flat assembler
Message board for the users of flat assembler.

The importance of a disassembler by hopcode (output source) (Projects and Ideas)

hopcode



Joined: 04 Mar 2008
Posts: 563
Location: Germany
- They need to use Visual C++ because it is a wonderful tool. (They!)
- They want Visual C++ to output asm-ed code
- They require that Fasm reassemble that sort of like-asm-ed code
but Fasm cannot yet do so simply the miracles from the Sky that they claim, so
- They invest time in studying deeply macros for Fasm&Fun (i will copyright this dword!!!)
- They let their macro-prog eat the VC asm-ed outputted code
- They take the output of the macro-prog
- They purge the macroed output by hand of the few sillinesses and textual imperfections
- They let Fasm eat the output of the macro-prog
but Fasm refuses to compile again because there is too little memory for symbols, so
- They post a thread to ask Tomasz for a new more-memory-integral-feature
- They receive full fasm answer-satisfaction (I cannot say from whom. Should I say from whom?)
- They, with the right solution, increment memory for fasm with the -m switch option
Seriously speaking: this is a secure feature; it will be continued for eternity!!
- And here is the recompiled fas-t application ready to be launched.
- Also, They are launching a fas-t application that is
the fasm-output
of the macro-prog output
from the VC output
made in Microsoft VC++

-- -------------------
Ok, I like girls!

But you could:
Give your App to di-fasm. It does Fasm code.
Now modify it. Reassemble it with fasm. Stop.

A screenshot of my 4kb di-fasm follows.
It is only a baby!!!! Please have patience, it will grow.
Hope it turns out to be funny for the majority of you.

Regards,
hopcode


Attachment: fasm_disasm.gif (40.06 KB) - Di-fasm disassembling part of itself




Last edited by hopcode on 07 Jul 2009, 09:41; edited 1 time in total
Post 26 Jun 2009, 14:33
hopcode



Joined: 04 Mar 2008
Posts: 563
Location: Germany
Updated at [Tuesday] - 07 July 2009 - 11:31:33
di-fasm disassembling itself...
Enjoy,
hopcode[mrk]
Code:
 ; di-fasm disassembler 
 ; Copyright c 2009, Marc Rainer Kranz.
 ; All rights reserved.

 ; This is the correct disassembled code of di-fasm disassembling
 ; itself. This code stops at 403C0Bh, because analysis of DD data in
 ; the code is not yet implemented. It parses all the main instructions
 ; for 1-byte opcodes, plus some main 0F-prefixed opcodes.
 ; This code is fully compilable with fasm using
 ; format binary
 ; use32
 ; at the moment.

 403000 2  XOR EAX,EAX 
 403002 5  MOV ESI,0x403000 ;<--- disassemble itself
 403007 2  XOR EDX,EDX
 403009 5  MOV ECX,0x1079             ;<--- size .code section to disassemble
 40300E 5  MOV EDI,0x402000     ;<--- .data section 
 403013 2  TEST ECX,ECX
 403015 6  JE 0xB2                                    ;<--- relative addresses not yet calculated
 40301B 6  MOV DWORD0x402A58,ESI  ;<-------------- and now...----
 403021 6  MOV DWORD0x402A5C,ECX      ;<----go!! go!! go!!-----------
 403027 6  MOV DWORD0x402A60,ESI      ;<-- --------------------------
 40302D 2  XOR EDX,EDX
 40302F 1  LODSB
 403030 1  DEC ECX
 403031 6  JS 0x96
 403037 2  CMP AL,0xF3
 403039 2  JE 0x14
 40303B 5  MOV BYTE0x402A77,AL
 403040 2  CMP AL,0x0F
 403042 2  JE 0x1D
 403044 2  CMP AL,0x66
 403046 2  JE 0x10
 403048 5  MOV EBX,0x4026C4
 40304D 2  JMP 0x25
 40304F 7  OR BYTE0x402A76,0x10
 403056 2  JMP 0xD7
 403058 7  OR BYTE0x402A76,0x01
 40305F 2  JMP 0xCE
 403061 3  SHL EAX,0x08
 403064 1  LODSB 
 403065 1  DEC ECX
 403066 2  MOV DL,AL
 403068 5  MOV EBX,0x4028C4
 40306D 5  MOV BYTE0x402A78,AL
 403072 2  JMP 0x02
 403074 2  MOV DL,AL
 403076 1  PUSH EBX
 403077 1  PUSH EDI
 403078 1  PUSH EBP
 403079 4  MOVZX EDX,WORDEBX+EDX
 40307D 6  ADD EDX,0x4030D4
 403083 2  CALL EDX
 403085 2  TEST EAX,EAX
 403087 2  JE 0x45
 403089 2  JS 0x34
 40308B 1  PUSH ECX
 40308C 1  PUSH EAX
 40308D 7  MOVZX EAX,BYTE0x402A75
 403094 5  PUSH 0x402000
 403099 1  PUSH EAX
 40309A 6  PUSH DWORD0x402A60
 4030A0 5  PUSH 0x402A48
 4030A5 6  CALL DWORD0x40103C
 4030AB 3  ADD ESP,0x10
 4030AE 6  LEA EDI,DWORD0x402A68
 4030B4 5  MOV ECX,0x22
 4030B9 2  XOR EAX,EAX
 4030BB 2  STOSB 
 4030BD 1  POP EAX
 4030BE 1  POP ECX
 4030BF 1  POP EBP
 4030C0 1  POP EDI
 4030C1 1  POP EBX
 4030C2 2  TEST ECX,ECX
 4030C4 2  JE 0x07
 4030C6 2  XOR EAX,EAX
 4030C8 5  JMP 0xFFFFFF5A
 4030CD 1  RET 
 4030CE 2  XOR ECX,ECX
 4030D0 2  JMP 0xED
 4030D2 1  NOP 
 4030D3 1  NOP 
 4030D4 5  PUSH 0x403C38
 4030D9 5  CALL 0x0E2B
 4030DE 7  MOV BYTE0x402A74,0x01
 4030E5 5  JMP 0x020F
 4030EA 5  PUSH 0x40231B
 4030EF 5  JMP 0xE5
 4030F4 5  PUSH 0x402446
 4030F9 5  JMP 0xDB
 4030FE 5  PUSH 0x402302
 403103 5  JMP 0xD1
 403108 5  PUSH 0x402428
 40310D 5  JMP 0xC7
 403112 5  PUSH 0x40230C
 403117 5  JMP 0xBD
 40311C 5  PUSH 0x402440
 403121 5  JMP 0xB3
 403126 5  PUSH 0x40242E
 40312B 5  JMP 0xA9
 403130 5  PUSH 0x4022FD
 403135 5  JMP 0x9F
 40313A 5  PUSH 0x402325
 40313F 5  JMP 0x95
 403144 5  PUSH 0x402452
 403149 5  JMP 0x8B
 40314E 5  PUSH 0x402320
 403153 5  JMP 0x81
 403158 5  PUSH 0x40244C
 40315D 2  JMP 0x7A
 40315F 5  PUSH 0x402316
 403164 2  JMP 0x73
 403166 5  PUSH 0x402434
 40316B 2  JMP 0x6C
 40316D 5  PUSH 0x40243A
 403172 2  JMP 0x65
 403174 5  PUSH 0x402311
 403179 2  JMP 0x5E
 40317B 5  PUSH 0x403C7C
 403180 5  CALL 0x0D84
 403185 2  TEST DL,DL
 403187 2  JE 0x2E
 403189 7  MOV BYTE0x402A74,0x04
 403190 5  JMP 0x0164
 403195 5  CALL 0x0CD0
 40319A 5  PUSH 0x402208
 40319F 5  CALL 0x0C75
 4031A4 2  JMP 0x11
 4031A6 5  PUSH 0x403C38
 4031AB 2  JMP 0x05
 4031AD 5  PUSH 0x403C58
 4031B2 5  CALL 0x0D52
 4031B7 7  MOV BYTE0x402A74,0x02
 4031BE 5  JMP 0x0136
 4031C3 5  PUSH 0x403C1C
 4031C8 5  CALL 0x0D3C
 4031CD 7  MOV BYTE0x402A74,0x04
 4031D4 5  JMP 0x0120
 4031D9 7  MOV BYTE0x402A74,0x04
 4031E0 2  JMP 0x37
 4031E2 5  PUSH 0x403C38
 4031E7 5  CALL 0x0D1D
 4031EC 7  MOV BYTE0x402A7B,0x01
 4031F3 5  JMP 0x0101
 4031F8 5  PUSH 0x40234D
 4031FD 2  JMP 0x1A
 4031FF 5  PUSH 0x4024B0
 403204 2  JMP 0x13
 403206 5  PUSH 0x402352
 40320B 2  JMP 0x0C
 40320D 5  PUSH 0x402208
 403212 2  JMP 0x05
 403214 5  PUSH 0x40233E
 403219 5  CALL 0x0C4C
 40321E 5  CALL 0x0BF6
 403223 5  JMP 0xD1
 403228 5  PUSH 0x402208
 40322D 5  CALL 0x0BE7
 403232 2  AND AL,0x07
 403234 3  MOVZX EDX,AL
 403237 8  MOV AX,WORDEDX*04+0x402040
 40323F 2  JMP 0x79
 403241 5  PUSH 0x40221C
 403246 5  CALL 0x0BCE
 40324B 5  CALL 0x0BF3
 403250 5  CALL 0x0DA8
 403255 2  MOV AL,0x2C
 403257 1  STOSB 
 403258 4  MOV AX,0x4C41
 40325C 2  STOSD 
 40325E 5  JMP 0x0B7F
 403263 5  PUSH 0x402208
 403268 5  CALL 0x0BAC
 40326D 7  MOV BYTE0x402A7B,0x00
 403274 2  JMP 0x1A
 403276 7  MOV BYTE0x402A74,0x04
 40327D 5  PUSH 0x402208
 403282 5  CALL 0x0B92
 403287 4  MOV AX,0x4C41
 40328B 2  STOSD 
 40328D 2  MOV AL,0x2C
 40328F 1  STOSB 
 403290 2  MOV AL,0x02
 403292 2  JMP 0x7D
 403294 5  PUSH 0x403C58
 403299 5  CALL 0x0C65
 40329E 2  JMP 0x16
 4032A0 5  PUSH 0x402161
 4032A5 5  CALL 0x0B6F
 4032AA 2  JMP 0x0A
 4032AC 5  PUSH 0x40233E
 4032B1 5  CALL 0x0B63
 4032B6 4  MOV AX,0x4C41
 4032BA 2  STOSD 
 4032BC 7  MOV BYTE0x402A74,0x02
 4032C3 5  JMP 0x012E
 4032C8 5  PUSH 0x403C58
 4032CD 5  CALL 0x0C49
 4032D2 5  CALL 0x0C69
 4032D7 1  PUSH EAX
 4032D8 5  PUSH 0x402040
 4032DD 5  CALL 0x0BC7
 4032E2 7  MOV BYTE0x402A74,0x04
 4032E9 2  MOV AL,0x2C
 4032EB 1  STOSB 
 4032EC 1  POP EAX
 4032ED 2  JMP 0x22
 4032EF 5  PUSH 0x403C58
 4032F4 5  CALL 0x0C22
 4032F9 5  CALL 0x0C42
 4032FE 2  CMP AL,0x09
 403300 2  JNE 0x0F
 403302 5  PUSH 0x402040
 403307 5  CALL 0x0BB4
 40330C 5  JMP 0xE5
 403311 2  CMP AL,0x02
 403313 2  JNE 0x1E
 403315 5  CALL 0x0B14
 40331A 6  MOV DWORDEDI,0x45545942
 403320 3  ADD EDI,0x04
 403323 2  MOV AL,0x5B
 403325 1  STOSB 
 403326 5  CALL 0x0CCC
 40332B 2  MOV AL,0x5D
 40332D 1  STOSB 
 40332E 5  JMP 0xC3
 403333 2  CMP AL,0x01
 403335 2  JNE 0x1E
 403337 6  MOV DWORDEDI,0x45545942
 40333D 3  ADD EDI,0x04
 403340 2  MOV AL,0x5B
 403342 1  STOSB 
 403343 5  PUSH 0x4020A0
 403348 5  CALL 0x0B73
 40334D 2  MOV AL,0x5D
 40334F 1  STOSB 
 403350 5  JMP 0xA1
 403355 2  CMP AL,0x04
 403357 2  JNE 0x28
 403359 6  MOV DWORDEDI,0x45545942
 40335F 3  ADD EDI,0x04
 403362 2  MOV AL,0x5B
 403364 1  STOSB 
 403365 5  PUSH 0x4020A0
 40336A 5  CALL 0x0B51
 40336F 2  MOV AL,0x2B
 403371 1  STOSB 
 403372 5  CALL 0x0AB7
 403377 5  CALL 0x0C7B
 40337C 2  MOV AL,0x5D
 40337E 1  STOSB 
 40337F 2  JMP 0x75
 403381 2  CMP AL,0x05
 403383 2  JNE 0x35
 403385 6  MOV DWORDEDI,0x45545942
 40338B 3  ADD EDI,0x04
 40338E 2  MOV AL,0x5B
 403390 1  STOSB 
 403391 5  PUSH 0x4020A0
 403396 5  CALL 0x0B05
 40339B 2  MOV AL,0x2B
 40339D 1  STOSB 
 40339E 5  PUSH 0x4020A0
 4033A3 5  CALL 0x0AEF
 4033A8 2  MOV AL,0x2B
 4033AA 1  STOSB 
 4033AB 5  CALL 0x0A82
 4033B0 5  CALL 0x0C42
 4033B5 2  MOV AL,0x5D
 4033B7 1  STOSB 
 4033B8 2  JMP 0x3C
 4033BA 2  CMP AL,0x06
 4033BC 2  JNE 0x46
 4033BE 6  MOV DWORDEDI,0x45545942
 4033C4 3  ADD EDI,0x04
 4033C7 2  MOV AL,0x5B
 4033C9 1  STOSB 
 4033CA 5  PUSH 0x4020A0
 4033CF 5  CALL 0x0ACC
 4033D4 2  MOV AL,0x2B
 4033D6 1  STOSB 
 4033D7 5  PUSH 0x4020A0
 4033DC 5  CALL 0x0AB6
 4033E1 5  CALL 0x0A17
 4033E6 2  MOV AL,0x2B
 4033E8 1  STOSB 
 4033E9 5  CALL 0x0A40
 4033EE 5  CALL 0x0C04
 4033F3 2  MOV AL,0x5D
 4033F5 1  STOSB 
 4033F6 5  MOV AL,BYTE0x402A74
 4033FB 2  TEST AL,0x04
 4033FD 2  JE 0x05
 4033FF 5  JMP 0x09DE
 403404 2  TEST AL,0x02
 403406 2  JE 0x07
 403408 5  CALL 0x0A36
 40340D 2  JMP 0x0B
 40340F 2  TEST AL,0x01
 403411 2  JE 0x14
 403413 7  MOV BYTE0x402A86,0x01
 40341A 2  MOV AL,0x2C
 40341C 1  STOSB 
 40341D 5  CALL 0x0BDB
 403422 5  JMP 0x09BB
 403427 2  MOV AL,0x2C
 403429 1  STOSB 
 40342A 5  PUSH 0x402040
 40342F 5  CALL 0x0A75
 403434 5  JMP 0x09A9
 403439 1  NOP 
 40343A 1  NOP 
 40343B 1  NOP 
 40343C 5  CALL 0x0A29
 403441 5  PUSH 0x4023EC
 403446 5  CALL 0x09CE
 40344B 7  MOV BYTE0x402A74,0x04
 403452 5  PUSH 0x4020A0
 403457 5  CALL 0x0A4D
 40345C 7  MOV BYTE0x402A76,0x01
 403463 2  MOV AL,0x2C
 403465 1  STOSB 
 403466 5  CALL 0x0AD5
 40346B 2  CMP AL,0x09
 40346D 6  JNE 0x029C
 403473 5  PUSH 0x402060
 403478 5  CALL 0x0A43
 40347D 5  JMP 0x0960
 403482 5  PUSH 0x4023EC
 403487 5  CALL 0x098D
 40348C 5  CALL 0x09D9
 403491 7  MOV BYTE0x402A74,0x04
 403498 5  PUSH 0x4020A0
 40349D 5  CALL 0x0A07
 4034A2 2  MOV AL,0x2C
 4034A4 1  STOSB 
 4034A5 5  JMP 0xFFFFFE4F
 4034AA 5  PUSH 0x403C58
 4034AF 5  CALL 0x0A55
 4034B4 7  MOV BYTE0x402A74,0x02
 4034BB 5  JMP 0x0237
 4034C0 5  PUSH 0x403C38
 4034C5 5  CALL 0x0A3F
 4034CA 7  MOV BYTE0x402A74,0x02
 4034D1 5  JMP 0x0221
 4034D6 5  PUSH 0x403C38
 4034DB 5  CALL 0x0A29
 4034E0 7  MOV BYTE0x402A74,0x01
 4034E7 5  JMP 0x020B
 4034EC 5  PUSH 0x403C7C
 4034F1 5  CALL 0x0A13
 4034F6 2  TEST DL,DL
 4034F8 2  JE 0x27
 4034FA 7  MOV BYTE0x402A74,0x04
 403501 5  JMP 0x01F1
 403506 5  CALL 0x095F
 40350B 5  PUSH 0x402208
 403510 5  CALL 0x0904
 403515 2  JMP 0x0A
 403517 5  PUSH 0x403C58
 40351C 5  CALL 0x09E8
 403521 7  MOV BYTE0x402A74,0x20
 403528 7  TEST BYTE0x402A76,0x01
 40352F 6  JE 0x01C2
 403535 7  MOV BYTE0x402A74,0x10
 40353C 5  JMP 0x01B6
 403541 5  PUSH 0x402220
 403546 5  CALL 0x08CE
 40354B 5  CALL 0x091A
 403550 2  JMP 0x0A
 403552 5  PUSH 0x403C1C
 403557 5  CALL 0x09AD
 40355C 7  MOV BYTE0x402A74,0x04
 403563 5  JMP 0x018F
 403568 5  PUSH 0x403C38
 40356D 5  CALL 0x0997
 403572 7  MOV BYTE0x402A74,0x40
 403579 5  JMP 0x0179
 40357E 5  PUSH 0x40234D
 403583 2  JMP 0x1A
 403585 5  PUSH 0x4024B0
 40358A 2  JMP 0x13
 40358C 5  PUSH 0x402352
 403591 2  JMP 0x0C
 403593 5  PUSH 0x402208
 403598 2  JMP 0x05
 40359A 5  PUSH 0x40233E
 40359F 5  CALL 0x08C6
 4035A4 5  CALL 0x0870
 4035A9 5  JMP 0x0149
 4035AE 5  PUSH 0x402208
 4035B3 5  CALL 0x0861
 4035B8 2  AND AL,0x07
 4035BA 3  MOVZX EDX,AL
 4035BD 5  MOV EAX,0x4020A0
 4035C2 7  TEST BYTE0x402A76,0x01
 4035C9 2  JE 0x05
 4035CB 5  MOV EAX,0x402060
 4035D0 1  PUSH EAX
 4035D1 1  PUSH EDX
 4035D2 5  CALL 0x0A85
 4035D7 5  JMP 0xA5
 4035DC 5  PUSH 0x40221C
 4035E1 5  CALL 0x0833
 4035E6 5  CALL 0x0858
 4035EB 5  CALL 0x0A0D
 4035F0 2  MOV AL,0x2C
 4035F2 1  STOSB 
 4035F3 2  MOV AL,0x45
 4035F5 1  STOSB 
 4035F6 4  MOV AX,0x5841
 4035FA 2  STOSD 
 4035FC 5  JMP 0x07E1
 403601 5  PUSH 0x402208
 403606 5  CALL 0x080E
 40360B 7  MOV BYTE0x402A7B,0x00
 403612 2  JMP 0x1D
 403614 7  MOV BYTE0x402A74,0x04
 40361B 5  PUSH 0x402208
 403620 5  CALL 0x07F4
 403625 2  MOV AL,0x45
 403627 1  STOSB 
 403628 4  MOV AX,0x5841
 40362C 2  STOSD 
 40362E 2  MOV AL,0x2C
 403630 1  STOSB 
 403631 2  MOV AL,0x02
 403633 5  JMP 0xD7
 403638 5  PUSH 0x403C58
 40363D 5  CALL 0x08C1
 403642 2  JMP 0x2B
 403644 5  PUSH 0x402161
 403649 5  CALL 0x07CB
 40364E 7  TEST BYTE0x402A76,0x01
 403655 2  JNE 0x03
 403657 2  MOV AL,0x45
 403659 1  STOSB 
 40365A 4  MOV AX,0x5841
 40365E 2  STOSD 
 403660 5  JMP 0xFFFFFC57
 403665 5  PUSH 0x40233E
 40366A 5  CALL 0x07AA
 40366F 7  TEST BYTE0x402A76,0x01
 403676 2  JNE 0x03
 403678 2  MOV AL,0x45
 40367A 1  STOSB 
 40367B 4  MOV AX,0x5841
 40367F 2  STOSD 
 403681 7  MOV BYTE0x402A74,0x20
 403688 7  TEST BYTE0x402A76,0x01
 40368F 6  JE 0x01E9
 403695 7  MOV BYTE0x402A74,0x10
 40369C 5  JMP 0x01DD
 4036A1 5  PUSH 0x4021FC
 4036A6 5  CALL 0x076E
 4036AB 5  CALL 0x07BA
 4036B0 5  PUSH 0x4020A0
 4036B5 5  CALL 0x07EF
 4036BA 2  MOV AL,0x2C
 4036BC 1  STOSB 
 4036BD 7  MOV BYTE0x402A74,0x04
 4036C4 2  JMP 0x31
 4036C6 5  PUSH 0x403C58
 4036CB 5  CALL 0x084B
 4036D0 5  CALL 0x086B
 4036D5 1  PUSH EAX
 4036D6 5  PUSH 0x4020A0
 4036DB 5  CALL 0x07C9
 4036E0 7  MOV BYTE0x402A74,0x04
 4036E7 2  MOV AL,0x2C
 4036E9 1  STOSB 
 4036EA 1  POP EAX
 4036EB 2  JMP 0x22
 4036ED 5  PUSH 0x403C58
 4036F2 5  CALL 0x0824
 4036F7 5  CALL 0x0844
 4036FC 2  CMP AL,0x09
 4036FE 2  JNE 0x0F
 403700 5  PUSH 0x4020A0
 403705 5  CALL 0x07B6
 40370A 5  JMP 0x016F
 40370F 2  CMP AL,0x02
 403711 2  JNE 0x1D
 403713 5  CALL 0x0716
 403718 6  PUSH DWORD0x402A76
 40371E 5  CALL 0x07B2
 403723 5  CALL 0x08CF
 403728 2  MOV AL,0x5D
 40372A 1  STOSB 
 40372B 5  JMP 0x014E
 403730 2  CMP AL,0x01
 403732 2  JNE 0x1D
 403734 6  PUSH DWORD0x402A76
 40373A 5  CALL 0x0796
 40373F 5  PUSH 0x4020A0
 403744 5  CALL 0x0777
 403749 2  MOV AL,0x5D
 40374B 1  STOSB 
 40374C 5  JMP 0x012D
 403751 2  CMP AL,0x04
 403753 2  JNE 0x2A
 403755 6  PUSH DWORD0x402A76
 40375B 5  CALL 0x0775
 403760 5  PUSH 0x4020A0
 403765 5  CALL 0x0756
 40376A 2  MOV AL,0x2B
 40376C 1  STOSB 
 40376D 5  CALL 0x06BC
 403772 5  CALL 0x0880
 403777 2  MOV AL,0x5D
 403779 1  STOSB 
 40377A 5  JMP 0xFF
 40377F 2  CMP AL,0x03
 403781 2  JNE 0x2A
 403783 6  PUSH DWORD0x402A76
 403789 5  CALL 0x0747
 40378E 5  PUSH 0x4020A0
 403793 5  CALL 0x0728
 403798 2  MOV AL,0x2B
 40379A 1  STOSB 
 40379B 5  CALL 0x0692
 4037A0 5  CALL 0x0852
 4037A5 2  MOV AL,0x5D
 4037A7 1  STOSB 
 4037A8 5  JMP 0xD1
 4037AD 2  CMP AL,0x05
 4037AF 2  JNE 0x37
 4037B1 6  PUSH DWORD0x402A76
 4037B7 5  CALL 0x0719
 4037BC 5  PUSH 0x4020A0
 4037C1 5  CALL 0x06DA
 4037C6 2  MOV AL,0x2B
 4037C8 1  STOSB 
 4037C9 5  PUSH 0x4020A0
 4037CE 5  CALL 0x06C4
 4037D3 2  MOV AL,0x2B
 4037D5 1  STOSB 
 4037D6 5  CALL 0x0657
 4037DB 5  CALL 0x0817
 4037E0 2  MOV AL,0x5D
 4037E2 1  STOSB 
 4037E3 5  JMP 0x96
 4037E8 2  CMP AL,0x07
 4037EA 2  JNE 0x2C
 4037EC 6  PUSH DWORD0x402A76
 4037F2 5  CALL 0x06DE
 4037F7 5  PUSH 0x4020A0
 4037FC 5  CALL 0x0696
 403801 5  CALL 0x05F7
 403806 2  MOV AL,0x2B
 403808 1  STOSB 
 403809 5  CALL 0x0620
 40380E 5  CALL 0x07E4
 403813 2  MOV AL,0x5D
 403815 1  STOSB 
 403816 2  JMP 0x66
 403818 2  CMP AL,0x08
 40381A 2  JNE 0x27
 40381C 6  PUSH DWORD0x402A76
 403822 5  CALL 0x06AE
 403827 5  PUSH 0x4020A0
 40382C 5  CALL 0x066F
 403831 2  MOV AL,0x2B
 403833 1  STOSB 
 403834 5  PUSH 0x4020A0
 403839 5  CALL 0x0659
 40383E 2  MOV AL,0x5D
 403840 1  STOSB 
 403841 2  JMP 0x3B
 403843 2  CMP AL,0x06
 403845 2  JNE 0x45
 403847 6  PUSH DWORD0x402A76
 40384D 5  CALL 0x0683
 403852 5  PUSH 0x4020A0
 403857 5  CALL 0x0644
 40385C 2  MOV AL,0x2B
 40385E 1  STOSB 
 40385F 5  PUSH 0x4020A0
 403864 5  CALL 0x062E
 403869 5  CALL 0x058F
 40386E 2  MOV AL,0x2B
 403870 1  STOSB 
 403871 5  CALL 0x05B8
 403876 5  CALL 0x077C
 40387B 2  MOV AL,0x5D
 40387D 1  STOSB 
 40387E 5  MOV AL,BYTE0x402A74
 403883 2  TEST AL,0x04
 403885 2  JE 0x05
 403887 5  JMP 0x0556
 40388C 2  TEST AL,0x10
 40388E 2  JE 0x12
 403890 5  CALL 0x05AA
 403895 2  MOV AL,0x2C
 403897 1  STOSB 
 403898 5  CALL 0x0760
 40389D 5  JMP 0x0540
 4038A2 2  TEST AL,0x20
 4038A4 2  JE 0x12
 4038A6 5  CALL 0x0590
 4038AB 2  MOV AL,0x2C
 4038AD 1  STOSB 
 4038AE 5  CALL 0x074A
 4038B3 5  JMP 0x052A
 4038B8 2  TEST AL,0x02
 4038BA 2  JE 0x07
 4038BC 5  CALL 0x0582
 4038C1 2  JMP 0x0B
 4038C3 2  TEST AL,0x01
 4038C5 2  JE 0x14
 4038C7 7  MOV BYTE0x402A86,0x01
 4038CE 2  MOV AL,0x2C
 4038D0 1  STOSB 
 4038D1 5  CALL 0x0727
 4038D6 5  JMP 0x0507
 4038DB 2  TEST AL,0x40
 4038DD 2  JE 0x0E
 4038DF 2  MOV AL,0x2C
 4038E1 1  STOSB 
 4038E2 4  MOV AX,0x4C43
 4038E6 2  STOSD 
 4038E8 5  JMP 0x04F5
 4038ED 2  MOV AL,0x2C
 4038EF 1  STOSB 
 4038F0 5  PUSH 0x4020A0
 4038F5 5  CALL 0x05AF
 4038FA 5  JMP 0x04E3
 4038FF 7  TEST BYTE0x402A76,0x01
 403906 2  JE 0x1B
 403908 7  MOV BYTE0x402A74,0x10
 40390F 5  CALL 0x0505
 403914 5  CALL 0x0526
 403919 5  CALL 0x06DF
 40391E 5  JMP 0x04BF
 403923 7  MOV BYTE0x402A74,0x20
 40392A 5  CALL 0x04EA
 40392F 5  CALL 0x0507
 403934 5  CALL 0x06C4
 403939 5  JMP 0x04A4
 40393E 7  MOV BYTE0x402A74,0x02
 403945 5  CALL 0x04CF
 40394A 5  CALL 0x04F4
 40394F 5  CALL 0x06A9
 403954 5  JMP 0x0489
 403959 5  PUSH 0x4021B0
 40395E 2  JMP 0xDE
 403960 5  PUSH 0x4022DA
 403965 2  JMP 0xD7
 403967 5  PUSH 0x4021CC
 40396C 2  JMP 0xD0
 40396E 5  PUSH 0x4022BC
 403973 2  JMP 0xC9
 403975 5  PUSH 0x4022C1
 40397A 2  JMP 0xC2
 40397C 5  PUSH 0x4023CE
 403981 2  JMP 0xBB
 403983 5  PUSH 0x4024A9
 403988 2  JMP 0xB4
 40398A 5  PUSH 0x4022DA
 40398F 5  JMP 0xFFFFFF6B
 403994 5  PUSH 0x4021CC
 403999 5  JMP 0xFFFFFF61
 40399E 5  PUSH 0x402271
 4039A3 5  JMP 0xFFFFFF57
 4039A8 5  PUSH 0x4022EE
 4039AD 5  JMP 0xFFFFFF4D
 4039B2 5  PUSH 0x4022EE
 4039B7 5  JMP 0xFFFFFF43
 4039BC 5  PUSH 0x4023A4
 4039C1 5  CALL 0x0453
 4039C6 5  CALL 0x0474
 4039CB 5  CALL 0x062D
 4039D0 2  MOV AL,0x2C
 4039D2 1  STOSB 
 4039D3 5  CALL 0x046B
 4039D8 5  CALL 0x0620
 4039DD 5  JMP 0x0400
 4039E2 2  XOR EAX,EAX
 4039E4 1  RET 
 4039E5 2  XOR EDX,EDX
 4039E7 5  MOV BYTE0x402A77,AL
 4039EC 2  MOV DL,AL
 4039EE 3  SUB DL,0x40
 4039F1 3  SHR EDX,0x03
 4039F4 7  PUSH DWORDEDX*04+0x403C0C
 4039FB 5  CALL 0x0419
 403A00 2  AND AL,0x07
 403A02 5  PUSH 0x4020A0
 403A07 1  PUSH EAX
 403A08 5  CALL 0x064F
 403A0D 5  JMP 0x03D0
 403A12 5  PUSH 0x402155
 403A17 2  JMP 0x70
 403A19 5  PUSH 0x4021E8
 403A1E 2  JMP 0x69
 403A20 5  PUSH 0x402146
 403A25 2  JMP 0x62
 403A27 5  PUSH 0x4021B4
 403A2C 2  JMP 0x5B
 403A2E 5  PUSH 0x40214C
 403A33 2  JMP 0x54
 403A35 5  PUSH 0x4021DC
 403A3A 2  JMP 0x4D
 403A3C 5  PUSH 0x4021B8
 403A41 2  JMP 0x46
 403A43 5  PUSH 0x402143
 403A48 2  JMP 0x3F
 403A4A 5  PUSH 0x40215B
 403A4F 2  JMP 0x38
 403A51 5  PUSH 0x4021F0
 403A56 2  JMP 0x31
 403A58 5  PUSH 0x402158
 403A5D 2  JMP 0x2A
 403A5F 5  PUSH 0x4021EC
 403A64 2  JMP 0x23
 403A66 5  PUSH 0x402152
 403A6B 2  JMP 0x1C
 403A6D 5  PUSH 0x4021BC
 403A72 2  JMP 0x15
 403A74 5  PUSH 0x4021C0
 403A79 2  JMP 0x0E
 403A7B 5  PUSH 0x40214F
 403A80 2  JMP 0x07
 403A82 5  CALL 0x0392
 403A87 2  JMP 0x09
 403A89 5  CALL 0x038B
 403A8E 2  TEST AL,0x80
 403A90 2  JNE 0x0C
 403A92 5  CALL 0x03AC
 403A97 5  CALL 0x0561
 403A9C 2  JMP 0x0A
 403A9E 5  CALL 0x0398
 403AA3 5  CALL 0x0555
 403AA8 5  JMP 0x0335
 403AAD 2  XOR EAX,EAX
 403AAF 1  RET 
 403AB0 5  PUSH 0x40216C
 403AB5 2  JMP 0x2F
 403AB7 5  PUSH 0x402168
 403ABC 2  JMP 0x28
 403ABE 5  PUSH 0x402404
 403AC3 2  JMP 0x21
 403AC5 5  PUSH 0x4022DF
 403ACA 2  JMP 0x1A
 403ACC 5  PUSH 0x402170
 403AD1 2  JMP 0x13
 403AD3 5  PUSH 0x402164
 403AD8 2  JMP 0x0C
 403ADA 5  PUSH 0x40219C
 403ADF 2  JMP 0x05
 403AE1 5  PUSH 0x402198
 403AE6 2  JMP 0x7D
 403AE8 5  PUSH 0x402214
 403AED 2  JMP 0x76
 403AEF 5  PUSH 0x402184
 403AF4 2  JMP 0x6F
 403AF6 5  PUSH 0x40224C
 403AFB 2  JMP 0x68
 403AFD 5  PUSH 0x40218C
 403B02 2  JMP 0x61
 403B04 5  PUSH 0x402254
 403B09 2  JMP 0x5A
 403B0B 5  PUSH 0x402188
 403B10 2  JMP 0x53
 403B12 5  PUSH 0x402250
 403B17 2  JMP 0x4C
 403B19 5  PUSH 0x4021A8
 403B1E 2  JMP 0x45
 403B20 5  PUSH 0x402190
 403B25 2  JMP 0x3E
 403B27 5  PUSH 0x4023AA
 403B2C 2  JMP 0x37
 403B2E 5  PUSH 0x4022F3
 403B33 2  JMP 0x30
 403B35 5  PUSH 0x402357
 403B3A 2  JMP 0x29
 403B3C 5  PUSH 0x4023B0
 403B41 2  JMP 0x22
 403B43 5  PUSH 0x402299
 403B48 2  JMP 0x1B
 403B4A 5  PUSH 0x402294
 403B4F 5  CALL 0x02C5
 403B54 5  JMP 0x0289
 403B59 5  PUSH 0x4023B6
 403B5E 2  JMP 0x05
 403B60 5  PUSH 0x4022E9
 403B65 2  JMP 0x75
 403B67 5  PUSH 0x402224
 403B6C 2  JMP 0x6E
 403B6E 5  PUSH 0x402458
 403B73 2  JMP 0x67
 403B75 5  PUSH 0x40245E
 403B7A 2  JMP 0x60
 403B7C 5  PUSH 0x4023BC
 403B81 2  JMP 0x59
 403B83 5  PUSH 0x4023C2
 403B88 2  JMP 0x52
 403B8A 5  PUSH 0x402416
 403B8F 2  JMP 0x4B
 403B91 5  PUSH 0x40241C
 403B96 2  JMP 0x44
 403B98 5  PUSH 0x402392
 403B9D 2  JMP 0x3D
 403B9F 5  PUSH 0x402398
 403BA4 2  JMP 0x36
 403BA6 5  PUSH 0x4023DA
 403BAB 2  JMP 0x2F
 403BAD 5  PUSH 0x4023E6
 403BB2 2  JMP 0x28
 403BB4 5  PUSH 0x4022F8
 403BB9 2  JMP 0x21
 403BBB 5  PUSH 0x4022A3
 403BC0 2  JMP 0x1A
 403BC2 5  PUSH 0x4022E4
 403BC7 2  JMP 0x13
 403BC9 5  PUSH 0x40240A
 403BCE 2  JMP 0x0C
 403BD0 5  PUSH 0x402276
 403BD5 2  JMP 0x05
 403BD7 5  PUSH 0x402180
 403BDC 5  CALL 0x0238
 403BE1 5  JMP 0x01FC
 403BE6 5  PUSH 0x4020A0
 403BEB 2  PUSH 0x00
 403BED 5  MOV EBX,0x40405C
 403BF2 5  PUSH 0x402352
 403BF7 5  CALL 0x021D
 403BFC 3  MOVZX EAX,AL
 403BFF 2  AND AL,0x07
 403C01 5  PUSH 0x4020A0
 403C06 1  PUSH EAX
 403C07 2  CALL EBX
 403C09 2  JMP 0xD1
 403C0B 1  NOP 

; Correct disassembled code stops here. Here follow DD data, whose
; analysis is not yet implemented.

; 403C0C 1  LODSB 
; 403C0D 3  AND DWORDEAX+0x00,EAX
; 403C10 5  MOV AL,BYTE0xDA004021
; 403C15 3  AND AL,0x00
; 403C18 2  AND BYTEEDX,AH
; 403C1A 1  INC EAX
; 403C1B 7  ADD BYTEECX+ESP*01+0x21A00040,CH
; 403C22 1  INC EAX
; 403C23 3  ADD EAX,0x22
; 403C26 1  INC EAX
; 403C27 3  ADD EAX,0x22
; 403C2A 1  INC EAX
; 403C2B 2  ADD AH,CL
; 403C2D 3  AND DWORDEAX+0x00,EAX
; 403C30 1  INT3 
; 403C31 3  AND DWORDEAX+0x00,EAX
Post 07 Jul 2009, 09:39
MazeGen



Joined: 06 Oct 2003
Posts: 953
Location: Czechoslovakia
Quote:
to MazeGen
Do you like it?
What are your hints/suggestions about analyzing data embedded in the code
section?

Well, you have to analyze the code as much as possible to find data references (MOV EAX, [0x403000] suggests that there are DWORD data).

You can't always make 100% code flow analysis automatically (to find all instructions and therefore to find all data references) because it can often be impossible to resolve all labels of indirect jumps like JMP EAX. That's why disassemblers like IDA are interactive - they need human intervention in case the binary is impossible to analyse from the algorithmic point of view.

As I wrote, you should try to ask these questions on places like http://openrce.org.
Post 07 Jul 2009, 10:27
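MazeGen's point above, as an added example that is not part of the thread or of di-fasm: a toy decoder for a handful of one-byte opcodes, run once as a linear sweep and once as a flow-following (recursive) traversal over a constructed image whose code reads from a DWORD table embedded in the code section. `BASE`, `IMAGE` and every function name are constructed for this example; the traversal records the data reference that the table load creates and stops at the `JMP EAX` whose target only a human or a debugger can supply.

```python
# Added example, not di-fasm's code: linear sweep vs. recursive traversal over a
# constructed x86-32 image, using a small decoder for a handful of one-byte opcodes.
from collections import namedtuple

BASE = 0x403000  # constructed load address, the same .code base as in the thread
REGS = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]
JCC = ["JO", "JNO", "JB", "JAE", "JE", "JNE", "JBE", "JA",
       "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"]
# kind: seq, jmp, jcc, call, ret, ijmp, icall; target: static branch target;
# data_ref: absolute memory operand (moffs32), i.e. a pointer into data.
Insn = namedtuple("Insn", "addr size text kind target data_ref", defaults=(None, None))


def s8(b):
    return b - 0x100 if b & 0x80 else b


def decode(img, addr):
    """Decode one instruction of the supported subset; anything else becomes DB."""
    off = addr - BASE
    op = img[off]
    nxt = img[off + 1] if off + 1 < len(img) else 0          # ModRM or rel8
    imm32 = int.from_bytes(img[off + 1:off + 5], "little")   # imm32 / rel32 / moffs32
    if op == 0x90:
        return Insn(addr, 1, "NOP", "seq")
    if op == 0xAC:
        return Insn(addr, 1, "LODSB", "seq")
    if op == 0xC3:
        return Insn(addr, 1, "RET", "ret")
    if 0xB8 <= op <= 0xBF:
        return Insn(addr, 5, f"MOV {REGS[op & 7]},0x{imm32:X}", "seq")
    if op == 0xA1:  # MOV EAX,[moffs32]: the absolute address is a data reference
        return Insn(addr, 5, f"MOV EAX,DWORD [0x{imm32:X}]", "seq", data_ref=imm32)
    if op in (0x31, 0x85) and nxt >= 0xC0:  # XOR / TEST, register-direct form only
        mn = "XOR" if op == 0x31 else "TEST"
        return Insn(addr, 2, f"{mn} {REGS[nxt & 7]},{REGS[(nxt >> 3) & 7]}", "seq")
    if op == 0xEB or 0x70 <= op <= 0x7F:  # rel8 branches
        t, mn = addr + 2 + s8(nxt), "JMP" if op == 0xEB else JCC[op & 0xF]
        return Insn(addr, 2, f"{mn} 0x{t:X}", "jmp" if op == 0xEB else "jcc", t)
    if op == 0xE8:
        t = (addr + 5 + imm32) & 0xFFFFFFFF
        return Insn(addr, 5, f"CALL 0x{t:X}", "call", t)
    if op == 0xFF and nxt >= 0xC0 and (nxt >> 3) & 7 in (2, 4):  # FF /2 CALL r32, FF /4 JMP r32
        mn = "CALL" if (nxt >> 3) & 7 == 2 else "JMP"
        return Insn(addr, 2, f"{mn} {REGS[nxt & 7]}", "icall" if mn == "CALL" else "ijmp")
    return Insn(addr, 1, f"DB 0x{op:02X}", "seq")  # opcode outside this subset


def linear_sweep(img):
    """Decode every byte in order, as a sweep-style disassembler does."""
    out, addr = [], BASE
    while addr < BASE + len(img):
        out.append(decode(img, addr))
        addr += out[-1].size
    return out


def recursive_traversal(img, entry):
    """Follow control flow from entry; returns (insns by address, data refs, unresolved branches)."""
    seen, work, data_refs, unresolved = {}, [entry], set(), []
    while work:
        addr = work.pop()
        if addr in seen or not BASE <= addr < BASE + len(img):
            continue
        ins = seen[addr] = decode(img, addr)
        if ins.data_ref is not None:
            data_refs.add(ins.data_ref)
        if ins.kind in ("ijmp", "icall"):
            unresolved.append(ins)  # register target: needs a human, or a debugger at run time
        if ins.target is not None:
            work.append(ins.target)
        if ins.kind not in ("jmp", "ret", "ijmp"):
            work.append(addr + ins.size)  # fall-through successor
    return [seen[a] for a in sorted(seen)], data_refs, unresolved


# Constructed image: code, then a DWORD table the code reads, then more code.
IMAGE = bytes.fromhex(
    "31C0" "BE00304000" "A11C304000"  # 403000 XOR EAX,EAX / MOV ESI,0x403000 / MOV EAX,[0x40301C]
    "85C0" "7402" "FFE0"              # 40300C TEST EAX,EAX / JE 0x403012 / JMP EAX (run-time target)
    "E80D000000" "EB0B"               # 403012 CALL 0x403024 / JMP 0x403024: flow leaves, table follows
    "909090"                          # 403019 padding so the table is 4-byte aligned
    "00304000" "EBC34000"             # 40301C DD 0x403000, DD 0x0040C3EB (reads as JMP rel8 to a sweep)
    "AC" "C3"                         # 403024 LODSB / RET
)

if __name__ == "__main__":
    for title, insns in (("linear sweep", linear_sweep(IMAGE)),
                         ("recursive traversal", recursive_traversal(IMAGE, BASE)[0])):
        print(f"-- {title} --")
        print("\n".join(f"{i.addr:X} {i.size}  {i.text}" for i in insns))
```

The sweep prints a phantom `JMP 0x402FE5` out of the table bytes, exactly the kind of misdecode shown after 403C0C above; the traversal never touches 403019-403023 and instead reports the table address as a data reference, which is what turns that gap into a candidate DD block.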
hopcode



Joined: 04 Mar 2008
Posts: 563
Location: Germany
MazeGen wrote:
IDA... interactive... a human intervention...

I see that concept very positively. (I have lots of ideas about it)
Ok. Thanks for the precious tip/help.

Here is a general scenario and personal notes from disassembling di-fasm
with align4 on that chunk of data embedded in code at 403C0C:

- PWDasm doesn't understand almost the whole of it
- IDA Disassembler (free) doesn't understand a small part of it
- Borg Disassembler doesn't understand it
- PeBrowse Disassembler doesn't understand it
- my baby 4kb di-fasm stops

because while decoding that data it finds a DA opcode;
in this case it must stop because I have told it to do so!!
I have not yet implemented FIADD/FIMUL/etc.!! But the few bytes
it speaks before stopping are almost the same
as those of the above nn*100kb-sized disassemblers' company
(excluding PWDasm; perhaps I have made the error of marking
the code section as "writeable").

Running it in a debugger:

- IDA free ok
- PeBrowse ok
- Borg --
- PWDasm --
- Syser doesn't understand it (ok, it will re-analyze that chunk when referenced!!)

Olly, finally, or simply finOlly,
understands it at once when the process is started and,
as expected, when the program is debugged.

Different approaches...ok

These must show other people,

    1) why they should abandon reinventing the wheel of disassembling.
    2) the difference between debugger/disassembler
    3) that kilos of overbloated linear algebra to decode align-4 data are not
    strictly required to disassemble it, in a program. In fact Olly understands it totally,
    without needing to re-analyze that chunk just before debugging/being referenced.
    4) that one could be more sad when thinking about the "extinction" of SoftIce
    than relatively glad when using a wonderful tool like IDA.

Regards,
hopcode
Post 08 Jul 2009, 08:50
hopcode



Joined: 04 Mar 2008
Posts: 563
Location: Germany
Preview version of my flde32 engine.
Code:
;---------------------------------------------
; flde v0.1 Fasmlab Disassembler Engine 32 bit
; ----------    BSD License   ----------------
; Copyright c 2009, Marc Rainer Kranz
; All rights reserved
;---------------------------------------------
;- code size  450 byte to be optimized
;- table size 284 byte
    


1/2/3 opcode AMD/MMX/3DNOW, then SSE->SSE5 (integrated, but not fully tested)

SVN Repository at http://code.google.com/p/flde/
download package with test32 at http://flde.googlecode.com/files/flde32.7z

Could you please run a couple of tests, and report whatever is gigantic to correct, or simply your impressions?

I will appreciate that much
(especially on complex instruction like SSE)

Thanks,
hopcode

Btw, if you want you could collaborate on the project.
I will give you the google SVN access to it.
Post 18 Jan 2010, 22:56
alorent



Joined: 05 Dec 2005
Posts: 201
Great work hopcode! Keep it up!!
Post 19 Jan 2010, 17:35
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
Will you add support for JMP and CALL to be disassembled showing the target address rather than the plain rel value?

Anyway, good job, keep improving it.
Post 21 Jan 2010, 17:39
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
mmmmhh, could you give us the steps to get the disassembly you showed above? All I get is something like this:
Code:
>test_32.exe
40218Ch01 | 55
40218Dh01 | 53
40218Eh01 | 57
40218Fh01 | 56
402190h02 | 31 C0
402192h05 | BD 70 20 40 00
402197h04 | 8B 74 24 14
40219Bh02 | 31 DB
40219Dh01 | 56
40219Eh01 | AC
.
.
.    
This of course is the LDE part, but where is the actual disassembler?
Post 21 Jan 2010, 17:59
Madis731



Joined: 25 Sep 2003
Posts: 2145
Location: Estonia
I think you can read from the source that there is no "literal" disassembly. It knows all the right instructions, but translating them to proper NOP, IMUL eax,edx,-3, PCMPISTRI xmm1,xmm2,3 strings would require another ~4KB of binary... I think
Post 21 Jan 2010, 21:46
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
Yes Madis, before posting that I searched in the sources for things like 'call' and found no strings, but you see, he claimed to have the solution to decide whether imm8 is signed or not and pointed us in another thread to see here how he solved the problem. Then there were some PMs about that, and finally I see there is no handling of that at all and this whole thread is advertising something not really present in the provided code.

For the steps I'm obviously expecting to have a link to download this "di-fasm" since the link posted here is only for the LDE.
Post 21 Jan 2010, 22:04
hopcode



Joined: 04 Mar 2008
Posts: 563
Location: Germany
Madis731 wrote:
...strings would require another ~4KB of binary...
~6kb, a cut'n'paste of the rearranged TABLES.INC.
I am sorry, I have my responsibility in creating tons of misunderstanding.
First of all, that is only the LDE and, as you can see, less than 700 bytes.
Ok,
LocoDelAssembly wrote:
...he claimed to have the solution to decide whether imm8 is signed or not and pointed us in another thread to see here how he solved the problem...

There, i hoped too, before all other posts, about the usefulness of my post.
But what a pity is... not having the phpbb like the SVN!
The reason is implicit, and I will explain it now again, to improve my dialectics. As you know, the engine parses only opcodes for their mere functionality.
The meaning and coherence of these values should be treated in another, higher stage. As an academic example, int -3 is not int 3, but both values could be manually compiled, generating
different things. Related to the instruction ENTER imm16,imm8, imm8 is a byte for intel/fasm/flde, (and MOD 32 will be executed on imm8 always internally). In this case, one should not worry about the signedness of imm8 at that LDE "functional" level.

I parse accordingly fasm rules and intel rules.

Ok, after all I cannot claim anything, but if the thing was so intended,
I apologize here to all involved forumers: I am sorry!

I hope my flde will be useful for all, and I hope in the future to pay more
attention to all that happens on this forum.

Thank you all
hopcode (AKA Marc Rainer Kranz)
Post 22 Jan 2010, 00:54
hopcode



Joined: 04 Mar 2008
Posts: 563
Location: Germany
simple intel/amd 32 opcode schemata

Image
Post 25 Jan 2010, 11:45
Copyright © 1999-2019, Tomasz Grysztar.