
I can't figure out whether Ghidra is doing something messy in the decompiler or whether I've simply done enough reversing for today.

Assembly:

00400b76 48 83 45 f8 01       ADD        qword ptr [RBP + local_10],offset DAT_006020c1
            

where DAT_006020c1 is:

                             DAT_006020c1                                    XREF[2]:     
    006020c1 3c              undefined1 3Ch

So it should be a regular byte addition between local_10 and 0x3C, right?

Ghidra Decompiler output for this line:

local_10 = local_10 + 1;

So this makes no sense to me, because we aren't doing an addition with 0x1?

Regards

  • The instruction `48 83 45 xx yy` is `add qword [rbp + xx], yy`. (You're missing two of the instruction bytes in the first code block.) The second operand is an immediate value, not a value from memory. Apparently the immediate value is 1, not the address of DAT_006020c1. – prl Aug 02 '20 at 20:18
  • `add qword [rbp+something], immediate` can't be a 3-byte instruction: REX + opcode + modrm + disp8 + imm8 is 5 bytes. Or 8 bytes if it's a 32-bit immediate. (But in this case it's the opcode for a 1-byte sign-extended immediate.) x86-64 can't encode an instruction with two explicit memory operands. Note the `offset` keyword. – Peter Cordes Aug 02 '20 at 20:19
  • Fixed the missing instruction bytes now (copy/paste fault) –  Aug 02 '20 at 20:24
  • Okay, I should've noticed the opcodes: `83 45 f8 01` -> `add DWORD PTR [ebp-0x8],0x1`. But what does Ghidra mean with this DAT_006020c1? Radare and IDA translate it as 0x1. –  Aug 02 '20 at 20:28
  • is this the only machine code you are feeding the decompiler? – old_timer Aug 02 '20 at 20:30
  • No, the whole function (about 100 instructions). –  Aug 02 '20 at 20:33
  • Is this in an object file or executable with a symbol table? IDK why an immediate `1` would get treated as any kind of symbol reference. – Peter Cordes Aug 02 '20 at 20:34
  • It's an ELF x86 with a symbol table. –  Aug 02 '20 at 20:35
  • BTW, the decompilation makes perfect sense; the machine code clearly is just adding `1`, as an 8-bit immediate. https://www.felixcloutier.com/x86/add confirms that `REX.W=1 83` is the opcode for `add r/m64, imm8`. The weird thing is the disassembly labeling the immediate as `offset DAT_006020c1`. That would make an interesting question about ghidra's disassembler, but there's so much wrong with your assumptions in the question that it's hard to upvote. e.g. of course it's not adding a value from somewhere else in memory, that's impossible. – Peter Cordes Aug 03 '20 at 05:46
  • I agree with your opinion; that's why I asked this question, because the disassembly makes no sense to me. –  Aug 03 '20 at 05:59
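The encoding the comments walk through, as an added example that is not part of the original post and is not Ghidra, radare2 or IDA code: a small Python decoder and encoder for the Group 1 `add r/m, imm` forms (`83 /0 ib` with a sign-extended imm8, `81 /0 id` with an imm32), run over the five bytes from the listing. Only the `[base + disp8]` addressing form without a SIB byte is implemented, which is all this instruction needs. The ModRM byte carries exactly one r/m operand and uses its `reg` field as the `/0` opcode extension, so there is no place in these bytes for a second memory operand; the last byte is the immediate, and it is `01`. The encoder also shows what adding `0x3c` or the address `0x6020c1` would actually look like (5 and 8 bytes respectively), and decoding the bytes without the REX prefix shows why dropping it turns the operand into a dword. The byte string is copied from the question's listing; the function names and everything else are constructed here.

```python
"""Decode/encode x86-64 `add r/m, imm` (Group 1, /0) in the [base + disp8] form.

Added example; not code from Ghidra or from the question's author.
"""
import struct

# General-purpose registers indexed by (REX.B << 3) | ModRM.rm
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]

# The instruction bytes copied from the question's listing.
QUESTION_BYTES = bytes.fromhex("48 83 45 f8 01")


def decode_add_imm(code: bytes) -> dict:
    """Decode one `add [base + disp8], imm` at the start of `code`.

    Handles an optional REX prefix, opcode 0x83 (imm8, sign-extended) or
    0x81 (imm32, sign-extended) and ModRM with mod=01 and no SIB byte.
    Anything else is rejected to keep the example small.
    """
    i = 0
    rex_w, rex_b = False, 0
    if 0x40 <= code[i] <= 0x4F:              # REX prefix present
        rex_w = bool(code[i] & 0x08)         # REX.W: 64-bit operand size
        rex_b = (code[i] & 0x01) << 3        # REX.B: extends ModRM.rm
        i += 1

    opcode = code[i]
    i += 1
    if opcode not in (0x81, 0x83):
        raise ValueError(f"opcode {opcode:#04x} is not a Group 1 immediate form")

    modrm = code[i]
    i += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, (modrm & 7) | rex_b
    if reg != 0:                             # /0 selects ADD within Group 1
        raise ValueError(f"/{reg} is another Group 1 operation, not ADD")
    if mod != 0b01 or (rm & 7) == 0b100:     # need [base + disp8], no SIB
        raise ValueError("only [base + disp8] without SIB is supported here")

    disp = struct.unpack("<b", code[i:i + 1])[0]
    i += 1

    if opcode == 0x83:                       # one immediate byte, sign-extended
        imm = struct.unpack("<b", code[i:i + 1])[0]
        i += 1
    else:                                    # four immediate bytes, sign-extended
        imm = struct.unpack("<i", code[i:i + 4])[0]
        i += 4

    size = "qword" if rex_w else "dword"
    return {
        "length": i,
        "size": size,
        "base": REGS64[rm],
        "disp": disp,
        "imm": imm,
        "text": f"add {size} ptr [{REGS64[rm]}{disp:+#x}], {imm:#x}",
    }


def encode_add_mem_imm(base: str, disp: int, imm: int, qword: bool = True) -> bytes:
    """Encode `add [base + disp8], imm`, using the short 0x83 imm8 form when
    the immediate fits in a sign-extended byte and the 0x81 imm32 form otherwise."""
    rm = REGS64.index(base)
    if not -128 <= disp <= 127 or (rm & 7) == 0b100:
        raise ValueError("disp8 base form only, and no rsp/r12 base (needs SIB)")
    rex = 0x40 | (0x08 if qword else 0) | (rm >> 3)
    modrm = (0b01 << 6) | (0 << 3) | (rm & 7)   # mod=01, reg=/0 (ADD), rm=base
    out = bytearray()
    if rex != 0x40:                              # an empty REX is not emitted
        out.append(rex)
    if -128 <= imm <= 127:
        out += bytes([0x83, modrm]) + struct.pack("<b", disp) + struct.pack("<b", imm)
    else:
        out += bytes([0x81, modrm]) + struct.pack("<b", disp) + struct.pack("<i", imm)
    return bytes(out)


if __name__ == "__main__":
    print(decode_add_imm(QUESTION_BYTES)["text"])               # the question's bytes
    print(encode_add_mem_imm("rbp", -8, 0x3C).hex(" "))          # adding 0x3c instead
    print(encode_add_mem_imm("rbp", -8, 0x6020C1).hex(" "))      # adding the address
    print(decode_add_imm(bytes.fromhex("83 45 f8 01"))["text"])  # without the REX prefix
```

Run as a script it prints `add qword ptr [rbp-0x8], 0x1` for the listing's bytes, `48 83 45 f8 3c` for an add of `0x3c`, the eight-byte `48 81 45 f8 c1 20 60 00` for an add of `0x6020c1`, and `add dword ptr [rbp-0x8], 0x1` once the `48` prefix is dropped. Whatever Ghidra's `offset DAT_006020c1` annotation is, it is not something the bytes encode; the decompiler's `local_10 + 1` matches the machine code.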
