flat assembler
Message board for the users of flat assembler.

Index > Projects and Ideas > Writing a disassembler?

Goto page Previous  1, 2, 3  Next
Author
Thread Post new topic Reply to topic
FlierMate11



Joined: 13 Oct 2022
Posts: 94
FlierMate11 12 Mar 2023, 11:09
And also I found that, even though I code in
Code:
mov edx, [0x00403000+esi]
    


When referring to the table, it is still [esi+displacement], regardless the order I put in Assembly as [displacement + esi].

Code:
8b 96 00 30 40 00       mov    edx,DWORD PTR [esi+0x403000]
    
Post 12 Mar 2023, 11:09
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20459
Location: In your JS exploiting you and your system
revolution 12 Mar 2023, 11:19
Addition is commutative.

Same for multiplication.
Code:
mov eax,[ebx*4] == mov eax,[4*ebx]    
But not the same for this.
Code:
mov eax,[ebx] != mov [ebx],eax    
Post 12 Mar 2023, 11:19
View user's profile Send private message Visit poster's website Reply with quote
FlierMate11



Joined: 13 Oct 2022
Posts: 94
FlierMate11 12 Mar 2023, 11:28
revolution wrote:
Addition is commutative.

Same for multiplication.
Code:
mov eax,[ebx*4] == mov eax,[4*ebx]    
But not the same for this.
Code:
mov eax,[ebx] != mov [ebx],eax    


Noted with thanks! Smile

@revolution, can you help to answer the last question on first page in this thread? Actually I posted it also just now.
Post 12 Mar 2023, 11:28
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20459
Location: In your JS exploiting you and your system
revolution 12 Mar 2023, 12:23
FlierMate11 wrote:
So when to decide 01 or 03 opcode?
It doesn't matter which you choose. But for a disassembler you don't get to choose, it only comes up for an assembler.

You can use these types of alternate encoding choices to place a signature in the binary output. Some assembler authors have deliberately used this to place watermarks into the outputs.
Post 12 Mar 2023, 12:23
View user's profile Send private message Visit poster's website Reply with quote
FlierMate11



Joined: 13 Oct 2022
Posts: 94
FlierMate11 12 Mar 2023, 12:35
revolution wrote:
FlierMate11 wrote:
So when to decide 01 or 03 opcode?
It doesn't matter which you choose. But for a disassembler you don't get to choose, it only comes up for an assembler.

You can use these types of alternate encoding choices to place a signature in the binary output. Some assembler authors have deliberately used this to place watermarks into the outputs.


It is nice to know this, thanks.
Post 12 Mar 2023, 12:35
View user's profile Send private message Visit poster's website Reply with quote
FlierMate11



Joined: 13 Oct 2022
Posts: 94
FlierMate11 12 Mar 2023, 20:48
(I typed a long text but suddenly all gone after a keypress)

Long story short, I have prepared the template for my future disassembler.

This exedump will hexdump code section in PE file.

Please help test. I test examples compiled by FASMW okay, but when try to read Windows Notepad.exe, my program says "Code section not found", weird.

Maybe offset to section table is wrong for 64-bit PE, should have check the magic 0x20b, hmm..

Never mind, I fixed it in v0.02 new version.


Description: Bug fix - v0.02
Download
Filename: exedump.ASM
Filesize: 11.06 KB
Downloaded: 278 Time(s)

Post 12 Mar 2023, 20:48
View user's profile Send private message Visit poster's website Reply with quote
FlierMate2



Joined: 21 Mar 2023
Posts: 39
FlierMate2 23 Mar 2023, 19:39
.......


Last edited by FlierMate2 on 15 May 2023, 21:24; edited 1 time in total
Post 23 Mar 2023, 19:39
View user's profile Send private message Reply with quote
FlierMate2



Joined: 21 Mar 2023
Posts: 39
FlierMate2 01 Apr 2023, 14:47
Recently not much progress in disassembler project, below is one of my study note:

Code:
0:  6a 05                   push   0x5
2:  68 05 00 00 00          push   0x5    


Can use long immediate value as argument for short immediate value, I think this also can be signature for assembler?


Description: 0x68 for PUSH lz, 0x6A for PUSH lb
Filesize: 5.81 KB
Viewed: 7025 Time(s)

Screenshot 2023-04-01 224428.png


Post 01 Apr 2023, 14:47
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20459
Location: In your JS exploiting you and your system
revolution 01 Apr 2023, 14:56
FlierMate2 wrote:
Can use long immediate value as argument for short immediate value, I think this also can be signature for assembler?
It is usually a sign of a bad assembler not optimising things and wasting precious cache.

But it can also be the programmer forcing the size with an override.
Post 01 Apr 2023, 14:56
View user's profile Send private message Visit poster's website Reply with quote
FlierMate2



Joined: 21 Mar 2023
Posts: 39
FlierMate2 01 Apr 2023, 15:05
revolution wrote:
It is usually a sign of a bad assembler not optimising things and wasting precious cache.

But it can also be the programmer forcing the size with an override.


Good info, learned valuable info from you again.
Post 01 Apr 2023, 15:05
View user's profile Send private message Reply with quote
FlierMate2



Joined: 21 Mar 2023
Posts: 39
FlierMate2 01 May 2023, 08:08
I give up studying decoding of CPU opcode, instead, I rely on Zydis engine (x86 Zydis.dll) to do simple disassembly.

The EXE parser is based on my exedump.asm.

No surprise here.

No code flow analysis, anything in code section will be disassembled regardless of data or code. Sad


Description: A simple disassembler for x86 / x64 EXE & DLL
Download
Filename: disasm.zip
Filesize: 225.08 KB
Downloaded: 258 Time(s)

Post 01 May 2023, 08:08
View user's profile Send private message Reply with quote
FlierMate2



Joined: 21 Mar 2023
Posts: 39
FlierMate2 23 May 2023, 17:06
For anyone who has downloaded my disasm.asm above, there is a bug in runtime address for jump instruction, where the endianness is wrong.

Actually the runtime address is QWORD, but my disasm.asm only read DWORD image base in 64-bit PE.

Thank you for helping to fix it yourself.


Description: Change code from red to green, as shown
Filesize: 10.39 KB
Viewed: 6249 Time(s)

Screenshot 2023-05-23 184039.png


Post 23 May 2023, 17:06
View user's profile Send private message Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 23 Jun 2023, 19:06
FlierMate2 wrote:
I give up studying decoding of CPU opcode, instead, I rely on Zydis engine (x86 Zydis.dll) to do simple disassembly.

The EXE parser is based on my exedump.asm.

No surprise here.

No code flow analysis, anything in code section will be disassembled regardless of data or code. Sad


I am posting the updated Zydis.dll (x86 and x64) for anyone who is interested, especially for CandyMan.
Very Happy


Description: Contains x86 and x64 version, Version 4.0
Download
Filename: Zydis.zip
Filesize: 994.99 KB
Downloaded: 253 Time(s)

Post 23 Jun 2023, 19:06
View user's profile Send private message Reply with quote
CandyMan



Joined: 04 Sep 2009
Posts: 414
Location: film "CandyMan" directed through Bernard Rose OR Candy Shop
CandyMan 10 Jul 2023, 16:05
Could you post the pre-compiled Win32/64 binaries as dynamic libraries of Capstone disassembler version 5.0?

_________________
smaller is better
Post 10 Jul 2023, 16:05
View user's profile Send private message Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 10 Jul 2023, 18:52
CandyMan wrote:
Could you post the pre-compiled Win32/64 binaries as dynamic libraries of Capstone disassembler version 5.0?


It is my pleasure to compile it.
The capstone msvc project file is dated back to VS 2010, but it is been upgraded to VS 2022.

I attach them separately because single file would be too large to upload here.

I check the function names, is it correct? Unlike Zydis, capstone functions are so simple.
(The export.cmd is macomics's https://board.flatassembler.net/topic.php?t=21964 )

Code:
; fasm1 autogenerated include
; builder script: "export.cmd"
; library capstone.dll, "C:\FASMW\capstone.dll"

import capstone.dll,\
                cs_close, "cs_close",\
                cs_disasm, "cs_disasm",\
                cs_disasm_iter, "cs_disasm_iter",\
                cs_errno, "cs_errno",\
                cs_free, "cs_free",\
                cs_group_name, "cs_group_name",\
                cs_insn_group, "cs_insn_group",\
                cs_insn_name, "cs_insn_name",\
                cs_malloc, "cs_malloc",\
                cs_op_count, "cs_op_count",\
                cs_op_index, "cs_op_index",\
                cs_open, "cs_open",\
                cs_option, "cs_option",\
                cs_reg_name, "cs_reg_name",\
                cs_reg_read, "cs_reg_read",\
                cs_reg_write, "cs_reg_write",\
                cs_regs_access, "cs_regs_access",\
                cs_strerror, "cs_strerror",\
                cs_support, "cs_support",\
                cs_version, "cs_version"    


Please let me know if you need further help.

----

Thank you FASM message board for making it possible to host these files, zydis.dll and capstone.dll.


Description: Latest capstone.dll (as of today), x64
Download
Filename: capstone_x64.zip
Filesize: 1.02 MB
Downloaded: 232 Time(s)

Description: Latest capstone.dll (as of today), Win32
Download
Filename: capstone_Win32.zip
Filesize: 1015.86 KB
Downloaded: 222 Time(s)

Post 10 Jul 2023, 18:52
View user's profile Send private message Reply with quote
CandyMan



Joined: 04 Sep 2009
Posts: 414
Location: film "CandyMan" directed through Bernard Rose OR Candy Shop
CandyMan 11 Jul 2023, 22:04
Thanks.

_________________
smaller is better
Post 11 Jul 2023, 22:04
View user's profile Send private message Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 12 Jul 2023, 10:05
CandyMan wrote:
Thanks.


Don't mention it.
Post 12 Jul 2023, 10:05
View user's profile Send private message Reply with quote
CandyMan



Joined: 04 Sep 2009
Posts: 414
Location: film "CandyMan" directed through Bernard Rose OR Candy Shop
CandyMan 12 Jul 2023, 17:26
Has anyone used the 32 bit version 5.0 of Capstone disassembler? My program crashes on the second call to cs_disasm_iter() for the x86_64 architecture. Version 5.0 64-bit as well as the previous version 4.0.2 32-bit works fine.

_________________
smaller is better
Post 12 Jul 2023, 17:26
View user's profile Send private message Reply with quote
CandyMan



Joined: 04 Sep 2009
Posts: 414
Location: film "CandyMan" directed through Bernard Rose OR Candy Shop
CandyMan 15 Jul 2023, 07:56
Flier-Mate could you please recompile Capstone this time using an older compiler?

The 32-bit version does not work due to a bug in the new MSVC (see: https://github.com/capstone-engine/capstone/issues/2064).

Thank you in advance.

_________________
smaller is better
Post 15 Jul 2023, 07:56
View user's profile Send private message Reply with quote
Flier-Mate



Joined: 26 May 2023
Posts: 88
Flier-Mate 15 Jul 2023, 09:06
CandyMan wrote:
Flier-Mate could you please recompile Capstone this time using an older compiler?

The 32-bit version does not work due to a bug in the new MSVC (see: https://github.com/capstone-engine/capstone/issues/2064).

Thank you in advance.

I will compile using a newer version of Visual Studio, and see if it fixes the bug, since only Professional or Enterprise customer can go back to previous release. (I am using Community edition of VS 2022)
Post 15 Jul 2023, 09:06
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.