flat assembler
Message board for the users of flat assembler.
yoshimitsu



Joined: 07 Jul 2011
Posts: 96
Extended Length Disassembler Engine
Hi guys,
I wrote a small length disassembler engine for easy use with FASM.
It splits an instruction into its parts and fills a structure with these.

I've written one in x64 asm for use with x64 instructions and one in x86 for x86.
They support general-purpose instructions, FPU, MMX, 3DNow!, SSE-SSE4.2, AVX, VMX and SMX.

Hopefully someone finds it useful :)


Description: engine-size: 1337 bytes
Download
Filename: fde64.zip
Filesize: 25.24 KB
Downloaded: 579 Time(s)

Description: engine-size: 1225 bytes
Download
Filename: fde32.zip
Filesize: 18.56 KB
Downloaded: 641 Time(s)



Last edited by yoshimitsu on 03 Dec 2012, 16:18; edited 4 times in total
Post 01 Dec 2012, 01:05
JohnFound



Joined: 16 Jun 2003
Posts: 3459
Location: Bulgaria
Where are the sources?
Post 01 Dec 2012, 07:03
yoshimitsu



Joined: 07 Jul 2011
Posts: 96
attached.
Post 01 Dec 2012, 12:36
JohnFound



Joined: 16 Jun 2003
Posts: 3459
Location: Bulgaria
Ah, sorry I missed it. What is the reason to use the library this strange way: "fde32.inc"?
Post 01 Dec 2012, 13:17
yoshimitsu



Joined: 07 Jul 2011
Posts: 96

Quote:
Last edited by yoshimitsu on 01 Dec 2012, 12:35; edited 2 times in total


I edited the attachments and included the source after your post.
fde64/32.inc is the already assembled source packed into db's for a more universal way of including it (and assembling it faster).
For example, if you'd want to use it with masm, only a few changes to fdeXX.inc are needed instead of changing the whole syntax like .labels, word [] to word ptr [], etc.
decoder64/32.inc is the actual source.
Post 01 Dec 2012, 13:38
JohnFound



Joined: 16 Jun 2003
Posts: 3459
Location: Bulgaria
It is clear now. :) I needed such a library several years ago for Fresh IDE, but now I can't remember why. :D It is good to have one around.
Post 01 Dec 2012, 16:08
neville



Joined: 13 Jul 2008
Posts: 503
Location: New Zealand
I just tried to download FDE32.zip but Avast kicked in with a Suspicious File warning. Has anybody else had a similar problem, or know why it happened?

(I tried it twice with the same result, but FDE64 downloaded fine)

_________________
FAMOS - the first memory operating system
Post 19 Jun 2013, 22:38
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15301
Location: Bigweld Industries

neville wrote:
I just tried to download FDE32.zip but Avast kicked in with a Suspicious File warning. Has anybody else had a similar problem, or know why it happened?

For a complete answer you would need to ask AVAST, but I would suggest that AVAST is crap and is merely giving you one of those all-too-numerous false positive AV warnings that users freak out over. You can also try with virustotal.com and see what other AVs have to say on the matter.
Post 20 Jun 2013, 06:24
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000

revolution wrote:

neville wrote:
I just tried to download FDE32.zip but Avast kicked in with a Suspicious File warning. Has anybody else had a similar problem, or know why it happened?

For a complete answer you would need to ask AVAST, but I would suggest that AVAST is crap and is merely giving you one of those all-too-numerous false positive AV warnings that users freak out over. You can also try with virustotal.com and see what other AVs have to say on the matter.



virustotal is cloud-based. If once the file is scanned and found to be "malicious", anyone having an AV will have to add the zip file to the AV's white list otherwise it's "malicious". :) :)
Post 20 Jun 2013, 09:37
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15301
Location: Bigweld Industries
Seems like all the more reason to forget about using a useless AV. ;)
Post 20 Jun 2013, 10:33
bitRAKE



Joined: 21 Jul 2003
Posts: 2624
Location: dank orb
The FDE executable builds with the included source code.

So, how could there be a problem with the package itself?

_________________
The generation of random numbers is too important to be left to chance - Robert R Coveyou
Post 20 Jun 2013, 18:29
neville



Joined: 13 Jul 2008
Posts: 503
Location: New Zealand

revolution wrote:
... I would suggest that AVAST is crap and is merely giving you one of those all-too-numerous false positive AV warnings...

Seems a bit harsh. If I was writing a reliable AV program, I would err on the side of the odd false positive, rather than the possibility of a false negative, ANYTIME!
If this is a false positive, it would be the first instance in more than 7 years of using AVAST, so I think maybe they've got the balance about right ;)

_________________
FAMOS - the first memory operating system
Post 21 Jun 2013, 00:16
neville



Joined: 13 Jul 2008
Posts: 503
Location: New Zealand

bitRAKE wrote:
The FDE executable builds with the included source code.

So, how could there be a problem with the package itself?

There is an EXE in the package - EXAMPLE.EXE which appears to be the problem.

_________________
FAMOS - the first memory operating system
Post 21 Jun 2013, 00:20
bitRAKE



Joined: 21 Jul 2003
Posts: 2624
Location: dank orb
Delete EXAMPLE.EXE and compile a new one, read the source code, and conclude the anti-virii programs are crap when it reaches the same conclusion. If you are confused by the binary blob in the "unfancy" version then compile the "fancy" version and confirm it's the same bytes.

It appears AVAST is the problem.

_________________
The generation of random numbers is too important to be left to chance - Robert R Coveyou
Post 21 Jun 2013, 02:13
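The "confirm it's the same bytes" check suggested in the post above, as an added example that is not part of the thread or of the FDE package: it decodes a `db` blob from an include file and compares it with freshly assembled bytes. The function names, the accepted literal forms (`0x..`, `$..`, `..h`, decimal) and the sample data are assumptions; assembling the real source is left to the reader.

```python
import hashlib
import re

# One FASM-style byte literal: 0x55, $55, 55h (hex) or 85 (decimal).
_BYTE = re.compile(r"^(?:0x([0-9a-f]+)|\$([0-9a-f]+)|([0-9][0-9a-f]*)h|([0-9]+))$", re.I)

def parse_db_blob(text):
    """Return the bytes encoded by the `db` lines of an include file."""
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split(";", 1)[0]                  # strip comments
        m = re.search(r"\bdb\s+(.+)$", code, re.I)
        if not m:
            continue                                  # label, blank line, other directive
        for tok in (t.strip() for t in m.group(1).split(",")):
            lit = _BYTE.match(tok)
            if not lit:
                raise ValueError(f"line {lineno}: unsupported db operand {tok!r}")
            hexdigits = lit.group(1) or lit.group(2) or lit.group(3)
            value = int(hexdigits, 16) if hexdigits else int(lit.group(4))
            if value > 0xFF:
                raise ValueError(f"line {lineno}: {tok!r} does not fit in a byte")
            out.append(value)
    return bytes(out)

def compare_blob(include_text, rebuilt):
    """Compare the shipped db blob with freshly assembled bytes."""
    shipped = parse_db_blob(include_text)
    diff = next((i for i, (a, b) in enumerate(zip(shipped, rebuilt)) if a != b), None)
    if diff is None and len(shipped) != len(rebuilt):
        diff = min(len(shipped), len(rebuilt))        # one side is a prefix of the other
    return {"identical": shipped == rebuilt, "first_mismatch": diff,
            "shipped_sha256": hashlib.sha256(shipped).hexdigest(),
            "rebuilt_sha256": hashlib.sha256(rebuilt).hexdigest()}

# Constructed sample, not the contents of the real fde32.inc.
SAMPLE_INC = """\
fde_blob:
  db 0x55,0x8B,0xEC   ; push ebp / mov ebp,esp
  db 33h,0C0h,$5D     ; xor eax,eax / pop ebp
  db 195              ; ret
"""
REBUILT = bytes.fromhex("558bec33c05dc3")   # stands in for the assembler's output file

if __name__ == "__main__":
    print(compare_blob(SAMPLE_INC, REBUILT))
```

A non-`None` `first_mismatch` gives the offset at which to start disassembling both versions side by side.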
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15301
Location: Bigweld Industries

neville wrote:
Seems a bit harsh. If I was writing a reliable AV program, I would err on the side of the odd false positive, rather than the possibility of a false negative, ANYTIME!

Sure. And here is the code that will never give a false negative, ever (but may give the occasional false positive, but don't worry about those false positives, just ignore them):

Code:
;This procedure will never return a false negative, ANYTIME!
test_incoming_file:
  call LoadTheSuspectedFileIntoMemory,name,...
  mov eax,TRUE ;mark this file as a problem and tell the user to be very worried
  ret

:lol:

neville wrote:
If this is a false positive, it would be the first instance in more than 7 years of using AVAST, so I think maybe they've got the balance about right ;)

Unfortunately a false sense of security is not any security in reality.
Post 21 Jun 2013, 05:31
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000

Quote:

If this is a false positive, it would be the first instance in more than 7 years of using AVAST, so I think maybe they've got the balance about right



Some of these flags are mostly because of hashes in the cloud submitted by other "not-so good" AVs (as if they were all good). Some of which detected themselves as a virus :lol:
Post 21 Jun 2013, 05:51
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15301
Location: Bigweld Industries
typedef: What do you mean by "hashes in the cloud"? Are you suggesting that AV writers merely use each other's detection algorithms and come to the same conclusions based upon some matching hash? Do you have evidence of this or is it just some "hackers common knowledge"? Something else?
Post 21 Jun 2013, 06:14
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000

revolution wrote:
typedef: What do you mean by "hashes in the cloud"? Are you suggesting that AV writers merely use each other's detection algorithms and come to the same conclusions based upon some matching hash? Do you have evidence of this or is it just some "hackers common knowledge"? Something else?


"hackers common knowledge"?

Now what the monkey-shit is that? :twisted:

It's proven and tested. Also, I didn't say they use each other's detection algorithms. That would make no sense because then all the AVs would provide the same level of detection and "protection".

Besides you wouldn't know because you've never used an AV before. Just download AVAST and open the advanced settings and you'll find a "cloud" option.
Another one is COMODO... There are lots of them..
Post 21 Jun 2013, 07:09
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15301
Location: Bigweld Industries
To get the same hash then you must also use the same algorithm. SHA1 != MD5 != Whirlpool != Skein. Else how?
Post 21 Jun 2013, 07:21
neville



Joined: 13 Jul 2008
Posts: 503
Location: New Zealand

revolution wrote:
Sure. And here is the code that will never give a false negative, ever (but may give the occasional false positive, but don't worry about those false positives, just ignore them):

Code:
;This procedure will never return a false negative, ANYTIME!
test_incoming_file:
  call LoadTheSuspectedFileIntoMemory,name,...
  mov eax,TRUE ;mark this file as a problem and tell the user to be very worried
  ret

:lol:

Unfortunately a false sense of security is not any security in reality.

I know we're not supposed to take this code seriously, but if we need an example of crap code (revolution's words for AVAST) this is surely it. :P Talking of a false sense of security, revolution's crapware above would certainly give that, but in a very short time it would instead become extremely tedious! But not only is it CRAPware, it is also BLOATware, since it assumes the binary variable TRUE has been allocated 32 times more memory than is necessary. :D (At a pinch, 8 times might have been acceptable)

If I had nothing else better to do I would try to find out exactly why AVAST objected to EXAMPLE.EXE in the archive, but frankly I don't ;) (unless anybody else can offer some helpful insight?)

_________________
FAMOS - the first memory operating system
Post 21 Jun 2013, 23:48
Copyright © 2004-2016, Tomasz Grysztar.