Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Missing NOP instructions in x86_64
See original GitHub issueI confirmed that 0f 1f 00 is correctly disassembled into a NOP (for x86)
Below is a list of NOP instructions that objdump decodes into NOPs but that Ghidra can’t disassemble (the list may not be complete, and tries to only show one instruction per instruction class):
0f 18 20 nop/reserved BYTE PTR [eax]
0f 18 28 nop/reserved BYTE PTR [eax]
0f 18 30 nop/reserved BYTE PTR [eax]
0f 18 38 nop/reserved BYTE PTR [eax]
0f 19 00 nop DWORD PTR [eax]
0f 19 c0 nop eax
0f 1a c0 nop eax
0f 1b c0 nop eax
0f 1c 00 nop DWORD PTR [eax]
0f 1c 08 nop DWORD PTR [eax]
0f 1c 10 nop DWORD PTR [eax]
0f 1c 18 nop DWORD PTR [eax]
0f 1c 20 nop DWORD PTR [eax]
0f 1c 28 nop DWORD PTR [eax]
0f 1c 30 nop DWORD PTR [eax]
0f 1c 38 nop DWORD PTR [eax]
0f 1c c0 nop eax
0f 1d 00 nop DWORD PTR [eax]
0f 1d c0 nop eax
0f 1e 00 nop DWORD PTR [eax]
0f 1e c0 nop eax
66 0f 1e c0 nop ax
f2 0f 1c 00 repnz nop DWORD PTR [eax]
f2 0f 1e c0 nop eax
f3 0f 1b c0 nop eax
f3 0f 1c 00 repz nop DWORD PTR [eax]
f3 0f 1e c0 nop eax
f3 0f 1e d0 nop eax
f3 0f 1e d8 nop eax
f3 0f 1e e0 nop eax
f3 0f 1e e8 nop eax
f3 0f 1e f0 nop eax
f3 0f 1e f8 nop eax
f3 0f 1e f9 nop ecx
f3 0f 1e fc nop esp
f3 0f 1e fd nop ebp
f3 0f 1e fe nop esi
f3 0f 1e ff nop edi
I can share a test binary with these instructions (and the ones from https://github.com/NationalSecurityAgency/ghidra/issues/53#issuecomment-470682674) if that’d be helpful
_Originally posted by @recvfrom in https://github.com/NationalSecurityAgency/ghidra/issues/22#issuecomment-472606492_
Issue Analytics
- State:
- Created 5 years ago
- Reactions:1
- Comments:12 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
The Aggressive Instruction Finder “attempts” in a very simplistic way to look at how other functions start in your code. There are many improvements that could be done to it.
Simply finding and marking NOP’s is not always the best solution, since those NOP’s could actually be data bytes. Many processor’s NOP instruction are some number of 0x00’s.
I guess the real issue is automatically disassembling the code. Ghidra is generally conservative in where it starts disassembling. In my mind, the NOP’s are arbitrary bytes, they could be invalid random bytes if the compiler had been done that way. They really aren’t code, and disassemblers that find the code such as objdump are cheating on the fact that they do disassemble without figuring out why they disassemble.
In your case with the offset of the address from EDI as a data reference, the MOV access is an indication that the bytes at address DAT_0001cc90 could be data.
You can select an area and disassemble it. This isn’t the suggested method to start, unless you are sure there is no data in the are and it is all instructions. Ghidra will follow flow, as much as it can starting at the first location, then start again at the next undefined location. If this works for you, it is cheap and easy. There are most likely some scripts that do this, but one doesn’t come to mind.
Not disassembling an area, can help you understand the program and look for the way a location is actually disassembled or accessed. That said, automating as much as possible without making mistakes is a goal. It’s all a matter of false positives / false negatives balanced on your motivation for doing the RE in the first place.
The Reference analyzer does have some heuristics to follow pure pointer references (no read/write) to see if it looks like code. It may be the “looks” like code may need to be relaxed, but that is a delicate balance that may cause bad code disassembly in other areas.
Closing this issue since the missing NOP instructions were added in 9.0.1.