I am working on an error handler, but the more I read the Intel docs as to how instructions are formatted etc., the more confused I get. So I was hoping that if I provide one example, someone can assist me with where my confusion is.
If I have a "Divide by Zero" error, then the following is what I think is happening.
1.) I get the location of the error (given by the EIP copy of the actual IP when passed to my exception handler).
2.) If there is a prefix (up to 4 possible), I increment my EIP by 1 byte for each prefix (in this case none found, so I sit at offset 0).
3.) I then look at the opcode starting at where my pointer now is (in this case offset 0).
4.) I then determine if it is a 1-byte or 2-byte opcode (in this case I get "F7 /6").
Now for this particular example this becomes confusing to me, as the docs say:
/digit—A digit between 0 and 7 indicates that the ModR/M byte of the instruction uses
only the r/m (register or memory) operand. The reg field contains the digit that provides an
extension to the instruction's opcode.
which would be where my "/6" comes into play.
The rest of the below may be incorrect because I got confused at #4.
5.) At this point my opcode is F7 and 0, so if it is a 1-byte opcode (which I think it is) I look at the next byte for the ModR/M.
6.) If the ModR/M exists, then I increment to look at the SIB byte (at this point I now have Prefix = 0 bytes, OpCode = 1 byte, ModRM bytes = 1).
7.) If the SIB byte exists, then I increment on to the immediate and displacement bytes. But "Wait for it..... Wait for it...." where the heck do I find the immediate and displacement bytes? They could each be 1, 2, or 4 bytes... what did I miss?
Now I may be amiss in using divide by zero as an example, but I am more for figuring out the procedure than I am one particular code. If my guess is right, then in the case of my example:
1.) no prefix codes (none that I found anyway)
2.) 1-byte opcode
3.) 1-byte ModR/M
4.) 1-byte SIB
Total of 3 bytes to increment and look at the next instruction... but I could be WAYYYYyyyyy off because of the confusion points above.
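For the F7 /digit group the question asks about, the sizes of the SIB, displacement and immediate are all dictated by the ModR/M byte (mod and rm fields, plus the SIB base field) and by the reg field (/digit), not by fixed positions. The following 32-bit-mode length decoder is an added example written for this answer, not the poster's code; `f7_insn_length` is a hypothetical helper name, and it deliberately handles only opcode F7 so each decision stays visible.

```c
#include <stddef.h>
#include <stdint.h>

/* Length decoder for the F7 /digit group in 32-bit mode (hypothetical
   helper written for this answer, not the poster's code). Returns the
   instruction length in bytes, or 0 if the buffer is too short or the
   opcode is not F7. Layout: prefixes, opcode, ModR/M, [SIB], [disp], [imm]. */
size_t f7_insn_length(const uint8_t *p, size_t n)
{
    size_t i = 0;
    int opsize16 = 0;

    /* Step 1: skip legacy prefixes; remember 66h because it shrinks the immediate. */
    while (i < n) {
        uint8_t b = p[i];
        if (b == 0x66) opsize16 = 1;
        else if (!(b == 0x67 || b == 0xF0 || b == 0xF2 || b == 0xF3 || b == 0x26 ||
                   b == 0x2E || b == 0x36 || b == 0x3E || b == 0x64 || b == 0x65))
            break;
        i++;
    }
    /* Step 2: one-byte opcode F7 (TEST/NOT/NEG/MUL/IMUL/DIV/IDIV r/m32). */
    if (i >= n || p[i++] != 0xF7) return 0;

    /* Step 3: ModR/M always follows F7. The reg field is the /digit. */
    if (i >= n) return 0;
    uint8_t modrm = p[i++];
    uint8_t mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;

    /* Step 4: SIB only exists for a memory operand (mod != 3) with rm == 4. */
    uint8_t sib_base = 0xFF;                 /* 0xFF = no SIB byte */
    if (mod != 3 && rm == 4) {
        if (i >= n) return 0;
        sib_base = p[i++] & 7;
    }

    /* Step 5: displacement size comes from mod, plus two "no base register" cases. */
    if (mod == 1) i += 1;                                     /* disp8  */
    else if (mod == 2) i += 4;                                /* disp32 */
    else if (mod == 0 && (rm == 5 || sib_base == 5)) i += 4;  /* [disp32] */

    /* Step 6: only TEST (F7 /0) has an immediate: imm32, or imm16 after 66h. */
    if (reg == 0) i += opsize16 ? 2 : 4;

    return i <= n ? i : 0;                   /* 0 if disp/imm run past the buffer */
}
```

With this, `F7 F1` (div ecx) is 2 bytes, `F7 75 FC` (div dword [ebp-4]) is 3, and `F7 74 24 08` (div dword [esp+8]) is the first form that actually carries a SIB byte.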