flat assembler
Message board for the users of flat assembler.

Index > Projects and Ideas > Extended Length Disassembler Engine

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
yoshimitsu



Joined: 07 Jul 2011
Posts: 96
yoshimitsu 01 Dec 2012, 01:05
Hi guys,
I wrote a small length disassembler engine for easy use with FASM.
It splits an instruction into its parts and fills a structure with these.

I've written one in x64 asm for use with x64 instructions and one in x86 for x86.
They support general-purpose instructions, FPU, MMX, 3DNow!, SSE-SSE4.2, AVX, VMX und SMX.

Hopefully someone finds it useful Smile

EDIT: attachments removed, you may find GitHub links down below.


Last edited by yoshimitsu on 03 Dec 2012, 16:18; edited 4 times in total
Post 01 Dec 2012, 01:05
View user's profile Send private message Reply with quote
JohnFound



Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria
JohnFound 01 Dec 2012, 07:03
Where are the sources?
Post 01 Dec 2012, 07:03
View user's profile Send private message Visit poster's website ICQ Number Reply with quote
yoshimitsu



Joined: 07 Jul 2011
Posts: 96
yoshimitsu 01 Dec 2012, 12:36
attached.
Post 01 Dec 2012, 12:36
View user's profile Send private message Reply with quote
JohnFound



Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria
JohnFound 01 Dec 2012, 13:17
Ah, sorry I missed it. What is the reason to use the library this strange way: "fde32.inc"?
Post 01 Dec 2012, 13:17
View user's profile Send private message Visit poster's website ICQ Number Reply with quote
yoshimitsu



Joined: 07 Jul 2011
Posts: 96
yoshimitsu 01 Dec 2012, 13:38
Quote:
Last edited by yoshimitsu on 01 Dec 2012, 12:35; edited 2 times in total

I edited the attachments and included the source after your post.
fde64/32.inc is the already assembled source packed into db's for a more universal way of including it (and assembling it faster).
For example, if you'd want to use it with masm, only a few changes to fdeXX.inc are needed instead of changing the whole syntax like .labels, word [] to word ptr [], etc.
decoder64/32.inc is the actual source.
Post 01 Dec 2012, 13:38
View user's profile Send private message Reply with quote
JohnFound



Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria
JohnFound 01 Dec 2012, 16:08
It is clear now. Smile I needed such a library several years ago for Fresh IDE, but now I can't remember why. Very Happy It is good to have one around.
Post 01 Dec 2012, 16:08
View user's profile Send private message Visit poster's website ICQ Number Reply with quote
neville



Joined: 13 Jul 2008
Posts: 507
Location: New Zealand
neville 19 Jun 2013, 22:38
I just tried to download FDE32.zip but Avast kicked in with a Suspicious File warning. Has anybody else had a similar problem, or know why it happened?

(I tried it twice with the same result, but FDE64 downloaded fine)

_________________
FAMOS - the first memory operating system
Post 19 Jun 2013, 22:38
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20416
Location: In your JS exploiting you and your system
revolution 20 Jun 2013, 06:24
neville wrote:
I just tried to download FDE32.zip but Avast kicked in with a Suspicious File warning. Has anybody else had a similar problem, or know why it happened?
For a complete answer you would need to ask AVAST, but I would suggest that AVAST is crap and is merely giving you one of those all-too-numerous false positive AV warnings that users freak out over. You can also try with virustotal.com and see what other AVs have to say on the matter.
Post 20 Jun 2013, 06:24
View user's profile Send private message Visit poster's website Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 20 Jun 2013, 09:37
revolution wrote:
neville wrote:
I just tried to download FDE32.zip but Avast kicked in with a Suspicious File warning. Has anybody else had a similar problem, or know why it happened?
For a complete answer you would need to ask AVAST, but I would suggest that AVAST is crap and is merely giving you one of those all-too-numerous false positive AV warnings that users freak out over. You can also try with virustotal.com and see what other AVs have to say on the matter.


virustotal is cloud-based. If once the file is scanned and found to be "malicious", anyone having an AV will have to add the zip file to the AV's white list otherwise it's "malicious". Smile Smile
Post 20 Jun 2013, 09:37
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20416
Location: In your JS exploiting you and your system
revolution 20 Jun 2013, 10:33
Seems like all the more reason to forget about using a useless AV. Wink
Post 20 Jun 2013, 10:33
View user's profile Send private message Visit poster's website Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4060
Location: vpcmpistri
bitRAKE 20 Jun 2013, 18:29
The FDE executable builds with the included source code.

So, how could there be a problem with the package itself?

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Post 20 Jun 2013, 18:29
View user's profile Send private message Visit poster's website Reply with quote
neville



Joined: 13 Jul 2008
Posts: 507
Location: New Zealand
neville 21 Jun 2013, 00:16
revolution wrote:
... I would suggest that AVAST is crap and is merely giving you one of those all-too-numerous false positive AV warnings...
Seems a bit harsh. If I was writing a reliable AV program, I would err on the side of the odd false positive, rather than the possibility of a false nagative, ANYTIME!
If this is a false positive, it would be the first instance in more than 7 years of using AVAST, so I think maybe they've got the balance about right Wink

_________________
FAMOS - the first memory operating system
Post 21 Jun 2013, 00:16
View user's profile Send private message Visit poster's website Reply with quote
neville



Joined: 13 Jul 2008
Posts: 507
Location: New Zealand
neville 21 Jun 2013, 00:20
bitRAKE wrote:
The FDE executable builds with the included source code.

So, how could there be a problem with the package itself?
There is an EXE in the package - EXAMPLE.EXE which appears to be the problem.

_________________
FAMOS - the first memory operating system
Post 21 Jun 2013, 00:20
View user's profile Send private message Visit poster's website Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4060
Location: vpcmpistri
bitRAKE 21 Jun 2013, 02:13
Delete EXAMPLE.EXE and compile a new one, read the source code, and conclude the anti-virii programs are crap when it reaches the same conclusion. If you are confused by the binary blob in the "unfancy" version then compile the "fancy" version and confirm it's the same bytes.

It appears AVAST is the problem.

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Post 21 Jun 2013, 02:13
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20416
Location: In your JS exploiting you and your system
revolution 21 Jun 2013, 05:31
neville wrote:
Seems a bit harsh. If I was writing a reliable AV program, I would err on the side of the odd false positive, rather than the possibility of a false nagative, ANYTIME!
Sure. And here is the code that will never give a false negative, ever (but may give the occasional false positive, but don't worry about those false positives, just ignore them):
Code:
;This procedure will never return a false negative, ANYTIME!
test_incoming_file:
  call LoadTheSuspectedFileIntoMemory,name,...
  mov eax,TRUE ;mark this file as a problem and tell the user to be very worried
  ret    
Laughing
neville wrote:
If this is a false positive, it would be the first instance in more than 7 years of using AVAST, so I think maybe they've got the balance about right Wink
Unfortunately a false sense of security is not any security in reality.
Post 21 Jun 2013, 05:31
View user's profile Send private message Visit poster's website Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 21 Jun 2013, 05:51
Quote:

If this is a false positive, it would be the first instance in more than 7 years of using AVAST, so I think maybe they've got the balance about right


Some of these flags are mostly because of hashes in the cloud submitted by other "not-so good" AVs (as if they were all good). Some of which detected themselves as a virus Laughing
Post 21 Jun 2013, 05:51
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20416
Location: In your JS exploiting you and your system
revolution 21 Jun 2013, 06:14
typedef: What do you mean by "hashes in the cloud"? Are you suggesting that AVs writers merely use each others detection algorithms and come to the same conclusions based upon some matching hash? Do you have evidence of this or is it just some "hackers common knowledge"? Something else?
Post 21 Jun 2013, 06:14
View user's profile Send private message Visit poster's website Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 21 Jun 2013, 07:09
revolution wrote:
typedef: What do you mean by "hashes in the cloud"? Are you suggesting that AVs writers merely use each others detection algorithms and come to the same conclusions based upon some matching hash? Do you have evidence of this or is it just some "hackers common knowledge"? Something else?

"hackers common knowledge"?

Now what the monkey-shit is that? Twisted Evil

It's proven and tested. Also, I didn't say they use each other's detection algorithms. That would make no sense because then all the AVs would provide the same level of detection and "protection".

Besides you wouldn't know because you've never used an AV before. Just download AVAST and open the advanced settings and you'll find a "cloud" option.
Another one is COMODO... There are lots of them..
Post 21 Jun 2013, 07:09
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20416
Location: In your JS exploiting you and your system
revolution 21 Jun 2013, 07:21
To get the same hash then you must also use the same algorithm. SHA1 != MD5 != Whirlpool != Skein. Else how?
Post 21 Jun 2013, 07:21
View user's profile Send private message Visit poster's website Reply with quote
neville



Joined: 13 Jul 2008
Posts: 507
Location: New Zealand
neville 21 Jun 2013, 23:48
revolution wrote:
Sure. And here is the code that will never give a false negative, ever (but may give the occasional false positive, but don't worry about those false positives, just ignore them):
Code:
;This procedure will never return a false negative, ANYTIME!
test_incoming_file:
  call LoadTheSuspectedFileIntoMemory,name,...
  mov eax,TRUE ;mark this file as a problem and tell the user to be very worried
  ret    
:lol:Unfortunately a false sense of security is not any security in reality.
I know we're not supposed to take this code seriously, but if we need an example of crap code (revolution's words for AVAST) this is surely it. Razz Talking of a false sense of security, revolution's crapware above would certainly give that, but in a very short time it would instead become extremely tedious! But not only is it CRAPware, it is also BLOATware, since it assumes the binary variable TRUE has been allocated 32 times more memory than is necessary. Very Happy (At a pinch, 8 times might have been acceptable)

If I had nothing else better to do I would try to find out exactly why AVAST objected to EXAMPLE.EXE in the archive, but frankly I don't Wink (unless anybody else can offer some helpful insight?)

_________________
FAMOS - the first memory operating system
Post 21 Jun 2013, 23:48
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.