec mov     ebp,esp 0x773eed6d 51 push    ecx 0x773eed6e 51 push    ecx 0x773eed6f 837d1000 cmp     dword ptr [ebp+10h],0 ss:0023:0447fc24=778237eb 0x773eed73 7438 je      kernel32!openfilemappinga+0x45 (773eedad) [br=1] 0x773eed75 ff7510 push    dword ptr [ebp+10h]  ss:0023:0447fc24=778237eb 0x773eed78 8d45f8 lea     eax,[ebp-8] 0x773eed7b 50 push    eax 0x773eed7c e814d7ffff call    kernel32!basep8bitstringtodynamicunicodestring (773ec495)

for details mistake: i'm using pykd develop tool around windbg. documentation disasm module doesn't cover detail, used wrong param disasm.jumprel function, result in incomplete disassemble result.

there seem stuff missing.

50                push eax ff 15 0c 17 3a 77 call [0x0c173a77] ; did thing go? 90                nop 90                nop 90                nop 90                nop 90                nop 8b ff             mov edi, edi  ; wut? 55                push ebp      ; looks beginning of function 8b ec             mov ebp, esp 51                push ecx 51                push ecx 83 7d 10 00       cmp [ebp + 10], 0

i disassembled manually, may have made mistakes. code weird. disassembly of weirder , have no idea how happened.


Comments

Post a Comment

Popular posts from this blog

php - Magento - Deleted Base url key -

-
i working on cleaning url: http://mydomain.com/shop/shop/deals i going through settings in configuration tab in admin panel on magento , change secure , unsecure base urls remove first base url "shop" web page read: http://mydomain.com/shop/deals so changed unsecure base urls mydomain.com/shop mydomain.com , secure 12.345.67.89/shop 12.345.67.89. wrong thing do. i cannot reload page or admin console. how access these files through ftp , change correctly there?? when make changes in admin panel changes made in database not in file. have make changes in database. 1.go database , select core_config_data table under table find web/unsecure/base_url , web/secure/base_url . make changes here. don't forget clear cache in var/cache folder
Read more

javascript - Tooltipster plugin not firing jquery function when button or any click even occur -

-
i want use tooltipster plugin click element in body show tooltip , want have close button inside tooltip close it. however use jquery click() function handle won't fired. tried solution in post. worked when tooltip triggered hover event. tooltipster plugin not firing jquery function when link in in tooltip clicked the original solution using hover in jsfiddle trigger: 'hover', instead using click show tooltip trigger: 'click', http://jsfiddle.net/bcqyl/7/ it won't fire click event in jquery block. can captured normal javascript function only. checked should code in tooltipster plugin locked , captured "click()" event inside tips when in click trigger mode. i tried other event onchange event of radio button fired when using code in original solution @evan right. tooltip doesn't exist in dom , can't bind/delegate action (even if go way $(document) after domready). if you're after close button inside of too...
Read more

java - WrongTypeOfReturnValue exception thrown when unit testing using mockito -

-
my test list<person> mylist; @test public void testisvalidperson() { mylist = new arraylist<person>(); mylist.add(new person("tom")); when(persondao.get(person)).thenreturn(mylist); when((persondao.get(person)).isempty()).thenreturn(false);//------exception thrown boolean result = service.isvalid("tom"); assertfalse(result); } method tested: public boolean isvalid(string person){ persondao = new persondao(); person personobj = new person(person); return (persondao.get(person).isempty())?false : true; } exception thrown: org.mockito.exceptions.misusing.wrongtypeofreturnvalue: boolean cannot returned get() get() should return list *** if you're unsure why you're getting above error read on. due nature of syntax above problem might occur because: 1. exception *might* occur in wrongly written multi-threaded tests. please refer mockito faq on limitations of concurrency testing. 2. sp...
Read more