Re: [Dailydave] DISIT - OPEN SOURCE DISASSEMBLER ENGINE
From: Matt Conover (mconover at gmail.com)
Date: Thu Feb 02 2006 - 03:15:20 CST
On the topic, here is an x64 disassembler:
http://www.cybertech.net/~sh0ksh0k/libdisx64.zip
If you want a command-line disassembler instead of using it as an API, you
can use:
http://www.cybertech.net/~sh0ksh0k/tdisasm.zip
Specifically this disassembler is useful if:
1. You also need support for 16-bit and x86/AMD64 disassembly or
SSE2/SSE3/MMX/3DNow
2. You're more interested in heavy analysis than disassembly. E.g., side
effects like implicit operands, how the instruction affects the stack or
flags, etc.
If you don't meet one of the above conditions, there are better, faster
disassemblers. This was more meant to be used for automated analysis than
human disassembly (hence why the output is not very readable). The best way
to see what kind of instruction decoding is available is to run with
DISASM_VERBOSE. Here is what the disassembly of the XOR decoder looks like from
the jpeg-of-death connectback shellcode:
[0x00000000] [ D9 E1 ] fabs <st(0)>
Instruction type = ITYPE_FPU
Instruction categories = FPU
Operand 1 (length 10) = [ FLOAT SRC DST REG ]
Flags changed = [ FPU_ALL ]
[0x00000002] [ D9 34 24 ] fstenv 28_byte ptr ss:[esp]
Instruction type = ITYPE_FSTORE
Instruction categories = FPU
Operand 1 (length 28) = [ DST REG ADDR ]
[0x00000009] [ 80 E8 E7 ] sub al, 0xE7=231
Instruction type = ITYPE_SUB
Instruction categories = ARITH
Operand 1 (length 1) = [ DST REG ]
Operand 2 (length 1) = [ IMM SRC ]
Flags changed = [ FLAGS_ALL ]
[0x0000000C] [ 31 C9 ] xor ecx, ecx
Instruction type = ITYPE_XOR
Instruction categories = LOGIC
Operand 1 (length 4) = [ DST REG ]
Operand 2 (length 4) = [ SRC REG ]
Flags cleared = [ CF=Carry OF=Overflow ]
Flags changed = [ FLAGS_ALL ]
[0x0000000E] [ 66 81 E9 AC FE ] sub cx, 0xFEAC=65196
Instruction type = ITYPE_SUB
Instruction categories = ARITH
Operand 1 (length 2) = [ DST REG ]
Operand 2 (length 2) = [ IMM SRC ]
Prefix bytes = [ 66 = OperandSize ]
Flags changed = [ FLAGS_ALL ]
[0x00000013] [ 80 30 92 ] xor byte ptr ds:[eax], 0x92=146
Instruction type = ITYPE_XOR
Instruction categories = LOGIC
Operand 1 (length 1) = [ DST REG ADDR ]
Operand 2 (length 1) = [ IMM SRC ]
Flags cleared = [ CF=Carry OF=Overflow ]
Flags changed = [ FLAGS_ALL ]
[0x00000016] [ 40 ] inc <eax>
Instruction type = ITYPE_INC
Instruction categories = ARITH
Operand 1 (length 4) = [ SRC DST REG ]
Flags changed = [ FLAGS_ALL ]
[0x00000017] [ E2 FA ] loop [eip+ilen-(0x06=6)]=0x00000013
Instruction type = ITYPE_LOOPCC
Instruction categories = EXEC
Operand 1 (length 1) = [ OFF SIGNED COND_R IP_REL EXEC SRC REG ADDR ] =
0x13
Preconditions = [ ECX!=0 ]
ResultsIfTrue = [ ->OP1 ECX-- ]
ResultsIfFalse = [ ]
Determined conditional jump:
BranchIfTrue -> 0x13
BranchIfFalse -> 0x19
[0x00000017] End of code block reached
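As an added example (not code from libdisx64 or from the post), a small Python decoder for just the opcodes in the listing above: it applies the 0x66 operand-size prefix, splits ModRM into mod/reg/rm, and computes the loop target the same way the verbose output's [eip+ilen-6] expression does. decode() returns (offset, length, text) per instruction; the bytes are copied from the listing, and the run starting at 0x9 is decoded with base=9 because the listing shows nothing for 0x5..0x8.

```python
import struct
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
GROUP1 = {0: "add", 1: "or", 4: "and", 5: "sub", 6: "xor", 7: "cmp"}  # 80/81 /reg field

def rm_operand(mod, rm, regs):
    # only the two ModRM forms the listing uses: register (mod=11) and [reg] (mod=00)
    if mod == 3:
        return regs[rm]
    if mod == 0 and rm not in (4, 5):       # rm=4 would need a SIB byte, rm=5 is disp32
        return "[%s]" % REG32[rm]
    raise NotImplementedError("addressing form not covered")

def decode(code, base=0):
    out, ip = [], 0
    while ip < len(code):
        start, opsize = ip, 4
        if code[ip] == 0x66:                # operand-size prefix: 32-bit operands become 16-bit
            opsize, ip = 2, ip + 1
        op = code[ip]
        if op == 0xD9 and code[ip + 1] == 0xE1:                  # fabs
            text, ip = "fabs st(0)", ip + 2
        elif op == 0xD9 and code[ip + 1:ip + 3] == b"\x34\x24":  # D9 /6 with SIB, base=esp
            text, ip = "fstenv [esp]", ip + 3
        elif op in (0x80, 0x81):                                 # group 1: r/m, imm
            modrm = code[ip + 1]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if op == 0x80:                                       # r/m8, imm8
                imm, ilen, regs = code[ip + 2], 3, REG8
            elif opsize == 2:                                    # prefix shrinks imm32 to imm16
                imm, ilen, regs = struct.unpack_from("<H", code, ip + 2)[0], 4, REG16
            else:
                imm, ilen, regs = struct.unpack_from("<I", code, ip + 2)[0], 6, REG32
            text, ip = "%s %s, 0x%X" % (GROUP1[reg], rm_operand(mod, rm, regs), imm), ip + ilen
        elif op == 0x31:                                         # xor r/m, r
            m, regs = code[ip + 1], (REG16 if opsize == 2 else REG32)
            text, ip = "xor %s, %s" % (rm_operand(m >> 6, m & 7, regs), regs[(m >> 3) & 7]), ip + 2
        elif 0x40 <= op <= 0x47:                                 # inc r32
            text, ip = "inc " + REG32[op - 0x40], ip + 1
        elif op == 0xE2:                                         # loop rel8: target = next ip + rel8
            rel, ip = struct.unpack_from("<b", code, ip + 1)[0], ip + 2
            text = "loop 0x%X" % (base + ip + rel)
        else:
            raise NotImplementedError("opcode 0x%02X" % op)
        out.append((base + start, ip - start, text))
    return out

# Constructed inputs copied from the listing; it shows nothing for 0x5..0x8, so each run gets its own base
FPU_BYTES = bytes.fromhex("D9E1 D93424")
DECODER_BYTES = bytes.fromhex("80E8E7 31C9 6681E9ACFE 803092 40 E2FA")
```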