
java byte code in 64bit

Developer https://www.devze.com 2023-04-01 04:34 Source: web

I have looked over the instruction set for the x86_64bit machine and tried to match but unfortunately didn't get any solution. I don't want the exact answer, just asking if someone knows the steps to solve this problem or if there are any tools to solve it.

Thanks for your time


First of all, get that byte stream written to a file. That's a lot easier to work with than a string. There are many ways to solve that particular problem I just used what came first to mind (probably highly suboptimal):

# sed needs \( \) to form a group in basic regex, and echo needs -e to turn the \xNN escapes into bytes
echo -ne "$(echo ba000000004885ff74144889fa8b073b02480f4cd7488b7f084885ff75ef4889d0c3 | sed 's/\(..\)/\\x\1/g')" > f.bin

Now you can use various tools to disassemble the file:

e.g.

ndisasm -b 64 f.bin

-b selects 64-bit default mode

or

objdump -D -b binary -m i386:x86-64:intel f.bin

-D means disassemble all sections, -b binary specifies that the file is a binary file (rather than e.g. an object file), and -m i386:x86-64:intel selects 64-bit x86-64 decoding with intel syntax.

You can also look at an opcode map to decode the stream. Starting out we see BA which matches B8+r which is MOV r16/32/64 imm16/32/64. Since the instruction doesn't have a REX prefix it's the r32 imm32 version. In this case r == 0xBA-0xB8 == 2; looking at the "32/64-bit ModR/M Byte" table we see that r is edx. The immediate follows in the next 4 bytes (in this case it is 0). The instruction in other words decodes to:

mov edx, 0 

The next instruction starts with a REX.W prefix (48) followed by TEST r/m16/32/64 r16/32/64 (85). You should be able to decode the following ModR/M byte on your own.

A final hint: You might want to look at objdump's --adjust-vma command line option.


Use gdb. You can define data bytes in a sequence, then use the disassembly operation. Let me know if you need this answer expanded.

EDIT. Because this is homework, you should probably do it by hand.

The decoding tables at sandpile.org are pretty good. Click on "one byte opcodes" to start.

Your machine language is:

ba000000004885ff74144889fa8b073b02480f4cd7488b7f084885ff75ef4889d0c3

so your first byte is ba. Look that up in the table. It says MOV rDX,Iv (r10,Iv). There is no REX prefix so it is a move into edx. To understand the I and the v, go to http://www.sandpile.org/x86/opc_enc.htm. Here we see the capital I means immediate and the lower case v is either a word or dword or qword. As you are moving into edx you have a dword, so look at the next 8 bytes after the ba. They are all zeros so your first instruction is mov edx, 0. Painful, yes, but it's homework. If you haven't covered the use of these decoding tables yet, then use the nice techniques presented in user786653's answer.

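The two answers above describe the same manual procedure (REX prefix, opcode map lookup, ModR/M decoding) on the first two instructions only. The following is an added example, written for this page and not code from either answerer or from any of the tools they mention; it carries the procedure through the whole byte string. It implements just the slice of the x86-64 opcode map that this stream needs (B8+r MOV, 85 TEST, 89/8B MOV, 3B CMP, 0F 4C CMOVL, 74/75 Jcc rel8, C3 RET), handles REX.W/REX.R/REX.B, and decodes ModR/M with mod 0/1/2/3 and disp8/disp32 but no SIB byte. Register names, the `disassemble` function and the table layout are this example's own choices, not anything from the page.

```python
import struct

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
         "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]

# The byte string from the question, used here as the sample input.
STREAM = "ba000000004885ff74144889fa8b073b02480f4cd7488b7f084885ff75ef4889d0c3"

# Subset of the opcode map. Operand forms:
#   "rm,r"  r/m field is the destination, reg field the source
#   "r,rm"  reg field is the destination, r/m the source
#   "rel8"  one signed byte, relative to the end of the instruction
#   "none"  no operands
ONE_BYTE = {0x85: ("test", "rm,r"), 0x89: ("mov", "rm,r"), 0x8B: ("mov", "r,rm"),
            0x3B: ("cmp", "r,rm"), 0x74: ("je", "rel8"), 0x75: ("jne", "rel8"),
            0xC3: ("ret", "none")}
TWO_BYTE = {0x4C: ("cmovl", "r,rm")}   # opcodes that follow an 0F escape byte


def modrm_operands(code, pos, rex_r, rex_b, regs):
    """Decode the ModR/M byte at pos; return (reg_operand, rm_operand, next_pos).

    Only the no-SIB forms are handled; rm == 4 with mod != 3 would need a SIB byte.
    """
    modrm = code[pos]
    pos += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    reg_name = regs[reg | (rex_r << 3)]        # REX.R extends the reg field
    if mod == 3:                               # register-direct operand
        return reg_name, regs[rm | (rex_b << 3)], pos
    if rm == 4:
        raise NotImplementedError("SIB byte not handled in this example")
    if mod == 0 and rm == 5:                   # RIP-relative with disp32
        disp = struct.unpack_from("<i", code, pos)[0]
        return reg_name, f"[rip{disp:+#x}]", pos + 4
    base = REG64[rm | (rex_b << 3)]            # addresses always use 64-bit registers
    if mod == 0:
        return reg_name, f"[{base}]", pos
    if mod == 1:                               # disp8
        disp = struct.unpack_from("<b", code, pos)[0]
        pos += 1
    else:                                      # disp32
        disp = struct.unpack_from("<i", code, pos)[0]
        pos += 4
    return reg_name, f"[{base}{disp:+#x}]", pos


def decode_one(code, pos):
    """Decode a single instruction starting at pos; return (next_pos, text)."""
    rex_w = rex_r = rex_b = 0
    if 0x40 <= code[pos] <= 0x4F:              # REX prefix: 0100 W R X B
        rex = code[pos]
        pos += 1
        rex_w, rex_r, rex_b = (rex >> 3) & 1, (rex >> 2) & 1, rex & 1
    regs = REG64 if rex_w else REG32           # REX.W selects 64-bit operands
    op = code[pos]
    pos += 1
    if 0xB8 <= op <= 0xBF:                     # MOV r, imm (B8+r): imm32, or imm64 with REX.W
        reg = regs[(op - 0xB8) | (rex_b << 3)]
        fmt, size = ("<Q", 8) if rex_w else ("<I", 4)
        imm = struct.unpack_from(fmt, code, pos)[0]
        return pos + size, f"mov {reg}, {imm:#x}"
    if op == 0x0F:
        mnem, form = TWO_BYTE[code[pos]]
        pos += 1
    else:
        mnem, form = ONE_BYTE[op]
    if form == "none":
        return pos, mnem
    if form == "rel8":                         # target = address after this instruction + rel8
        rel = struct.unpack_from("<b", code, pos)[0]
        pos += 1
        return pos, f"{mnem} {pos + rel:#x}"
    reg, rm, pos = modrm_operands(code, pos, rex_r, rex_b, regs)
    dst, src = (rm, reg) if form == "rm,r" else (reg, rm)
    return pos, f"{mnem} {dst}, {src}"


def disassemble(hexstr):
    """Return a list of (offset, instruction_text) for the whole byte string."""
    code = bytes.fromhex(hexstr)
    listing, pos = [], 0
    while pos < len(code):
        start = pos
        pos, text = decode_one(code, pos)
        listing.append((start, text))
    return listing


if __name__ == "__main__":
    for offset, text in disassemble(STREAM):
        print(f"{offset:4x}:  {text}")
```

Running it lists 12 instructions: the `mov edx, 0` and `test rdi, rdi` the answers walk through, then a loop (`je 0x1e` forward, `jne 0xd` back) that walks `[rdi+0x8]` links and keeps the smaller `[rdi]` value via `cmovl`, ending in `mov rax, rdx` / `ret`. Comparing this listing with `ndisasm -b 64 f.bin` or the `objdump` invocation above is a good way to check your hand decoding; the jump targets are printed as offsets from the start of the buffer, which is why `--adjust-vma` matters when the bytes come from a known load address.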
