Re: Previous instruction address

johnywalkyra@xxxxxxxx écrivait news:1161119770.151708.229070


given an address in code, determining the next instructon address is
fairly easy, you skip prefixes, identify the instruction (along with
ModR/M and SIB) plus the displacement and/or immediate data. However,
it seems to me quite difficult to get the address of the previous
instruction. Is there any reliable way, how to achieve this?

Thank you,

John Walker jr.

As jongware wrote, you just have to step enough bytes
backward for having the disassembly self-synchronizing.

But, here, you have a "limit problem": You must be sure
that the forward stepping is real Code, entirely, and
not something else.

So, depending on what you are really doing (i do not
understand the context in which you mean to do that,
and what for...), you may consider another method, that
is slower, but a bit less risky. That is to create a
Map Table of your code, then to:

* Step backward 1 Byte, and analyse...
* Step backward 2 Byte, and analyse...
* Step backward 3 Byte, and analyse...
* ...

.... where "analyse" stand for taking track in your table
of the locations that 1) do not produce irregular Code,
and 2) do not break down your referenced (known) valide

You do that twice (or more), until there is no other
possibility. That is, you try to Synchronize "by hand",
on a reduced set of Bytes, that wil be, at most equal
to two (or more) times the biggest possible Instruction.

Notice that this reduces the risk of analysing parts of
your File that are NOT Code, but this is slower than a
natural synchronization, and does not still save from
wrong interpretations. The only "proper" way is to
implement a set of real recognitions analyses for the
whole file, that is, to write a Disassembler.

And as long as the real job is with the recognition,
and absolutely not with the Instructions, i fail to
imagine in what conditions you could ever need of
analysing back, whereas the information (of "what is
Code") should be previously known.


< >