Two sequential branch instructions in MIPS assembly?

I am trying to reverse engineer a MIPS firmware. The firmware is big endian encoded, for a 32bit r4kec processor.

I have disassembled (using objdump) the binary to see what the assembly looks like, and everything looks like valid code, but right at the beginning of the code I see the following two instructions:

bfc00220    152a0001    bne t1, t2, 0xbfc00228
bfc00224    10000009    b   0xbfc0024c

The first instruction checks the values of the t1 and t2 registers, and jumps to an address if they are not equal. The second instruction seems to handle the fall-through case, to skip directly to a subsequent address. So far so good, or not?

To my knowledge, this is not legal. All of the available MIPS documentation that I have read states that the instruction directly following any branch/jump instruction is treated as a jump delay slot, whose instruction is always (except for the branch-likely class of instructions) executed before the actual jump is performed.

The key problem here is that another branch/jump is not allowed in the jump delay slot, and this will leave the processor in an undefined state.

So what am I to make of this code? I don't believe that this is handcrafted assembly (although it would not be too far-fetched for it to be) for a CPU that handles this situation in a known deterministic fashion. I also cannot believe that a compiler will knowingly produce code like this. The other possibility is that I am using the wrong decompiler for the binary, or that I have the endianness wrong, or something else...

Can anyone explain what is going on here?
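The two words in the question can be checked directly: the added script below (not part of the original post) decodes MIPS branch/jump words from a big-endian byte string, computes each target relative to the delay-slot address exactly as objdump does, and flags any control transfer that sits in the delay slot of the previous one. The sample bytes are constructed from the two words in the question plus two nops; the function names are my own.

```python
import struct

# MIPS o32 register names, indexed by register number.
REGS = ("zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
        "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra").split()

# I-type conditional branches, keyed by the opcode field (bits 31..26).
BRANCH_OPCODES = {4: "beq", 5: "bne", 6: "blez", 7: "bgtz",
                  20: "beql", 21: "bnel", 22: "blezl", 23: "bgtzl"}

def decode_control(addr, word):
    """Return (mnemonic, operands, target) if the word at addr is a branch/jump, else None."""
    op = word >> 26
    rs, rt = (word >> 21) & 31, (word >> 16) & 31
    if op in BRANCH_OPCODES:
        off = word & 0xFFFF
        if off & 0x8000:
            off -= 0x10000                       # sign-extend the 16-bit offset
        target = (addr + 4 + (off << 2)) & 0xFFFFFFFF  # relative to the delay slot, not the branch
        name = BRANCH_OPCODES[op]
        if name == "beq" and rs == 0 and rt == 0:
            return ("b", "", target)             # beq $zero,$zero is the 'b' pseudo-instruction
        if name in ("beq", "bne", "beql", "bnel"):
            return (name, "%s, %s" % (REGS[rs], REGS[rt]), target)
        return (name, REGS[rs], target)
    if op in (2, 3):                              # j / jal: absolute within the current 256 MiB region
        target = ((addr + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)
        return ("j" if op == 2 else "jal", "", target)
    if op == 0 and (word & 0x3F) in (8, 9):       # jr / jalr (R-type, funct 8 or 9)
        return ("jr" if (word & 0x3F) == 8 else "jalr", REGS[rs], None)
    return None

def branches_in_delay_slots(base, data):
    """Scan big-endian code and report every control transfer placed in the delay slot of another."""
    words = struct.unpack(">%dI" % (len(data) // 4), data)
    findings, prev = [], None
    for i, w in enumerate(words):
        addr = base + 4 * i
        cur = decode_control(addr, w)
        if prev is not None and cur is not None:
            findings.append((addr, prev[0], cur[0]))
        prev = cur
    return findings

# Constructed sample: the two words from the question followed by two nops.
SAMPLE = bytes.fromhex("152a0001" "10000009" "00000000" "00000000")

if __name__ == "__main__":
    for a, p, c in branches_in_delay_slots(0xBFC00220, SAMPLE):
        print("0x%08x: %s sits in the delay slot of %s" % (a, c, p))
```

Run over a whole raw firmware image, the same scan also highlights regions where branches occur in implausible patterns, which is a quick way to spot data that objdump has disassembled as code.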

The "undefined behavior" means just that - that it's not specified what will happen. It may lead to CPU locking up, or it might actually execute the instruction.

See this post about some tricks with delay slots that were used in M88K:

http://www.pagetable.com/?p=313

Or the answer may be even simpler: you may be looking at data, not code. Since a raw binary has no info about code/data boundaries, objdump defaults to disassembling everything, whether it makes sense or not.

While this is undefined behavior, a particular CPU implementation might do something useful and repeatable for this instruction sequence. The only way to tell is by running the code on that actual implementation. Use a debugger to put a breakpoint on the target of each branch, and see which one you get to.

This could even be an error in the hand-generated assembly that was never caught because the actual behavior of the code was not incorrect.
