
Yesterday, I ran into a problem when re-assembling a disassembly.
My experiment was as follows:

1. Disassemble binary_A into A.s  
2. Re-assemble A.s into binary_A'  



I expected binary_A and binary_A' to be completely identical.
However, they weren't!


1. The disassembly of binary_A was:

```
53                  #  push %ebx
83 ec 08            #  sub $0x8,%esp
81 c3 4b 1d 00 00   #  add $0x1d4b,%ebx
8b 83 fc ff ff ff   #  mov -0x4(%ebx),%eax      <= Here
85 c0               #  test %eax,%eax
```



2. I parsed it and made the A.s file:

```
push %ebx
sub $0x8,%esp
add $0x1d4b,%ebx
mov -0x4(%ebx),%eax
test %eax,%eax
```



3. Finally, I re-assembled it into binary_A' (look carefully at the arrow):

```
53                  #  push %ebx
83 ec 08            #  sub $0x8,%esp
81 c3 4b 1d 00 00   #  add $0x1d4b,%ebx
8b 43 fc            #  mov -0x4(%ebx),%eax     <= Here!
85 c0               #  test %eax,%eax
```



Here is my problem:
I want binary_A and binary_A' to be completely identical.
However, they weren't, because `mov eax, DWORD PTR [ebx - 0x4]` is assembled in a different way.

Question:
Can I direct the assembler to use a specific encoding?
(Using an assembler directive or something like that?)

Jiwon
  • On Linux, I used the GNU assembler, using the `as` command. – Jiwon Jul 24 '18 at 06:05
  • @MichaelPetch The code shown in the body is the result of gdb. However, the real code is written in AT&T style. Below is the actual code that I used. `push %ebx; sub $0x8,%esp; add $0x1d4b,%ebx; mov -0x4(%ebx),%eax; test %eax,%eax` – Jiwon Jul 24 '18 at 06:25
  • @최지원 you could have edited your previous question with the additional info. Also, this AT&T source can be part of your new question, just use [edit]. And generally, don't expect to receive an identical binary after binary->disasm->asm steps; that's not a common target for the common tools, so unless you are using some kind of specific disassembler+assembler pair (and I'm not aware of such, but I never needed that; when I was doing some binary patching, I was usually patching the binary directly) which is targeted to maintain binary identity, it will break in many spots (with ordinary tools). – Ped7g Jul 24 '18 at 06:30
  • BTW, did you try the advice from comments from previous question? `{disp32} mov -4(%ebx), %eax` was the one for AT&T. – Ped7g Jul 24 '18 at 06:42
  • @ped7g : gnu assembler only supports `addr32` and `data32` for an instruction like this unless you have a newer binutils (like 2.29+) – Michael Petch Jul 24 '18 at 07:11
  • Of course I forgot that the old versions of binutils support the instruction suffix `.d32`. This should work `mov.d32 -0x4(%ebx),%eax` – Michael Petch Jul 24 '18 at 07:18
  • My answer on the linked duplicate has details and examples (at the bottom) of the exact syntax for GAS and NASM. IDK why you deleted [your previous question of the same title](https://stackoverflow.com/questions/51483821/how-to-enforce-the-assembler-to-use-specific-encoding-for-machine-code-emission) which was also asking for asm syntax for longer-than-default instruction encodings. – Peter Cordes Jul 24 '18 at 13:22
  • @PeterCordes Thank you for the helpful comment. I re-wrote this question to explain my situation in more detail. @MichaelPetch Thank you very much! `.d32`,`.d8` was very helpful to my situation. – Jiwon Jul 26 '18 at 13:57
  • Note there is no reason to assume a disassembler which has one job, produces output compatible with an assembler which has another job. The disassembler is to help the human see the instructions in more readable form, not necessarily to create re-assembleable source. So you need to adjust your expectations accordingly. – old_timer Jul 26 '18 at 14:02
  • Once more I profoundly disagree with the idea that this is a duplicate. It is a demand for a reverse engineering assembler such as I can provide. The answer I would provide is not found nor related to any of the other questions marked as duplicates. Is there a way to protest towards the "powers that be" that do such things, or at least teach them what they miss? – Albert van der Horst May 07 '20 at 11:25
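
The encoding difference from the question, as an added example that is not part of the original post or its comments: a small Python decoder for the `8b /r` load form, showing that both byte sequences are the same instruction with different displacement widths, plus the GAS spelling mentioned in the comments that keeps the original width. The function names are hypothetical, and only the base-register-plus-displacement form without a SIB byte is handled.

```python
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_mov_8b(code: bytes):
    """Decode `8b /r` (mov r/m32 -> r32) with a disp(%base) operand, 32-bit mode.

    Returns (AT&T text, displacement width in bytes, instruction length).
    """
    if code[0] != 0x8B:
        raise ValueError("only opcode 0x8b is handled in this example")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    # mod=01 -> disp8, mod=10 -> disp32; rm=100 would mean a SIB byte follows.
    if mod not in (1, 2) or rm == 4:
        raise ValueError("only disp8/disp32 forms without SIB are handled")
    width = 1 if mod == 1 else 4
    (disp,) = struct.unpack_from("<b" if width == 1 else "<i", code, 2)
    sign = "-" if disp < 0 else ""
    text = f"mov {sign}{abs(disp):#x}(%{REGS[rm]}),%{REGS[reg]}"
    return text, width, 2 + width

def gas_line_preserving_width(code: bytes, old_binutils: bool = False) -> str:
    """Emit an AT&T line that asks GAS for the same displacement width.

    Newer binutils: {disp8}/{disp32} pseudo-prefix.
    Older binutils: .d8/.d32 mnemonic suffix (both named in the comments above).
    """
    text, width, _ = decode_mov_8b(code)
    bits = width * 8
    if old_binutils:
        mnemonic, operands = text.split(" ", 1)
        return f"{mnemonic}.d{bits} {operands}"
    return f"{{disp{bits}}} {text}"

if __name__ == "__main__":
    # The two encodings from the question (bytes copied from the listings).
    original = bytes.fromhex("8b83fcffffff")    # binary_A
    reassembled = bytes.fromhex("8b43fc")       # binary_A'
    for name, code in (("binary_A ", original), ("binary_A'", reassembled)):
        text, width, length = decode_mov_8b(code)
        print(f"{name}: {code.hex(' '):<18} {text}  disp{width * 8}, {length} bytes")
    print("A.s line:", gas_line_preserving_width(original))
    print("A.s line (old binutils):", gas_line_preserving_width(original, True))
```

A plain disassembly prints the same text for both encodings, so a re-assembly pipeline has to carry the displacement width as extra information alongside each instruction.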

0 Answers