Index
> Projects and Ideas > Writing a disassembler?Goto page Previous 1, 2 |
| Author |
|
|
revolution 12 Mar 2023, 11:19
Addition is commutative.
Same for multiplication. Code: mov eax,[ebx*4] == mov eax,[4*ebx] Code: mov eax,[ebx] != mov [ebx],eax |
|||
12 Mar 2023, 11:19 |
|
|
FlierMate11 12 Mar 2023, 11:28
revolution wrote: Addition is commutative. Noted with thanks! 
@revolution, can you help to answer the last question on first page in this thread? Actually I posted it also just now. |
|||
|
12 Mar 2023, 11:28 |
|
|
revolution 12 Mar 2023, 12:23
FlierMate11 wrote: So when to decide 01 or 03 opcode? You can use these types of alternate encoding choices to place a signature in the binary output. Some assembler authors have deliberately used this to place watermarks into the outputs. |
|||
|
12 Mar 2023, 12:23 |
|
|
FlierMate11 12 Mar 2023, 12:35
revolution wrote:
It is nice to know this, thanks. |
|||
|
12 Mar 2023, 12:35 |
|
|
FlierMate11 12 Mar 2023, 20:48
(I typed a long text but suddenly all gone after a keypress)
Long story short, I have prepared the template for my future disassembler. This exedump will hexdump code section in PE file. Please help test. I test examples compiled by FASMW okay, but when try to read Windows Notepad.exe, my program says "Code section not found", weird. Maybe offset to section table is wrong for 64-bit PE, should have check the magic 0x20b, hmm.. Never mind, I fixed it in v0.02 new version.
|
|||||||||||
|
12 Mar 2023, 20:48 |
|
|
FlierMate2 23 Mar 2023, 19:39
Does disassembly sometimes fail if without the human intervention?
Quote: There are many forms of anti-disassembly, the purpose is to create logic problems that a disassembler or I saw this malware sample, in Flare-On challenge 2021, this "Evil" program uses anti-disassembly technique. Code: .text:0040650B 33 C0 xor eax, eax .text:0040650D 8B 00 mov eax, [eax] .text:0040650F 74 03 jz short loc_406514 .text:00406511 75 8B jnz short loc_40649E .text:00406513 4D dec ebp .text:00406514 loc_406514: .text:00406514 E8 89 41 04 85 call near ptr 8544A6A2h Figure 5: Anti-Disassembly null deference followed by junk jumps Code: .text:0040650B 90 nop .text:0040650C 90 nop .text:0040650D 90 nop .text:0040650E 90 nop .text:0040650F 90 nop .text:00406510 90 nop .text:00406511 90 nop .text:00406512 8B 4D E8 mov ecx, [ebp+Block] .text:00406515 89 41 04 mov [ecx+4], eax .text:00406518 85 C0 test eax, eax .text:0040651A 75 22 jnz short loc_40653E.text:00406553 E8 5A Figure 6: Anti-Disassembly removed I wonder why disassembler failed to recognize "8B 4D E8" from "75 8B" and "4D"? (Of course I have plenty to learn before start coding my disassembler 
And then there is anti-debugging and anti-virtualization... Source: https://www.mandiant.com/sites/default/files/2021-10/09-evil.pdf |
|||
|
23 Mar 2023, 19:39 |
|
| Goto page Previous 1, 2 < Last Thread | Next Thread > |
Forum Rules:
|