SharpDisasm
Wrong disasm
x64 Input: eb 02 90 90 eb 02 90 90 48 89 5c 24 08
Output:
0000000000000000 eb 02 jmp 0x4
0000000000000002 90 nop
0000000000000003 90 nop
0000000000000004 eb 02 jmp 0x8
0000000000000006 90 nop
0000000000000007 90 nop
0000000000000008 48 89 5c 24 08 mov [rsp+0x8], rbx
IDA output:
.text:000000018044F6FC ; =============== S U B R O U T I N E =====
.text:000000018044F6FC
.text:000000018044F6FC
.text:000000018044F6FC public MSO_5997
.text:000000018044F6FC MSO_5997 proc near ; CODE XREF: MSO_5252+D1↑p
.text:000000018044F6FC ; sub_18044F5BC+CE↑p ...
.text:000000018044F6FC jmp short loc_18044F700
.text:000000018044F6FC ; ---------------------------------------------------------------------------
.text:000000018044F6FE align 20h
.text:000000018044F700
.text:000000018044F700 loc_18044F700: ; CODE XREF: MSO_5997↑j
.text:000000018044F700 jmp short sub_18044F704
.text:000000018044F700 MSO_5997 endp
.text:000000018044F700
.text:000000018044F700 ; ---------------------------------------------------------------------------
.text:000000018044F702 align 4
.text:000000018044F704
.text:000000018044F704 ; =============== S U B R O U T I N E ======
.text:000000018044F704
.text:000000018044F704
.text:000000018044F704 sub_18044F704 proc near ; CODE XREF: MSO_5997:loc_18044F700↑j
.text:000000018044F704 ; DATA XREF: .pdata:00000001815CC594↓o
.text:000000018044F704
.text:000000018044F704 arg_0 = qword ptr 8
.text:000000018044F704
.text:000000018044F704 mov [rsp+arg_0], rbx
The result is correct; however, SharpDisasm starts the address at zero in CLI mode because it has no idea where your input bytes start.
Why is the offset of the 2nd jmp 0x8?
0x000000018044F6FC + 0x8 = 0x000000018044F704 = sub_18044F704
In general, what is the jmp offset relative to?
If you look at the byte code, you can see eb 02.
This is a short jump; the 02 is the target address relative to the next instruction:
8 (target) - 6 (next) = 02
Most disassemblers will show the absolute target address, so it shows 8 here.
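As an added example (not code from this issue thread or from SharpDisasm), the following Python walks the exact bytes posted above and resolves each short jump the way a disassembler does: target = address of the next instruction + sign-extended rel8. Run at base 0 it reproduces the 0x4 / 0x8 targets; run at the assumed load address 0x18044F6FC taken from the IDA listing it reproduces loc_18044F700 and sub_18044F704.

```python
# Added example: resolve x86 'jmp short' (EB ib) targets from raw bytes.
# Not SharpDisasm code; the input bytes are the ones quoted in this issue.

def rel8(b: int) -> int:
    """Interpret one byte as a signed 8-bit displacement (backward jumps are negative)."""
    return b - 0x100 if b & 0x80 else b


def decode_jumps(code: bytes, base: int = 0):
    """Walk the bytes, decoding only 'jmp short' (EB ib) and 'nop' (90).

    Returns (instructions, stop_offset). Each instruction is a tuple
    (address, mnemonic, absolute_target_or_None). The absolute target is
    next-instruction address + rel8, which is why the second jmp shows 0x8 at
    base 0 and 0x18044F704 once the real load address is supplied.
    Decoding stops at the first opcode this toy does not know (here the mov).
    """
    out = []
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op == 0xEB and pc + 1 < len(code):
            nxt = pc + 2                               # jmp short is 2 bytes long
            target = base + nxt + rel8(code[pc + 1])   # displacement is from the next insn
            out.append((base + pc, "jmp short", target))
            pc = nxt
        elif op == 0x90:
            out.append((base + pc, "nop", None))
            pc += 1
        else:
            break
    return out, pc


# Constructed from the bytes posted in the issue.
SAMPLE = bytes.fromhex("eb 02 90 90 eb 02 90 90 48 89 5c 24 08")

if __name__ == "__main__":
    for base in (0, 0x18044F6FC):   # 0 = SharpDisasm CLI default; other = IDA address
        insns, stop = decode_jumps(SAMPLE, base)
        for addr, mn, tgt in insns:
            print(f"{addr:016x} {mn}" + (f" 0x{tgt:x}" if tgt is not None else ""))
        print(f"undecoded tail at {base + stop:#x}: {SAMPLE[stop:].hex(' ')}\n")
```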