mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-12 05:15:28 +00:00
399 lines
19 KiB
NASM
399 lines
19 KiB
NASM
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
|
||
; ;
|
||
; ;
|
||
; ### ;
|
||
; ### ;
|
||
; ### #################################################### ;
|
||
; ### #################################################### ;
|
||
; ### ### ### ;
|
||
; ### ### ### ######### ### ;
|
||
; ### ### ### ########### ;
|
||
; ### ### ## ## ;
|
||
; ### ### ### ## ## ;
|
||
; ### ### ### ## ## ;
|
||
; ### ### ### ### ## ## ;
|
||
; ### ### ### ### ## ## ;
|
||
; ############ ### ### ########### ;
|
||
; ################################################################ ;
|
||
; ;
|
||
; ;
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
|
||
; ;
|
||
; Advanced Length dIsassembler moTOr:) ;
|
||
; ;
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
|
||
; ;
|
||
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 2.1 ;
|
||
; ;
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
|
||
;<3B>㭪<EFBFBD><E3ADAA><EFBFBD> _LiTo_ ;
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD>ᥬ<EFBFBD><E1A5AC><EFBFBD><EFBFBD><E0AEA2><EFBFBD><EFBFBD> <20><>設<EFBFBD><E8A8AD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ;
|
||
;<3B><>।<EFBFBD><E0A5A4><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><>設<EFBFBD><E8A8AD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ;
|
||
;<3B>室: ;
|
||
;esi - <20><><EFBFBD><EFBFBD><EFBFBD> ࠧ<><E0A0A7>ࠥ<EFBFBD><E0A0A5><EFBFBD> <20><>設<EFBFBD><E8A8AD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ;
|
||
;edi - 㪠<><E3AAA0>⥫<EFBFBD> <20><> <20><>室<EFBFBD><E5AEA4><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>) (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> INSTR:) ;
|
||
;<3B><>室: ;
|
||
;<3B> eax - <20><><EFBFBD><EFBFBD><EFBFBD> <20><>設<EFBFBD><E8A8AD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. ;
|
||
;<3B><><EFBFBD><EFBFBD>⪨: ;
|
||
;(x) <20><>室<EFBFBD><E5AEA4><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>ᥬ<EFBFBD><E1A5AC><EFBFBD><EFBFBD><E0AEA2><EFBFBD><EFBFBD> ;
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>樨 <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20>।<EFBFBD>⠢<EFBFBD><E2A0A2><EFBFBD><EFBFBD> ᮡ<><E1AEA1> <><E1ABA5><EFBFBD>饥: ;
|
||
; ;
|
||
; INSTR1 struct ;
|
||
; (+ 00) len_com db 00h ; - <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>; ;
|
||
; (+ 01) flags dd 00h ; - <20><><EFBFBD>⠢<EFBFBD><E2A0A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 䫠<><E4ABA0> ;
|
||
; (+ 05) seg db 00h ; - ᥣ<><E1A5A3><EFBFBD><EFBFBD> (<28> <20><><EFBFBD><EFBFBD>); ;
|
||
; (+ 06) repx db 00h ; - <20><><EFBFBD>䨪<EFBFBD> (0F2h/0F3h) (<28> <20><><EFBFBD><EFBFBD>); ;
|
||
; (+ 07) len_offset db 00h ; - ࠧ<><E0A0A7><EFBFBD> ᬥ饭<E1ACA5><E9A5AD>; ;
|
||
; (+ 08) len_operand db 00h ; - ࠧ<><E0A0A7><EFBFBD> <20><><EFBFBD>࠭<EFBFBD><E0A0AD>; ;
|
||
; (+ 09) opcode db 00h ; - <20><><EFBFBD><EFBFBD><EFBFBD> (<28> <20><><EFBFBD><EFBFBD><EFBFBD>=0Fh, ⮣<><E2AEA3> ;
|
||
; ; <20> <20><><EFBFBD>࠭<EFBFBD><E0A0AD><EFBFBD><EFBFBD><EFBFBD> 2-<2D><> <20><><EFBFBD><EFBFBD><EFBFBD>, <20> ;
|
||
; ; <20><>⠭<EFBFBD><E2A0AD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 䫠<> B_OPCODE2); ;
|
||
; (+ 10) modrm db 00h ; - <20><><EFBFBD><EFBFBD> MODRM (⠪<><E2A0AA>, <20> <20><><EFBFBD><EFBFBD>) ;
|
||
; (+ 11) sib db 00h ; - <20><><EFBFBD><EFBFBD> SIB ;
|
||
; (+ 12) offset db 8 dup (00h); - ᬥ饭<E1ACA5><E9A5AD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>樨 ;
|
||
; (+ 20) operand db 8 dup (00h); - <20><><EFBFBD>࠭<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>樨 ;
|
||
; INSTR1 ends ;
|
||
; ;
|
||
;(<28>) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD>) ⮫쪮 general purpose & fpu instructions ;
|
||
; (<28><>⠫<EFBFBD><E2A0AB><EFBFBD><EFBFBD> - <20> ⮯<><E2AEAF>:)! ;
|
||
;(<28>) <20><><EFBFBD> <20><EFBFBD>ન <20><> <20><><EFBFBD>ᨬ<EFBFBD><E1A8AC><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>樨 (15 <20><><EFBFBD><EFBFBD>) (<28><><EFBFBD>७) ;
|
||
;(<28>) <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><E0AEA5> <20><><EFBFBD> ⠡<><E2A0A1>窨: ;
|
||
; <09><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: ⠪ <20><><EFBFBD> <20> <20>⮬ <20><><EFBFBD><EFBFBD>ᬥ <20>ᯮ<EFBFBD><E1AFAE><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 䫠<><E4ABA0> <20> <20><><EFBFBD><E1ABAE><EFBFBD> ;
|
||
; <09><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>祭<EFBFBD><E7A5AD><EFBFBD> <=8, <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 䫠<><E4ABA0> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>筮 <20><><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> ;
|
||
; (<28><><EFBFBD>ᨬ<EFBFBD><E1A8AC>쭮<EFBFBD> <20><> =8 (B_PREFIX6X) - <20> <20><><EFBFBD><EFBFBD>筮<EFBFBD> <20>।<EFBFBD>⠢<EFBFBD><E2A0A2><EFBFBD><EFBFBD><EFBFBD> =1000b). ;
|
||
; <09><><EFBFBD><EFBFBD> <20><><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20>㯮 <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>娢<EFBFBD><E5A8A2><EFBFBD> 2 䫠<><E4ABA0> - <20><><EFBFBD> <20> <20><><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD> ;
|
||
; <09><>ࠧ<EFBFBD><E0A0A7>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ⠡<><E2A0A1>窠 <20> 256 <20><><EFBFBD><EFBFBD> <20>१<EFBFBD><E0A5A7><EFBFBD><EFBFBD><EFBFBD> <20><> 128. ;
|
||
;(<28>) <20><><EFBFBD> 32-<2D><>⭮<EFBFBD><E2ADAE> <20>ᯮ<EFBFBD><E1AFAE>塞<EFBFBD><EFA5AC><EFBFBD> <20><><EFBFBD><EFBFBD>. ;
|
||
;(<28>) <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><>䨣 ᠬ <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><>⠫<EFBFBD><E2A0AB><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><>直<EFBFBD> ⠬ ;
|
||
; <20><EFBFBD>ન. ;
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
|
||
;
|
||
;
|
||
;
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
|
||
; <09><><EFBFBD><EFBFBD>: ;
|
||
;(+) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ᨬ<EFBFBD><E1A8AC><EFBFBD><EFBFBD> ;
|
||
;(+) 㯠<><E3AFA0><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ⠡<><E2A0A1>窨 ;
|
||
; ;
|
||
;(-) <20><><EFBFBD><EFBFBD>୮ <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>樨 ;
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
|
||
;
|
||
;
|
||
;
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
|
||
; <09><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: ;
|
||
;1)<29><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>祭<EFBFBD><E7A5AD>: ;
|
||
; lito.asm ;
|
||
;2)<29>맮<EFBFBD>:(<28>ਬ<EFBFBD><E0A8AC>) ;
|
||
; lea esi,XXXXXXXXh ;<3B><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> 㧭<><E3A7AD><EFBFBD> ;
|
||
; lea edi,XXXXXXXXh ;lea edi,INSTR1 ;
|
||
; call LiTo ;
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;
|
||
|
||
|
||
;m1x
|
||
;pr0mix@mail.ru
|
||
|
||
_LiTo_:
|
||
pushad
|
||
call _delta_lito_
|
||
;===================================================================================
|
||
|
||
;<3B><>ப<EFBFBD> <20><><EFBFBD>䨪ᮢ
|
||
pfx:
|
||
db 2Eh,36h,3Eh,26h,64h,65h,0F2h,0F3h,0F0h,66h,67h
|
||
|
||
SizePfx equ $-pfx ;<3B><><EFBFBD><EFBFBD><EFBFBD> pfx
|
||
|
||
;===================================================================================
|
||
|
||
;⠡<><E2A0A1><EFBFBD><EFBFBD> 䫠<><E4ABA0><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
TableFlags1:
|
||
|
||
; 01 23 45 67 89 AB CD EF
|
||
db 11h,11h,28h,00h,11h,11h,28h,00h ;00
|
||
db 11h,11h,28h,00h,11h,11h,28h,00h ;01
|
||
db 11h,11h,28h,00h,11h,11h,28h,00h ;02
|
||
db 11h,11h,28h,00h,11h,11h,28h,00h ;03
|
||
db 00h,00h,00h,00h,00h,00h,00h,00h ;04
|
||
db 00h,00h,00h,00h,00h,00h,00h,00h ;05
|
||
db 00h,11h,00h,00h,89h,23h,00h,00h ;06
|
||
db 22h,22h,22h,22h,22h,22h,22h,22h ;07
|
||
db 39h,33h,11h,11h,11h,11h,11h,11h ;08
|
||
db 00h,00h,00h,00h,00h,0C0h,00h,00h ;09
|
||
db 88h,88h,00h,00h,28h,00h,00h,00h ;0A
|
||
db 22h,22h,22h,22h,88h,88h,88h,88h ;0B
|
||
db 33h,40h,11h,39h,60h,40h,02h,00h ;0C
|
||
db 11h,11h,22h,00h,11h,11h,11h,11h ;0D
|
||
db 22h,22h,22h,22h,88h,0C2h,00h,00h ;0E
|
||
db 00h,00h,00h,11h,00h,00h,00h,11h ;0F
|
||
|
||
|
||
;===================================================================================
|
||
|
||
;⠡<><E2A0A1><EFBFBD><EFBFBD> 䫠<><E4ABA0><EFBFBD> <20><><EFBFBD> <20><><EFBFBD>塠<EFBFBD><E5A1A0><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
TableFlags2:
|
||
|
||
; 01 23 45 67 89 AB CD EF
|
||
db 11h,11h,00h,00h,00h,00h,01h,00h ;00
|
||
db 00h,00h,00h,00h,00h,00h,00h,01h ;01
|
||
db 11h,11h,00h,00h,00h,00h,00h,00h ;02
|
||
db 00h,00h,00h,00h,00h,00h,00h,00h ;03
|
||
db 11h,11h,11h,11h,11h,11h,11h,11h ;04
|
||
db 00h,00h,00h,00h,00h,00h,00h,00h ;05
|
||
db 00h,00h,00h,00h,00h,00h,00h,00h ;06
|
||
db 00h,00h,00h,00h,00h,00h,00h,00h ;07
|
||
db 88h,88h,88h,88h,88h,88h,88h,88h ;08
|
||
db 11h,11h,11h,11h,11h,11h,11h,11h ;09
|
||
db 00h,01h,31h,00h,00h,01h,31h,01h ;0A
|
||
db 11h,11h,11h,11h,00h,31h,11h,11h ;0B
|
||
db 11h,00h,00h,01h,00h,00h,00h,00h ;0C
|
||
db 00h,00h,00h,00h,00h,00h,00h,00h ;0D
|
||
db 00h,00h,00h,00h,00h,00h,00h,00h ;0E
|
||
db 00h,00h,00h,00h,00h,00h,00h,00h ;0F
|
||
;===================================================================================
|
||
|
||
SizeTbl equ $-pfx
|
||
;===================================================================================
|
||
;䫠<><E4ABA0>
|
||
;-----------------------------------------------------------------------------------
|
||
B_NONE equ 00h ;xex
|
||
B_MODRM equ 01h ;present byte MODRM
|
||
B_DATA8 equ 02h ;present imm8,rel8, etc
|
||
B_DATA16 equ 04h ;present imm16,rel16, etc
|
||
B_PREFIX6X equ 08h ;present imm16/imm32 (<28> <20><><EFBFBD><EFBFBD>ᨬ<EFBFBD><E1A8AC><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>䨪<EFBFBD><E4A8AA> 0x66 (0x67 <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 0xA0-0xA3))
|
||
B_SEG equ 10h ;present segment (<28>ਬ<EFBFBD><E0A8AC>: 0x2e,0x3E, etc)
|
||
B_PFX66 equ 20h ;present byte 0x66
|
||
B_PFX67 equ 40h ;present byte 0x67
|
||
B_LOCK equ 80h ;present byte LOCK (0xF0)
|
||
B_REP equ 100h ;present byte rep[e/ne]
|
||
B_OPCODE2 equ 200h ;present second opcode (first opcode=0x0F)
|
||
B_SIB equ 400h ;present byte SIB
|
||
B_RELX equ 800h ;present jxx/jmp/call (rel8,rel16,rel32)
|
||
;===================================================================================
|
||
|
||
_delta_lito_:
|
||
pop ebp
|
||
cld
|
||
xor eax,eax
|
||
xor ebx,ebx
|
||
cdq ;<3B> edx: dl(0/1) - <20><><EFBFBD>/<2F><><EFBFBD><EFBFBD> <20><><EFBFBD>䨪<EFBFBD> 0x66
|
||
; dh(0/1) - <20><><EFBFBD>/<2F><><EFBFBD><EFBFBD> <20><><EFBFBD>䨪<EFBFBD> 0x67
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>䨪ᮢxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||
_nextpfx_:
|
||
lodsb ;<3B><><EFBFBD><EFBFBD>砥<EFBFBD> <20><><EFBFBD>।<EFBFBD><E0A5A4><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
push edi
|
||
lea edi,[ebp+(pfx-_delta_lito_+SizeTbl)] ;<3B> edi - <20><><EFBFBD><EFBFBD><EFBFBD> <20><>ப<EFBFBD> <20><><EFBFBD>䨪ᮢ
|
||
db 6Ah,SizePfx
|
||
pop ecx
|
||
repne scasb ;<3B><><EFBFBD><EFBFBD> <20><> <20> ࠧ<><E0A0A7>ࠥ<EFBFBD><E0A0A5><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>䨪<EFBFBD><E4A8AA>?
|
||
pop edi
|
||
jne _endpfx_ ;<3B><><EFBFBD>? - <20><> <20><>室
|
||
cmp ecx,5
|
||
jl _lock_
|
||
or bl,B_SEG
|
||
mov byte ptr [edi+05h],al ;seg
|
||
_lock_:
|
||
cmp al,0F0h
|
||
jne _rep_
|
||
or bl,B_LOCK
|
||
_rep_:
|
||
mov ch,al
|
||
and ch,0FEh
|
||
cmp ch,0F2h
|
||
jne _66_
|
||
or bx,B_REP
|
||
mov byte ptr [edi+06h],al ;rep
|
||
_66_:
|
||
cmp al,66h ;<3B><><EFBFBD><EFBFBD><EFBFBD> ᬮ<>ਬ, <20><><EFBFBD> 0x66?
|
||
jne _67_
|
||
mov dl,1
|
||
or bl,B_PFX66
|
||
_67_:
|
||
cmp al,67h ;<3B><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> 0x67?
|
||
jnz _nextpfx_ ;<3B> <20><><EFBFBD>, <20><> <20>饬 <20><>㣨<EFBFBD> <20><><EFBFBD>䨪<EFBFBD><E4A8AA>
|
||
mov dh,1
|
||
or bl,B_PFX67
|
||
jmp _nextpfx_ ;<3B>த<EFBFBD><E0AEA4><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>䨪ᮢxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||
_endpfx_:
|
||
_search_jxx_call_jmp_:
|
||
mov ch,al
|
||
and ch,0FEh
|
||
cmp ch,0E8h
|
||
je _jxxok_
|
||
mov ch,al
|
||
and ch,11110000b
|
||
cmp ch,70h
|
||
je _jxxok_
|
||
cmp al,0EBh
|
||
je _jxxok_
|
||
cmp al,0Fh ;<3B><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>⮨<EFBFBD> <20><> 2-<2D> <20><><EFBFBD><EFBFBD>?
|
||
jne _opcode_
|
||
lodsb ;<3B> <20><>, <20><> <20><>६ 2-<2D><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
mov cl,80h ;<3B> 㢥<><E3A2A5>稢<EFBFBD><E7A8A2><EFBFBD> cl=80h
|
||
or bx,B_OPCODE2
|
||
mov ch,al
|
||
and ch,11110000b
|
||
cmp ch,80h
|
||
jne _opcode_
|
||
_jxxok_:
|
||
or bx,B_RELX
|
||
|
||
;-----------------------------------------------------------------------------------
|
||
_opcode_:
|
||
xor ch,ch
|
||
mov byte ptr [edi+09h],al ;save first opcode
|
||
lea ebp,[ebp+ecx+(TableFlags1-_delta_lito_+SizeTbl)];<3B> edi - <20><><EFBFBD><EFBFBD><EFBFBD> <20>㦭<EFBFBD><E3A6AD> ⠡<><E2A0A1><EFBFBD><EFBFBD> 䫠<><E4ABA0><EFBFBD>(<28><><EFBFBD>-<2D>)
|
||
cmp al,0A0h ;<3B> <20><><EFBFBD><EFBFBD><EFBFBD>>=0xA0 <20> <20><><EFBFBD><EFBFBD><EFBFBD><=A3,
|
||
jl _01_;jb ;
|
||
cmp al,0A3h
|
||
jg _01_
|
||
test cl,cl
|
||
jne _01_;je ;<3B><> dl=dh
|
||
mov dl,dh ;mov dl,dh
|
||
;-----------------------------------------------------------------------------------
|
||
_01_:
|
||
push eax
|
||
shr eax,1
|
||
mov cl,byte ptr [ebp+eax] ;<3B> cl - 䫠<><E4ABA0> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
jc _noCF_
|
||
shr cl,4
|
||
_noCF_:
|
||
and cl,0Fh
|
||
xor ebp,ebp ;<3B> ebp - <20>㤥<EFBFBD> <20>࠭<EFBFBD><E0A0AD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> ᬥ饭<E1ACA5><E9A5AD>(offset)
|
||
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG ࠧ<><E0A0A7><EFBFBD> MODRMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||
|
||
or ecx,ebx
|
||
pop ebx ;bl=opcode
|
||
test cl,B_MODRM ;<3B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> modrm?
|
||
je _endmodrm_ ;<3B><><EFBFBD>? <20><> <20><>室
|
||
lodsb ;al=modrm
|
||
mov byte ptr [edi+10],al ;MODRM
|
||
mov ah,al
|
||
;-----------------------------------------------------------------------------------
|
||
shr ah,6 ;ah=mod
|
||
;-----------------------------------------------------------------------------------
|
||
test al,38h ;<3B><><EFBFBD><EFBFBD><EFBFBD> ᬮ<>ਬ, ࠢ<><E0A0A2> <20><> <20><><EFBFBD><EFBFBD> reg==0?
|
||
jne _03_
|
||
sub bl,0F6h ;<3B> <20><>, <20><> ᬮ<>ਬ <20><> <20><><EFBFBD><EFBFBD><EFBFBD>:
|
||
jne _02_ ;ࠢ<><E0A0A2> <20><> <20><> 0xF6 <20><><EFBFBD> 0xF7(test)?
|
||
or cl,B_DATA8 ;<3B> <20><>, <20><> <20><>⠭<EFBFBD><E2A0AD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20>㦭<EFBFBD><E3A6AD> 䫠<>
|
||
_02_:
|
||
dec ebx
|
||
jne _03_
|
||
or cl,B_PREFIX6X
|
||
;-----------------------------------------------------------------------------------
|
||
_03_:
|
||
and al,07h
|
||
xor ebx,ebx ;bl <20>⢥砥<E2A2A5> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>⢨<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> sib
|
||
mov bh,ah ;bh=mod
|
||
cmp dh,1 ;<3B><><EFBFBD><EFBFBD> <20><> <20> ࠧ<><E0A0A7>ࠥ<EFBFBD><E0A0A5><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>䨪<EFBFBD> 0x67?
|
||
je _mod00_ ;<3B> <20><>, <20><> <20><><EFBFBD><EFBFBD>᪠<EFBFBD><E1AAA0><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
cmp al,4 ;<3B><><EFBFBD><EFBFBD><EFBFBD> <20><EFBFBD><E0AEA2>塞,ࠢ<><E0A0A2> <20><> <20><><EFBFBD><EFBFBD> rm==4?
|
||
jne _mod00_
|
||
inc ebx ;<3B> <20><>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> sib
|
||
;-----------------------------------------------------------------------------------
|
||
_mod00_:
|
||
test ah,ah ;<3B><><EFBFBD><EFBFBD> mod==0?
|
||
jne _mod01_
|
||
dec dh ;ᮤ<>ন<EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 0x67?
|
||
jne _nop67_ ;<3B><><EFBFBD>? <20><><EFBFBD><EFBFBD>᪠<EFBFBD><E1AAA0><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
cmp al,6 ;<3B> <20><>, <20><> rm==6?
|
||
jne _sib_
|
||
inc ebp ;<3B> <20><>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD> ᬥ饭<E1ACA5><E9A5AD>=2(16 bit)
|
||
inc ebp
|
||
_nop67_:
|
||
cmp al,5 ;<3B><><EFBFBD><EFBFBD><EFBFBD>, rm==5?
|
||
jne _sib_
|
||
add ebp,4 ;<3B> <20><>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>=4 (32 bit)
|
||
jmp _sib_ ;<3B><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
;-----------------------------------------------------------------------------------
|
||
_mod01_: ;mod==1?
|
||
dec ah
|
||
jne _mod02_
|
||
inc ebp ;<3B><>? ⮣<><E2AEA3> ebp=1
|
||
jmp _sib_
|
||
;-----------------------------------------------------------------------------------
|
||
_mod02_: ;mod==2?
|
||
dec ah
|
||
jne _mod03_
|
||
inc ebp ;ebp=2
|
||
inc ebp
|
||
dec dh ;<3B> <20><><EFBFBD><EFBFBD> <20><><EFBFBD>䨪<EFBFBD><E4A8AA> 0x67, <20><><EFBFBD><EFBFBD>᪠<EFBFBD><E1AAA0><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
je _sib_
|
||
inc ebp ;<3B><> ebp+=2
|
||
inc ebp
|
||
inc ebx
|
||
;-----------------------------------------------------------------------------------
|
||
_mod03_: ;mod==3?
|
||
dec bl ;<3B> <20><>, ⮣<><E2AEA3> sib'<27> <20><>筮 <20><><EFBFBD>!
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND ࠧ<><E0A0A7><EFBFBD> MODRMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG <20><><EFBFBD><EFBFBD>祭<EFBFBD><E7A5AD> SIBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||
_sib_:
|
||
dec bl ;<3B><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> sib?
|
||
jne _endmodrm_
|
||
or cx,B_SIB
|
||
lodsb ;<3B> <20><>, <20><> <20> al ⥯<><E2A5AF><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> sib(al=sib)
|
||
mov byte ptr [edi+11],al ;SIB
|
||
and al,7 ;<3B><><EFBFBD><EFBFBD><EFBFBD>,
|
||
cmp al,5 ;al==5?
|
||
jne _endmodrm_
|
||
test bh,bh ;<3B> <20><>, <20><> ᬮ<>ਬ, <20><><EFBFBD><EFBFBD> mod==0?
|
||
jne _endmodrm_
|
||
push 4 ;<3B> <20><>, <20><> <20><><EFBFBD><EFBFBD> 4-<2D><><EFBFBD>⮢<EFBFBD><E2AEA2> ᬥ饭<E1ACA5><E9A5AD>
|
||
pop ebp
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND <20><><EFBFBD><EFBFBD>祭<EFBFBD><E7A5AD> SIBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxBEG 䫠<><E4ABA0>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||
_endmodrm_:
|
||
xor ebx,ebx
|
||
test cl,B_DATA8 ;<3B><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>⮢<EFBFBD><E2AEA2> ᬥ饭<E1ACA5><E9A5AD>?
|
||
je _nf1_
|
||
inc ebx
|
||
_nf1_:
|
||
test cl,B_DATA16 ;<3B><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD>塠<EFBFBD>⮢<EFBFBD><E2AEA2> ᬥ饭<E1ACA5><E9A5AD>?
|
||
je _nf2_
|
||
inc ebx
|
||
inc ebx
|
||
_nf2_:
|
||
test cl,B_PREFIX6X ;<3B><><EFBFBD><EFBFBD> <20><> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>।<EFBFBD>⢥<EFBFBD><E2A2A5><EFBFBD><EFBFBD> <20><><EFBFBD>祭<EFBFBD><E7A5AD>?
|
||
je _endflag_
|
||
dec dl ;<3B><><EFBFBD><EFBFBD> <20><> 0x66(0x67 <20><><EFBFBD> [0xA0,0xA3]) <20> ࠧ<><E0A0A7>ࠥ<EFBFBD><E0A0A5><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>?
|
||
je _okp66_
|
||
inc ebx
|
||
inc ebx
|
||
_okp66_:
|
||
inc ebx
|
||
inc ebx
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND 䫠<><E4ABA0>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||
_endflag_:
|
||
push ecx
|
||
push edi
|
||
mov ecx,ebp
|
||
add edi,12
|
||
rep movsb
|
||
sub edi,ebp
|
||
add edi,8
|
||
mov ecx,ebx
|
||
rep movsb
|
||
pop edi
|
||
pop dword ptr [edi+1]
|
||
sub esi,dword ptr [esp+4];eax
|
||
xchg esi,eax
|
||
mov byte ptr [edi+0],al
|
||
mov dword ptr [esp+7*4],eax ;<3B><><EFBFBD>࠭塞 ࠧ<><E0A0A7><EFBFBD> <20> <20><><EFBFBD>
|
||
xchg ebp,eax
|
||
mov byte ptr [edi+7],al
|
||
mov byte ptr [edi+8],bl
|
||
popad
|
||
ret ;<3B><>室<EFBFBD><E5AEA4>:)
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||
;<3B><><EFBFBD><EFBFBD><EFBFBD> <20>㭪樨 _LiTo_ ;
|
||
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
||
|
||
|
||
SizeOfLiTo equ $-_LiTo_ ;ࠧ<><E0A0A7><EFBFBD> <20>㭪樨 _LiTo_
|