;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ;
; ;
; ### ;
; ### ;
; ### #################################################### ;
; ### #################################################### ;
; ### ### ### ;
; ### ### ### ######### ### ;
; ### ### ### ########### ;
; ### ### ## ## ;
; ### ### ### ## ## ;
; ### ### ### ## ## ;
; ### ### ### ### ## ## ;
; ### ### ### ### ## ## ;
; ############ ### ### ########### ;
; ################################################################ ;
; ;
; ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ;
; Advanced Length dIsassembler moTOr:) ;
; ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ;
; Version 2.1 ;
; ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;function _LiTo_ ;
;disassembly of a machine instruction ;
;determination of the length of a machine instruction ;
;Input: ;
;esi - address of the machine instruction being decoded ;
;edi - pointer to the output structure (or buffer) (let us call it INSTR:) ;
;Output: ;
;in eax - the length of the machine instruction. ;
;Notes: ;
;(x) The output structure (or buffer) is filled in while the instruction is ;
;being disassembled and must have the following layout: ;
; ;
; INSTR1 struct ;
; (+ 00) len_com db 00h ; - instruction length; ;
; (+ 01) flags dd 00h ; - the flags that were set ;
; (+ 05) seg db 00h ; - segment override (if any); ;
; (+ 06) repx db 00h ; - prefix (0F2h/0F3h) (if any); ;
; (+ 07) len_offset db 00h ; - displacement size; ;
; (+ 08) len_operand db 00h ; - operand size; ;
; (+ 09) opcode db 00h ; - opcode (if opcode=0Fh, then ;
; ; the 2nd opcode byte is stored here and ;
; ; the B_OPCODE2 flag is set); ;
; (+ 10) modrm db 00h ; - MODRM byte (likewise, if present) ;
; (+ 11) sib db 00h ; - SIB byte ;
; (+ 12) offset db 8 dup (00h); - instruction displacement ;
; (+ 20) operand db 8 dup (00h); - instruction operand ;
; INSTR1 ends ;
; ;
;(x) only general purpose & fpu instructions are understood (for now) ;
; (the rest - into the furnace:)! ;
;(x) there is no check against the maximum instruction length (15 bytes) (to hell with it) ;
;(x) How these tables are built: ;
; VERY SIMPLY: since this disassembler uses flags with numeric values <=8, ;
; half a byte is enough to hold one flag ;
; (the maximum value =8 (B_PREFIX6X) - in binary =1000b). ;
; Knowing this, we simply cram 2 flags into one byte - that's all. Thus ;
; each 256-byte table is cut down to 128. ;
;(x) For 32-bit executable code. ;
;(x) Whoever wants to can add the remaining instructions and all those ;
; checks themselves. ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;
;
;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; FEATURES: ;
;(+) position independence ;
;(+) packed tables ;
; ;
;(-) adding new instructions is tedious ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;
;
;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; USAGE: ;
;1) Include: ;
; lito.asm ;
;2) Call: (example) ;
; lea esi,XXXXXXXXh ;address of the instruction whose length is wanted ;
; lea edi,XXXXXXXXh ;lea edi,INSTR1 ;
; call _LiTo_ ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;m1x
;pr0mix@mail.ru
_LiTo_:
;-----------------------------------------------------------------------
; _LiTo_ - x86-32 instruction length decoder (see the file header).
; In:    esi = address of the instruction to decode
;        edi = pointer to the 28-byte INSTR1 output record
; Out:   eax = instruction length (_delta_lito_ writes it into the pushad
;              eax slot, so popad returns it); every other register is
;              restored by the pushad/popad pair. DF is left cleared (cld).
; Notes: position independent - the call below exists only to obtain the
;        runtime address of `pfx`; the bytes after it are data (prefix
;        string and flag tables) that _delta_lito_ skips over by popping
;        the return address instead of returning to it.
;        Input bytes are read with lodsb with no upper bound (no 15-byte
;        maximum-length check), so the caller must guarantee that the
;        bytes at esi are readable, and that [edi..edi+27] is writable.
;-----------------------------------------------------------------------
pushad
call _delta_lito_ ;pushes the address of pfx, which _delta_lito_ pops into ebp
;===================================================================================
;prefix string: the legacy prefix bytes the scanner recognises.
;Order matters: the first six are the segment overrides (`cmp ecx,5` in the scan
;relies on it), then F2/F3 (rep), F0 (lock), 66 (operand size), 67 (address size).
pfx:
db 2Eh,36h,3Eh,26h,64h,65h,0F2h,0F3h,0F0h,66h,67h
SizePfx equ $-pfx ;length of pfx (11 bytes)
;===================================================================================
;flag table for one-byte opcodes (packed: two 4-bit flag nibbles per byte).
;Indexed by opcode>>1; the EVEN opcode of each pair is the HIGH nibble, the ODD
;opcode the LOW nibble (see the shr eax,1 / jc / shr cl,4 sequence at _01_).
;Each nibble is a combination of B_MODRM(1) | B_DATA8(2) | B_DATA16(4) |
;B_PREFIX6X(8). Row comment = high hex digit of the opcode, column header =
;the two low digits packed in that byte.
TableFlags1:
; 01 23 45 67 89 AB CD EF
db 11h,11h,28h,00h,11h,11h,28h,00h ;00  x0-x3 ALU r/m, x4 imm8, x5 imm16/32, x6/x7 push/pop seg
db 11h,11h,28h,00h,11h,11h,28h,00h ;01  same layout as row 00
db 11h,11h,28h,00h,11h,11h,28h,00h ;02  same layout as row 00
db 11h,11h,28h,00h,11h,11h,28h,00h ;03  same layout as row 00
db 00h,00h,00h,00h,00h,00h,00h,00h ;04  inc/dec r32: no operands
db 00h,00h,00h,00h,00h,00h,00h,00h ;05  push/pop r32: no operands
db 00h,11h,00h,00h,89h,23h,00h,00h ;06  62/63 modrm, 68 imm16/32, 69 modrm+imm16/32, 6A imm8, 6B modrm+imm8
db 22h,22h,22h,22h,22h,22h,22h,22h ;07  jcc rel8
db 39h,33h,11h,11h,11h,11h,11h,11h ;08  80/82/83 modrm+imm8, 81 modrm+imm16/32, 84-8F modrm
db 00h,00h,00h,00h,00h,0C0h,00h,00h ;09  9A call far ptr (imm16 selector + imm16/32 offset)
db 88h,88h,00h,00h,28h,00h,00h,00h ;0A  A0-A3 moffs (size chosen by 0x67, see _opcode_), A8 imm8, A9 imm16/32
db 22h,22h,22h,22h,88h,88h,88h,88h ;0B  B0-B7 imm8, B8-BF imm16/32
db 33h,40h,11h,39h,60h,40h,02h,00h ;0C  C0/C1 modrm+imm8, C2 imm16, C4-C7 modrm (C6 +imm8, C7 +imm16/32), C8 imm16+imm8, CA imm16, CD imm8
db 11h,11h,22h,00h,11h,11h,11h,11h ;0D  D0-D3 modrm, D4/D5 imm8, D8-DF FPU modrm
db 22h,22h,22h,22h,88h,0C2h,00h,00h ;0E  E0-E7 imm8, E8/E9 rel16/32, EA jmp far ptr, EB rel8
db 00h,00h,00h,11h,00h,00h,00h,11h ;0F  F6/F7 modrm (imm added when reg==0, see _02_), FE/FF modrm
;===================================================================================
;flag table for two-byte (0F xx) opcodes; same packing and indexing as TableFlags1,
;selected by adding 80h to the table index (cl=80h set in _search_jxx_call_jmp_).
;Only general-purpose instructions are tabled: the MMX/SSE rows are 00h, and the
;0F AE group (fxsave/ldmxcsr/fences) is tabled as having no ModRM, so lengths for
;those come out wrong - see the scope note in the file header.
TableFlags2:
; 01 23 45 67 89 AB CD EF
db 11h,11h,00h,00h,00h,00h,01h,00h ;00  0F00-0F03 modrm, 0F0D modrm
db 00h,00h,00h,00h,00h,00h,00h,01h ;01  0F1F modrm
db 11h,11h,00h,00h,00h,00h,00h,00h ;02  0F20-0F23 mov cr/dr modrm
db 00h,00h,00h,00h,00h,00h,00h,00h ;03
db 11h,11h,11h,11h,11h,11h,11h,11h ;04  cmovcc modrm
db 00h,00h,00h,00h,00h,00h,00h,00h ;05
db 00h,00h,00h,00h,00h,00h,00h,00h ;06
db 00h,00h,00h,00h,00h,00h,00h,00h ;07
db 88h,88h,88h,88h,88h,88h,88h,88h ;08  jcc rel16/32
db 11h,11h,11h,11h,11h,11h,11h,11h ;09  setcc modrm
db 00h,01h,31h,00h,00h,01h,31h,01h ;0A  A3/AB/AD/AF modrm, A4/AC modrm+imm8 (AE tabled as 0)
db 11h,11h,11h,11h,00h,31h,11h,11h ;0B  B0-B7 modrm, BA modrm+imm8, BB-BF modrm
db 11h,00h,00h,01h,00h,00h,00h,00h ;0C  C0/C1 xadd modrm, C7 cmpxchg8b modrm, C8-CF bswap
db 00h,00h,00h,00h,00h,00h,00h,00h ;0D
db 00h,00h,00h,00h,00h,00h,00h,00h ;0E
db 00h,00h,00h,00h,00h,00h,00h,00h ;0F
;===================================================================================
SizeTbl equ $-pfx ;bytes from pfx to the end of the tables; nothing else is emitted before _delta_lito_, so this is also _delta_lito_-pfx (used to rebase ebp)
;===================================================================================
;flags (B_* bits). The low nibble values 1/2/4/8 are what the packed tables store;
;the higher bits are OR-ed in by the prefix/opcode scan. The combined word is
;stored as a dword in INSTR1.flags (+01).
;-----------------------------------------------------------------------------------
B_NONE equ 00h ;no flags
B_MODRM equ 01h ;present byte MODRM
B_DATA8 equ 02h ;present imm8,rel8, etc
B_DATA16 equ 04h ;present imm16,rel16, etc
B_PREFIX6X equ 08h ;present imm16/imm32 (imm16 when prefix 0x66 is present; for opcodes 0xA0-0xA3 the 0x67 prefix decides instead)
B_SEG equ 10h ;present segment override (example: 0x2e,0x3E, etc)
B_PFX66 equ 20h ;present byte 0x66
B_PFX67 equ 40h ;present byte 0x67
B_LOCK equ 80h ;present byte LOCK (0xF0)
B_REP equ 100h ;present byte rep[e/ne] (0xF2/0xF3)
B_OPCODE2 equ 200h ;present second opcode (first opcode=0x0F)
B_SIB equ 400h ;present byte SIB
B_RELX equ 800h ;present jxx/jmp/call (rel8,rel16,rel32)
;===================================================================================
;-----------------------------------------------------------------------
; _delta_lito_ - body of _LiTo_. Entered via `call` purely so that the
; return address (= address of pfx) can be popped into ebp; it never
; returns to the call site but popad/rets straight to _LiTo_'s caller.
; In:    esi = instruction bytes, edi = INSTR1 record (from _LiTo_)
;        after the pop, [esp] is _LiTo_'s pushad frame
; Out:   INSTR1 filled; length written into the pushad eax slot.
; Register roles while decoding:
;   ebp   = pfx base, then flag-table base, then displacement length
;   bx    = accumulated B_* flags (merged into cx at _01_), then opcode,
;           then SIB countdown, then immediate length
;   dl/dh = 1 if a 0x66 / 0x67 prefix was seen, else 0
;   cl    = 0 or 80h (TableFlags1/TableFlags2 select), then the nibble flags
;-----------------------------------------------------------------------
_delta_lito_:
pop ebp ;ebp = return address = address of pfx (position-independent base)
cld ;lodsb/scasb/movsb move forward; DF stays cleared on return (popad does not restore flags)
xor eax,eax ;eax=0 so lodsb leaves a zero-extended byte in eax
xor ebx,ebx ;bx = flags accumulator
cdq ;edx=0: dl(0/1) - 0x66 prefix absent/present
; dh(0/1) - 0x67 prefix absent/present
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG prefix scanxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_nextpfx_:
lodsb ;fetch the next instruction byte (unbounded: a run of prefix bytes keeps this loop reading)
push edi
lea edi,[ebp+(pfx-_delta_lito_+SizeTbl)] ;edi = address of the prefix string (the constant folds to 0 since _delta_lito_ = pfx+SizeTbl)
db 6Ah,SizePfx ;hand-encoded `push SizePfx` (6Ah = push imm8)
pop ecx ;ecx = SizePfx
repne scasb ;is this byte one of the known prefixes?
pop edi
jne _endpfx_ ;no: al holds the first opcode byte, stop scanning
cmp ecx,5 ;a match at pfx[0..5] leaves ecx>=5: segment override
jl _lock_
or bl,B_SEG
mov byte ptr [edi+05h],al ;seg
_lock_:
cmp al,0F0h
jne _rep_
or bl,B_LOCK
_rep_:
mov ch,al
and ch,0FEh ;F2/F3 -> F2
cmp ch,0F2h
jne _66_
or bx,B_REP
mov byte ptr [edi+06h],al ;rep
_66_:
cmp al,66h ;otherwise: is it 0x66 (operand size)?
jne _67_
mov dl,1
or bl,B_PFX66
_67_:
cmp al,67h ;otherwise: is it 0x67 (address size)?
jnz _nextpfx_ ;if not, look for further prefixes
mov dh,1
or bl,B_PFX67
jmp _nextpfx_ ;keep scanning
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND prefix scanxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_endpfx_:
_search_jxx_call_jmp_:
mov ch,al
and ch,0FEh
cmp ch,0E8h ;E8/E9: call/jmp rel16/32
je _jxxok_
mov ch,al
and ch,11110000b
cmp ch,70h ;70-7F: jcc rel8
je _jxxok_
cmp al,0EBh ;EB: jmp rel8
je _jxxok_
cmp al,0Fh ;two-byte opcode?
jne _opcode_
lodsb ;yes: fetch the second opcode byte
mov cl,80h ;and select TableFlags2 (index offset 80h)
or bx,B_OPCODE2
mov ch,al
and ch,11110000b
cmp ch,80h ;0F 80-8F: jcc rel16/32
jne _opcode_
_jxxok_:
or bx,B_RELX ;B_RELX only tags the instruction; its operand size still comes from the flag table
;-----------------------------------------------------------------------------------
_opcode_:
xor ch,ch ;ecx = 0 or 80h
mov byte ptr [edi+09h],al ;save opcode (the second byte when B_OPCODE2 is set)
lea ebp,[ebp+ecx+(TableFlags1-_delta_lito_+SizeTbl)];ebp = address of the selected flag table (pfx base + table offset + 0/80h)
cmp al,0A0h ;one-byte opcodes A0-A3 (mov al/eax,moffs): the moffs size
jl _01_ ; follows the 0x67 address-size prefix, not 0x66, so dl=dh is
cmp al,0A3h ; substituted for them. These are signed compares, but the
jg _01_ ; pair still brackets exactly [A0,A3] for every value of al.
test cl,cl ;not for 0F A0-A3
jne _01_
mov dl,dh ;dl = 0x67 seen
;-----------------------------------------------------------------------------------
_01_:
push eax ;keep the opcode for the F6/F7 check below
shr eax,1 ;table index = opcode>>1, CF = low opcode bit
mov cl,byte ptr [ebp+eax] ;cl = packed flag pair for this opcode
jc _noCF_ ;odd opcode: low nibble
shr cl,4 ;even opcode: high nibble
_noCF_:
and cl,0Fh
xor ebp,ebp ;ebp = displacement length in bytes, built up below
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG ModRM decodexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
or ecx,ebx ;cx = table nibble | prefix/relx/opcode2 flags
pop ebx ;bl=opcode
test cl,B_MODRM ;is a ModRM byte present?
je _endmodrm_ ;no: go straight to the immediate handling
lodsb ;al=modrm
mov byte ptr [edi+10],al ;MODRM
mov ah,al
;-----------------------------------------------------------------------------------
shr ah,6 ;ah=mod
;-----------------------------------------------------------------------------------
test al,38h ;reg field == 0?
jne _03_
sub bl,0F6h ;if so: opcode F6 (test r/m8,imm8) ...
jne _02_
or cl,B_DATA8 ;... carries an imm8 after the ModRM
_02_:
dec ebx ;... and F7 (test r/m32,imm16/32) ...
jne _03_
or cl,B_PREFIX6X ;... an imm16/32
;-----------------------------------------------------------------------------------
_03_:
and al,07h ;al = rm
xor ebx,ebx ;bl reaches 0 at _sib_ exactly when a SIB byte is present
mov bh,ah ;bh=mod
cmp dh,1 ;0x67 prefix (16-bit addressing) present?
je _mod00_ ;yes: 16-bit addressing has no SIB
cmp al,4 ;otherwise rm==4 ...
jne _mod00_
inc ebx ;... means a SIB follows (for mod 0..2)
;-----------------------------------------------------------------------------------
_mod00_:
test ah,ah ;mod==0?
jne _mod01_
dec dh ;0x67 present? (dh 1->0 falls through, 0->FFh jumps)
jne _nop67_
cmp al,6 ;16-bit: rm==6 -> disp16
jne _sib_
inc ebp ;displacement length = 2 (16 bit)
inc ebp
_nop67_:
cmp al,5 ;32-bit: rm==5 -> disp32
jne _sib_
add ebp,4 ;displacement length = 4 (32 bit)
jmp _sib_
;-----------------------------------------------------------------------------------
_mod01_: ;mod==1?
dec ah
jne _mod02_
inc ebp ;disp8: ebp=1
jmp _sib_
;-----------------------------------------------------------------------------------
_mod02_: ;mod==2?
dec ah
jne _mod03_
inc ebp ;ebp=2 (disp16 under 0x67)
inc ebp
dec dh ;0x67 present? then disp16 is final
je _sib_
inc ebp ;otherwise disp32: ebp+=2
inc ebp
inc ebx ;pre-compensate the `dec bl` this path falls into at _mod03_
;-----------------------------------------------------------------------------------
_mod03_: ;mod==3 (register operand)
dec bl ;definitely no SIB: make bl miss 0 at _sib_
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND ModRM decodexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG SIB fetchxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_sib_:
dec bl ;SIB byte present? (bl hits 0 only on the rm==4 paths above)
jne _endmodrm_
or cx,B_SIB
lodsb ;al=sib
mov byte ptr [edi+11],al ;SIB
and al,7 ;al = base field
cmp al,5 ;base==5 ...
jne _endmodrm_
test bh,bh ;... with mod==0 ...
jne _endmodrm_
push 4 ;... means no base register and a disp32
pop ebp
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND SIB fetchxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG immediate sizexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_endmodrm_:
xor ebx,ebx ;ebx = immediate length in bytes
test cl,B_DATA8 ;imm8/rel8 present?
je _nf1_
inc ebx
_nf1_:
test cl,B_DATA16 ;imm16 present?
je _nf2_
inc ebx
inc ebx
_nf2_:
test cl,B_PREFIX6X ;imm16/imm32 present?
je _endflag_
dec dl ;0x66 (0x67 for [A0,A3]) present? then 2 bytes, else 4
je _okp66_
inc ebx
inc ebx
_okp66_:
inc ebx
inc ebx
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND immediate sizexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_endflag_:
push ecx ;flags, stored into INSTR1.flags below
push edi
mov ecx,ebp
add edi,12 ;INSTR1.offset (+12)
rep movsb ;copy the displacement bytes (ebp <= 4)
sub edi,ebp
add edi,8 ;INSTR1.operand (+20)
mov ecx,ebx
rep movsb ;copy the immediate bytes (ebx <= 7, field is 8)
pop edi
pop dword ptr [edi+1] ;INSTR1.flags = ecx (B_* bits)
sub esi,dword ptr [esp+4];esi -= the esi saved by pushad = bytes consumed = instruction length
xchg esi,eax ;eax = length (esi is restored by popad anyway)
mov byte ptr [edi+0],al ;INSTR1.len_com
mov dword ptr [esp+7*4],eax ;overwrite the pushad eax slot so popad returns the length in eax
xchg ebp,eax ;al = displacement length
mov byte ptr [edi+7],al ;INSTR1.len_offset
mov byte ptr [edi+8],bl ;INSTR1.len_operand
popad
ret ;return to _LiTo_'s caller (the _delta_lito_ return address was consumed by the pop above)
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
;End of function _LiTo_ ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SizeOfLiTo equ $-_LiTo_ ;size of function _LiTo_ (code plus embedded tables)