Xed / Objdump errors in disassembly of Intel compiled executables...

twilkens · ‎02-26-2010

I recently noticed that both XED and OBJDUMP are unable to accurately disassemble Intel executables built with Intel 11.1 and Intel 11.0 compilers. The source of the issue appears to be the __intel_new_memcpy function. Below is the disassembly of the function using XED from a binary built with Intel 11.1 w/AVX flags:

XDIS 48c2bd: BINARY BASE 4983E802 sub r8, 0x2
XDIS 48c2c1: BINARY BASE 4883C102 add rcx, 0x2
XDIS 48c2c5: BINARY BASE 4883C202 add rdx, 0x2
XDIS 48c2c9: UNCOND_BR BASE E90BFFFFFF jmp 0x48c1d9
XDIS 48c2ce: DATAXFER BASE 448A1A mov r11b, byte ptr [rdx]
XDIS 48c2d1: DATAXFER BASE 448819 mov byte ptr [rcx], r11b
XDIS 48c2d4: BINARY BASE 49FFC8 dec r8
XDIS 48c2d7: BINARY BASE 48FFC1 inc rcx
XDIS 48c2da: BINARY BASE 48FFC2 inc rdx
XDIS 48c2dd: UNCOND_BR BASE E9F7FEFFFF jmp 0x48c1d9
XDIS 48c2e2: NOP BASE 66666690 data16 nop
XDIS 48c2e6: NOP BASE 66666690 data16 nop
XDIS 48c2ea: NOP BASE 666690 data16 nop
XDIS 48c2ed: NOP BASE 666690 data16 nop
XDIS 48c2f0: UNCOND_BR BASE E9FEFFFFFF jmp 0x48c2f3
ERROR: GENERAL_ERROR Could not decode at offset 0x8c115: [FFFFFF27FFFFFFFFFFFFFF4DFFFFFF]
ERROR: GENERAL_ERROR Could not decode at offset 0x8c116: [FFFF27FFFFFFFFFFFFFF4DFFFFFFFF]
XDIS 48c2f7: UNCOND_BR BASE FF27 jmp qword ptr [rdi]
ERROR: GENERAL_ERROR Could not decode at offset 0x8c119: [FFFFFFFFFFFFFF4DFFFFFFFFFFFFFF]
ERROR: GENERAL_ERROR Could not decode at offset 0x8c11a: [FFFFFFFFFFFF4DFFFFFFFFFFFFFF6E]
ERROR: GENERAL_ERROR Could not decode at offset 0x8c11b: [FFFFFFFFFF4DFFFFFFFFFFFFFF6EFF]
ERROR: GENERAL_ERROR Could not decode at offset 0x8c11c: [FFFFFFFF4DFFFFFFFFFFFFFF6EFFFF]
ERROR: GENERAL_ERROR Could not decode at offset 0x8c11d: [FFFFFF4DFFFFFFFFFFFFFF6EFFFFFF]
ERROR: GENERAL_ERROR Could not decode at offset 0x8c11e: [FFFF4DFFFFFFFFFFFFFF6EFFFFFFFF]
XDIS 48c2ff: BINARY BASE FF4DFF dec dword ptr [rbp-0x1]
ERROR: GENERAL_ERROR Could not decode at offset 0x8c122: [FFFFFFFFFFFF6EFFFFFFFFFFFFFF8D]
ERROR: GENERAL_ERROR Could not decode at offset 0x8c123: [FFFFFFFFFF6EFFFFFFFFFFFFFF8DFF]
ERROR: GENERAL_ERROR Could not decode at offset 0x8c124: [FFFFFFFF6EFFFFFFFFFFFFFF8DFFFF]
ERROR: GENERAL_ERROR Could not decode at offset 0x8c125: [FFFFFF6EFFFFFFFFFFFFFF8DFFFFFF]

It would be helpful to characterize this such that executables built with Intel compilers can be decoded without error. After this function in the disassembly there are many errors, maybe related to this or not.

Can someone tell me why this is occuring..

Best regards..

Tim Wilkens

MarkC_Intel · ‎02-26-2010

Hi, yes, I've seen this a few times :-) Disassembling the variable length instruction set is surprisingly nontrivial especially when there is data in the code stream. Depending on what version of the xed command line disassembler you are using and if XED can find the symbols for your binary, it has different levels of success. It attempts to resynchronize when it encounters a symbol in the middle of what it thinks is an instruction. I've been thinking about beefing up the algorithm by using branch targets as known markers for resynchronization. For now, you can also use the "-as 0xHEXADDR" knob to specify a start address for when the disassembler gets confused. See "xed -help".

(The next version of xed that I release has -resync knob to control this symbol-based resynchronization. XED is released with Intel SDE and with Pin.)

Regards,

Mark

twilkens · ‎02-26-2010

Thanks Mark for the reply. I suspected there was data there.. but wanted to querery you as well. I have all the sde versions, very useful tools btw :o). I didn't try an xed other than that released with sde 1.13.. but will try the others. Thanks for the advice and have a great weekend..

Tim Wilkens