Backward disassembling (was: Re: 2.5.63 accesses below %esp)

Szakacsits Szabolcs (szaka@sienet.hu)
Fri, 14 Mar 2003 13:16:12 +0100 (MET)


On Fri, 14 Mar 2003, Denis Vlasenko wrote:
> On 13 March 2003 23:04, Horst von Brand wrote:
> > Szakacsits Szabolcs <szaka@sienet.hu> said:
> > >
> > > Of course, it's a bad approach. You start earlier and stop at EIP.
> > > Repeat this for max(instruction length) different offsets and you
> > > will have the winner. Figure it out from the context after EIP.
> >
> > By hand, OK. Automatically, no.
>
> Why not? Disassemble from, say, EIP-16 and check whether you have
> an instruction starting exactly at EIP. If no, repeat from EIP-15,
> -14... You are guaranteed to succeed at EIP-0 ;)

Disassembling must be started "much" earlier. From your example one
could get the impression you want to get the instruction right before
EIP. It's not possible to go back this way. For example if you want to
disassemble 100 bytes before EIP you must start at EIP-100 and EIP-99
and ... and EIP-100-max_instruction_length+1. Then you have the right
one among them (well, 99.9% but let's don't be too pedantic).

You also can't stop the above max_instruction_length iteration when
the next instruction address matches EIP. You can have even
max_instruction_length matches. But from the additional info (code
after EIP, assembly "quality", available source where the crash
happend) you could choose the right one.

Szaka

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/