Is it possible to decode x86-64 instructions in reverse?
I was wondering if it is possible to decode x86-64 instructions in reverse?
I need this for a runtime dissembler. Users can point to a random location in memory and then should be able to scroll upwards and see what instructions came before the specified address.
I want to do this by reverse decoding.
The basic format of x86 instructions is like this
Modern CPUs can support VEX and EVEX prefixes. In x86-64 there might also be the REX prefix at the beginning
Looking at the format it can easily be seen that the instructions aren't palindromes and you can't read from the end.
Regarding determining which instruction an arbitrary address belongs to, unfortunately it can't be done either, because x86 instructions are not self-synchronizable, and (generally) not aligned. You have to know exactly the begin of an instruction, otherwise the instruction will be decoded differently.
You can even give addresses that actually contain data and the CPU/disassembler will just decode those as code, because no one knows what those bytes actually mean. Jumping into the middle of instructions is often used for code obfuscation. The technique has also been applied for code size saving in the past, because a byte can be reused and has different meanings depending on which instruction it belongs to
- Jump into the middle of instruction - in IA-32
- Why are disassembled data becoming instructions?
- Designing an instruction sequence so that it does something else if decoded with an offset
- What is "overlapping instructions" obfuscation?
- Jump into the instructions, is it a case
objdumpcan't handle? - What is the reason for this method to call itself?
That said, it might be possible to guess in many cases since functions and loops are often aligned to 16 or 32 bytes, with NOPs padding around
- AVR Instruction Sets and "missing" instructions by device
- What registers to save in the ARM C calling convention?
- Assembly/gdb: add behavior
- STM32 Thumb Mode Reset Vector
- Why do modern compilers prefer SSE over FPU for single floating-point operations
- Arm bootloader and kernel visualisation error
- Push all and pop all in emu8086
- Why does my conversion from LBA to CHS not work?
- Bootloader doesn't jump to stage 2 to display a message
- Why does my data section appear twice in the compiled binary? Ubuntu, x86, nasm, gdb, readelf
- Referencing the contents of a memory location. (x86 addressing modes)
- How to detect if a binary number has a 0 in Decimal
- A hand-coded branch to a bounce bed was not taken but taken with debugger attached
- Why does the VMCS ES selector have a index of 0 instead of 3?
- What is the result of this Assembly program?
- Is it "too clever" for using LEA to load constant to register?
- How to get function Argument from Stack - Assembly
- simple adder array int value in RISC-V asm
- Assembly ADC (Add with carry) to C++
- Why does Clang do this optimization trick only from Sandy Bridge onward?
- Why does a call to a pointer to member function handle virtual functions even if the class has no virtual methods?
- nasm assembly linux timer or sleep
- Instruction FYL2XP1
- About ARMv8-A `SVC #0x0f0f` to machine code
- QtSPIM: Explanation for code shown without loading program
- Codemirror x86 assembly (Intel) syntax
- GCC generate Canary or not?
- Using the operand-size override prefix 0x66 for instruction alignment
- What happens with the Frame Pointer in the Stack, if the Stack Pointer enters a second, nested function?
- How to build .rodata string table when PIE is enabled?