tr1stan
November 12th, 2012, 16:56
Hi all,
and yet another stupid question
I have a code byte stream (from a dump) and I'm using Distorm to disassemble the code at a specific position of the stream.
My problem is how can I make sure that I'm not starting at the wrong position, meaning how can i check if my current position/byte
is not part of another opcode?
Example:
I start inside my buffer with the byte sequence E8 0C 3B CA 8B -> CALL 08C0C41C8 (wrong)
but if I start one byte earlier with 83 E8 0C 3B CA 8B I get the correct disassembled commands:
SUB EAX, 0C
CMP ECX, EDX
I try to search a code section for special calls and jmps but I get a lot of wrong results because of this problem. Even if I check
the call/jmp location if it's in a defined memory area it could be not valid one.
I searched the net up and down (perhaps with the wrong query
) but I can't find any information about this.
Does anyone here know how to handle this situation? Do I have to disassemble a little bit more code and check if CALLs/JMPs
point to meaningfull addresses but what is meaningfull then ?
regards
tr1stan
and yet another stupid question
I have a code byte stream (from a dump) and I'm using Distorm to disassemble the code at a specific position of the stream.
My problem is how can I make sure that I'm not starting at the wrong position, meaning how can i check if my current position/byte
is not part of another opcode?
Example:
I start inside my buffer with the byte sequence E8 0C 3B CA 8B -> CALL 08C0C41C8 (wrong)
but if I start one byte earlier with 83 E8 0C 3B CA 8B I get the correct disassembled commands:
SUB EAX, 0C
CMP ECX, EDX
I try to search a code section for special calls and jmps but I get a lot of wrong results because of this problem. Even if I check
the call/jmp location if it's in a defined memory area it could be not valid one.
I searched the net up and down (perhaps with the wrong query
) but I can't find any information about this.Does anyone here know how to handle this situation? Do I have to disassemble a little bit more code and check if CALLs/JMPs
point to meaningfull addresses but what is meaningfull then
?regards
tr1stan