justinstenning / SharpDisasm

SharpDisasm - x86 / x86-64 disassembler for .NET
https://www.nuget.org/packages/SharpDisasm

Wrong disasm #23

Open meza2003 opened 3 years ago

meza2003 commented 3 years ago

x64 Input: eb 02 90 90 eb 02 90 90 48 89 5c 24 08

Output:

0000000000000000 eb 02             jmp 0x4
0000000000000002 90                nop
0000000000000003 90                nop
0000000000000004 eb 02             jmp 0x8
0000000000000006 90                nop
0000000000000007 90                nop
0000000000000008 48 89 5c 24 08    mov [rsp+0x8], rbx

IDA output:

.text:000000018044F6FC ; =============== S U B R O U T I N E =====
.text:000000018044F6FC public MSO_5997
.text:000000018044F6FC MSO_5997 proc near ; CODE XREF: MSO_5252+D1↑p
.text:000000018044F6FC                    ; sub_18044F5BC+CE↑p ...
.text:000000018044F6FC jmp short loc_18044F700
.text:000000018044F6FC ; ---------------------------------------------------------------------------
.text:000000018044F6FE align 20h
.text:000000018044F700 loc_18044F700: ; CODE XREF: MSO_5997↑j
.text:000000018044F700 jmp short sub_18044F704
.text:000000018044F700 MSO_5997 endp
.text:000000018044F700 ; ---------------------------------------------------------------------------
.text:000000018044F702 align 4
.text:000000018044F704 ; =============== S U B R O U T I N E ======
.text:000000018044F704 sub_18044F704 proc near ; CODE XREF: MSO_5997:loc_18044F700↑j
.text:000000018044F704                         ; DATA XREF: .pdata:00000001815CC594↓o
.text:000000018044F704 arg_0 = qword ptr 8
.text:000000018044F704 mov [rsp+arg_0], rbx

Fonger commented 3 years ago

The result is correct; however, SharpDisasm starts the address at zero in CLI mode because it has no idea where your byte input starts.

meza2003 commented 3 years ago

Why is the offset of the 2nd jmp 0x8?

Fonger commented 3 years ago

0x000000018044F6FC + 0x8 = 0x000000018044F704 = sub_18044F704

meza2003 commented 3 years ago

In general, what is the jmp offset relative to?

Fonger commented 3 years ago

If you look at the byte code, you can see eb 02. This is a short jump; 02 is the target address relative to the next instruction: 8 (target) - 6 (next) = 02

Most disassemblers will show the absolute target address, so it shows 8 here.
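The resolution described in this thread, as an added example that is not part of the issue or of SharpDisasm's own code: a minimal linear sweep over the issue's bytes that adds each signed displacement to the address of the next instruction, and, going slightly beyond the thread, also handles rel32 jmp and the common Jcc rel8 forms. Feeding it the load address from the IDA listing as the base makes the two targets come out as loc_18044F700 and sub_18044F704; the base address and the Jcc table are my assumptions, not anything SharpDisasm exposes.

```python
# Added example, not SharpDisasm's code: resolves relative jumps the way the
# thread describes (target = address of next instruction + signed displacement).
ISSUE_BYTES = bytes.fromhex("eb 02 90 90 eb 02 90 90 48 89 5c 24 08")  # from the issue
IDA_BASE = 0x18044F6FC  # address of the same bytes in the IDA listing (assumed as base)

# Subset of one-byte Jcc rel8 opcodes, assumed for illustration.
JCC_REL8 = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}


def decode_flow(code, base=0):
    """Linear sweep returning (address, mnemonic, target_or_None) tuples.

    Only nop and relative jumps (rel8 and rel32) are decoded; the first other
    opcode stops the sweep, since the point here is displacement resolution:
    the signed displacement is added to the address of the *next* instruction.
    """
    listing, ip = [], 0
    while ip < len(code):
        op = code[ip]
        if op == 0x90:
            listing.append((base + ip, "nop", None))
            ip += 1
            continue
        if op == 0xEB or op in JCC_REL8:
            width, name = 1, ("jmp" if op == 0xEB else JCC_REL8[op])
        elif op == 0xE9:
            width, name = 4, "jmp"
        else:
            listing.append((base + ip, "<undecoded>", None))
            break
        nxt = ip + 1 + width  # address of the following instruction
        if nxt > len(code):
            raise ValueError(f"truncated jump at {base + ip:#x}")
        rel = int.from_bytes(code[ip + 1:nxt], "little", signed=True)
        listing.append((base + ip, name, base + nxt + rel))
        ip = nxt
    return listing


def jump_targets(code, base=0):
    return [t for _, _, t in decode_flow(code, base) if t is not None]


def encode_short_jmp(addr, target):
    """Inverse of the above for eb rel8: rel = target - (addr + 2), e.g. 8 - 6 = 2."""
    rel = target - (addr + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target out of rel8 range")
    return bytes([0xEB]) + rel.to_bytes(1, "little", signed=True)


if __name__ == "__main__":
    for base in (0, IDA_BASE):  # base 0 reproduces the SharpDisasm CLI output
        for addr, name, tgt in decode_flow(ISSUE_BYTES, base):
            print(f"{addr:016x} {name:<11}" + ("" if tgt is None else f"{tgt:#x}"))
```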