EDB's disassembler needs to be aware of memory context of an instruction

[10110111]

Currently, if you have a sequence of bytes like 18 bf 49 40 in Thumb mode, you'll have as disassembly:

18 bf    it    ne
49 40    eors  r1, r1

This is obviously wrong, since the second instruction is in the IT block and must have a condition:

18 bf    it    ne
49 40    eorne r1, r1

This won't work until EDB starts at least passing something like 18 bytes to cs_disasm (maximum for an IT block). Of course, another problem would be the need to look "back" for a possible preceding IT instruction, especially when CPSR.IT≠0.

--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/48679227-edb-s-disassembler-needs-to-be-aware-of-memory-context-of-an-instruction?utm_campaign=plugin&utm_content=tracker%2F14326212&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F14326212&utm_medium=issues&utm_source=github).

[eteran]

Yea, I've been thinking that this would be a difficult challenge to deal with. My current thought is that if the user has run analysis on the region (maybe make it just happen auto-magically?) then we could look back to the beginning of the current basic block and and determine the "mode" from there?

[10110111]

Well, if the analysis results are available, this matter is trivial. But analysis is not instant, and it seems there's a possibility to confuse the analyser (although it's just my guess, I've not looked into what the analysis does). Might be a good idea to add a "quick analysis" mode to the analyzer, so that details like this can be easily found out. Without analysis, EDB can at least check current CPU state and, if CPSR.IT≠0, then try to disassemble the block instead of single instructions.

[eteran]

Yea, analysis isn't instant, and it certainly isn't perfect. I was just thinking that things such as Ollydbg always do an analysis (as far as I can tell), and while sometimes it does introduce a pause (usually during dll load), user's seem to be OK with that given the usefulness of the results.

So, my thought is that perhaps, if the analysis proves to make this task significantly simpler, then it may be worth it for the average user. I'm a bit torn on this one though, as I am a fan of not wasting the user's time as well.

[10110111]

In OllyDbg it's always possible to skip analysis (by pressing Space or Esc).

[eteran]

Agreed, it is cancelable of course. But it is often time consuming and is opt out, as opposed to edb's opt in analysis. We could make it cancelable, and have a config option to auto analyze as needed.