http://www.ragestorm.net/blogs/?feed=comments-rss2

Comments for Insanely Low-Level

An Arkon Blog

Last Build Date: Mon, 27 Jan 2014 06:07:07 +0000
Comment on isX64 Gem by Peter Ferrie

Mon, 27 Jan 2014 06:07:07 +0000

I finally noticed the obvious 5-byte version:

    XOR ECX, ECX
    INC ECX ; = DB 0x41
    LOOP x64_code

ecx is returned to 0 in 32-bit mode, and the inc/loop combination becomes the equivalent of loopq in 64-bit mode, reducing rcx to -1 and taking the branch. That's false and true values right there. ;-)



Comment on Trampolines In x64 by arkon

Thu, 25 Jul 2013 11:43:13 +0000

    0000 (10) 48a10102030405060708 MOV RAX, [0x807060504030201]
    000a (02) ffe0                 JMP RAX

This is 12 bytes indeed! At the time I thought that we don't need the 48 byte prefix, as the diStorm fix says: "MOV MEM-OFFSET instructions are NOT automatically promoted to 64bits, only with a REX." Sorry, haven't updated this post since... Thanks



Comment on Trampolines In x64 by Thierry

Mon, 22 Jul 2013 16:10:28 +0000

What are the opcodes for method 5? I end up with 12 bytes and not 11 :-( Regards



Comment on Hot Patching (/Detouring) by Ilya

Sun, 19 May 2013 08:45:09 +0000

As to the reason to choose MOV EDI, EDI, Raymond Chen and his commentators spill light on this: http://blogs.msdn.com/b/oldnewthing/archive/2013/01/02/10381672.aspx Statistically they saw EDI is the least likely to still be in the pipeline at the start of a function.



Comment on Armstorm – ARM Disassembler by Jurriaan Bremer

Sun, 24 Feb 2013 22:18:40 +0000

You will want to check the __builtin_ctz() function (for GCC) and/or _BitScanReverse() (for MSVC, iirc.)



Comment on Trampolines In x64 by Sönke

Sun, 30 Dec 2012 01:00:17 +0000

Hi guys, I'm currently experimenting with the subject and found that 2) can be cured from the destruction of the register if you do the following:

    push rax; mov rax, ; xchg rax, [rsp]; ret;

unfortunately the price is code that is 4 bytes longer, but it seems to work fine. Greetings



Comment on Armstorm – ARM Disassembler by arkon

Sat, 15 Dec 2012 17:38:17 +0000

Sweet, thanks. I really like the (~mask & 1) -> !(mask & 1), I wonder if the compiler could know to do it on its own...



Comment on Armstorm – ARM Disassembler by Peter Ferrie

Fri, 14 Dec 2012 20:15:26 +0000

actually, that first while should say !(mask & 1). you don't want to be performing ~mask every time, either.



Comment on Armstorm – ARM Disassembler by Peter Ferrie

Fri, 14 Dec 2012 20:13:45 +0000

of course, it's faster if you avoid checking mask==0 repeatedly:

    if (mask) {
        int base = 0;
        int runLength = 0;
        while (~mask & 1) base++, mask >>= 1;
        // mask is never zero here, always &1 initially
        while (mask & 1) runLength++, mask >>= 1;
        if (!mask && runLength > 2) { ... }
    }



Comment on Armstorm – ARM Disassembler by arkon

Thu, 13 Dec 2012 10:42:27 +0000

Nice Ofek! It could be really shortened, that's what happens when you write code at 2:30 AM :) I use this code to format a registers-list for some instructions. For example:

    PUSH {R0-R7}
    STMIA R0!, {R4-R6}

I want to show a sequence of more than 2 registers in the %d-%d format, and the rest will be separated (it wasn't part of the snippet). Suppose:

    POP {R0, R5, R7}

Thumbs up ;)
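An added example (not code from the blog or from Armstorm) tying the register-list comments together: a C function that renders a 16-bit ARM register-list mask the way arkon describes (runs of more than 2 registers as Rn-Rm, the rest listed individually), built on the skip-then-count loop from Peter Ferrie's comment with the !(mask & 1) form. The function name, the put() helper and the 64-byte output buffer are assumptions of this example.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Append formatted text at *pos without writing past outlen; on truncation
 * *pos is clamped to outlen-1 so later calls become safe no-ops. */
static void put(char *out, size_t outlen, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out + *pos, outlen - *pos, fmt, ap);
    va_end(ap);
    if (n > 0)
        *pos = (*pos + (size_t)n < outlen) ? *pos + (size_t)n : outlen - 1;
}

/* Render a register-list mask (bit n set => Rn) as "{R0-R7, R9}": runs of
 * three or more consecutive registers collapse to a range, shorter runs are
 * listed one by one. Returns the register count, or -1 if outlen is 0. */
int format_reglist(uint16_t mask, char *out, size_t outlen)
{
    size_t pos = 0;
    int count = 0, base = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    put(out, outlen, &pos, "{");
    while (mask) {
        while (!(mask & 1)) { base++; mask >>= 1; } /* skip the gap; mask != 0 */
        int run = 0;
        while (mask & 1) { run++; mask >>= 1; }     /* measure the run at base */
        if (run > 2)
            put(out, outlen, &pos, "%sR%d-R%d", count ? ", " : "", base, base + run - 1);
        else
            for (int i = 0; i < run; i++)
                put(out, outlen, &pos, "%sR%d", (count + i) ? ", " : "", base + i);
        count += run;
        base += run;
    }
    put(out, outlen, &pos, "}");
    return count;
}

int main(void)
{
    char buf[64];
    int n = format_reglist(0x830F, buf, sizeof buf); /* constructed sample mask */
    printf("%s (%d registers)\n", buf, n);
    return 0;
}
```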