MalwareSourceCode/Libs/Win32/Disassembler/VirTool.Win32.Disassembler.Lito.asm

399 lines
19 KiB
NASM
Raw Permalink Normal View History

2020-10-16 20:28:58 +00:00
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ;
; ;
; ### ;
; ### ;
; ### #################################################### ;
; ### #################################################### ;
; ### ### ### ;
; ### ### ### ######### ### ;
; ### ### ### ########### ;
; ### ### ## ## ;
; ### ### ### ## ## ;
; ### ### ### ## ## ;
; ### ### ### ### ## ## ;
; ### ### ### ### ## ## ;
; ############ ### ### ########### ;
; ################################################################ ;
; ;
; ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ;
; Advanced Length dIsassembler moTOr:) ;
; ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; ;
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 2.1 ;
; ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;<3B><EFBFBD><E3ADAA><EFBFBD> _LiTo_ ;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><E1A5AC><EFBFBD><EFBFBD><E0AEA2><EFBFBD><EFBFBD> <20><><EFBFBD><E8A8AD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ;
;<3B><><EFBFBD><E0A5A4><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><E8A8AD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ;
;<3B>室: ;
;esi - <20><><EFBFBD><EFBFBD><EFBFBD><><E0A0A7><EFBFBD><E0A0A5><EFBFBD> <20><><EFBFBD><E8A8AD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ;
;edi - 㪠<><E3AAA0><EFBFBD> <20><> <20><><EFBFBD><E5AEA4><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>) (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> INSTR:) ;
;<3B><>室: ;
;<3B> eax - <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><E8A8AD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. ;
;<3B><><EFBFBD><EFBFBD>⪨: ;
;(x) <20><><EFBFBD><E5AEA4><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><E1A5AC><EFBFBD><EFBFBD><E0AEA2><EFBFBD><EFBFBD> ;
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><EFBFBD><EFBFBD><E2A0A2><EFBFBD><EFBFBD><><E1AEA1><><E1ABA5><EFBFBD>饥: ;
; ;
; INSTR1 struct ;
; (+ 00) len_com db 00h ; - <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>; ;
; (+ 01) flags dd 00h ; - <20><><EFBFBD><EFBFBD><E2A0A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD><><E4ABA0> ;
; (+ 05) seg db 00h ; - ᥣ<><E1A5A3><EFBFBD><EFBFBD> (<28><20><><EFBFBD><EFBFBD>); ;
; (+ 06) repx db 00h ; - <20><><EFBFBD><EFBFBD> (0F2h/0F3h) (<28><20><><EFBFBD><EFBFBD>); ;
; (+ 07) len_offset db 00h ; - ࠧ<><E0A0A7><EFBFBD> ᬥ饭<E1ACA5><E9A5AD>; ;
; (+ 08) len_operand db 00h ; - ࠧ<><E0A0A7><EFBFBD> <20><><EFBFBD><EFBFBD><E0A0AD>; ;
; (+ 09) opcode db 00h ; - <20><><EFBFBD><EFBFBD><EFBFBD> (<28><20><><EFBFBD><EFBFBD><EFBFBD>=0Fh, ⮣<><E2AEA3> ;
; ; <20><20><><EFBFBD><EFBFBD><E0A0AD><EFBFBD><EFBFBD><EFBFBD> 2-<2D><> <20><><EFBFBD><EFBFBD><EFBFBD>, <20> ;
; ; <20><><EFBFBD><E2A0AD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><> B_OPCODE2); ;
; (+ 10) modrm db 00h ; - <20><><EFBFBD><EFBFBD> MODRM (⠪<><E2A0AA>, <20><20><><EFBFBD><EFBFBD>) ;
; (+ 11) sib db 00h ; - <20><><EFBFBD><EFBFBD> SIB ;
; (+ 12) offset db 8 dup (00h); - ᬥ饭<E1ACA5><E9A5AD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>樨 ;
; (+ 20) operand db 8 dup (00h); - <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>樨 ;
; INSTR1 ends ;
; ;
;(<28>) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD>) ⮫쪮 general purpose & fpu instructions ;
; (<28><><EFBFBD><E2A0AB><EFBFBD><EFBFBD> - <20><><E2AEAF>:)! ;
;(<28>) <20><><EFBFBD> <20><EFBFBD><20><> <20><><EFBFBD><EFBFBD><E1A8AC><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>樨 (15 <20><><EFBFBD><EFBFBD>) (<28><><EFBFBD>७) ;
;(<28>) <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><E0AEA5> <20><><EFBFBD><><E2A0A1>窨: ;
; <09><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: ⠪ <20><><EFBFBD> <20> <20><20><><EFBFBD><EFBFBD><20><EFBFBD><E1AFAE><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><><E4ABA0> <20> <20><><EFBFBD><E1ABAE><EFBFBD> ;
; <09><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><E7A5AD><EFBFBD> <=8, <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><><E4ABA0> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><20><><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> ;
; (<28><><EFBFBD><EFBFBD><E1A8AC><EFBFBD> <20><>᫮ =8 (B_PREFIX6X) - <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><EFBFBD><EFBFBD><E2A0A2><EFBFBD><EFBFBD><EFBFBD> =1000b). ;
; <09><><EFBFBD><EFBFBD> <20><><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><E5A8A2><EFBFBD> 2 䫠<><E4ABA0> - <20><><EFBFBD> <20> <20><><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD> ;
; <09><><EFBFBD><E0A0A7>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><><E2A0A1><20> 256 <20><><EFBFBD><EFBFBD> <20><EFBFBD><E0A5A7><EFBFBD><EFBFBD><EFBFBD> <20><> 128. ;
;(<28>) <20><><EFBFBD> 32-<2D><><EFBFBD><E2ADAE> <20><EFBFBD><E1AFAE><EFBFBD><EFA5AC><EFBFBD> <20><><EFBFBD><EFBFBD>. ;
;(<28>) <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><>䨣 ᠬ <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><E2A0AB><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD> ⠬ ;
; <20><EFBFBD>ન. ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;
;
;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; <09><><EFBFBD><EFBFBD>: ;
;(+) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><E1A8AC><EFBFBD><EFBFBD> ;
;(+) 㯠<><E3AFA0><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><><E2A0A1>窨 ;
; ;
;(-) <20><><EFBFBD><EFBFBD><20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>樨 ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;
;
;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
; <09><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: ;
;1)<29><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><E7A5AD>: ;
; lito.asm ;
;2)<29><EFBFBD>:(<28><EFBFBD><E0A8AC>) ;
; lea esi,XXXXXXXXh ;<3B><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><><E3A7AD><EFBFBD> ;
; lea edi,XXXXXXXXh ;lea edi,INSTR1 ;
; call LiTo ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
;m1x
;pr0mix@mail.ru
_LiTo_:
pushad
call _delta_lito_
;===================================================================================
;<3B><><EFBFBD> <20><><EFBFBD>䨪ᮢ
pfx:
db 2Eh,36h,3Eh,26h,64h,65h,0F2h,0F3h,0F0h,66h,67h
SizePfx equ $-pfx ;<3B><><EFBFBD><EFBFBD><EFBFBD> pfx
;===================================================================================
;⠡<><E2A0A1><EFBFBD><EFBFBD><><E4ABA0><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
TableFlags1:
; 01 23 45 67 89 AB CD EF
db 11h,11h,28h,00h,11h,11h,28h,00h ;00
db 11h,11h,28h,00h,11h,11h,28h,00h ;01
db 11h,11h,28h,00h,11h,11h,28h,00h ;02
db 11h,11h,28h,00h,11h,11h,28h,00h ;03
db 00h,00h,00h,00h,00h,00h,00h,00h ;04
db 00h,00h,00h,00h,00h,00h,00h,00h ;05
db 00h,11h,00h,00h,89h,23h,00h,00h ;06
db 22h,22h,22h,22h,22h,22h,22h,22h ;07
db 39h,33h,11h,11h,11h,11h,11h,11h ;08
db 00h,00h,00h,00h,00h,0C0h,00h,00h ;09
db 88h,88h,00h,00h,28h,00h,00h,00h ;0A
db 22h,22h,22h,22h,88h,88h,88h,88h ;0B
db 33h,40h,11h,39h,60h,40h,02h,00h ;0C
db 11h,11h,22h,00h,11h,11h,11h,11h ;0D
db 22h,22h,22h,22h,88h,0C2h,00h,00h ;0E
db 00h,00h,00h,11h,00h,00h,00h,11h ;0F
;===================================================================================
;⠡<><E2A0A1><EFBFBD><EFBFBD><><E4ABA0><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><E5A1A0><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
TableFlags2:
; 01 23 45 67 89 AB CD EF
db 11h,11h,00h,00h,00h,00h,01h,00h ;00
db 00h,00h,00h,00h,00h,00h,00h,01h ;01
db 11h,11h,00h,00h,00h,00h,00h,00h ;02
db 00h,00h,00h,00h,00h,00h,00h,00h ;03
db 11h,11h,11h,11h,11h,11h,11h,11h ;04
db 00h,00h,00h,00h,00h,00h,00h,00h ;05
db 00h,00h,00h,00h,00h,00h,00h,00h ;06
db 00h,00h,00h,00h,00h,00h,00h,00h ;07
db 88h,88h,88h,88h,88h,88h,88h,88h ;08
db 11h,11h,11h,11h,11h,11h,11h,11h ;09
db 00h,01h,31h,00h,00h,01h,31h,01h ;0A
db 11h,11h,11h,11h,00h,31h,11h,11h ;0B
db 11h,00h,00h,01h,00h,00h,00h,00h ;0C
db 00h,00h,00h,00h,00h,00h,00h,00h ;0D
db 00h,00h,00h,00h,00h,00h,00h,00h ;0E
db 00h,00h,00h,00h,00h,00h,00h,00h ;0F
;===================================================================================
SizeTbl equ $-pfx
;===================================================================================
;䫠<><E4ABA0>
;-----------------------------------------------------------------------------------
B_NONE equ 00h ;xex
B_MODRM equ 01h ;present byte MODRM
B_DATA8 equ 02h ;present imm8,rel8, etc
B_DATA16 equ 04h ;present imm16,rel16, etc
B_PREFIX6X equ 08h ;present imm16/imm32 (<28> <20><><EFBFBD><EFBFBD><EFBFBD><E1A8AC><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><E4A8AA> 0x66 (0x67 <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 0xA0-0xA3))
B_SEG equ 10h ;present segment (<28><EFBFBD><E0A8AC>: 0x2e,0x3E, etc)
B_PFX66 equ 20h ;present byte 0x66
B_PFX67 equ 40h ;present byte 0x67
B_LOCK equ 80h ;present byte LOCK (0xF0)
B_REP equ 100h ;present byte rep[e/ne]
B_OPCODE2 equ 200h ;present second opcode (first opcode=0x0F)
B_SIB equ 400h ;present byte SIB
B_RELX equ 800h ;present jxx/jmp/call (rel8,rel16,rel32)
;===================================================================================
_delta_lito_:
pop ebp
cld
xor eax,eax
xor ebx,ebx
cdq ;<3B> edx: dl(0/1) - <20><><EFBFBD>/<2F><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> 0x66
; dh(0/1) - <20><><EFBFBD>/<2F><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> 0x67
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>䨪ᮢxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_nextpfx_:
lodsb ;<3B><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><E0A5A4><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
push edi
lea edi,[ebp+(pfx-_delta_lito_+SizeTbl)] ;<3B> edi - <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD>䨪ᮢ
db 6Ah,SizePfx
pop ecx
repne scasb ;<3B><><EFBFBD><EFBFBD> <20><> <20><><E0A0A7><EFBFBD><E0A0A5><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><E4A8AA>?
pop edi
jne _endpfx_ ;<3B><><EFBFBD>? - <20><> <20><>
cmp ecx,5
jl _lock_
or bl,B_SEG
mov byte ptr [edi+05h],al ;seg
_lock_:
cmp al,0F0h
jne _rep_
or bl,B_LOCK
_rep_:
mov ch,al
and ch,0FEh
cmp ch,0F2h
jne _66_
or bx,B_REP
mov byte ptr [edi+06h],al ;rep
_66_:
cmp al,66h ;<3B><><EFBFBD><EFBFBD><EFBFBD><>ਬ, <20><><EFBFBD> 0x66?
jne _67_
mov dl,1
or bl,B_PFX66
_67_:
cmp al,67h ;<3B><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> 0x67?
jnz _nextpfx_ ;<3B><20><><EFBFBD>, <20><> <20><20><><EFBFBD> <20><><EFBFBD><EFBFBD><E4A8AA>
mov dh,1
or bl,B_PFX67
jmp _nextpfx_ ;<3B><EFBFBD><E0AEA4><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>䨪ᮢxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_endpfx_:
_search_jxx_call_jmp_:
mov ch,al
and ch,0FEh
cmp ch,0E8h
je _jxxok_
mov ch,al
and ch,11110000b
cmp ch,70h
je _jxxok_
cmp al,0EBh
je _jxxok_
cmp al,0Fh ;<3B><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> 2-<2D> <20><><EFBFBD><EFBFBD>?
jne _opcode_
lodsb ;<3B><20><>, <20><> <20><>६ 2-<2D><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
mov cl,80h ;<3B><><E3A2A5><EFBFBD><E7A8A2><EFBFBD> cl=80h
or bx,B_OPCODE2
mov ch,al
and ch,11110000b
cmp ch,80h
jne _opcode_
_jxxok_:
or bx,B_RELX
;-----------------------------------------------------------------------------------
_opcode_:
xor ch,ch
mov byte ptr [edi+09h],al ;save first opcode
lea ebp,[ebp+ecx+(TableFlags1-_delta_lito_+SizeTbl)];<3B> edi - <20><><EFBFBD><EFBFBD><EFBFBD> <20><EFBFBD><E3A6AD><><E2A0A1><EFBFBD><EFBFBD><><E4ABA0><EFBFBD>(<28><><EFBFBD>-<2D>)
cmp al,0A0h ;<3B><20><><EFBFBD><EFBFBD><EFBFBD>>=0xA0 <20> <20><><EFBFBD><EFBFBD><EFBFBD><=A3,
jl _01_;jb ;
cmp al,0A3h
jg _01_
test cl,cl
jne _01_;je ;<3B><> dl=dh
mov dl,dh ;mov dl,dh
;-----------------------------------------------------------------------------------
_01_:
push eax
shr eax,1
mov cl,byte ptr [ebp+eax] ;<3B> cl - 䫠<><E4ABA0> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
jc _noCF_
shr cl,4
_noCF_:
and cl,0Fh
xor ebp,ebp ;<3B> ebp - <20><EFBFBD> <20><EFBFBD><E0A0AD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> ᬥ饭<E1ACA5><E9A5AD>(offset)
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG ࠧ<><E0A0A7><EFBFBD> MODRMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
or ecx,ebx
pop ebx ;bl=opcode
test cl,B_MODRM ;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> modrm?
je _endmodrm_ ;<3B><><EFBFBD>? <20><> <20><>
lodsb ;al=modrm
mov byte ptr [edi+10],al ;MODRM
mov ah,al
;-----------------------------------------------------------------------------------
shr ah,6 ;ah=mod
;-----------------------------------------------------------------------------------
test al,38h ;<3B><><EFBFBD><EFBFBD><EFBFBD><>ਬ, ࠢ<><E0A0A2> <20><> <20><><EFBFBD><EFBFBD> reg==0?
jne _03_
sub bl,0F6h ;<3B><20><>, <20><><><20><> <20><><EFBFBD><EFBFBD><EFBFBD>:
jne _02_ ;ࠢ<><E0A0A2> <20><> <20><> 0xF6 <20><><EFBFBD> 0xF7(test)?
or cl,B_DATA8 ;<3B><20><>, <20><> <20><><EFBFBD><E2A0AD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><EFBFBD><E3A6AD><>
_02_:
dec ebx
jne _03_
or cl,B_PREFIX6X
;-----------------------------------------------------------------------------------
_03_:
and al,07h
xor ebx,ebx ;bl <20>⢥砥<E2A2A5> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> sib
mov bh,ah ;bh=mod
cmp dh,1 ;<3B><><EFBFBD><EFBFBD> <20><> <20><><E0A0A7><EFBFBD><E0A0A5><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> 0x67?
je _mod00_ ;<3B><20><>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><E1AAA0><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
cmp al,4 ;<3B><><EFBFBD><EFBFBD><EFBFBD> <20><EFBFBD><E0AEA2>塞,ࠢ<><E0A0A2> <20><> <20><><EFBFBD><EFBFBD> rm==4?
jne _mod00_
inc ebx ;<3B><20><>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> sib
;-----------------------------------------------------------------------------------
_mod00_:
test ah,ah ;<3B><><EFBFBD><EFBFBD> mod==0?
jne _mod01_
dec dh ;ᮤ<><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 0x67?
jne _nop67_ ;<3B><><EFBFBD>? <20><><EFBFBD><EFBFBD><EFBFBD><E1AAA0><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
cmp al,6 ;<3B><20><>, <20><> rm==6?
jne _sib_
inc ebp ;<3B><20><>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD> ᬥ饭<E1ACA5><E9A5AD>=2(16 bit)
inc ebp
_nop67_:
cmp al,5 ;<3B><><EFBFBD><EFBFBD><EFBFBD>, rm==5?
jne _sib_
add ebp,4 ;<3B><20><>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>=4 (32 bit)
jmp _sib_ ;<3B><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
;-----------------------------------------------------------------------------------
_mod01_: ;mod==1?
dec ah
jne _mod02_
inc ebp ;<3B><>? ⮣<><E2AEA3> ebp=1
jmp _sib_
;-----------------------------------------------------------------------------------
_mod02_: ;mod==2?
dec ah
jne _mod03_
inc ebp ;ebp=2
inc ebp
dec dh ;<3B><20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><E4A8AA> 0x67, <20><><EFBFBD><EFBFBD><EFBFBD><E1AAA0><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
je _sib_
inc ebp ;<3B><> ebp+=2
inc ebp
inc ebx
;-----------------------------------------------------------------------------------
_mod03_: ;mod==3?
dec bl ;<3B><20><>, ⮣<><E2AEA3> sib'<27> <20><><20><><EFBFBD>!
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND ࠧ<><E0A0A7><EFBFBD> MODRMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG <20><><EFBFBD><EFBFBD><EFBFBD><E7A5AD> SIBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_sib_:
dec bl ;<3B><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> sib?
jne _endmodrm_
or cx,B_SIB
lodsb ;<3B><20><>, <20><> <20> al ⥯<><E2A5AF><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> sib(al=sib)
mov byte ptr [edi+11],al ;SIB
and al,7 ;<3B><><EFBFBD><EFBFBD><EFBFBD>,
cmp al,5 ;al==5?
jne _endmodrm_
test bh,bh ;<3B><20><>, <20><><>ਬ, <20><><EFBFBD><EFBFBD> mod==0?
jne _endmodrm_
push 4 ;<3B><20><>, <20><> <20><><EFBFBD><EFBFBD> 4-<2D><><EFBFBD><EFBFBD><E2AEA2> ᬥ饭<E1ACA5><E9A5AD>
pop ebp
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND <20><><EFBFBD><EFBFBD><EFBFBD><E7A5AD> SIBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG 䫠<><E4ABA0>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_endmodrm_:
xor ebx,ebx
test cl,B_DATA8 ;<3B><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><E2AEA2> ᬥ饭<E1ACA5><E9A5AD>?
je _nf1_
inc ebx
_nf1_:
test cl,B_DATA16 ;<3B><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><E2AEA2> ᬥ饭<E1ACA5><E9A5AD>?
je _nf2_
inc ebx
inc ebx
_nf2_:
test cl,B_PREFIX6X ;<3B><><EFBFBD><EFBFBD> <20><> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><E2A2A5><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><E7A5AD>?
je _endflag_
dec dl ;<3B><><EFBFBD><EFBFBD> <20><> 0x66(0x67 <20><><EFBFBD> [0xA0,0xA3]) <20><><E0A0A7><EFBFBD><E0A0A5><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>?
je _okp66_
inc ebx
inc ebx
_okp66_:
inc ebx
inc ebx
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND 䫠<><E4ABA0>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_endflag_:
push ecx
push edi
mov ecx,ebp
add edi,12
rep movsb
sub edi,ebp
add edi,8
mov ecx,ebx
rep movsb
pop edi
pop dword ptr [edi+1]
sub esi,dword ptr [esp+4];eax
xchg esi,eax
mov byte ptr [edi+0],al
mov dword ptr [esp+7*4],eax ;<3B><><EFBFBD>࠭塞 ࠧ<><E0A0A7><EFBFBD> <20> <20><><EFBFBD>
xchg ebp,eax
mov byte ptr [edi+7],al
mov byte ptr [edi+8],bl
popad
ret ;<3B><><EFBFBD><E5AEA4>:)
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
;<3B><><EFBFBD><EFBFBD><EFBFBD> <20>㭪樨 _LiTo_ ;
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SizeOfLiTo equ $-_LiTo_ ;ࠧ<><E0A0A7><EFBFBD> <20>㭪樨 _LiTo_