Folder structure change, added README

TheDuchy
2020-10-16 22:28:58 +02:00
parent 2114d4f5e7
commit d44d9b59a7
174 changed files with 14378 additions and 0 deletions
@@ -0,0 +1,901 @@
/*
*
* ____| | | _) ___| |
* __| | _ \ __| __| __| _ \ __ \ | __|\___ \ _ \ | | | __|
* | | __/ ( | | ( | | | | ( | ( | | | |\__ \
* _____|_|\___|\___|\__|_| \___/ _| _|_|\___|_____/ \___/ \____|_|____/
*
* Presents
*
* [ 0x4553_LDE - 16/32-bit Length Disassembler Engine ]
*
* (c) Ares, 2003
*
*[-----------------------------------------------------------------------------------]
* Description:
* It based on ADE32 disassembler engine by z0mbie, modified and ported to AT&T asm.
*
* table.h - contain table of opcodes from 0x00 to 0xFF,
* it define the type of each other.
*
* Usage:
* There is the main function l_disasm(). It get one parameter from stack,
* which point to array with data. Return value reside in %eax - length of opcode.
*
* Example:
* ...
* mov data,%eax
* add $123,%eax # data[123]
* push %eax
* call l_disasm
* ...
*
* Section Headers:
* [Nr] Name Type Addr Off Size ES Flg Lk Inf Al
* [ 0] NULL 00000000 000000 000000 00 0 0 0
* [ 1] .text PROGBITS 08048074 000074 0002c2 00 AX 0 0 4
* [ 2] .data PROGBITS 08049380 000380 000800 00 WA 0 0 4
* ...
* = AA5(hex) = 2725(dec)
*
*[-----------------------------------------------------------------------------------]
*
* version: 1.0BETA
*
*/
.include "table.h"
.text
# little defines
diza = 12
buffer = -4
flag1 = -52
flag2 = -51
opcode = -53
t = -60
mod = -61
rm = -62
a = -68
b = -72
counter = -76
.globl l_disasm
l_disasm:
pushl %ebp
movl %esp,%ebp
movl 8(%ebp),%eax
movl %eax,buffer(%ebp) # buf
leal -48(%ebp),%eax # temp diza structure
movl %eax,diza(%ebp) # diza
movb $4,1(%eax) # filling structure
movb $4,(%eax)
movl $0,flag1(%ebp) # flag1 = 0
loop:
movl buffer(%ebp),%eax
movb (%eax),%dl
movb %dl,opcode(%ebp) # opcode
incl buffer(%ebp) # buf++;
movzbl opcode(%ebp),%eax
leal 0(,%eax,4),%edx
movl $op_tab,%eax
movl (%edx,%eax),%edx
movl %edx,t(%ebp) # t = op_tab[opcode]
movb t(%ebp),%al
andb $0xF8,%al
testb %al,%al
je check_opcode
movl flag1(%ebp),%eax
andl t(%ebp),%eax
testl %eax,%eax
jne return
movl t(%ebp),%edx
orl %edx,flag1(%ebp)
# prefix/mod/rm/flags/opcodes...checking
# no reason to comment all this stuff...
check_prefix:
movb t(%ebp),%al
test %esi,%esi
jne chp1
andb $0x10,%al
testb %al,%al
je chp1
jmp chpn
chp1:
movb t(%ebp),%al
incl %esi
andb $0x20,%al
testb %al,%al
je cp_sub2
chpn:
movl diza(%ebp),%eax
movl diza(%ebp),%edx
movb 1(%edx),%cl
xorb $6,%cl
movb %cl,1(%eax)
jmp loop
cp_sub2:
movb t(%ebp),%al
andb $0x80,%al
testb %al,%al
je cp_sub3
movl diza(%ebp),%eax
movb opcode(%ebp),%dl
movb %dl,21(%eax)
jmp loop
cp_sub3:
movb t(%ebp),%al
andb $0x40,%al
testb %al,%al
je loop
movl diza(%ebp),%eax
movb opcode(%ebp),%dl
movb %dl,20(%eax)
check_opcode:
movl t(%ebp),%eax
orl %eax,flag1(%ebp)
movl diza(%ebp),%eax
movb opcode(%ebp),%dl
movb %dl,22(%eax)
cmpb $15,opcode(%ebp)
jne co_sub1
movl buffer(%ebp),%ebx
movb (%ebx),%al
movb %al,opcode(%ebp)
incl buffer(%ebp)
movl diza(%ebp),%eax
movb opcode(%ebp),%dl
movb %dl,23(%eax)
movzbl opcode(%ebp),%eax
leal 256(%eax),%edx
leal 0(,%edx,4),%eax
movl $op_tab,%edx
movl (%eax,%edx),%ecx
orl %ecx,flag1(%ebp)
cmpl $-1,flag1(%ebp)
jne check_mod
jmp return
co_sub1:
cmpb $0xF7,opcode(%ebp)
jne co_sub2
movl buffer(%ebp),%eax
movb (%eax),%dl
andb $0x38,%dl
testb %dl,%dl
jne check_mod
orb $0x20,flag2(%ebp)
jmp check_mod
co_sub2:
cmpb $0xF6,opcode(%ebp)
jne check_mod
movl buffer(%ebp),%eax
movb (%eax),%dl
andb $0x38,%dl
testb %dl,%dl
jne check_mod
orb $1,flag2(%ebp)
check_mod:
movl flag1(%ebp),%eax
andl $0x4000,%eax
testl %eax,%eax
je checks_complete
movl buffer(%ebp),%edi
movb (%edi),%al
movb %al,opcode(%ebp)
incl buffer(%ebp)
movl diza(%ebp),%eax
movb opcode(%ebp),%dl
movb %dl,24(%eax)
movb opcode(%ebp),%al
andb $0x38,%al
cmpb $0x20,%al
jne cm_sub1
movl diza(%ebp),%eax
cmpb $0xFF,22(%eax)
jne cm_sub1
orb $4,-50(%ebp) # flag
cm_sub1:
movb opcode(%ebp),%al
andb $0xC0,%al
movb %al,mod(%ebp)
movb opcode(%ebp),%dl
andb $7,%dl
movb %dl,rm(%ebp)
cmpb $0xC0,mod(%ebp)
je checks_complete
movl diza(%ebp),%eax
cmpb $4,(%eax)
jne cm_sub5
cmpb $4,rm(%ebp)
jne cm_sub2
orb $8,flag2(%ebp)
movl buffer(%ebp),%edi
movb (%edi),%al
movb %al,opcode(%ebp)
incl buffer(%ebp)
movl diza(%ebp),%eax
movb opcode(%ebp),%dl
movb %dl,25(%eax)
movb opcode(%ebp),%cl
andb $7,%cl
movb %cl,rm(%ebp)
cm_sub2:
cmpb $0x40,mod(%ebp)
jne cm_sub3
orb $1,flag1(%ebp)
jmp checks_complete
cm_sub3:
cmpb $0x80,mod(%ebp)
jne cm_sub4
orb $4,flag1(%ebp)
jmp checks_complete
cm_sub4:
cmpb $5,rm(%ebp)
jne checks_complete
orb $4,flag1(%ebp)
jmp checks_complete
cm_sub5:
cmpb $0x40,mod(%ebp)
jne cm_sub6
orb $1,flag1(%ebp)
jmp checks_complete
cm_sub6:
cmpb $0x80,mod(%ebp)
jne cm_sub7
orb $2,flag1(%ebp)
jmp checks_complete
cm_sub7:
cmpb $6,rm(%ebp)
jne checks_complete
orb $2,flag1(%ebp)
checks_complete:
movl diza(%ebp),%eax
movl flag1(%ebp),%edx
movl %edx,8(%eax)
movl flag1(%ebp),%eax
andl $7,%eax
movl %eax,a(%ebp)
movl flag1(%ebp),%edx
andl $0x700,%edx
shrl $8,%edx
movl %edx,b(%ebp)
movl flag1(%ebp),%eax
andl $0x1000,%eax
testl %eax,%eax
je cc_sub1
movl diza(%ebp),%eax
movzbl (%eax),%edx
addl %edx,a(%ebp)
cc_sub1:
movl flag1(%ebp),%eax
andl $0x2000,%eax
testl %eax,%eax
je cc_sub2
movl diza(%ebp),%eax
movzbl 1(%eax),%edx
addl %edx,b(%ebp)
cc_sub2:
movl diza(%ebp),%eax
movl a(%ebp),%edx
movl %edx,diza(%eax)
movl diza(%ebp),%eax
movl b(%ebp),%edx
movl %edx,16(%eax)
movl $0,counter(%ebp)
cc_sub3:
movl counter(%ebp),%eax
cmpl a(%ebp),%eax
jnb cc_sub4
movl diza(%ebp),%edx
leal 28(%edx),%eax
movl counter(%ebp),%edx
movl buffer(%ebp),%ecx
movl %ecx,(%edx,%eax)
incl buffer(%ebp)
incl counter(%ebp)
jmp cc_sub3
cc_sub4:
movl $0,counter(%ebp)
cc_sub5:
movl counter(%ebp),%eax
cmpl b(%ebp),%eax
jnb cc_sub6
movl diza(%ebp),%edx
leal 36(%edx),%eax
movl counter(%ebp),%edx
movl buffer(%ebp),%ecx
movl %ecx,(%edx,%eax)
incl buffer(%ebp)
incl counter(%ebp)
jmp cc_sub5
cc_sub6:
movl buffer(%ebp),%eax
subl 8(%ebp),%eax
return:
leave
ret
/****************************************************
.include "0x4553_LDE.s"
.globl main
main:
push %ebp
mov %esp,%ebp
push $2
push $file
call open
mov %eax,fd
push $424
call malloc
mov %eax,data
push $424
push data
push fd
call read
mov data,%eax
add $0x74,%eax # entry point, first instruction - xor %eax,%eax
push %eax
call l_disasm
push %eax
push $l
call printf
call exit
l:.string"Lenght of instruction: %d\n"
file: .string "test"
.comm fd,4,4
.comm data,424,4
*****************************************************/
/****************************************************
table.h
.globl op_tab
.data
op_tab:
.long 16384 # 0x00
.long 16384 # 0x01
.long 16384 # 0x02
.long 16384 # ...
.long 256
.long 8192
.long 32768
.long 32768
.long 16384
.long 16384
.long 16384
.long 16384
.long 256
.long 8192
.long 32768
.long 65536
.long 49152
.long 16384
.long 49152
.long 16384
.long 33024
.long 40960
.long 32768
.long 32768
.long 49152
.long 16384
.long 16384
.long 16384
.long 33024
.long 40960
.long 32768
.long 32768
.long 16384
.long 16384
.long 16384
.long 16384
.long 256
.long 8192
.long 32896
.long 32768
.long 16384
.long 16384
.long 16384
.long 16384
.long 256
.long 8192
.long 32896
.long 32768
.long 16384
.long 16384
.long 16384
.long 16384
.long 256
.long 8192
.long 32896
.long 32768
.long 16384
.long 16384
.long 16384
.long 16384
.long 256
.long 8192
.long 32896
.long 32768
.long 0
.long 0
.long 0
.long 0
.long 32768
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 32768
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 32768
.long 0
.long 0
.long 0
.long 32768
.long 32768
.long 49152
.long 49152
.long 128
.long 32896
.long 32
.long 16
.long 8192
.long 24576
.long 256
.long 16640
.long 32768
.long 32768
.long 32768
.long 32768
.long 164096
.long 164096
.long 131328
.long 131328
.long 131328
.long 131328
.long 131328
.long 131328
.long 131328
.long 131328
.long 164096
.long 164096
.long 131328
.long 131328
.long 131328
.long 131328
.long 16640
.long 24576
.long 49408
.long 16640
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 49152
.long 16384
.long 49152
.long 16384
.long 0
.long 0
.long 0
.long 32768
.long 32768
.long 32768
.long 32768
.long 32768
.long 32768
.long 0
.long 41472
.long 0
.long 32768
.long 32768
.long 32768
.long 32768
.long 4096
.long 4096
.long 4096
.long 4096
.long 0
.long 0
.long 0
.long 0
.long 256
.long 8192
.long 0
.long 0
.long 0
.long 32768
.long 0
.long 32768
.long 256
.long 256
.long 256
.long 256
.long 256
.long 256
.long 33024
.long 33024
.long 8192
.long 8192
.long 8192
.long 8192
.long 40960
.long 8192
.long 8192
.long 8192
.long 16640
.long 16640
.long 262656
.long 262144
.long 49152
.long 49152
.long 16640
.long 24576
.long 768
.long 0
.long 295424
.long 294912
.long 32768
.long 256
.long 32768
.long 294912
.long 16384
.long 16384
.long 16384
.long 16384
.long 33024
.long 33024
.long 32768
.long 32768
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 164096
.long 164096
.long 131328
.long 131328
.long 33024
.long 33024
.long 33024
.long 33024
.long 139264
.long 401408
.long 41472
.long 393472
.long 32768
.long 32768
.long 32768
.long 32768
.long 32776
.long 32768
.long 64
.long 64
.long 32768
.long 32768
.long 16384
.long 16384
.long 0
.long 0
.long 32768
.long 32768
.long 0
.long 0
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long -1
.long -1
.long 0
.long -1
.long 0
.long 0
.long 0
.long 0
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 0
.long 0
.long 0
.long 16384
.long 16640
.long 16384
.long -1
.long -1
.long 0
.long 0
.long 0
.long 16384
.long 16640
.long 16384
.long -1
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long -1
.long -1
.long 16640
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long 0
.long 0
.long 0
.long 0
.long 0
.long 256
.long 0
.long 0
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1 # 0xff
*****************************************************/
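Review bot: `test %esi,%esi` at check_prefix reads %esi before l_disasm has written it, so whether a second prefix is accepted depends on what the caller left in that register; the function also clobbers %ebx, %esi and %edi (`movl buffer(%ebp),%ebx`, `movl buffer(%ebp),%edi`), which the i386 SysV ABI makes callee-saved, so a C caller like the commented-out `main` can lose live values. The locals down to counter(-76) are never reserved with a `subl` on %esp either, so they live below the stack pointer — tolerable only because the body makes no call, and broken by any signal delivered mid-decode. Separately, `movl %ecx,(%edx,%eax)` at cc_sub3 and cc_sub5 stores the 32-bit buffer pointer rather than the byte it addresses, so the diza copy of the displacement/immediate bytes is wrong even though the returned length is unaffected. The prologue should reserve the frame, save the three registers and zero %esi, with matching pops at `return:` before `leave`.
```asm
l_disasm:
        pushl   %ebp
        movl    %esp,%ebp
        subl    $76,%esp                # locals live at -4(%ebp) .. -76(%ebp); keep them above %esp
        pushl   %ebx                    # callee-saved in the i386 SysV ABI
        pushl   %esi
        pushl   %edi
        xorl    %esi,%esi               # prefix-seen counter must start at zero
        # ... unchanged: buffer/diza setup, loop, prefix/modrm/flag checks, length computation ...
return:
        popl    %edi                    # %esp is untouched by the body, so the pops line up
        popl    %esi
        popl    %ebx
        leave
        ret
```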
@@ -0,0 +1,174 @@
; Catchy32 v1.6-2 - Length Disassembler Engine 32bit
; original source Catchy32.inc-orig (c) sars [HI-TECH] 2003
; this slightly opimized version - herm1t'2004
BITS 32
CPU 386
global catchy32
pref66h equ 1
pref67h equ 2
catchy32: pushad
mov esi, [esp + 36] ; pointer to opcode
sub esp, 256 ; allocate space for the table in stack
mov ebp, esp ; ebp <- opcode table
mov edi, esp
push esi
;; (1) unpack table
mov edx, esp ; save stack pointer
push 115
pop ecx
call .data
db 0x45,0x29,0x20,0x45,0x29,0x20,0x45,0x29
db 0x20,0x45,0x29,0x20,0x45,0x29,0x36,0x45
db 0x29,0x36,0x45,0x29,0x36,0x45,0x29,0x36
db 0xe0,0xe0,0x60,0x25,0x57,0x30,0x28,0x40
db 0xe7,0x27,0x2c,0x2b,0xc5,0xa0,0x31,0x40
db 0x4f,0x40,0x29,0x60,0x87,0x8f,0x2b,0x2d
db 0x25,0x2c,0x2e,0x2d,0x22,0x20,0x45,0x27
db 0x20,0x85,0x87,0x2f,0x32,0x40,0x36,0x37
db 0x20,0x25,0x60,0x65,0x33,0x40,0x35,0x34
db 0x23,0x85,0x26,0x75,0x45,0x46,0x85,0x60
db 0xb5,0xe5,0xe5,0xe5,0x65,0x4b,0x25,0x24
db 0x85,0xef,0x2f,0xe5,0x25,0x20,0x21,0x2a
db 0x25,0x20,0x21,0x2a,0xa5,0x35,0x2a,0x65
db 0x2a,0x2b,0x2a,0x80,0x34,0xe5,0xe5,0x25
db 0x34,0xc5,0x26
; xlat table
db 0x00,0x01,0x02,0x03,0x10,0x11,0x1e,0x22
db 0x23,0x28,0x31,0x33,0x39,0x40,0x60,0x88
db 0x89,0xc0,0xc2,0xe0,0xe1,0xee,0xf0,0xff
.data: pop esi
lea ebx, [esi + ecx]
xor eax, eax
.next: lodsb
push ecx
mov ecx, eax
shr ecx, 5
and al, 31
xlat
rep stosb
pop ecx
loop .next
mov esp, edx ; restore stack frame
;; /unpack
pop esi
push edi ; (2)
mov edi, esi ; (3)
cmp word [esi], 20cdh ; VXD call (6 bytes)
jne ExtFlags
inc esi
inc esi
lodsd
CalcLen: sub esi, edi ; (3)
cmp esi, 15
jbe OK
Error: xor esi, esi
dec esi
OK: pop esp ; (2)
mov [esp+4*7], esi
popad
ret
; ecx zero after loop
;==============================================================================
ExtFlags: xor eax, eax
xor ebx, ebx
cdq
lodsb ;al <- opcode
mov cl, al ;cl <- opcode
cmp al, 0fh ;Test on prefix 0Fh
jne NormTable
lodsb
inc ah ;EAX=al+100h (100h/2 - lenght first table)
NormTable: shr eax, 1 ;Elements tables on 4 bits
mov al, byte [ebp + eax]
jc IFC1
shr eax, 4 ;Get high 4-bits block if offset is odd, otherwise...
IFC1: and al, 0fh
xchg eax, ebx ;EAX will be needed for other purposes
CheckFlags: cmp bl, 0Eh ;Test on ErrorFlag
je Error
cmp bl, 0Fh ;Test on PrefixFlag
je Prefix
or ebx, ebx ;One byte command
jz CalcLen
btr ebx, 0 ;Command with ModRM byte
jc ModRM
btr ebx, 1 ;Test on imm8,rel8 etc flag
jc incr1
btr ebx, 2 ;Test on ptr16 etc flag
jc incr2
and bl, 11110111b ;Reset 16/32 sign
cmp cl, 0A0h ;Processing group 0A0h-0A3h
jb Check66h
cmp cl, 0A3h
ja Check66h
test ch, pref67h
jnz incr2
jmp incr4
Check66h: test ch, pref66h
jnz incr2
incr4: inc esi
inc esi
incr2: inc esi
incr1: inc esi
jmp_CheckFlags: jmp CheckFlags
;-----------------------------------------------
Prefix: cmp cl, 66h
je SetF66h
cmp cl, 67h
jne ExtFlags
SetF67h: or ch, pref67h
jmp ExtFlags
;-----------------------------------------------
SetF66h: or ch, pref66h
jmp ExtFlags
;-----------------------------------------------
ModRM: lodsb
cmp cl, 0F7h ;Check on 0F6h and 0F7h groups
je F6F7
cmp cl, 0F6h
jne ModXX
F6F7: test al, 00111000b ;Processing groups 0F6h and 0F7h
jnz ModXX
test cl, 00000001b
jz incbt1
test ch, 1
jnz incbt2
inc esi
inc esi
incbt2: inc esi
incbt1: inc esi
ModXX: mov edx, eax ;Processing MOD bits
and al, 00000111b ;al <- only R/M bits
test dl, 11000000b ;Check MOD bits
jz Mod00
jp CheckFlags ;Or c_Mod11
js Mod10
Mod01: test ch, pref67h
jnz incr1 ;16-bit addressing
cmp al, 4 ;Check SIB
je incr2
jmp incr1
;-----------------------------------------------
Mod00: test ch, pref67h
jz Mod00_32 ;32-bit addressing
cmp al, 6
je incr2
jmp jmp_CheckFlags
;-----------------------------------------------
Mod00_32: cmp al, 4 ;Check SIB
jne disp32
lodsb ;Processing SIB byte
and al, 00000111b
disp32: cmp al, 5
je incr4
jmp jmp_CheckFlags
;-----------------------------------------------
Mod10: test ch, pref67h
jnz incr2 ;16-bit addressing
cmp al, 4 ;Check SIB
jne incr4
inc esi
jmp incr4
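Review bot: The only length guard is `cmp esi, 15` at CalcLen, which runs after decoding finishes, while the `Prefix` path jumps back to `ExtFlags` and `lodsb` for every prefix byte with no counter, so a run of 66h/67h bytes (or a stream that ends in a prefix) is read past the 15-byte instruction limit before anything is checked. edi still holds the start of the instruction at that point and eax is dead there (it was exchanged with the zeroed ebx), so a bound fits at the top of Prefix: `lea eax, [edi + 15]`, `cmp esi, eax`, `jae Error`. Error returns -1 through the existing `pop esp`/`popad` exit, the same result the over-length case at CalcLen already produces.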
@@ -0,0 +1,398 @@
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ;
; ;
; ### ;
; ### ;
; ### #################################################### ;
; ### #################################################### ;
; ### ### ### ;
; ### ### ### ######### ### ;
; ### ### ### ########### ;
; ### ### ## ## ;
; ### ### ### ## ## ;
; ### ### ### ## ## ;
; ### ### ### ### ## ## ;
; ### ### ### ### ## ## ;
; ############ ### ### ########### ;
; ################################################################ ;
; ;
; ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ;
; Advanced Length dIsassembler moTOr:) ;
; ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ;
; ‚¥àá¨ï 2.1 ;
; ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;äã­ªæ¨ï _LiTo_ ;
;¤¨§ áᥬ¡«¨à®¢ ­¨¥ ¬ è¨­­®© ª®¬ ­¤ë ;
;®¯à¥¤¥«¥­¨¥ ¤«¨­ë ¬ è¨­­®© ª®¬ ­¤ë ;
;‚室: ;
;esi -  ¤à¥á à §¡¨à ¥¬®© ¬ è¨­­®© ª®¬ ­¤ë ;
;edi - 㪠§ â¥«ì ­  ¢ë室­ãî áâàãªâãàã (¨«¨ ¡ãä¥à) (­ §®¢¥¬ ¥¥ INSTR:) ;
;‚ë室: ;
;¢ eax - ¤«¨­  ¬ è¨­­®© ª®¬ ­¤ë. ;
;‡ ¬¥âª¨: ;
;(x) ‚ë室­ ï áâàãªâãà  (¨«¨ ¡ãä¥à) § ¯®«­ï¥âáï ¢ ¯à®æ¥áᥠ¤¨§ áᥬ¡«¨à®¢ ­¨ï ;
;¨­áâàãªæ¨¨ ¨ ¤®«¦­  ¯à¥¤áâ ¢«ïâì ᮡ®© á«¥¤ãî饥: ;
; ;
; INSTR1 struct ;
; (+ 00) len_com db 00h ; - ¤«¨­  ª®¬ ­¤ë; ;
; (+ 01) flags dd 00h ; - ¢ëáâ ¢«¥­­ë¥ ä« £¨ ;
; (+ 05) seg db 00h ; - ᥣ¬¥­â (¥á«¨ ¥áâì); ;
; (+ 06) repx db 00h ; - ¯à¥ä¨ªá (0F2h/0F3h) (¥á«¨ ¥áâì); ;
; (+ 07) len_offset db 00h ; - à §¬¥à ᬥ饭¨ï; ;
; (+ 08) len_operand db 00h ; - à §¬¥à ®¯¥à ­¤ ; ;
; (+ 09) opcode db 00h ; - ®¯ª®¤ (¥á«¨ ®¯ª®¤=0Fh, ⮣¤  ;
; ; á á®åà ­ï¥âáï 2-®© ®¯ª®¤, ¨ ;
; ; ãáâ ­ ¢«¨¢ ¥âáï ä« £ B_OPCODE2); ;
; (+ 10) modrm db 00h ; - ¡ ©â MODRM (â ª¦¥, ¥á«¨ ¥áâì) ;
; (+ 11) sib db 00h ; - ¡ ©â SIB ;
; (+ 12) offset db 8 dup (00h); - ᬥ饭¨¥ ¨­áâàãªæ¨¨ ;
; (+ 20) operand db 8 dup (00h); - ®¯¥à ­¤ ¨­áâàãªæ¨¨ ;
; INSTR1 ends ;
; ;
;(å) ¯®­¨¬ îâáï (¯®ª ) ⮫쪮 general purpose & fpu instructions ;
; (®áâ «ì­ë¥ - ¢ ⮯ªã:)! ;
;(å) ­¥â ¯à®¢¥àª¨ ­  ¬ ªá¨¬ «ì­ãî ¤«¨­ã ¨­áâàãªæ¨¨ (15 ¡ ©â) (­ å७) ;
;(å) Š ª ¯®áâ஥­ë í⨠⠡«¨çª¨: ;
; Ž—…œ Ž‘’Ž: â ª ª ª ¢ í⮬ ¤¨§ á¬¥ ¨á¯®«ì§ãîâáï ä« £¨ á ç¨á«®¢ë¬ ;
; ®¡®§­ ç¥­¨¥¬ <=8, â® ¤«ï ®¤­®£® ä« £  ¤®áâ â®ç­® ¬¥áâ  ¢ ¯®«®¢¨­ã ¡ ©â  ;
; (¬ ªá¨¬ «ì­®¥ ç¨á«® =8 (B_PREFIX6X) - ¢ ¤¢®¨ç­®¬ ¯à¥¤áâ ¢«¥­¨¨ =1000b). ;
; ‡­ ï íâ®, ¯à®áâ® â㯮 ¢ ®¤¨­ ¡ ©â § ¯¨å¨¢ ¥¬ 2 ä« £  - ¢®â ¨ ¢á¥. ’ ª¨¬ ;
; ®¡à §®¬, ª ¦¤ ï â ¡«¨çª  ¢ 256 ¡ ©â ã१ ¥âáï ¤® 128. ;
;(å) „«ï 32-¡¨â­®£® ¨á¯®«­ï¥¬®£® ª®¤ . ;
;(å) Šâ® å®ç¥â, ¯ãáâì ­ ä¨£ á ¬ ¨ ¤®¡ ¢«ï¥â ®áâ «ì­ë¥ ª®¬ ­¤ë ¨ ¢á直¥ â ¬ ;
; ¯à®¢¥àª¨. ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;
;
;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ”ˆ—ˆ: ;
;(+) ¡ §®­¥§ ¢¨á¨¬®áâì ;
;(+) 㯠ª®¢ ­­ë¥ â ¡«¨çª¨ ;
; ;
;(-) ¬ãâ®à­® ¤®¡ ¢«ïâì ­®¢ë¥ ¨­áâàãªæ¨¨ ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;
;
;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ˆ‘Ž‹œ‡Ž‚€ˆ…: ;
;1)®¤ª«î祭¨¥: ;
; lito.asm ;
;2)‚ë§®¢:(¯à¨¬¥à) ;
; lea esi,XXXXXXXXh ; ¤à¥á ª®¬ ­¤ë, çìî ¤«¨­ã ­ ¤® ã§­ âì ;
; lea edi,XXXXXXXXh ;lea edi,INSTR1 ;
; call LiTo ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;m1x
;pr0mix@mail.ru
_LiTo_:
pushad
call _delta_lito_
;===================================================================================
;áâப  ¯à¥ä¨ªá®¢
pfx:
db 2Eh,36h,3Eh,26h,64h,65h,0F2h,0F3h,0F0h,66h,67h
SizePfx equ $-pfx ;¤«¨­  pfx
;===================================================================================
;â ¡«¨æ  ä« £®¢ ¤«ï ®¤­®¡ ©â­ëå ®¯ª®¤®¢
TableFlags1:
; 01 23 45 67 89 AB CD EF
db 11h,11h,28h,00h,11h,11h,28h,00h ;00
db 11h,11h,28h,00h,11h,11h,28h,00h ;01
db 11h,11h,28h,00h,11h,11h,28h,00h ;02
db 11h,11h,28h,00h,11h,11h,28h,00h ;03
db 00h,00h,00h,00h,00h,00h,00h,00h ;04
db 00h,00h,00h,00h,00h,00h,00h,00h ;05
db 00h,11h,00h,00h,89h,23h,00h,00h ;06
db 22h,22h,22h,22h,22h,22h,22h,22h ;07
db 39h,33h,11h,11h,11h,11h,11h,11h ;08
db 00h,00h,00h,00h,00h,0C0h,00h,00h ;09
db 88h,88h,00h,00h,28h,00h,00h,00h ;0A
db 22h,22h,22h,22h,88h,88h,88h,88h ;0B
db 33h,40h,11h,39h,60h,40h,02h,00h ;0C
db 11h,11h,22h,00h,11h,11h,11h,11h ;0D
db 22h,22h,22h,22h,88h,0C2h,00h,00h ;0E
db 00h,00h,00h,11h,00h,00h,00h,11h ;0F
;===================================================================================
;â ¡«¨æ  ä« £®¢ ¤«ï ¤¢ãå¡ ©â­ëå ®¯ª®¤®¢
TableFlags2:
; 01 23 45 67 89 AB CD EF
db 11h,11h,00h,00h,00h,00h,01h,00h ;00
db 00h,00h,00h,00h,00h,00h,00h,01h ;01
db 11h,11h,00h,00h,00h,00h,00h,00h ;02
db 00h,00h,00h,00h,00h,00h,00h,00h ;03
db 11h,11h,11h,11h,11h,11h,11h,11h ;04
db 00h,00h,00h,00h,00h,00h,00h,00h ;05
db 00h,00h,00h,00h,00h,00h,00h,00h ;06
db 00h,00h,00h,00h,00h,00h,00h,00h ;07
db 88h,88h,88h,88h,88h,88h,88h,88h ;08
db 11h,11h,11h,11h,11h,11h,11h,11h ;09
db 00h,01h,31h,00h,00h,01h,31h,01h ;0A
db 11h,11h,11h,11h,00h,31h,11h,11h ;0B
db 11h,00h,00h,01h,00h,00h,00h,00h ;0C
db 00h,00h,00h,00h,00h,00h,00h,00h ;0D
db 00h,00h,00h,00h,00h,00h,00h,00h ;0E
db 00h,00h,00h,00h,00h,00h,00h,00h ;0F
;===================================================================================
SizeTbl equ $-pfx
;===================================================================================
;ä« £¨
;-----------------------------------------------------------------------------------
B_NONE equ 00h ;xex
B_MODRM equ 01h ;present byte MODRM
B_DATA8 equ 02h ;present imm8,rel8, etc
B_DATA16 equ 04h ;present imm16,rel16, etc
B_PREFIX6X equ 08h ;present imm16/imm32 (¢ § ¢¨á¨¬®á⨠®â ­ «¨ç¨ï ¯à¥ä¨ªá  0x66 (0x67 ¤«ï ®¯ª®¤®¢ 0xA0-0xA3))
B_SEG equ 10h ;present segment (¯à¨¬¥à: 0x2e,0x3E, etc)
B_PFX66 equ 20h ;present byte 0x66
B_PFX67 equ 40h ;present byte 0x67
B_LOCK equ 80h ;present byte LOCK (0xF0)
B_REP equ 100h ;present byte rep[e/ne]
B_OPCODE2 equ 200h ;present second opcode (first opcode=0x0F)
B_SIB equ 400h ;present byte SIB
B_RELX equ 800h ;present jxx/jmp/call (rel8,rel16,rel32)
;===================================================================================
_delta_lito_:
pop ebp
cld
xor eax,eax
xor ebx,ebx
cdq ;¢ edx: dl(0/1) - ­¥â/¥áâì ¯à¥ä¨ªá 0x66
; dh(0/1) - ­¥â/¥áâì ¯à¥ä¨ªá 0x67
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG ¯®¨áª ¯à¥ä¨ªá®¢xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_nextpfx_:
lodsb ;¯®«ãç ¥¬ ®ç¥à¥¤­®© ¡ ©â ª®¬ ­¤ë
push edi
lea edi,[ebp+(pfx-_delta_lito_+SizeTbl)] ;¢ edi -  ¤à¥á áâப¨ ¯à¥ä¨ªá®¢
db 6Ah,SizePfx
pop ecx
repne scasb ;¥áâì «¨ ¢ à §¡¨à ¥¬®© ª®¬ ­¤¥ ¯à¥ä¨ªáë?
pop edi
jne _endpfx_ ;­¥â? - ­  ¢ë室
cmp ecx,5
jl _lock_
or bl,B_SEG
mov byte ptr [edi+05h],al ;seg
_lock_:
cmp al,0F0h
jne _rep_
or bl,B_LOCK
_rep_:
mov ch,al
and ch,0FEh
cmp ch,0F2h
jne _66_
or bx,B_REP
mov byte ptr [edi+06h],al ;rep
_66_:
cmp al,66h ;¨­ ç¥ ᬮâਬ, íâ® 0x66?
jne _67_
mov dl,1
or bl,B_PFX66
_67_:
cmp al,67h ;¨­ ç¥, íâ® 0x67?
jnz _nextpfx_ ;¥á«¨ ­¥â, â® ¨é¥¬ ¤à㣨¥ ¯à¥ä¨ªáë
mov dh,1
or bl,B_PFX67
jmp _nextpfx_ ;¯à®¤®«¦ ¥¬ ¯®¨áª
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND ¯®¨áª ¯à¥ä¨ªá®¢xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_endpfx_:
_search_jxx_call_jmp_:
mov ch,al
and ch,0FEh
cmp ch,0E8h
je _jxxok_
mov ch,al
and ch,11110000b
cmp ch,70h
je _jxxok_
cmp al,0EBh
je _jxxok_
cmp al,0Fh ;®¯ª®¤ á®á⮨⠨§ 2-å ¡ ©â?
jne _opcode_
lodsb ;¥á«¨ ¤ , â® ¡¥à¥¬ 2-®© ¡ ©â ®¯ª®¤ 
mov cl,80h ;¨ 㢥«¨ç¨¢ ¥¬ cl=80h
or bx,B_OPCODE2
mov ch,al
and ch,11110000b
cmp ch,80h
jne _opcode_
_jxxok_:
or bx,B_RELX
;-----------------------------------------------------------------------------------
_opcode_:
xor ch,ch
mov byte ptr [edi+09h],al ;save first opcode
lea ebp,[ebp+ecx+(TableFlags1-_delta_lito_+SizeTbl)];¢ edi -  ¤à¥á ­ã¦­®© â ¡«¨æë ä« £®¢(å à-ª)
cmp al,0A0h ;¥á«¨ ®¯ª®¤>=0xA0 ¨ ®¯ª®¤<=A3,
jl _01_;jb ;
cmp al,0A3h
jg _01_
test cl,cl
jne _01_;je ;â® dl=dh
mov dl,dh ;mov dl,dh
;-----------------------------------------------------------------------------------
_01_:
push eax
shr eax,1
mov cl,byte ptr [ebp+eax] ;¢ cl - ä« £¨ ª®¬ ­¤ë
jc _noCF_
shr cl,4
_noCF_:
and cl,0Fh
xor ebp,ebp ;¢ ebp - ¡ã¤¥â åà ­¨âìáï ¤«¨­  ᬥ饭¨ï(offset)
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG à §¡®à MODRMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
or ecx,ebx
pop ebx ;bl=opcode
test cl,B_MODRM ;¯à¨áãâáâ¢ã¥â «¨ ¡ ©â modrm?
je _endmodrm_ ;­¥â? ­  ¢ë室
lodsb ;al=modrm
mov byte ptr [edi+10],al ;MODRM
mov ah,al
;-----------------------------------------------------------------------------------
shr ah,6 ;ah=mod
;-----------------------------------------------------------------------------------
test al,38h ;¤ «¥¥ ᬮâਬ, à ¢­® «¨ ¯®«¥ reg==0?
jne _03_
sub bl,0F6h ;¥á«¨ ¤ , ⮠ᬮâਬ ­  ®¯ª®¤:
jne _02_ ;à ¢¥­ «¨ ®­ 0xF6 ¨«¨ 0xF7(test)?
or cl,B_DATA8 ;¥á«¨ ¤ , â® ãáâ ­ ¢«¨¢ ¥¬ ­ã¦­ë© ä« £
_02_:
dec ebx
jne _03_
or cl,B_PREFIX6X
;-----------------------------------------------------------------------------------
_03_:
and al,07h
xor ebx,ebx ;bl ®â¢¥ç ¥â §  ¯à¨áãâá⢨¥ ¡ ©â  sib
mov bh,ah ;bh=mod
cmp dh,1 ;¥áâì «¨ ¢ à §¡¨à ¥¬®© ª®¬ ­¤¥ ¯à¥ä¨ªá 0x67?
je _mod00_ ;¥á«¨ ¤ , â® ¯¥à¥áª ª¨¢ ¥¬
cmp al,4 ;¨­ ç¥ ¯à®¢¥à塞,à ¢­® «¨ ¯®«¥ rm==4?
jne _mod00_
inc ebx ;¥á«¨ ¤ , â® ¢®§¬®¦­® ¥áâì sib
;-----------------------------------------------------------------------------------
_mod00_:
test ah,ah ;¯®«¥ mod==0?
jne _mod01_
dec dh ;ᮤ¥à¦¨â «¨ ª®¬ ­¤  0x67?
jne _nop67_ ;­¥â? ¯¥à¥áª ª¨¢ ¥¬
cmp al,6 ;¥á«¨ ¤ , â® rm==6?
jne _sib_
inc ebp ;¥á«¨ ¤ , â® ¤«¨­  ᬥ饭¨ï=2(16 bit)
inc ebp
_nop67_:
cmp al,5 ;¨­ ç¥, rm==5?
jne _sib_
add ebp,4 ;¥á«¨ ¤ , â® ¤«¨­  ®ääá¥â =4 (32 bit)
jmp _sib_ ;¨¤¥¬ ¤ «ìè¥
;-----------------------------------------------------------------------------------
_mod01_: ;mod==1?
dec ah
jne _mod02_
inc ebp ;¤ ? ⮣¤  ebp=1
jmp _sib_
;-----------------------------------------------------------------------------------
_mod02_: ;mod==2?
dec ah
jne _mod03_
inc ebp ;ebp=2
inc ebp
dec dh ;¥á«¨ ¥áâì ¯à¥ä¨ªá  0x67, ¯¥à¥áª ª¨¢ ¥¬ ¤ «ìè¥
je _sib_
inc ebp ;â® ebp+=2
inc ebp
inc ebx
;-----------------------------------------------------------------------------------
_mod03_: ;mod==3?
dec bl ;¥á«¨ ¤ , ⮣¤  sib'  â®ç­® ­¥â!
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND à §¡®à MODRMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG ¯®«ã祭¨¥ SIBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_sib_:
dec bl ;¥áâì «¨ ¡ ©â sib?
jne _endmodrm_
or cx,B_SIB
lodsb ;¥á«¨ ¤ , â® ¢ al ⥯¥àì «¥¦¨â sib(al=sib)
mov byte ptr [edi+11],al ;SIB
and al,7 ;¤ «¥¥,
cmp al,5 ;al==5?
jne _endmodrm_
test bh,bh ;¥á«¨ ¤ , ⮠ᬮâਬ, ¯®«¥ mod==0?
jne _endmodrm_
push 4 ;¥á«¨ ¤ , â® ¥áâì 4-¡ ©â®¢®¥ ᬥ饭¨¥
pop ebp
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND ¯®«ã祭¨¥ SIBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG ä« £¨xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_endmodrm_:
xor ebx,ebx
test cl,B_DATA8 ;¥áâì «¨ ®¤­®¡ ©â®¢®¥ ᬥ饭¨¥?
je _nf1_
inc ebx
_nf1_:
test cl,B_DATA16 ;¥áâì «¨ ¤¢ãå¡ ©â®¢®¥ ᬥ饭¨¥?
je _nf2_
inc ebx
inc ebx
_nf2_:
test cl,B_PREFIX6X ;¥áâì «¨ ¢ ª®¬ ­¤¥ ­¥¯®á।á⢥­­®¥ §­ ç¥­¨¥?
je _endflag_
dec dl ;¥áâì «¨ 0x66(0x67 ¤«ï [0xA0,0xA3]) ¢ à §¡¨à ¥¬®© ª®¬ ­¤¥?
je _okp66_
inc ebx
inc ebx
_okp66_:
inc ebx
inc ebx
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND ä« £¨xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_endflag_:
push ecx
push edi
mov ecx,ebp
add edi,12
rep movsb
sub edi,ebp
add edi,8
mov ecx,ebx
rep movsb
pop edi
pop dword ptr [edi+1]
sub esi,dword ptr [esp+4];eax
xchg esi,eax
mov byte ptr [edi+0],al
mov dword ptr [esp+7*4],eax ;á®å࠭塞 à §¬¥à ¢ ¥ å
xchg ebp,eax
mov byte ptr [edi+7],al
mov byte ptr [edi+8],bl
popad
ret ;¢ë室¨¬:)
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
;Š®­¥æ ä㭪樨 _LiTo_ ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SizeOfLiTo equ $-_LiTo_ ;à §¬¥à ä㭪樨 _LiTo_
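Review bot: The prefix scan at `_nextpfx_` re-enters `lodsb` for as long as each byte is found in the `pfx` string, with no count, and nothing later compares the consumed length against the 15-byte instruction limit (the header note that mentions 15 bytes appears to acknowledge this), so a run of prefix bytes is read well past any real instruction before `_endpfx_` is reached. pushad left the start address in the esi slot at `[esp+4]` and ecx is dead at the top of `_nextpfx_` (it is reloaded from the `push SizePfx`), so the bound can be checked there and the function can report a length of 0, which no valid instruction produces, through the same eax-slot/popad exit it already uses; the `_toolong_` block below belongs after the final `ret`. Unrelated to behaviour, the comments are in a legacy code page and render as mojibake, so the file should be transcoded to UTF-8 or its encoding declared in the header.
```asm
_nextpfx_:
        mov     ecx,esi
        sub     ecx,dword ptr [esp+4]   ;bytes consumed so far: pushad saved the start in the esi slot
        cmp     ecx,15
        jae     _toolong_               ;prefix run already fills the 15-byte limit
        lodsb
        ;... unchanged: prefix lookup via repne scasb and the flag updates ...
_toolong_:                              ;placed after the function's final ret
        xor     eax,eax
        mov     dword ptr [esp+7*4],eax ;length 0 = undecodable input
        popad
        ret
```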
@@ -0,0 +1,90 @@
/* yaav */
/* SLDE 0.1v */
/* This is simple lengh disassembler engine for IA32 x86 instruction set.The code is
Operation System independent. For now it supports only the most used one byte
opcodes(without few rarely used opcodes)but i will expand it in future :)
Credits goes to Benny- and Napalm. Thanks guys :) */
#define Prefix 5
#define ModRMy 1
#define ModRMn 0
#define Imm08 8
#define Imm32 32 /*16/32 bit Imm*/
#define ModRM 3 /*Unknown Opcode*/
unsigned char Array[] = "\x67\x66\x81\x05\x11\x11\x00\x00\x11\x11";
unsigned char ModRMTable[] = {
ModRMy,ModRMy,ModRMy,ModRMy,ModRMn+Imm08,ModRMn+Imm32,ModRMn,ModRMn, /*00..07*/
ModRMy,ModRMy,ModRMy,ModRMy,ModRMn+Imm08,ModRMn+Imm32,ModRMn,ModRMn, /* 08..0F*/
ModRMy,ModRMy,ModRMy,ModRMy,ModRMn+Imm08,ModRMn+Imm32,ModRMn,ModRMn, /* 10..17 */
ModRMy,ModRMy,ModRMy,ModRMy,ModRMn+Imm08,ModRMn+Imm32,ModRMn,ModRMn, /* 18..1F */
ModRMy,ModRMy,ModRMy,ModRMy,ModRMn+Imm08,ModRMn+Imm32,Prefix,ModRMn, /* 20..27 */
ModRMy,ModRMy,ModRMy,ModRMy,ModRMn+Imm08,ModRMn+Imm32,Prefix,ModRMn, /* 28..2F */
ModRMy,ModRMy,ModRMy,ModRMy,ModRMn+Imm08,ModRMn+Imm32,Prefix,ModRMn, /* 30..37 */
ModRMy,ModRMy,ModRMy,ModRMy,ModRMn+Imm08,ModRMn+Imm32,Prefix,ModRMn, /* 38..3F */
ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn, /* 40..47 */
ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn, /* 48..4F */
ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn, /* 50..57 */
ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn, /* 58..5F */
ModRMn,ModRMn,ModRMy,ModRMy,Prefix,Prefix,Prefix,Prefix, /* 60..67 */
ModRMn+Imm32,ModRMy+Imm32,ModRMn+Imm08,ModRMy+Imm08,ModRMn,ModRMn,ModRMn,ModRMn, /* 68..6F */
ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08, /* 70..77 */
ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08, /* 78..7F */
ModRMy+Imm08,ModRMy+Imm32,ModRMy+Imm08,ModRMy+Imm08,ModRMy,ModRMy,ModRMy,ModRMy, /* 80..87 */
ModRMy,ModRMy,ModRMy,ModRMy,ModRMy,ModRMy,ModRMy,ModRMy, /* 88..8F */
ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn, /*90..97 */
ModRMn,ModRMn,ModRM/*9A Unknown */,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn, /* 98..9F */
ModRMn+Imm32,ModRMn+Imm32,ModRMn+Imm32,ModRMn+Imm32,ModRMn,ModRMn,ModRMn,ModRMn, /* A0..A7 */
ModRMn+Imm08,ModRMn+Imm32,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn, /* A8..AF */
ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08, /* B0..B7 */
ModRMn+Imm32,ModRMn+Imm32,ModRMn+Imm32,ModRMn+Imm32,ModRMn+Imm32,ModRMn+Imm32,ModRMn+Imm32,ModRMn+Imm32, /* B8..BF */
ModRMy+Imm08,ModRMy+Imm08,ModRM /* RET WORD */,ModRMn,ModRMy,ModRMy,ModRMy+Imm08,ModRMy+Imm32, /* C0..C7 */
ModRM /* C8 Unknown */,ModRMn,ModRM /* RET WORD */,ModRMn,ModRMn,ModRMn+Imm08,ModRMn,ModRMn, /* C8..CF */
ModRMy,ModRMy,ModRMy,ModRMy,ModRMn+Imm08,ModRMn+Imm08,ModRMn,ModRMn, /* D0..D7 */
ModRMy,ModRMy,ModRMy,ModRMy,ModRMy,ModRMy,ModRMy,ModRMy, /* D8..DF */
ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08,ModRMn+Imm08, /* E0..E7 */
ModRMn+Imm32,ModRMn+Imm32,ModRM /*EA Unknown */,ModRMn+Imm08,ModRMn,ModRMn,ModRMn,ModRMn, /* E8..EF */
Prefix,ModRMn,Prefix,Prefix,ModRMn,ModRMn,ModRMy+Imm08,ModRMy+Imm32, /* F0..F7 */
ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMn,ModRMy,ModRMy /* F8..FF */
};
int main()
{
unsigned char *ptr,Mod;
ptr = Array;
int OperandSize = 4,OpcodeSize = 0,Displacement = 4;
DecodePrefixes:
if(ModRMTable[*ptr] == Prefix) {
if (*ptr == 0x66) { OpcodeSize += 1; OperandSize -= 2; } else { OpcodeSize += 1; }
ptr++;
goto DecodePrefixes;
}
OpcodeSize += 1; /* because of the opcode */
if (ModRMTable[*ptr] == Imm08+ModRMy || ModRMTable[*ptr] == Imm08 ) { OpcodeSize += 1; } /*is there a 8 bit Imm */
if (ModRMTable[*ptr] == Imm32+ModRMy || ModRMTable[*ptr] == Imm32 ) { OpcodeSize += OperandSize; } /* is there a 16 or 32 bit imm */
if (ModRMTable[*ptr] == ModRMy || ModRMTable[*ptr] == ModRMy+Imm08 || ModRMTable[*ptr] == ModRMy+Imm32) { /* is there a ModR/M Byte */
OpcodeSize += 1; ptr++; /*read the ModR/M Byte */ goto DecodeMod; }
else { printf ("The Opcode Size Is: %d\n",OpcodeSize); return 0; }
/*Decode ModR/M Byte */
DecodeMod:
Mod = *ptr;
if((Mod >= 0x00 && Mod <= 0x3F) || (Mod >= 0xC0 && Mod <= 0xFF)) { Displacement -= 4; }
if(Mod >= 0x40 && Mod <= 0x7F) { Displacement -= 3; }
OpcodeSize += Displacement;
if((Mod%0x10 == 4) || (Mod%0x10 == 0x0C)) { OpcodeSize += 1;} /* does it have SIB ? */
if(Mod <= 0x3D) { if((Mod%0x10 == 0x05) || (Mod%0x10 == 0x0D)){ OpcodeSize += 4; } }/* is it direct addresation? */
printf ("The Opcode Size Is: %d\n",OpcodeSize);
return 0;
}
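Review bot: `printf` is called at both `printf ("The Opcode Size Is: %d\n",OpcodeSize)` sites but the file has no `#include <stdio.h>` (no includes at all), so it relies on an implicit declaration that C99 removed and current compilers reject. The SIB test `if((Mod%0x10 == 4) || (Mod%0x10 == 0x0C))` ignores the mod field, so a register-direct ModR/M such as 0xC4 is charged an extra byte; `if (Mod < 0xC0 && (Mod & 7) == 4) { OpcodeSize += 1; }` restricts it to memory forms, and the mod=00 SIB-with-base-101 disp32 case is, as far as I can see, not handled either. The `DecodePrefixes` loop and the ModR/M read also advance `ptr` with no end pointer, so an input that ends in a prefix or mid-instruction is read past `Array`; a length bound on `ptr` is the first thing a decoder fed arbitrary bytes needs.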