
java byte code in 64bit

I have looked over the instruction set for the x86_64bit machine and tried to match, but unfortunately didn't get any solution. I don't want the exact answer, just asking if someone knows the steps to solve this problem or if there are any tools to solve it.

Thanks for your time

First of all, get that byte stream written to a file. That's a lot easier to work with than a string. There are many ways to solve that particular problem; I just used what came first to mind (probably highly suboptimal):

echo -ne $(echo ba000000004885ff74144889fa8b073b02480f4cd7488b7f084885ff75ef4889d0c3 | sed 's/\(..\)/\\x\1/g') > f.bin

Now you can use various tools to disassemble the file, e.g.:

ndisasm -b 64 f.bin

-b selects 64-bit default mode

or

objdump -D -b binary -m i386:x86-64:intel f.bin

-D means disassemble all sections, -b binary specifies that the file is a binary file (rather than e.g. an object file), and -m i386:x86-64:intel selects 64-bit x86-64 decoding with Intel syntax.

You can also look at an opcode map to decode the stream. Starting out we see BA, which matches B8+r, which is MOV r16/32/64, imm16/32/64. Since the instruction doesn't have a REX prefix it's the r32, imm32 version. In this case r == 0xBA - 0xB8 == 2; looking at the "32/64-bit ModR/M Byte" table we see that r is edx. The immediate follows in the next 4 bytes (in this case it is 0). The instruction, in other words, decodes to:

mov edx, 0

The next instruction starts with a REX.W prefix (48) followed by TEST r/m16/32/64, r16/32/64 (85). You should be able to decode the following ModR/M byte on your own.

A final hint: you might want to look at objdump's --adjust-vma command line option.

Use gdb. You can define data bytes in a sequence, then use the disassembly operation. Let me know if you need this answer expanded.

EDIT. Because this is homework, you should probably do it by hand.

The decoding tables at sandpile.org are pretty good. Click on "one byte opcodes" to start.

Your machine language is:

ba000000004885ff74144889fa8b073b02480f4cd7488b7f084885ff75ef4889d0c3

so your first byte is ba. Look that up in the table. It says MOV rDX,Iv (r10,Iv). There is no REX prefix so it is a move into edx. To understand the I and the v, go to http://www.sandpile.org/x86/opc_enc.htm. Here we see the capital I means immediate and the lower case v is either a word or dword or qword. As you are moving into edx you have a dword, so look at the next 8 bytes after the ba. They are all zeros so your first instruction is mov edx, 0. Painful, yes, but it's homework. If you haven't covered the use of these decoding tables yet, then use the nice techniques presented in user786653's answer.
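The hand-decoding walk in both answers (B8+r with the register in the low opcode bits, the REX.W prefix, then the ModR/M byte of TEST) can be written down as a small decoder, which is a good way to check your own table lookups. The following is an added example and is not code from either answer; it uses only the Python standard library, handles exactly the forms the answers discuss (an optional REX prefix, MOV r32/r64, imm via B8+r, and TEST r/m, r via 85 in register-direct form) and reports everything else as an unhandled opcode. The register-name tables and the helper names (hex_to_bytes, decode_one, decode_first) are my own; the byte stream is the one from the question.

```python
# Added example, not from the original answers: a minimal x86-64 decoder for
# the instruction forms walked through above. Assumptions: REX prefix, MOV
# r, imm (opcode B8+r) and TEST r/m, r (opcode 85, register-direct ModR/M)
# are the only forms handled; anything else is reported as unhandled.

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

# The byte stream from the question, as a hex string.
STREAM_HEX = "ba000000004885ff74144889fa8b073b02480f4cd7488b7f084885ff75ef4889d0c3"


def hex_to_bytes(text: str) -> bytes:
    """Same job as the shell one-liner in user786653's answer: hex string to raw bytes."""
    return bytes.fromhex(text)


def reg_name(index: int, regs: list) -> str:
    """Map a 4-bit register number (REX-extended) to its name for the chosen width."""
    if index < 8:
        return regs[index]
    # r8..r15; the 32-bit halves are written r8d..r15d.
    return f"r{index}" if regs is REG64 else f"r{index}d"


def decode_one(code: bytes, pos: int) -> tuple:
    """Decode the instruction at `pos`; return (assembly text, length in bytes)."""
    start = pos
    rex_w = rex_r = rex_b = 0
    # REX prefix is 0100WRXB: W selects 64-bit operand size, R extends the
    # ModR/M reg field, B extends the ModR/M rm field or the B8+r register.
    if 0x40 <= code[pos] <= 0x4F:
        rex = code[pos]
        rex_w, rex_r, rex_b = (rex >> 3) & 1, (rex >> 2) & 1, rex & 1
        pos += 1
    regs = REG64 if rex_w else REG32
    op = code[pos]
    pos += 1

    if 0xB8 <= op <= 0xBF:
        # MOV r, imm: the register is op - 0xB8 (the "B8+r" in the opcode map),
        # so BA selects register 2, edx. With REX.W the immediate is 8 bytes.
        reg = (op - 0xB8) | (rex_b << 3)
        width = 8 if rex_w else 4
        imm = int.from_bytes(code[pos:pos + width], "little")
        pos += width
        return f"mov {reg_name(reg, regs)}, {imm:#x}", pos - start

    if op == 0x85:
        # TEST r/m, r: ModR/M is mod(2) | reg(3) | rm(3); only mod == 11
        # (both operands are registers) is handled here.
        modrm = code[pos]
        pos += 1
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod != 3:
            return "test <memory operand form not handled>", pos - start
        reg |= rex_r << 3
        rm |= rex_b << 3
        return f"test {reg_name(rm, regs)}, {reg_name(reg, regs)}", pos - start

    return f"db {op:#04x}  ; opcode not handled by this example", pos - start


def decode_first(code: bytes, count: int) -> list:
    """Decode up to `count` instructions from the start of `code`."""
    out, pos = [], 0
    for _ in range(count):
        if pos >= len(code):
            break
        text, length = decode_one(code, pos)
        out.append(text)
        pos += length
    return out


if __name__ == "__main__":
    for line in decode_first(hex_to_bytes(STREAM_HEX), 3):
        print(line)
```

Running it prints `mov edx, 0x0` and `test rdi, rdi` for the first two instructions, which is what the answers derive by hand (ba 00000000, then 48 85 ff with ModR/M ff giving mod=11, reg=7, rm=7, both rdi under REX.W); the third line shows the unhandled opcode 74, the point at which you continue with the opcode tables or one of the disassemblers above. The `(r10,Iv)` note from the sandpile table corresponds to the same BA opcode with a REX.B prefix, which the decoder also resolves.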
