x86 is Self-Healing?

If you know x86 assembly, you know that it’s pretty quirky and irregular. Instructions are between one and fifteen bytes long. You need to know the length of current instruction in order to find the beginning of the next.

Pie Chart

I’ve often wondered, if one got lost in the middle of an x86 byte stream, is there any way to get back on track? Well, I did an experiment and the results were sort-of surprising.

I took a 4k chunk of assembly from the middle of a C++ hello world program, and began disassembling it at arbitrary offsets. Well over half the time, the disassembler recovered in less than three instructions. In other words, it got zero, one, or two instructions wrong. It was never confused for more than 12 instructions.

I investigated a little further, and here’s my explanation: quite often, if you lop off the first byte or two of an x86 instruction, you get another valid x86 instruction which ends on the same byte.


%d bloggers like this: