Disassembling the 'faddl' instruction

In my quest for disassembler coding for the x86-32 Linux platform, I ran into a problem. I saw the following sequence of operations after I parsed a simple ELF-32 executable using "objdump":

    dc 82 04 08 0d 00    faddl 0xd0804(%edx)

But when I look at the Intel manual [1], I don't see the correspondence of the operation code. The command "fadd" begins with 0xdc, but then it requires the operand "m64fp", which is a "quadword memory operand". Now, does this mean that the operand is a 64-bit address (which would mean that the fadd command is a 64-bit instruction, but one without a REX prefix byte), or is it just a 32-bit address that points to a quadword (64 bits)?

Am I missing something trivial here, or is my understanding of x86 coding rules wrong?

[1] http://www.intel.com/design/intarch/manuals/243191.HTM

Thanks and respect,
Hrishikesh Murali

+4
2 answers

Let me break it down.

    dc 82 04 08 0d 00    faddl 0xd0804(%edx)
    |  |  \____ ____/
    |  |       V
    |  |       |
    |  |       +---------> 32-bit displacement
    |  +-----------------> ModRM byte
    +--------------------> Opcode

Looking in detail at the docs, dc indeed takes an m64real floating-point argument as the source. It will add this 64-bit argument to the ST(0) floating-point register.

However, it is the second byte, 82, which decides where this 64-bit value comes from. In binary, this ModRM byte is:

    +---+---+---+---+---+---+---+---+
    | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 0 |
    +---+---+---+---+---+---+---+---+
    |  MOD  |  REG/OPCD |    R/M    |

If you look at table 2.2 in a related document (the one that covers 32-bit addressing modes), you will see that this means disp32[EDX].

In other words, it takes the next 32 bits (four bytes), adds this to edx, and uses this address to fetch the 64-bit value from memory.

+5

"Quadword operand in memory" means that the value is 64 bits in RAM. The size of the address depends on whether it is compiled as a 32- or 64-bit process, not on how large the operands are. Here is a complete analysis of the disassembly.

  • The first byte, DC, is the opcode. Combined with the fact that the next byte is not between C0 and C7 and contains 0 in the register field (bits 3-5), this indicates a fadd instruction with a 64-bit memory operand. Interestingly, the l at the end of the mnemonic would indicate a 32-bit operand. This should be faddq.

  • The second byte contains 3 fields.

    • Bits 6-7 indicate the mode of the last field.
    • Bits 3-5 are the register field. Since a register operand is not required for this instruction, they are used as part of the opcode.
    • Bits 0-2 are the R/M field. It may contain a register or indicate a memory operand. Mode 10 combined with R/M 010 indicates that the operand is a memory operand with a 32-bit address relative to edx.
  • The last 4 bytes represent the relative offset of the operand, in little-endian order (least significant byte first).

+2

Source: https://habr.com/ru/post/1381239/
