
What's the meaning of %? at 402cce? Is this an invalid instruction?

402cca: 80 c6 28                add    $0x28,%dh
402ccd: 9d                      popf   
402cce: 8e 3e                   mov    (%esi),%?
402cd0: 23 7b 05                and    0x5(%ebx),%edi
402cd3: fc                      cld    
402cd4: b2 de                   mov    $0xde,%dl
Nate Eldredge
mxw
  • In case you didn't already realize, this looks like you're disassembling data, not bytes that were intended to decode as x86 machine code. Even apart from the load into a segment reg, this sequence of instructions looks weird, unlikely to be part of hand-written asm. (And even less likely compiler output.) – Peter Cordes Aug 23 '21 at 03:13

1 Answer

Yes, it's invalid. Opcode 8e is mov sreg, r/m, the instruction to load a segment register, where the desired segment register is to be encoded in the 3-bit reg field of the ModRM byte (bits 3-5). But there are only 6 segment registers, so having 110 or 111 in this field is undefined.

Nate Eldredge
  • So when executing the file, this instruction would be ignored/skipped, is it? – mxw Aug 23 '21 at 05:21
  • @mxw: Intel's manuals just say this encoding is "reserved" and say "do not use" without elaborating on what happens (SDM vol 2D table B-8). It might execute as a no-op, or cause an illegal instruction fault, or do something even stranger. You could test to see what it does on your system, but other CPUs might not behave the same. – Nate Eldredge Aug 23 '21 at 12:51
  • 1
    On my machine I get SIGILL, so I guess that's an invalid opcode exception (#UD). – Nate Eldredge Aug 23 '21 at 22:01
  • This code is a part of objdump output of a file named vs_installerservice.exe on Windows. When using dumpbin, I get 00402CCD: 9D popfd 00402CCE: 8E 3E mov st(-1),word ptr [esi] 00402CD0: 23 7B 05 and edi,dword ptr [ebx+5] 00402CD3: FC cld. For files built on Ubuntu, objdump never gets things like %? (for tested files of my project). So is there a reason caused by OS difference? But anyway, the architecture is the same. I'm not sure why these phenomena happen. – mxw Aug 25 '21 at 07:00
  • It seems that dumpbin chooses a different way to disassemble this invalid instruction - since it's invalid, there isn't really a right or wrong way. But either way, by far the most likely explanation is that you are disassembling a part of the file that is really data, and is not intended to be executed at all, so that interpreting it as instructions is just meaningless. Are you using a version of objdump that knows about .exe files and their format, so that it can accurately tell which parts are code and which are data? – Nate Eldredge Aug 25 '21 at 13:10
  • I'm working with a project using capstone to disassemble, focused on elf/linux. And with elf, I haven't gotten any errors or things like %? or "(bad)". However, for Windows files, these problems seem more common. I don't know whether the difference is caused by OS or compiler or other reasons. For elf, I'm not sure whether I should take objdump output as a standard to check and test my project, as there's a difference between objdump and capstone (open skipdata) when getting %? or "bad". But anyway, the mixture of data and instructions is still hard to solve perfectly in a static disassembler. – mxw Aug 25 '21 at 14:10
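The ModRM check the answer describes, as an added example (not code from the question, the answer, objdump or capstone): it splits the byte after opcode 8E into mod/reg/rm, maps reg 0-5 to the six segment registers, flags 6 and 7 as reserved, and renders the r/m operand in 32-bit AT&T syntax so the question's bytes `8e 3e` come out as `mov (%esi),%?`. The segment-register order (es, cs, ss, ds, fs, gs) and the 32-bit r/m register table are standard x86 ModRM facts; the `%?` rendering for the reserved case is an assumption that imitates objdump's output on the page.

```python
# Added example: decode the ModRM byte of "8E /r" (MOV Sreg, r/m) in 32-bit mode
# and report whether the reg field names a real segment register.

# reg field 0..5 selects a segment register; 6 and 7 are reserved (SDM table B-8).
SEGMENT_REGS = ["es", "cs", "ss", "ds", "fs", "gs"]
# rm field in 32-bit mode (mod != 11): base register; 100 = SIB, 101 = disp32 when mod == 00
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def split_modrm(byte):
    """Return (mod, reg, rm) from a ModRM byte: bits 6-7, 3-5, 0-2."""
    return (byte >> 6) & 0b11, (byte >> 3) & 0b111, byte & 0b111


def render_rm_operand(mod, rm):
    """Render the r/m operand in AT&T syntax (32-bit addressing).
    Displacement bytes and the SIB byte are not read; they are named symbolically."""
    if mod == 0b11:
        return f"%{REGS32[rm]}"
    if mod == 0b00:
        if rm == 0b101:
            return "disp32"
        if rm == 0b100:
            return "(sib)"
        return f"(%{REGS32[rm]})"
    base = "sib" if rm == 0b100 else f"%{REGS32[rm]}"
    return f"disp{8 if mod == 0b01 else 32}({base})"


def decode_mov_sreg(code, offset=0):
    """Decode the instruction at code[offset], which must start with opcode 8E.
    Returns a dict with the decoded fields, whether the encoding is defined,
    and an objdump-style AT&T rendering ("%?" marks the reserved reg values)."""
    if code[offset] != 0x8E:
        raise ValueError("expected opcode 8E at offset %d" % offset)
    mod, reg, rm = split_modrm(code[offset + 1])
    operand = render_rm_operand(mod, rm)
    if reg < len(SEGMENT_REGS):
        sreg = SEGMENT_REGS[reg]
        return {"valid": True, "mod": mod, "reg": reg, "rm": rm, "sreg": sreg,
                "operand": operand, "text": f"mov {operand},%{sreg}", "reason": ""}
    return {"valid": False, "mod": mod, "reg": reg, "rm": rm, "sreg": None,
            "operand": operand, "text": f"mov {operand},%?",
            "reason": f"reg field {reg:03b} is reserved: only values 0-5 name a segment register"}


if __name__ == "__main__":
    # Bytes from the question (constructed here from the listing at 402cce).
    for hexstr in ("8e3e", "8e1e", "8ed8"):
        r = decode_mov_sreg(bytes.fromhex(hexstr))
        print(hexstr, r["text"], "" if r["valid"] else "<- " + r["reason"])
```

Running it prints `mov (%esi),%?` for `8e 3e` (mod 00, reg 111, rm 110) with the reserved-field reason, while the neighbouring encodings `8e 1e` (`mov (%esi),%ds`) and `8e d8` (`mov %eax,%ds`) decode cleanly, which is what the answer means by the 3-bit reg field having only six defined values.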