Part of GStreamer Family
SourceForge Logo


nopcodes is designed to manipulate instructions for multiple architectures in such a way as to allow a wide range of new applications. Existing programs can be disassembled and reassembled at run-time, as well as analyzed in all sorts of ways.


The first project written with nopcodes will be Hyperopt, and the first function written in that project was one that could find the absolute length of any function. The ELF headers of a binary contain the necessary information on the length of a function, but are only accessible through libelf operating on the original file. There is no known way (yet) to find the length of an arbitrary symbol handed to Hyperopt in the middle of an executing program.

The technique used in this case is to trace through the function instruction by instruction, keeping track of the maximum byte offset used. When a non-conditional branch is found, the function follows the branch to other parts of the code being inspected. When a conditional branch is encountered, it falls through, but only after recording the target address of the branch. As it walks through the code, it keeps a bitmask of which bytes it has analyzed so far, so that when it hits either a ret instruction or an instruction it has already seen, it continues by following the next pending branch target. When there are no more branch targets, it exits with the length of the function.

In order for this to be possible, the internals of the instruction must be available. The code must be able to find branches and their targets, at a minimum. By decoding instructions into an object that can be inspected, Hyperopt can detect a jump by the expected operand type as defined by the Intel reference manual: Jb.