Hi,

I'm sorry if this is a really noob question. I'm using otool to disassemble a file and this is the result of a method that I'm interested in:

_KTDriverIsRunning:
0000000000000d98 pushq %rbp
0000000000000d99 movq %rsp,%rbp
0000000000000d9c xorl %eax,%eax
0000000000000d9e testq %rdi,%rdi
0000000000000da1 je 0x00000dac
0000000000000da3 xorl %eax,%eax
0000000000000da5 cmpl $__mh_dylib_header,0x14(%rdi)
0000000000000da9 setne %al
0000000000000dac movzbl %al,%eax
0000000000000daf leave
0000000000000db0 ret

As you can see, the first column is not continuous. Does this mean there are some instructions that otool can't disassemble? Or does this mean that some assembly instructions just have different lengths as actual (machine) instructions?

Thank you!

+3  A: 

Some assembly instructions just have different lengths as actual (machine) instructions.

For instance, pushq %rbp is 1 byte long (55), but testq %rdi,%rdi needs 3 bytes to represent (48 85 ff). This variable-length encoding is one of the characteristics of x86(-64). Some instructions may be as long as 15 bytes.

There's nothing wrong with otool here.

KennyTM
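As an added illustration of KennyTM's point (example code, not from the original thread): the script below parses the listing from the question, derives each instruction's length from the gap to the next address, and checks those gaps against hand-assembled x86-64 encodings. The cmpl at 0xda5 occupies 4 bytes, which is the sign-extended 8-bit immediate form (opcode 0x83 /7 with an 8-bit displacement), so it is left out of the byte table because otool shows its immediate only symbolically.

```python
import re

# Constructed input: the otool listing quoted in the question.
LISTING = """\
_KTDriverIsRunning:
0000000000000d98 pushq %rbp
0000000000000d99 movq %rsp,%rbp
0000000000000d9c xorl %eax,%eax
0000000000000d9e testq %rdi,%rdi
0000000000000da1 je 0x00000dac
0000000000000da3 xorl %eax,%eax
0000000000000da5 cmpl $__mh_dylib_header,0x14(%rdi)
0000000000000da9 setne %al
0000000000000dac movzbl %al,%eax
0000000000000daf leave
0000000000000db0 ret
"""

# Standard x86-64 encodings, hand-assembled here (not taken from the page).
# The cmpl is omitted because otool shows its immediate only symbolically.
KNOWN_ENCODINGS = {
    "pushq %rbp": bytes.fromhex("55"),
    "movq %rsp,%rbp": bytes.fromhex("4889e5"),
    "xorl %eax,%eax": bytes.fromhex("31c0"),
    "testq %rdi,%rdi": bytes.fromhex("4885ff"),
    "je 0x00000dac": bytes.fromhex("7409"),  # rel8 = 0xdac - 0xda3 = 9
    "setne %al": bytes.fromhex("0f95c0"),
    "movzbl %al,%eax": bytes.fromhex("0fb6c0"),
    "leave": bytes.fromhex("c9"),
    "ret": bytes.fromhex("c3"),
}

def parse_listing(text):
    """Return [(address, instruction_text), ...] for the address-prefixed lines."""
    rows = re.findall(r"^([0-9a-f]{16})\s+(.+)$", text, re.M)
    return [(int(addr, 16), asm.strip()) for addr, asm in rows]

def instruction_lengths(text, last_len=1):
    """Each instruction's length is the gap to the next address; the final
    instruction has no successor, so `last_len` (1 for ret) is an assumption."""
    insns = parse_listing(text)
    gaps = [nxt - cur for (cur, _), (nxt, _) in zip(insns, insns[1:])]
    return [(asm, n) for (_, asm), n in zip(insns, gaps + [last_len])]

def mismatches(text):
    """Instructions whose address gap disagrees with the hand-assembled length."""
    return [(asm, n, len(KNOWN_ENCODINGS[asm]))
            for asm, n in instruction_lengths(text)
            if asm in KNOWN_ENCODINGS and n != len(KNOWN_ENCODINGS[asm])]
```

Printing `instruction_lengths(LISTING)` shows lengths from 1 to 4 bytes for this one function, and `mismatches(LISTING)` comes back empty, confirming the gaps are just the variable-length encoding, not skipped bytes.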
A: 

Hi KennyTM, Thank you very much! That is a very clear answer. (Sorry for having to reply this way. I can't find the 'add a comment' link after clearing the browser cache.)

Can I ask another question? Is there a way to resolve the $__mh_dylib_header in 0000000000000da5 cmpl $__mh_dylib_header,0x14(%rdi)?

Thanks!

ifvc