flat assembler
Message board for the users of flat assembler.
Index
> Projects and Ideas > The importance of a disassembler by hopcode (output source) |
Author |
|
hopcode 07 Jul 2009, 09:39
Updated at [Dienstag] - 07.Juli.2009 - 11:31:33
di-fasm disassembling itself... Enjoy, hopcode[mrk] Code: ; di-fasm disassembler ; Copyright (c) 2009, Marc Rainer Kranz. ; All rights reserved. ; This is the correct disassembled code of di-fasm disassembling ; itself. This code stops at 403C0Bh, because analysis of DD datas in ; the code not yet implemented. It parses all the main instructions ; for 1-byte opcode, plus some main 0F-prefixed opcodes. ; This code is full compilable with fasm using ; format binary ; use32 ; at the moment. 403000 (2) XOR EAX,EAX 403002 (5) MOV ESI,0x403000 ;<--- disassemble itself 403007 (2) XOR EDX,EDX 403009 (5) MOV ECX,0x1079 ;<--- size .code section to disassemble 40300E (5) MOV EDI,0x402000 ;<--- .data section 403013 (2) TEST ECX,ECX 403015 (6) JE 0xB2 ;<--- relative addresses not yet calculated 40301B (6) MOV DWORD[0x402A58],ESI ;<-------------- and now...---- 403021 (6) MOV DWORD[0x402A5C],ECX ;<----go!! go!! go!!----------- 403027 (6) MOV DWORD[0x402A60],ESI ;<-- -------------------------- 40302D (2) XOR EDX,EDX 40302F (1) LODSB 403030 (1) DEC ECX 403031 (6) JS 0x96 403037 (2) CMP AL,0xF3 403039 (2) JE 0x14 40303B (5) MOV BYTE[0x402A77],AL 403040 (2) CMP AL,0x0F 403042 (2) JE 0x1D 403044 (2) CMP AL,0x66 403046 (2) JE 0x10 403048 (5) MOV EBX,0x4026C4 40304D (2) JMP 0x25 40304F (7) OR BYTE[0x402A76],0x10 403056 (2) JMP 0xD7 403058 (7) OR BYTE[0x402A76],0x01 40305F (2) JMP 0xCE 403061 (3) SHL EAX,0x08 403064 (1) LODSB 403065 (1) DEC ECX 403066 (2) MOV DL,AL 403068 (5) MOV EBX,0x4028C4 40306D (5) MOV BYTE[0x402A78],AL 403072 (2) JMP 0x02 403074 (2) MOV DL,AL 403076 (1) PUSH EBX 403077 (1) PUSH EDI 403078 (1) PUSH EBP 403079 (4) MOVZX EDX,WORD[EBX+EDX] 40307D (6) ADD EDX,0x4030D4 403083 (2) CALL EDX 403085 (2) TEST EAX,EAX 403087 (2) JE 0x45 403089 (2) JS 0x34 40308B (1) PUSH ECX 40308C (1) PUSH EAX 40308D (7) MOVZX EAX,BYTE[0x402A75] 403094 (5) PUSH 0x402000 403099 (1) PUSH EAX 40309A (6) PUSH DWORD[0x402A60] 4030A0 (5) PUSH 0x402A48 4030A5 (6) CALL DWORD[0x40103C] 4030AB (3) ADD ESP,0x10 4030AE (6) LEA EDI,DWORD[0x402A68] 4030B4 (5) MOV ECX,0x22 4030B9 (2) XOR EAX,EAX 4030BB (2) STOSB 4030BD (1) POP EAX 4030BE (1) POP ECX 4030BF (1) POP EBP 4030C0 (1) POP EDI 4030C1 (1) POP EBX 4030C2 (2) TEST ECX,ECX 4030C4 (2) JE 0x07 4030C6 (2) XOR EAX,EAX 4030C8 (5) JMP 0xFFFFFF5A 4030CD (1) RET 4030CE (2) XOR ECX,ECX 4030D0 (2) JMP 0xED 4030D2 (1) NOP 4030D3 (1) NOP 4030D4 (5) PUSH 0x403C38 4030D9 (5) CALL 0x0E2B 4030DE (7) MOV BYTE[0x402A74],0x01 4030E5 (5) JMP 0x020F 4030EA (5) PUSH 0x40231B 4030EF (5) JMP 0xE5 4030F4 (5) PUSH 0x402446 4030F9 (5) JMP 0xDB 4030FE (5) PUSH 0x402302 403103 (5) JMP 0xD1 403108 (5) PUSH 0x402428 40310D (5) JMP 0xC7 403112 (5) PUSH 0x40230C 403117 (5) JMP 0xBD 40311C (5) PUSH 0x402440 403121 (5) JMP 0xB3 403126 (5) PUSH 0x40242E 40312B (5) JMP 0xA9 403130 (5) PUSH 0x4022FD 403135 (5) JMP 0x9F 40313A (5) PUSH 0x402325 40313F (5) JMP 0x95 403144 (5) PUSH 0x402452 403149 (5) JMP 0x8B 40314E (5) PUSH 0x402320 403153 (5) JMP 0x81 403158 (5) PUSH 0x40244C 40315D (2) JMP 0x7A 40315F (5) PUSH 0x402316 403164 (2) JMP 0x73 403166 (5) PUSH 0x402434 40316B (2) JMP 0x6C 40316D (5) PUSH 0x40243A 403172 (2) JMP 0x65 403174 (5) PUSH 0x402311 403179 (2) JMP 0x5E 40317B (5) PUSH 0x403C7C 403180 (5) CALL 0x0D84 403185 (2) TEST DL,DL 403187 (2) JE 0x2E 403189 (7) MOV BYTE[0x402A74],0x04 403190 (5) JMP 0x0164 403195 (5) CALL 0x0CD0 40319A (5) PUSH 0x402208 40319F (5) CALL 0x0C75 4031A4 (2) JMP 0x11 4031A6 (5) PUSH 0x403C38 4031AB (2) JMP 0x05 4031AD (5) PUSH 0x403C58 4031B2 (5) CALL 0x0D52 4031B7 (7) MOV BYTE[0x402A74],0x02 4031BE (5) JMP 0x0136 4031C3 (5) PUSH 0x403C1C 4031C8 (5) CALL 0x0D3C 4031CD (7) MOV BYTE[0x402A74],0x04 4031D4 (5) JMP 0x0120 4031D9 (7) MOV BYTE[0x402A74],0x04 4031E0 (2) JMP 0x37 4031E2 (5) PUSH 0x403C38 4031E7 (5) CALL 0x0D1D 4031EC (7) MOV BYTE[0x402A7B],0x01 4031F3 (5) JMP 0x0101 4031F8 (5) PUSH 0x40234D 4031FD (2) JMP 0x1A 4031FF (5) PUSH 0x4024B0 403204 (2) JMP 0x13 403206 (5) PUSH 0x402352 40320B (2) JMP 0x0C 40320D (5) PUSH 0x402208 403212 (2) JMP 0x05 403214 (5) PUSH 0x40233E 403219 (5) CALL 0x0C4C 40321E (5) CALL 0x0BF6 403223 (5) JMP 0xD1 403228 (5) PUSH 0x402208 40322D (5) CALL 0x0BE7 403232 (2) AND AL,0x07 403234 (3) MOVZX EDX,AL 403237 (8) MOV AX,WORD[EDX*04+0x402040] 40323F (2) JMP 0x79 403241 (5) PUSH 0x40221C 403246 (5) CALL 0x0BCE 40324B (5) CALL 0x0BF3 403250 (5) CALL 0x0DA8 403255 (2) MOV AL,0x2C 403257 (1) STOSB 403258 (4) MOV AX,0x4C41 40325C (2) STOSD 40325E (5) JMP 0x0B7F 403263 (5) PUSH 0x402208 403268 (5) CALL 0x0BAC 40326D (7) MOV BYTE[0x402A7B],0x00 403274 (2) JMP 0x1A 403276 (7) MOV BYTE[0x402A74],0x04 40327D (5) PUSH 0x402208 403282 (5) CALL 0x0B92 403287 (4) MOV AX,0x4C41 40328B (2) STOSD 40328D (2) MOV AL,0x2C 40328F (1) STOSB 403290 (2) MOV AL,0x02 403292 (2) JMP 0x7D 403294 (5) PUSH 0x403C58 403299 (5) CALL 0x0C65 40329E (2) JMP 0x16 4032A0 (5) PUSH 0x402161 4032A5 (5) CALL 0x0B6F 4032AA (2) JMP 0x0A 4032AC (5) PUSH 0x40233E 4032B1 (5) CALL 0x0B63 4032B6 (4) MOV AX,0x4C41 4032BA (2) STOSD 4032BC (7) MOV BYTE[0x402A74],0x02 4032C3 (5) JMP 0x012E 4032C8 (5) PUSH 0x403C58 4032CD (5) CALL 0x0C49 4032D2 (5) CALL 0x0C69 4032D7 (1) PUSH EAX 4032D8 (5) PUSH 0x402040 4032DD (5) CALL 0x0BC7 4032E2 (7) MOV BYTE[0x402A74],0x04 4032E9 (2) MOV AL,0x2C 4032EB (1) STOSB 4032EC (1) POP EAX 4032ED (2) JMP 0x22 4032EF (5) PUSH 0x403C58 4032F4 (5) CALL 0x0C22 4032F9 (5) CALL 0x0C42 4032FE (2) CMP AL,0x09 403300 (2) JNE 0x0F 403302 (5) PUSH 0x402040 403307 (5) CALL 0x0BB4 40330C (5) JMP 0xE5 403311 (2) CMP AL,0x02 403313 (2) JNE 0x1E 403315 (5) CALL 0x0B14 40331A (6) MOV DWORD[EDI],0x45545942 403320 (3) ADD EDI,0x04 403323 (2) MOV AL,0x5B 403325 (1) STOSB 403326 (5) CALL 0x0CCC 40332B (2) MOV AL,0x5D 40332D (1) STOSB 40332E (5) JMP 0xC3 403333 (2) CMP AL,0x01 403335 (2) JNE 0x1E 403337 (6) MOV DWORD[EDI],0x45545942 40333D (3) ADD EDI,0x04 403340 (2) MOV AL,0x5B 403342 (1) STOSB 403343 (5) PUSH 0x4020A0 403348 (5) CALL 0x0B73 40334D (2) MOV AL,0x5D 40334F (1) STOSB 403350 (5) JMP 0xA1 403355 (2) CMP AL,0x04 403357 (2) JNE 0x28 403359 (6) MOV DWORD[EDI],0x45545942 40335F (3) ADD EDI,0x04 403362 (2) MOV AL,0x5B 403364 (1) STOSB 403365 (5) PUSH 0x4020A0 40336A (5) CALL 0x0B51 40336F (2) MOV AL,0x2B 403371 (1) STOSB 403372 (5) CALL 0x0AB7 403377 (5) CALL 0x0C7B 40337C (2) MOV AL,0x5D 40337E (1) STOSB 40337F (2) JMP 0x75 403381 (2) CMP AL,0x05 403383 (2) JNE 0x35 403385 (6) MOV DWORD[EDI],0x45545942 40338B (3) ADD EDI,0x04 40338E (2) MOV AL,0x5B 403390 (1) STOSB 403391 (5) PUSH 0x4020A0 403396 (5) CALL 0x0B05 40339B (2) MOV AL,0x2B 40339D (1) STOSB 40339E (5) PUSH 0x4020A0 4033A3 (5) CALL 0x0AEF 4033A8 (2) MOV AL,0x2B 4033AA (1) STOSB 4033AB (5) CALL 0x0A82 4033B0 (5) CALL 0x0C42 4033B5 (2) MOV AL,0x5D 4033B7 (1) STOSB 4033B8 (2) JMP 0x3C 4033BA (2) CMP AL,0x06 4033BC (2) JNE 0x46 4033BE (6) MOV DWORD[EDI],0x45545942 4033C4 (3) ADD EDI,0x04 4033C7 (2) MOV AL,0x5B 4033C9 (1) STOSB 4033CA (5) PUSH 0x4020A0 4033CF (5) CALL 0x0ACC 4033D4 (2) MOV AL,0x2B 4033D6 (1) STOSB 4033D7 (5) PUSH 0x4020A0 4033DC (5) CALL 0x0AB6 4033E1 (5) CALL 0x0A17 4033E6 (2) MOV AL,0x2B 4033E8 (1) STOSB 4033E9 (5) CALL 0x0A40 4033EE (5) CALL 0x0C04 4033F3 (2) MOV AL,0x5D 4033F5 (1) STOSB 4033F6 (5) MOV AL,BYTE[0x402A74] 4033FB (2) TEST AL,0x04 4033FD (2) JE 0x05 4033FF (5) JMP 0x09DE 403404 (2) TEST AL,0x02 403406 (2) JE 0x07 403408 (5) CALL 0x0A36 40340D (2) JMP 0x0B 40340F (2) TEST AL,0x01 403411 (2) JE 0x14 403413 (7) MOV BYTE[0x402A86],0x01 40341A (2) MOV AL,0x2C 40341C (1) STOSB 40341D (5) CALL 0x0BDB 403422 (5) JMP 0x09BB 403427 (2) MOV AL,0x2C 403429 (1) STOSB 40342A (5) PUSH 0x402040 40342F (5) CALL 0x0A75 403434 (5) JMP 0x09A9 403439 (1) NOP 40343A (1) NOP 40343B (1) NOP 40343C (5) CALL 0x0A29 403441 (5) PUSH 0x4023EC 403446 (5) CALL 0x09CE 40344B (7) MOV BYTE[0x402A74],0x04 403452 (5) PUSH 0x4020A0 403457 (5) CALL 0x0A4D 40345C (7) MOV BYTE[0x402A76],0x01 403463 (2) MOV AL,0x2C 403465 (1) STOSB 403466 (5) CALL 0x0AD5 40346B (2) CMP AL,0x09 40346D (6) JNE 0x029C 403473 (5) PUSH 0x402060 403478 (5) CALL 0x0A43 40347D (5) JMP 0x0960 403482 (5) PUSH 0x4023EC 403487 (5) CALL 0x098D 40348C (5) CALL 0x09D9 403491 (7) MOV BYTE[0x402A74],0x04 403498 (5) PUSH 0x4020A0 40349D (5) CALL 0x0A07 4034A2 (2) MOV AL,0x2C 4034A4 (1) STOSB 4034A5 (5) JMP 0xFFFFFE4F 4034AA (5) PUSH 0x403C58 4034AF (5) CALL 0x0A55 4034B4 (7) MOV BYTE[0x402A74],0x02 4034BB (5) JMP 0x0237 4034C0 (5) PUSH 0x403C38 4034C5 (5) CALL 0x0A3F 4034CA (7) MOV BYTE[0x402A74],0x02 4034D1 (5) JMP 0x0221 4034D6 (5) PUSH 0x403C38 4034DB (5) CALL 0x0A29 4034E0 (7) MOV BYTE[0x402A74],0x01 4034E7 (5) JMP 0x020B 4034EC (5) PUSH 0x403C7C 4034F1 (5) CALL 0x0A13 4034F6 (2) TEST DL,DL 4034F8 (2) JE 0x27 4034FA (7) MOV BYTE[0x402A74],0x04 403501 (5) JMP 0x01F1 403506 (5) CALL 0x095F 40350B (5) PUSH 0x402208 403510 (5) CALL 0x0904 403515 (2) JMP 0x0A 403517 (5) PUSH 0x403C58 40351C (5) CALL 0x09E8 403521 (7) MOV BYTE[0x402A74],0x20 403528 (7) TEST BYTE[0x402A76],0x01 40352F (6) JE 0x01C2 403535 (7) MOV BYTE[0x402A74],0x10 40353C (5) JMP 0x01B6 403541 (5) PUSH 0x402220 403546 (5) CALL 0x08CE 40354B (5) CALL 0x091A 403550 (2) JMP 0x0A 403552 (5) PUSH 0x403C1C 403557 (5) CALL 0x09AD 40355C (7) MOV BYTE[0x402A74],0x04 403563 (5) JMP 0x018F 403568 (5) PUSH 0x403C38 40356D (5) CALL 0x0997 403572 (7) MOV BYTE[0x402A74],0x40 403579 (5) JMP 0x0179 40357E (5) PUSH 0x40234D 403583 (2) JMP 0x1A 403585 (5) PUSH 0x4024B0 40358A (2) JMP 0x13 40358C (5) PUSH 0x402352 403591 (2) JMP 0x0C 403593 (5) PUSH 0x402208 403598 (2) JMP 0x05 40359A (5) PUSH 0x40233E 40359F (5) CALL 0x08C6 4035A4 (5) CALL 0x0870 4035A9 (5) JMP 0x0149 4035AE (5) PUSH 0x402208 4035B3 (5) CALL 0x0861 4035B8 (2) AND AL,0x07 4035BA (3) MOVZX EDX,AL 4035BD (5) MOV EAX,0x4020A0 4035C2 (7) TEST BYTE[0x402A76],0x01 4035C9 (2) JE 0x05 4035CB (5) MOV EAX,0x402060 4035D0 (1) PUSH EAX 4035D1 (1) PUSH EDX 4035D2 (5) CALL 0x0A85 4035D7 (5) JMP 0xA5 4035DC (5) PUSH 0x40221C 4035E1 (5) CALL 0x0833 4035E6 (5) CALL 0x0858 4035EB (5) CALL 0x0A0D 4035F0 (2) MOV AL,0x2C 4035F2 (1) STOSB 4035F3 (2) MOV AL,0x45 4035F5 (1) STOSB 4035F6 (4) MOV AX,0x5841 4035FA (2) STOSD 4035FC (5) JMP 0x07E1 403601 (5) PUSH 0x402208 403606 (5) CALL 0x080E 40360B (7) MOV BYTE[0x402A7B],0x00 403612 (2) JMP 0x1D 403614 (7) MOV BYTE[0x402A74],0x04 40361B (5) PUSH 0x402208 403620 (5) CALL 0x07F4 403625 (2) MOV AL,0x45 403627 (1) STOSB 403628 (4) MOV AX,0x5841 40362C (2) STOSD 40362E (2) MOV AL,0x2C 403630 (1) STOSB 403631 (2) MOV AL,0x02 403633 (5) JMP 0xD7 403638 (5) PUSH 0x403C58 40363D (5) CALL 0x08C1 403642 (2) JMP 0x2B 403644 (5) PUSH 0x402161 403649 (5) CALL 0x07CB 40364E (7) TEST BYTE[0x402A76],0x01 403655 (2) JNE 0x03 403657 (2) MOV AL,0x45 403659 (1) STOSB 40365A (4) MOV AX,0x5841 40365E (2) STOSD 403660 (5) JMP 0xFFFFFC57 403665 (5) PUSH 0x40233E 40366A (5) CALL 0x07AA 40366F (7) TEST BYTE[0x402A76],0x01 403676 (2) JNE 0x03 403678 (2) MOV AL,0x45 40367A (1) STOSB 40367B (4) MOV AX,0x5841 40367F (2) STOSD 403681 (7) MOV BYTE[0x402A74],0x20 403688 (7) TEST BYTE[0x402A76],0x01 40368F (6) JE 0x01E9 403695 (7) MOV BYTE[0x402A74],0x10 40369C (5) JMP 0x01DD 4036A1 (5) PUSH 0x4021FC 4036A6 (5) CALL 0x076E 4036AB (5) CALL 0x07BA 4036B0 (5) PUSH 0x4020A0 4036B5 (5) CALL 0x07EF 4036BA (2) MOV AL,0x2C 4036BC (1) STOSB 4036BD (7) MOV BYTE[0x402A74],0x04 4036C4 (2) JMP 0x31 4036C6 (5) PUSH 0x403C58 4036CB (5) CALL 0x084B 4036D0 (5) CALL 0x086B 4036D5 (1) PUSH EAX 4036D6 (5) PUSH 0x4020A0 4036DB (5) CALL 0x07C9 4036E0 (7) MOV BYTE[0x402A74],0x04 4036E7 (2) MOV AL,0x2C 4036E9 (1) STOSB 4036EA (1) POP EAX 4036EB (2) JMP 0x22 4036ED (5) PUSH 0x403C58 4036F2 (5) CALL 0x0824 4036F7 (5) CALL 0x0844 4036FC (2) CMP AL,0x09 4036FE (2) JNE 0x0F 403700 (5) PUSH 0x4020A0 403705 (5) CALL 0x07B6 40370A (5) JMP 0x016F 40370F (2) CMP AL,0x02 403711 (2) JNE 0x1D 403713 (5) CALL 0x0716 403718 (6) PUSH DWORD[0x402A76] 40371E (5) CALL 0x07B2 403723 (5) CALL 0x08CF 403728 (2) MOV AL,0x5D 40372A (1) STOSB 40372B (5) JMP 0x014E 403730 (2) CMP AL,0x01 403732 (2) JNE 0x1D 403734 (6) PUSH DWORD[0x402A76] 40373A (5) CALL 0x0796 40373F (5) PUSH 0x4020A0 403744 (5) CALL 0x0777 403749 (2) MOV AL,0x5D 40374B (1) STOSB 40374C (5) JMP 0x012D 403751 (2) CMP AL,0x04 403753 (2) JNE 0x2A 403755 (6) PUSH DWORD[0x402A76] 40375B (5) CALL 0x0775 403760 (5) PUSH 0x4020A0 403765 (5) CALL 0x0756 40376A (2) MOV AL,0x2B 40376C (1) STOSB 40376D (5) CALL 0x06BC 403772 (5) CALL 0x0880 403777 (2) MOV AL,0x5D 403779 (1) STOSB 40377A (5) JMP 0xFF 40377F (2) CMP AL,0x03 403781 (2) JNE 0x2A 403783 (6) PUSH DWORD[0x402A76] 403789 (5) CALL 0x0747 40378E (5) PUSH 0x4020A0 403793 (5) CALL 0x0728 403798 (2) MOV AL,0x2B 40379A (1) STOSB 40379B (5) CALL 0x0692 4037A0 (5) CALL 0x0852 4037A5 (2) MOV AL,0x5D 4037A7 (1) STOSB 4037A8 (5) JMP 0xD1 4037AD (2) CMP AL,0x05 4037AF (2) JNE 0x37 4037B1 (6) PUSH DWORD[0x402A76] 4037B7 (5) CALL 0x0719 4037BC (5) PUSH 0x4020A0 4037C1 (5) CALL 0x06DA 4037C6 (2) MOV AL,0x2B 4037C8 (1) STOSB 4037C9 (5) PUSH 0x4020A0 4037CE (5) CALL 0x06C4 4037D3 (2) MOV AL,0x2B 4037D5 (1) STOSB 4037D6 (5) CALL 0x0657 4037DB (5) CALL 0x0817 4037E0 (2) MOV AL,0x5D 4037E2 (1) STOSB 4037E3 (5) JMP 0x96 4037E8 (2) CMP AL,0x07 4037EA (2) JNE 0x2C 4037EC (6) PUSH DWORD[0x402A76] 4037F2 (5) CALL 0x06DE 4037F7 (5) PUSH 0x4020A0 4037FC (5) CALL 0x0696 403801 (5) CALL 0x05F7 403806 (2) MOV AL,0x2B 403808 (1) STOSB 403809 (5) CALL 0x0620 40380E (5) CALL 0x07E4 403813 (2) MOV AL,0x5D 403815 (1) STOSB 403816 (2) JMP 0x66 403818 (2) CMP AL,0x08 40381A (2) JNE 0x27 40381C (6) PUSH DWORD[0x402A76] 403822 (5) CALL 0x06AE 403827 (5) PUSH 0x4020A0 40382C (5) CALL 0x066F 403831 (2) MOV AL,0x2B 403833 (1) STOSB 403834 (5) PUSH 0x4020A0 403839 (5) CALL 0x0659 40383E (2) MOV AL,0x5D 403840 (1) STOSB 403841 (2) JMP 0x3B 403843 (2) CMP AL,0x06 403845 (2) JNE 0x45 403847 (6) PUSH DWORD[0x402A76] 40384D (5) CALL 0x0683 403852 (5) PUSH 0x4020A0 403857 (5) CALL 0x0644 40385C (2) MOV AL,0x2B 40385E (1) STOSB 40385F (5) PUSH 0x4020A0 403864 (5) CALL 0x062E 403869 (5) CALL 0x058F 40386E (2) MOV AL,0x2B 403870 (1) STOSB 403871 (5) CALL 0x05B8 403876 (5) CALL 0x077C 40387B (2) MOV AL,0x5D 40387D (1) STOSB 40387E (5) MOV AL,BYTE[0x402A74] 403883 (2) TEST AL,0x04 403885 (2) JE 0x05 403887 (5) JMP 0x0556 40388C (2) TEST AL,0x10 40388E (2) JE 0x12 403890 (5) CALL 0x05AA 403895 (2) MOV AL,0x2C 403897 (1) STOSB 403898 (5) CALL 0x0760 40389D (5) JMP 0x0540 4038A2 (2) TEST AL,0x20 4038A4 (2) JE 0x12 4038A6 (5) CALL 0x0590 4038AB (2) MOV AL,0x2C 4038AD (1) STOSB 4038AE (5) CALL 0x074A 4038B3 (5) JMP 0x052A 4038B8 (2) TEST AL,0x02 4038BA (2) JE 0x07 4038BC (5) CALL 0x0582 4038C1 (2) JMP 0x0B 4038C3 (2) TEST AL,0x01 4038C5 (2) JE 0x14 4038C7 (7) MOV BYTE[0x402A86],0x01 4038CE (2) MOV AL,0x2C 4038D0 (1) STOSB 4038D1 (5) CALL 0x0727 4038D6 (5) JMP 0x0507 4038DB (2) TEST AL,0x40 4038DD (2) JE 0x0E 4038DF (2) MOV AL,0x2C 4038E1 (1) STOSB 4038E2 (4) MOV AX,0x4C43 4038E6 (2) STOSD 4038E8 (5) JMP 0x04F5 4038ED (2) MOV AL,0x2C 4038EF (1) STOSB 4038F0 (5) PUSH 0x4020A0 4038F5 (5) CALL 0x05AF 4038FA (5) JMP 0x04E3 4038FF (7) TEST BYTE[0x402A76],0x01 403906 (2) JE 0x1B 403908 (7) MOV BYTE[0x402A74],0x10 40390F (5) CALL 0x0505 403914 (5) CALL 0x0526 403919 (5) CALL 0x06DF 40391E (5) JMP 0x04BF 403923 (7) MOV BYTE[0x402A74],0x20 40392A (5) CALL 0x04EA 40392F (5) CALL 0x0507 403934 (5) CALL 0x06C4 403939 (5) JMP 0x04A4 40393E (7) MOV BYTE[0x402A74],0x02 403945 (5) CALL 0x04CF 40394A (5) CALL 0x04F4 40394F (5) CALL 0x06A9 403954 (5) JMP 0x0489 403959 (5) PUSH 0x4021B0 40395E (2) JMP 0xDE 403960 (5) PUSH 0x4022DA 403965 (2) JMP 0xD7 403967 (5) PUSH 0x4021CC 40396C (2) JMP 0xD0 40396E (5) PUSH 0x4022BC 403973 (2) JMP 0xC9 403975 (5) PUSH 0x4022C1 40397A (2) JMP 0xC2 40397C (5) PUSH 0x4023CE 403981 (2) JMP 0xBB 403983 (5) PUSH 0x4024A9 403988 (2) JMP 0xB4 40398A (5) PUSH 0x4022DA 40398F (5) JMP 0xFFFFFF6B 403994 (5) PUSH 0x4021CC 403999 (5) JMP 0xFFFFFF61 40399E (5) PUSH 0x402271 4039A3 (5) JMP 0xFFFFFF57 4039A8 (5) PUSH 0x4022EE 4039AD (5) JMP 0xFFFFFF4D 4039B2 (5) PUSH 0x4022EE 4039B7 (5) JMP 0xFFFFFF43 4039BC (5) PUSH 0x4023A4 4039C1 (5) CALL 0x0453 4039C6 (5) CALL 0x0474 4039CB (5) CALL 0x062D 4039D0 (2) MOV AL,0x2C 4039D2 (1) STOSB 4039D3 (5) CALL 0x046B 4039D8 (5) CALL 0x0620 4039DD (5) JMP 0x0400 4039E2 (2) XOR EAX,EAX 4039E4 (1) RET 4039E5 (2) XOR EDX,EDX 4039E7 (5) MOV BYTE[0x402A77],AL 4039EC (2) MOV DL,AL 4039EE (3) SUB DL,0x40 4039F1 (3) SHR EDX,0x03 4039F4 (7) PUSH DWORD[EDX*04+0x403C0C] 4039FB (5) CALL 0x0419 403A00 (2) AND AL,0x07 403A02 (5) PUSH 0x4020A0 403A07 (1) PUSH EAX 403A08 (5) CALL 0x064F 403A0D (5) JMP 0x03D0 403A12 (5) PUSH 0x402155 403A17 (2) JMP 0x70 403A19 (5) PUSH 0x4021E8 403A1E (2) JMP 0x69 403A20 (5) PUSH 0x402146 403A25 (2) JMP 0x62 403A27 (5) PUSH 0x4021B4 403A2C (2) JMP 0x5B 403A2E (5) PUSH 0x40214C 403A33 (2) JMP 0x54 403A35 (5) PUSH 0x4021DC 403A3A (2) JMP 0x4D 403A3C (5) PUSH 0x4021B8 403A41 (2) JMP 0x46 403A43 (5) PUSH 0x402143 403A48 (2) JMP 0x3F 403A4A (5) PUSH 0x40215B 403A4F (2) JMP 0x38 403A51 (5) PUSH 0x4021F0 403A56 (2) JMP 0x31 403A58 (5) PUSH 0x402158 403A5D (2) JMP 0x2A 403A5F (5) PUSH 0x4021EC 403A64 (2) JMP 0x23 403A66 (5) PUSH 0x402152 403A6B (2) JMP 0x1C 403A6D (5) PUSH 0x4021BC 403A72 (2) JMP 0x15 403A74 (5) PUSH 0x4021C0 403A79 (2) JMP 0x0E 403A7B (5) PUSH 0x40214F 403A80 (2) JMP 0x07 403A82 (5) CALL 0x0392 403A87 (2) JMP 0x09 403A89 (5) CALL 0x038B 403A8E (2) TEST AL,0x80 403A90 (2) JNE 0x0C 403A92 (5) CALL 0x03AC 403A97 (5) CALL 0x0561 403A9C (2) JMP 0x0A 403A9E (5) CALL 0x0398 403AA3 (5) CALL 0x0555 403AA8 (5) JMP 0x0335 403AAD (2) XOR EAX,EAX 403AAF (1) RET 403AB0 (5) PUSH 0x40216C 403AB5 (2) JMP 0x2F 403AB7 (5) PUSH 0x402168 403ABC (2) JMP 0x28 403ABE (5) PUSH 0x402404 403AC3 (2) JMP 0x21 403AC5 (5) PUSH 0x4022DF 403ACA (2) JMP 0x1A 403ACC (5) PUSH 0x402170 403AD1 (2) JMP 0x13 403AD3 (5) PUSH 0x402164 403AD8 (2) JMP 0x0C 403ADA (5) PUSH 0x40219C 403ADF (2) JMP 0x05 403AE1 (5) PUSH 0x402198 403AE6 (2) JMP 0x7D 403AE8 (5) PUSH 0x402214 403AED (2) JMP 0x76 403AEF (5) PUSH 0x402184 403AF4 (2) JMP 0x6F 403AF6 (5) PUSH 0x40224C 403AFB (2) JMP 0x68 403AFD (5) PUSH 0x40218C 403B02 (2) JMP 0x61 403B04 (5) PUSH 0x402254 403B09 (2) JMP 0x5A 403B0B (5) PUSH 0x402188 403B10 (2) JMP 0x53 403B12 (5) PUSH 0x402250 403B17 (2) JMP 0x4C 403B19 (5) PUSH 0x4021A8 403B1E (2) JMP 0x45 403B20 (5) PUSH 0x402190 403B25 (2) JMP 0x3E 403B27 (5) PUSH 0x4023AA 403B2C (2) JMP 0x37 403B2E (5) PUSH 0x4022F3 403B33 (2) JMP 0x30 403B35 (5) PUSH 0x402357 403B3A (2) JMP 0x29 403B3C (5) PUSH 0x4023B0 403B41 (2) JMP 0x22 403B43 (5) PUSH 0x402299 403B48 (2) JMP 0x1B 403B4A (5) PUSH 0x402294 403B4F (5) CALL 0x02C5 403B54 (5) JMP 0x0289 403B59 (5) PUSH 0x4023B6 403B5E (2) JMP 0x05 403B60 (5) PUSH 0x4022E9 403B65 (2) JMP 0x75 403B67 (5) PUSH 0x402224 403B6C (2) JMP 0x6E 403B6E (5) PUSH 0x402458 403B73 (2) JMP 0x67 403B75 (5) PUSH 0x40245E 403B7A (2) JMP 0x60 403B7C (5) PUSH 0x4023BC 403B81 (2) JMP 0x59 403B83 (5) PUSH 0x4023C2 403B88 (2) JMP 0x52 403B8A (5) PUSH 0x402416 403B8F (2) JMP 0x4B 403B91 (5) PUSH 0x40241C 403B96 (2) JMP 0x44 403B98 (5) PUSH 0x402392 403B9D (2) JMP 0x3D 403B9F (5) PUSH 0x402398 403BA4 (2) JMP 0x36 403BA6 (5) PUSH 0x4023DA 403BAB (2) JMP 0x2F 403BAD (5) PUSH 0x4023E6 403BB2 (2) JMP 0x28 403BB4 (5) PUSH 0x4022F8 403BB9 (2) JMP 0x21 403BBB (5) PUSH 0x4022A3 403BC0 (2) JMP 0x1A 403BC2 (5) PUSH 0x4022E4 403BC7 (2) JMP 0x13 403BC9 (5) PUSH 0x40240A 403BCE (2) JMP 0x0C 403BD0 (5) PUSH 0x402276 403BD5 (2) JMP 0x05 403BD7 (5) PUSH 0x402180 403BDC (5) CALL 0x0238 403BE1 (5) JMP 0x01FC 403BE6 (5) PUSH 0x4020A0 403BEB (2) PUSH 0x00 403BED (5) MOV EBX,0x40405C 403BF2 (5) PUSH 0x402352 403BF7 (5) CALL 0x021D 403BFC (3) MOVZX EAX,AL 403BFF (2) AND AL,0x07 403C01 (5) PUSH 0x4020A0 403C06 (1) PUSH EAX 403C07 (2) CALL EBX 403C09 (2) JMP 0xD1 403C0B (1) NOP ; Correct disassembled code stops here. Here follow DD datas,whose ; analysis not yet implemented. ; 403C0C (1) LODSB ; 403C0D (3) AND DWORD[EAX+0x00],EAX ; 403C10 (5) MOV AL,BYTE[0xDA004021] ; 403C15 (3) AND AL,0x00 ; 403C18 (2) AND BYTE[EDX],AH ; 403C1A (1) INC EAX ; 403C1B (7) ADD BYTE[ECX+ESP*01+0x21A00040],CH ; 403C22 (1) INC EAX ; 403C23 (3) ADD EAX,0x22 ; 403C26 (1) INC EAX ; 403C27 (3) ADD EAX,0x22 ; 403C2A (1) INC EAX ; 403C2B (2) ADD AH,CL ; 403C2D (3) AND DWORD[EAX+0x00],EAX ; 403C30 (1) INT3 ; 403C31 (3) AND DWORD[EAX+0x00],EAX |
|||
07 Jul 2009, 09:39 |
|
MazeGen 07 Jul 2009, 10:27
Quote: to MazeGen Well, you have to analyze the code as much as possible to find data references (MOV EAX, [0x403000] suggests that there are DWORD data). You can't always make 100% code flow analysis automatically (to find all instructions and therefore to find all data references) because it can be often impossible to resolve all labels of indirect jumps like JMP EAX. That's why disassemblers like IDA are interactive - they need a human intervention in case the binary is impossible to analyse from the algorithmic point of view. As I wrote, you should try to ask these questions on places like http://openrce.org. |
|||
07 Jul 2009, 10:27 |
|
hopcode 08 Jul 2009, 08:50
MazeGen wrote: IDa... interactive..a human intervention... I see that concept very positiv. (lot of ideas i have about) Ok.Thanks for the precious tip/help. Here a general scenario and personal notes when disassembling di-fasm with align4 on that chunk of data embedded in code at 403C0C - PWDasm doesent understand almost the whole - IDA Disassembler (free) doesnt understand a little part of it - Borg Disassembler doesnt understand - PeBrowse Disassembler doesent understand - my baby 4kb di-fasm stops because while decoding that datas finds a DA opcode; in this case it must stop because i have told it to do so !! I have not yet implemented FIADD/FIMUL/etc..!! but the few bytes it speaks before stopping are almost the same of the above nn*100kb-sized-disassemblers' Company (excluded PWDasm,perhaps i have done the error to mark the code section as "writeable"). Running it in a debugger: - IDA free ok - PeBrowse ok - Borg -- - PWDasm -- - Syser doesnt understand it (ok,it will re-analyze that chunk when referenced!!) Olly, finally, or simply finOlly understand it at once when the process is started and, as expected, when the program will be debugged. Different approaches...ok These must show other people,
strictly required to disassemble it, in a program. in fact Olly understand it totally, without need to re-analyzing that chunk just before debugging/being referenced.
as relatively glad when using a wonderful tool like IDA. Regards, hopcode |
|||
08 Jul 2009, 08:50 |
|
hopcode 18 Jan 2010, 22:56
Preview version of my flde32 engine.
Code: ;--------------------------------------------- ; flde v0.1 Fasmlab Disassembler Engine 32 bit ; ---------- BSD License ---------------- ; Copyright (c) 2009, Marc Rainer Kranz ; All rights reserved ;--------------------------------------------- ;- code size 450 byte (to be optimized) ;- table size 284 byte 1/2/3 opcode AMD/MMX/3DNOW, then SSE->SSE5 (integrated, but not fully tested) SVN Repository at http://code.google.com/p/flde/ download package with test32 at http://flde.googlecode.com/files/flde32.7z Could you please run a couple of tests, and report whatever gigantic to correct, or simply your impressions ? I will appreciate that much (especially on complex instruction like SSE) Thanks, hopcode btw. if you want you could collaborate to the project. I will give you the google SVN access to it. |
|||
18 Jan 2010, 22:56 |
|
alorent 19 Jan 2010, 17:35
Great work hopcode! Keep it up!!
|
|||
19 Jan 2010, 17:35 |
|
LocoDelAssembly 21 Jan 2010, 17:39
Will you add support for JMP and CALL to be disassembled showing the target address rather than the plain rel value?
Anyway, good job, keep improving it. |
|||
21 Jan 2010, 17:39 |
|
LocoDelAssembly 21 Jan 2010, 17:59
mmmmhh, could you give us the steps to get the disassembly you shown above? All I get is something like this:
Code: >test_32.exe 40218Ch:01 | 55 40218Dh:01 | 53 40218Eh:01 | 57 40218Fh:01 | 56 402190h:02 | 31 C0 402192h:05 | BD 70 20 40 00 402197h:04 | 8B 74 24 14 40219Bh:02 | 31 DB 40219Dh:01 | 56 40219Eh:01 | AC . . . |
|||
21 Jan 2010, 17:59 |
|
Madis731 21 Jan 2010, 21:46
I think you can read from the source that there is not "literal" disassembly. It knows all the right instructions, but translating them to proper NOP, IMUL eax,edx,-3, PCMPISTRI xmm1,xmm2,3 strings would require another ~4KB or binary .. I think
|
|||
21 Jan 2010, 21:46 |
|
LocoDelAssembly 21 Jan 2010, 22:04
Yes Madis, before posting that I searched in the sources for things like 'call' and found no strings, but you see, he claimed to have the solution to decide whether imm8 is signed or not and pointed us in another thread to see here how he solved the problem. Then there was some PMs about that, and finally I see there is no handling of that at all and this whole thread is advertising something not really present in the provided code.
For the steps I'm obviously expecting to have a link to download this "di-fasm" since the link posted here is only for the LDE. |
|||
21 Jan 2010, 22:04 |
|
hopcode 22 Jan 2010, 00:54
Madis731 wrote: ...strings would require another ~4KB or binary... I am sorry, i have my responsibility into creating tons of misunderstanding. First of all, that is only the LDE and, as you can see, less than 700 bytes. Ok, LocoDelAssembly wrote: ...he claimed to have the solution to decide whether imm8 is signed or not and pointed us in another thread to see here how he solved the problem... There, i hoped too, before all other posts, about the usefulness of my post. But what a pity is... not having the phpbb like the SVN ! The reason is implicit, and i will explain it now again, to improve my dialectics. As you know, the engine parses only opcodes for their mere functionality. The meaning and coherence of this values should be treated in another higher stage. As for academic example, int -3 is not int 3 but both values could be manually compiled, generating different things. Related to the instruction ENTER imm16,imm8, imm8 is a byte for intel/fasm/flde, (and MOD 32 will be executed on imm8 always internally). In this case, one should not worry about the signedness of imm8 at that LDE "functional" level. I parse accordingly fasm rules and intel rules. Ok, after all I cannot claim nothing, but if the thing was so intended, i apologize here with all involved forumers: i am sorry! I hope it will be useful for all my flde and i hope in the future to pay more attention to all what happens on this forum. Thank you all hopcode (AKA Marc Rainer Kranz) . . . |
|||
22 Jan 2010, 00:54 |
|
hopcode 25 Jan 2010, 11:45
simple intel/amd 32 opcodes skemata
|
|||
25 Jan 2010, 11:45 |
|
< Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.