MalwareSourceCode/Libs/Win32/Disassembler/VirTool.Win32.Disassembler.4553_LDE.txt

902 lines
13 KiB
Plaintext
Raw Permalink Normal View History

2020-10-16 20:28:58 +00:00
/*
*
* ____| | | _) ___| |
* __| | _ \ __| __| __| _ \ __ \ | __|\___ \ _ \ | | | __|
* | | __/ ( | | ( | | | | ( | ( | | | |\__ \
* _____|_|\___|\___|\__|_| \___/ _| _|_|\___|_____/ \___/ \____|_|____/
*
* Presents
*
* [ 0x4553_LDE - 16/32-bit Length Disassembler Engine ]
*
* (c) Ares, 2003
*
*[-----------------------------------------------------------------------------------]
* Description:
* It based on ADE32 disassembler engine by z0mbie, modified and ported to AT&T asm.
*
* table.h - contain table of opcodes from 0x00 to 0xFF,
* it define the type of each other.
*
* Usage:
* There is the main function l_disasm(). It get one parameter from stack,
* which point to array with data. Return value reside in %eax - length of opcode.
*
* Example:
* ...
* mov data,%eax
* add $123,%eax # data[123]
* push %eax
* call l_disasm
* ...
*
* Section Headers:
* [Nr] Name Type Addr Off Size ES Flg Lk Inf Al
* [ 0] NULL 00000000 000000 000000 00 0 0 0
* [ 1] .text PROGBITS 08048074 000074 0002c2 00 AX 0 0 4
* [ 2] .data PROGBITS 08049380 000380 000800 00 WA 0 0 4
* ...
* = AA5(hex) = 2725(dec)
*
*[-----------------------------------------------------------------------------------]
*
* version: 1.0BETA
*
*/
.include "table.h"
.text
# little defines
diza = 12
buffer = -4
flag1 = -52
flag2 = -51
opcode = -53
t = -60
mod = -61
rm = -62
a = -68
b = -72
counter = -76
.globl l_disasm
l_disasm:
pushl %ebp
movl %esp,%ebp
movl 8(%ebp),%eax
movl %eax,buffer(%ebp) # buf
leal -48(%ebp),%eax # temp diza structure
movl %eax,diza(%ebp) # diza
movb $4,1(%eax) # filling structure
movb $4,(%eax)
movl $0,flag1(%ebp) # flag1 = 0
loop:
movl buffer(%ebp),%eax
movb (%eax),%dl
movb %dl,opcode(%ebp) # opcode
incl buffer(%ebp) # buf++;
movzbl opcode(%ebp),%eax
leal 0(,%eax,4),%edx
movl $op_tab,%eax
movl (%edx,%eax),%edx
movl %edx,t(%ebp) # t = op_tab[opcode]
movb t(%ebp),%al
andb $0xF8,%al
testb %al,%al
je check_opcode
movl flag1(%ebp),%eax
andl t(%ebp),%eax
testl %eax,%eax
jne return
movl t(%ebp),%edx
orl %edx,flag1(%ebp)
# prefix/mod/rm/flags/opcodes...checking
# no reason to comment all this stuff...
check_prefix:
movb t(%ebp),%al
test %esi,%esi
jne chp1
andb $0x10,%al
testb %al,%al
je chp1
jmp chpn
chp1:
movb t(%ebp),%al
incl %esi
andb $0x20,%al
testb %al,%al
je cp_sub2
chpn:
movl diza(%ebp),%eax
movl diza(%ebp),%edx
movb 1(%edx),%cl
xorb $6,%cl
movb %cl,1(%eax)
jmp loop
cp_sub2:
movb t(%ebp),%al
andb $0x80,%al
testb %al,%al
je cp_sub3
movl diza(%ebp),%eax
movb opcode(%ebp),%dl
movb %dl,21(%eax)
jmp loop
cp_sub3:
movb t(%ebp),%al
andb $0x40,%al
testb %al,%al
je loop
movl diza(%ebp),%eax
movb opcode(%ebp),%dl
movb %dl,20(%eax)
check_opcode:
movl t(%ebp),%eax
orl %eax,flag1(%ebp)
movl diza(%ebp),%eax
movb opcode(%ebp),%dl
movb %dl,22(%eax)
cmpb $15,opcode(%ebp)
jne co_sub1
movl buffer(%ebp),%ebx
movb (%ebx),%al
movb %al,opcode(%ebp)
incl buffer(%ebp)
movl diza(%ebp),%eax
movb opcode(%ebp),%dl
movb %dl,23(%eax)
movzbl opcode(%ebp),%eax
leal 256(%eax),%edx
leal 0(,%edx,4),%eax
movl $op_tab,%edx
movl (%eax,%edx),%ecx
orl %ecx,flag1(%ebp)
cmpl $-1,flag1(%ebp)
jne check_mod
jmp return
co_sub1:
cmpb $0xF7,opcode(%ebp)
jne co_sub2
movl buffer(%ebp),%eax
movb (%eax),%dl
andb $0x38,%dl
testb %dl,%dl
jne check_mod
orb $0x20,flag2(%ebp)
jmp check_mod
co_sub2:
cmpb $0xF6,opcode(%ebp)
jne check_mod
movl buffer(%ebp),%eax
movb (%eax),%dl
andb $0x38,%dl
testb %dl,%dl
jne check_mod
orb $1,flag2(%ebp)
check_mod:
movl flag1(%ebp),%eax
andl $0x4000,%eax
testl %eax,%eax
je checks_complete
movl buffer(%ebp),%edi
movb (%edi),%al
movb %al,opcode(%ebp)
incl buffer(%ebp)
movl diza(%ebp),%eax
movb opcode(%ebp),%dl
movb %dl,24(%eax)
movb opcode(%ebp),%al
andb $0x38,%al
cmpb $0x20,%al
jne cm_sub1
movl diza(%ebp),%eax
cmpb $0xFF,22(%eax)
jne cm_sub1
orb $4,-50(%ebp) # flag
cm_sub1:
movb opcode(%ebp),%al
andb $0xC0,%al
movb %al,mod(%ebp)
movb opcode(%ebp),%dl
andb $7,%dl
movb %dl,rm(%ebp)
cmpb $0xC0,mod(%ebp)
je checks_complete
movl diza(%ebp),%eax
cmpb $4,(%eax)
jne cm_sub5
cmpb $4,rm(%ebp)
jne cm_sub2
orb $8,flag2(%ebp)
movl buffer(%ebp),%edi
movb (%edi),%al
movb %al,opcode(%ebp)
incl buffer(%ebp)
movl diza(%ebp),%eax
movb opcode(%ebp),%dl
movb %dl,25(%eax)
movb opcode(%ebp),%cl
andb $7,%cl
movb %cl,rm(%ebp)
cm_sub2:
cmpb $0x40,mod(%ebp)
jne cm_sub3
orb $1,flag1(%ebp)
jmp checks_complete
cm_sub3:
cmpb $0x80,mod(%ebp)
jne cm_sub4
orb $4,flag1(%ebp)
jmp checks_complete
cm_sub4:
cmpb $5,rm(%ebp)
jne checks_complete
orb $4,flag1(%ebp)
jmp checks_complete
cm_sub5:
cmpb $0x40,mod(%ebp)
jne cm_sub6
orb $1,flag1(%ebp)
jmp checks_complete
cm_sub6:
cmpb $0x80,mod(%ebp)
jne cm_sub7
orb $2,flag1(%ebp)
jmp checks_complete
cm_sub7:
cmpb $6,rm(%ebp)
jne checks_complete
orb $2,flag1(%ebp)
checks_complete:
movl diza(%ebp),%eax
movl flag1(%ebp),%edx
movl %edx,8(%eax)
movl flag1(%ebp),%eax
andl $7,%eax
movl %eax,a(%ebp)
movl flag1(%ebp),%edx
andl $0x700,%edx
shrl $8,%edx
movl %edx,b(%ebp)
movl flag1(%ebp),%eax
andl $0x1000,%eax
testl %eax,%eax
je cc_sub1
movl diza(%ebp),%eax
movzbl (%eax),%edx
addl %edx,a(%ebp)
cc_sub1:
movl flag1(%ebp),%eax
andl $0x2000,%eax
testl %eax,%eax
je cc_sub2
movl diza(%ebp),%eax
movzbl 1(%eax),%edx
addl %edx,b(%ebp)
cc_sub2:
movl diza(%ebp),%eax
movl a(%ebp),%edx
movl %edx,diza(%eax)
movl diza(%ebp),%eax
movl b(%ebp),%edx
movl %edx,16(%eax)
movl $0,counter(%ebp)
cc_sub3:
movl counter(%ebp),%eax
cmpl a(%ebp),%eax
jnb cc_sub4
movl diza(%ebp),%edx
leal 28(%edx),%eax
movl counter(%ebp),%edx
movl buffer(%ebp),%ecx
movl %ecx,(%edx,%eax)
incl buffer(%ebp)
incl counter(%ebp)
jmp cc_sub3
cc_sub4:
movl $0,counter(%ebp)
cc_sub5:
movl counter(%ebp),%eax
cmpl b(%ebp),%eax
jnb cc_sub6
movl diza(%ebp),%edx
leal 36(%edx),%eax
movl counter(%ebp),%edx
movl buffer(%ebp),%ecx
movl %ecx,(%edx,%eax)
incl buffer(%ebp)
incl counter(%ebp)
jmp cc_sub5
cc_sub6:
movl buffer(%ebp),%eax
subl 8(%ebp),%eax
return:
leave
ret
/****************************************************
.include "0x4553_LDE.s"
.globl main
main:
push %ebp
mov %esp,%ebp
push $2
push $file
call open
mov %eax,fd
push $424
call malloc
mov %eax,data
push $424
push data
push fd
call read
mov data,%eax
add $0x74,%eax # entry point, first instruction - xor %eax,%eax
push %eax
call l_disasm
push %eax
push $l
call printf
call exit
l:.string"Lenght of instruction: %d\n"
file: .string "test"
.comm fd,4,4
.comm data,424,4
*****************************************************/
/****************************************************
table.h
.globl op_tab
.data
op_tab:
.long 16384 # 0x00
.long 16384 # 0x01
.long 16384 # 0x02
.long 16384 # ...
.long 256
.long 8192
.long 32768
.long 32768
.long 16384
.long 16384
.long 16384
.long 16384
.long 256
.long 8192
.long 32768
.long 65536
.long 49152
.long 16384
.long 49152
.long 16384
.long 33024
.long 40960
.long 32768
.long 32768
.long 49152
.long 16384
.long 16384
.long 16384
.long 33024
.long 40960
.long 32768
.long 32768
.long 16384
.long 16384
.long 16384
.long 16384
.long 256
.long 8192
.long 32896
.long 32768
.long 16384
.long 16384
.long 16384
.long 16384
.long 256
.long 8192
.long 32896
.long 32768
.long 16384
.long 16384
.long 16384
.long 16384
.long 256
.long 8192
.long 32896
.long 32768
.long 16384
.long 16384
.long 16384
.long 16384
.long 256
.long 8192
.long 32896
.long 32768
.long 0
.long 0
.long 0
.long 0
.long 32768
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 32768
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 0
.long 32768
.long 0
.long 0
.long 0
.long 32768
.long 32768
.long 49152
.long 49152
.long 128
.long 32896
.long 32
.long 16
.long 8192
.long 24576
.long 256
.long 16640
.long 32768
.long 32768
.long 32768
.long 32768
.long 164096
.long 164096
.long 131328
.long 131328
.long 131328
.long 131328
.long 131328
.long 131328
.long 131328
.long 131328
.long 164096
.long 164096
.long 131328
.long 131328
.long 131328
.long 131328
.long 16640
.long 24576
.long 49408
.long 16640
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 49152
.long 16384
.long 49152
.long 16384
.long 0
.long 0
.long 0
.long 32768
.long 32768
.long 32768
.long 32768
.long 32768
.long 32768
.long 0
.long 41472
.long 0
.long 32768
.long 32768
.long 32768
.long 32768
.long 4096
.long 4096
.long 4096
.long 4096
.long 0
.long 0
.long 0
.long 0
.long 256
.long 8192
.long 0
.long 0
.long 0
.long 32768
.long 0
.long 32768
.long 256
.long 256
.long 256
.long 256
.long 256
.long 256
.long 33024
.long 33024
.long 8192
.long 8192
.long 8192
.long 8192
.long 40960
.long 8192
.long 8192
.long 8192
.long 16640
.long 16640
.long 262656
.long 262144
.long 49152
.long 49152
.long 16640
.long 24576
.long 768
.long 0
.long 295424
.long 294912
.long 32768
.long 256
.long 32768
.long 294912
.long 16384
.long 16384
.long 16384
.long 16384
.long 33024
.long 33024
.long 32768
.long 32768
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 164096
.long 164096
.long 131328
.long 131328
.long 33024
.long 33024
.long 33024
.long 33024
.long 139264
.long 401408
.long 41472
.long 393472
.long 32768
.long 32768
.long 32768
.long 32768
.long 32776
.long 32768
.long 64
.long 64
.long 32768
.long 32768
.long 16384
.long 16384
.long 0
.long 0
.long 32768
.long 32768
.long 0
.long 0
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long -1
.long -1
.long 0
.long -1
.long 0
.long 0
.long 0
.long 0
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 139264
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 0
.long 0
.long 0
.long 16384
.long 16640
.long 16384
.long -1
.long -1
.long 0
.long 0
.long 0
.long 16384
.long 16640
.long 16384
.long -1
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long -1
.long -1
.long 16640
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long 16384
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long 0
.long 0
.long 0
.long 0
.long 0
.long 256
.long 0
.long 0
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1
.long -1 # 0xff
*****************************************************/