
An interesting thing worth mentioning here is that many of these techniques work because x86 is a variable-length instruction set. A fixed-length instruction set (i.e., ARM) specifies jump targets as instruction offsets, not byte/word, so you can't jump into the middle of an instruction.



Ah, but Thumb code can use two 16-bit values (T32). But if I remember correctly, the first and second such sequence will have disjoint values, so you can't misinterpret the second 16-bit value as the beginning of an instruction. This is, btw, also true for UTF-8.


With fixed width instruction sets there are similar tricks that trip up IDA's style of analysis. For example, this MIPS code:

        bal 1f
        nop
        .word DATA      /* some data */
     1: lw REG, 0(ra)   /* some destination register */

Despite it being unreachable, it will attempt to disassemble the word after the branch/nop rather than recognizing it as data.
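Added example, not part of the comment above: a toy Python disassembler that runs both a linear sweep and a flow-following (recursive descent) pass over a constructed MIPS32 encoding of that bal/nop/.word/lw sequence, showing how the sweep decodes the data word as an instruction while the flow-following pass, which honours the delay slot and the branch target, lists it as data. The register names, the DATA value and the three-opcode decoder are assumptions made for the demonstration.

```python
import struct

# Constructed MIPS32 big-endian image of the four-word sequence in the comment above:
#   0x0: bal 1f     REGIMM op, rs=$zero, rt=BGEZAL, offset = 2 words past the delay slot
#   0x4: nop
#   0x8: .word DATA value chosen so it ALSO decodes as a plausible "lw $v0, 16($a0)"
#   0xc: 1: lw $t0, 0($ra)
CODE = bytes.fromhex("04110002" "00000000" "8c820010" "8fe80000")
REGS = {0: "$zero", 2: "$v0", 4: "$a0", 8: "$t0", 31: "$ra"}  # only those used here

def words(code):
    """Yield (address, word) pairs for a 4-byte-aligned big-endian image."""
    for i in range(0, len(code), 4):
        yield i, struct.unpack(">I", code[i:i + 4])[0]

def decode(pc, word):
    """Minimal decoder (nop, bal, lw). Returns (text, branch_target_or_None)."""
    op, rs, rt, imm = word >> 26, (word >> 21) & 31, (word >> 16) & 31, word & 0xFFFF
    if word == 0:
        return "nop", None
    if op == 0x01 and rs == 0 and rt == 0x11:  # bgezal $zero, i.e. bal
        off = imm - 0x10000 if imm & 0x8000 else imm
        target = pc + 4 + 4 * off  # offset is relative to the delay slot
        return f"bal 0x{target:x}", target
    if op == 0x23:
        return f"lw {REGS.get(rt, rt)}, {imm}({REGS.get(rs, rs)})", None
    return f"unknown 0x{word:08x}", None

def linear_sweep(code):
    """Decode every word in address order without asking whether it is reachable."""
    return {pc: decode(pc, w)[0] for pc, w in words(code)}

def recursive_descent(code, entry=0):
    """Follow control flow: after bal, decode only the delay slot, then resume at the
    target. Words that are never reached are listed as data."""
    mem, listing, worklist = dict(words(code)), {}, [entry]
    while worklist:
        pc = worklist.pop()
        while pc in mem and pc not in listing:
            text, target = decode(pc, mem[pc])
            listing[pc] = text
            if target is not None:  # unconditional branch: delay slot, then jump
                listing[pc + 4] = decode(pc + 4, mem[pc + 4])[0]
                worklist.append(target)
                break  # nothing falls through past the delay slot
            pc += 4
    for pc, w in mem.items():
        listing.setdefault(pc, f".word 0x{w:08x}")
    return dict(sorted(listing.items()))
```

Calling linear_sweep(CODE) lists address 0x8 as lw $v0, 16($a0), whereas recursive_descent(CODE) lists it as .word 0x8c820010.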





