From: Wolfgang Kern on

Nathan wrote:

>>> I think that Wolfgang's 'disass.com' might contain both 16- and 32-bit
>>> code. Can we make crudasm (and maybe ndisasm) "switch gears" in the
>>> middle of a disassembly?

>> Why not ?
>> a disassembler could be able to detect code flow and mode changes within
>> the code under test also in a static analysis and insert 'use16/use32'.
>> And that's just one point why I designed my 'DisAss core' this way.

> What was the other reason?

The final target is an automated, static code analyser/converter.
A problem still is the huge amount of required memory when
external references or self-modified code join in.

> Every "hillfolk" farmer wants 'DisAss' to be better than 'DatAss'. :)

:) yep, also valid for the Red-Neck-Clans around 'fort worse' :).
I actually named my data-base find/merge module 'DatAss'.

> But, would it be a "waste of time" (except as a learning experience)
> to perfect that feature? Combined 16/32-bit code is rare (not
> counting the DOS-stub in PE files).

Yes for most cases, but if you ever had to do this manually you
may eagerly ask for this feature.

> Probably better to spend time teaching the disassembler how to
> interpret PE and Elf headers so the user doesn't waste time
> guessing the "magic parameters".

Oh yes, I'd rank this before the 16/32 detection and it might be
easier to implement, but I'd make header structures transparent
(so editable later on).

__
wolfgang



From: Wolfgang Kern on

Willow wrote:

[about 0f a6 ...]

> You can see that they removed the opcode from ndisasm in its latest
> version. I hesitate to add an opcode that is invalid on modern CPUs.

I have this listed as an invalid opcode and it produces exc06 also on
my old 486.

> I want to add cmpxchg486, but I need to know two things about it: what
> is the size of the r/m argument, and is it a lockable instruction?

The size of r/m fields?
Aren't these almost always three bits? (also in and for SIB)
(long mode only: the fourth bit may join in from the REX prefix)

ie: 0F B1 mod/r/rm   CMPXCHG rm,r        ;(E)AX is quietly implied
    0F B1 CA         CMPXCHG edx,ecx     ;no LOCK allowed
    0F B1 0A         CMPXCHG [edx],ecx   ;Lockable

Lock rules should be common:
if the destination is a memory operand (regardless of whether a change occurs).

XADD is lockable too, even if not required, because it locks anyway.

> Got to add some intelligence to the disassembler...

Even if hard, smart coding is a good idea indeed :)
but try not to bloat the whole story too much ...
__
wolfgang
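
The ModRM/REX point and the LOCK rule in the post above, together with the
use16/use32 question from the earlier post, as an added Python example (this is
not code from DisAss, crudasm or ndisasm): a decoder for just the CMPXCHG
(0F B0/B1) and XADD (0F C0/C1) opcodes that takes the code segment's default
size as a parameter, so the same bytes can be shown in 16-, 32- and 64-bit
decoding, and reports whether a LOCK prefix is permitted. The `decode` function,
the `Decoded` fields and the `mode` parameter are this example's own names; the
67 address-size prefix, segment overrides and all other opcodes are deliberately
not handled. Two caveats a practitioner wants here: a LOCK prefix on a register
destination raises #UD, and the only instruction that locks a memory destination
implicitly is XCHG, so XADD needs an explicit LOCK prefix to be atomic.

```python
"""Added example: decode CMPXCHG/XADD in 16-, 32- or 64-bit code and apply the
LOCK rule (lockable only when the destination r/m operand is memory).
Not from any project in the thread; function and field names are this example's."""
from dataclasses import dataclass

REG8     = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
REG8_REX = ["al", "cl", "dl", "bl", "spl", "bpl", "sil", "dil"] + [f"r{i}b" for i in range(8, 16)]
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"] + [f"r{i}w" for i in range(8, 16)]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"] + [f"r{i}d" for i in range(8, 16)]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"] + [f"r{i}" for i in range(8, 16)]
ADDR16 = ["bx+si", "bx+di", "bp+si", "bp+di", "si", "di", "bp", "bx"]  # 16-bit ModRM r/m forms
SIZE_NAME = {8: "byte", 16: "word", 32: "dword", 64: "qword"}
OPCODES = {0xB0: "cmpxchg", 0xB1: "cmpxchg", 0xC0: "xadd", 0xC1: "xadd"}  # second opcode byte after 0F


@dataclass
class Decoded:
    text: str          # what a disassembler would print
    length: int        # bytes consumed
    lockable: bool     # destination is a memory operand
    lock_valid: bool   # False when a LOCK prefix sits on a register destination (#UD)


def _fmt_addr(parts, disp):
    """Join base/index parts and displacement into a NASM-style address."""
    if disp or not parts:
        parts.append(f"{disp:#x}" if disp >= 0 else f"-{-disp:#x}")
    return "+".join(parts).replace("+-", "-")


def decode(code: bytes, mode: int = 32) -> Decoded:
    """mode is the segment's default size: 16 (use16), 32 (use32) or 64 (long mode)."""
    assert mode in (16, 32, 64)
    i, lock, opsize = 0, False, False
    while code[i] in (0xF0, 0x66):          # only the prefixes that matter here
        lock |= code[i] == 0xF0
        opsize |= code[i] == 0x66
        i += 1
    rex = 0
    if mode == 64 and 0x40 <= code[i] <= 0x4F:   # REX is only a prefix in long mode
        rex, i = code[i], i + 1
    if code[i] != 0x0F or code[i + 1] not in OPCODES:
        raise ValueError("not a CMPXCHG/XADD encoding")
    op, modrm = code[i + 1], code[i + 2]
    i += 3
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7          # three bits each
    rex_w, rex_r, rex_x, rex_b = (rex >> 3) & 1, (rex >> 2) & 1, (rex >> 1) & 1, rex & 1
    if op in (0xB0, 0xC0):
        size = 8
    elif rex_w:
        size = 64
    else:                                   # 66 toggles the segment's default operand size
        size = (32 if opsize else 16) if mode == 16 else (16 if opsize else 32)
    regs = {8: REG8_REX if rex else REG8, 16: REG16, 32: REG32, 64: REG64}[size]
    src = regs[reg | rex_r << 3]            # REX.R supplies the fourth bit of reg
    if mod == 3:
        dest = regs[rm | rex_b << 3]        # register destination: never lockable
    else:
        disp_size = {0: 0, 1: 1, 2: 2 if mode == 16 else 4}[mod]
        if mode == 16:
            parts = [] if (mod == 0 and rm == 6) else [ADDR16[rm]]   # mod=00 rm=110 is disp16
            if not parts:
                disp_size = 2
        else:
            addr = REG64 if mode == 64 else REG32
            if rm == 4:                     # SIB byte follows
                sib = code[i]
                i += 1
                scale = 1 << (sib >> 6)
                idx = ((sib >> 3) & 7) | rex_x << 3
                parts = [] if (sib & 7) == 5 and mod == 0 else [addr[(sib & 7) | rex_b << 3]]
                if not parts:               # base=101 with mod=00 means disp32, no base
                    disp_size = 4
                if idx != 4:                # index 100 without REX.X means "no index"
                    parts.append(f"{addr[idx]}*{scale}")
            elif rm == 5 and mod == 0:      # disp32 in 32-bit code, rip-relative in 64-bit
                disp_size, parts = 4, (["rip"] if mode == 64 else [])
            else:
                parts = [addr[rm | rex_b << 3]]
        # a bare displacement is an absolute address; one relative to a register is signed
        disp = int.from_bytes(code[i:i + disp_size], "little", signed=bool(parts)) if disp_size else 0
        i += disp_size
        dest = f"{SIZE_NAME[size]} [{_fmt_addr(parts, disp)}]"
    mem = mod != 3
    text = f"{'lock ' if lock else ''}{OPCODES[op]} {dest},{src}"
    return Decoded(text, i, lockable=mem, lock_valid=(not lock) or mem)


if __name__ == "__main__":
    # the two encodings from the post, shown under each segment default size
    for hexstr in ("0F B1 CA", "0F B1 0A", "66 0F B1 0A", "F0 0F B1 CA"):
        for mode in (16, 32, 64):
            d = decode(bytes.fromhex(hexstr), mode)
            print(f"use{mode}: {hexstr:<12} {d.text:<32} lockable={d.lockable} lock_valid={d.lock_valid}")
```

Run it as a script to see how the same three bytes flip between `word [bp+si]`
and `dword [edx]` depending only on the use16/use32 assumption, which is exactly
the decision a mode-switch detector has to get right before any of the operand
text is trustworthy.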



From: NathanCBaker on
On Aug 14, 5:52 am, "Wolfgang Kern" <nowh...(a)never.at> wrote:
> >> a disassembler could be able to detect code flow and mode changes within
> >> the code under test also in a static analysis and insert 'use16/use32'..
> >> And that's just one point why I designed my 'DisAss core' this way.
> > What was the other reason?
>
> The final target is an automated, static code analyser/converter.
> A problem still is the huge amount of required memory when
> external references or selfmodified code join in.

You really enjoy the really challenging/complex asm projects, don't
you?

>
> > Every "hillfolk" farmer wants 'DisAss' to be better than 'DatAss'.  :)
>
> :) yep, also valid for the Red-Neck-Clans around 'fort worse' :).

I'm guessing that 'fort worse' is European for what we call the "white
trash" areas. But, the truth is, here in the USA, nothing is confined
to "area" exactly. Doesn't matter if you look in the city or the
country -- you will find an elaborate mansion right next door to a
shack... and you won't be able to decide if that shack is intended to
be a chicken-coop, an out-house, or if someone is actually living
there.

Rural regions that are distant from urban centers and lack some modern
conveniences are termed BFE -- "Bum-Fucked Egypt" ... the really
really difficult to reach places (needing 4-wheel drive or ATV) are
affectionately called "God's Country" and are valued for their
recreation use (and to tease naive urbanites about how "scary",
"backwards", etc. things are there :)

> I acually named my data-base find/merge module 'DatAss'.

Dang, I'm good! I can remotely write Makefiles _and_ I can predict
your filenames. It is "official" now -- I am ESP gifted! :)

>
> > But, would it be a "waste of time" (except as a learning experience)
> > to perfect that feature?  Combined 16/32-bit code is rare (not
> > counting the DOS-stub in PE files).
>
> Yes for most case, but if you ever had to do this manually you
> may eagerly ask for this feature.
>

And many newbies would probably appreciate the feature. I'm almost
starting to get an itch to take up Chuck's postponed task on ndisasm.

> > Probably better to spend time teaching the disassembler how to
> > interpret PE and Elf headers so the user doesn't waste time
> > guessing the "magic parameters".
>
> Oh yes, I'd rank this before the 16/32 detection and it might be
> easier to implement, but I'd made header structures transparent
> (so editable lateron).
>

Yes, this is the part I think would be interesting to tackle. I might
just talk myself into this.

Nathan.

From: Rod Pemberton on
"Willow" <wrschlanger(a)gmail.com> wrote in message
news:238433ba-ed92-404a-92ff-daa290bf29a7(a)m44g2000hsc.googlegroups.com...
> I want to add cmpxchg486, but I need to know two things about it: what
> is the size of the r/m argument, and is it a lockable instruction?

Lockable? No idea. I'd think the r/m is just like the other instructions.
"cmpxchg486" should still be in the AMD and Intel instruction manuals, yes?

> Don't even think about trying 64-bit
> instructions,

I'll D/L it. I think the older NASM insns.dat doesn't have 64-bit
instructions. I haven't tried any 32-bit disassembly w/Crudasm and don't
have a .asm file setup for 32-bits. But, I'll try more of the 16-bit.

> floating point instructions, MMX/SSE etc. instructions,
> or exotic undocumented opcodes that are no longer valid on the latest
> CPUs (like cmpxchg486 :-)

Well, I'll have to see if I can exec 2.02... (I'm not sure if it runs on my
OS.) I don't intend to create a new insns.data from 2.02's version, or try
32-bits disassembly, 64-bits, etc. But, hopefully, with a couple of
directives or a few disassemblies, I can weed out many that 2.02 doesn't
support. The remainder may find some errors. But, I may still end up
sending you some wrong ones.

BTW, my winzip and pkzip didn't like the ".zip" you posted. The file's
header indicates it's .rar. I'm good. 7-zip likes .rar's. ;-)


Rod Pemberton

From: Rod Pemberton on
"Willow" <wrschlanger(a)gmail.com> wrote in message
news:238433ba-ed92-404a-92ff-daa290bf29a7(a)m44g2000hsc.googlegroups.com...
> Can you do more testing on
> the latest version and let me know how it goes?

;Ndisasm is displaying ecx for certain loop instructions. Crudasm doesn't.
I'm not sure what's correct.

;Crudasm .07 (or 1.07?) 16-bit decoding on the left, Ndisasm 2.03.01 on the
right after the semicolon. Use a fixed width font, i.e., notepad.

o32 iretd ;iretd
lar eax,ebx ;lar eax,bx
ret word 0x0000 ;ret

;These offsets should be the byte offset forms of mov...
mov al,0x33 ;mov al,0x33
mov ax,0x0033 ;mov ax,0x33
mov eax,0x00000033 ;mov eax,0x33
mov bl,0x33 ;mov bl,0x33
mov bx,0x0033 ;mov bx,0x33
mov ebx,0x00000033 ;mov ebx,0x33

;sldt ax OK, sldt eax NOT
sldt ax ;sldt ax
sldt ax ;sldt eax

;o32's, missing spaces, odd placement of size, ?
o32 call far [0x33ff] ;call dword far [0x33ff]
call far0x3344:word 0x3344 ;call word 0x3344:0x3344
call far0xaabb:word 0x3344 ;call word 0xaabb:0x3344
call far0x3344:word 0xaabb ;call word 0x3344:0xaabb
o32 call far0xccdd:dword 0x00003344 ;call dword 0xccdd:0x3344
o32 call far0x3344:dword 0xaabbccdd ;call dword 0x3344:0xaabbccdd
o32 jmp far [0xccdd] ;jmp dword far [0xccdd]
o32 jmp far0xccdd:dword 0x00003344 ;jmp dword far [0xccdd]
o32 jmp far0x3344:dword 0xaabbccdd ;jmp dword 0x3344:0xaabbccdd
o32 jmp far [0xbbee] ;jmp dword far [0xbbee]

;Shift and rotate against fixed register cl...
;ror uses cl, but I'd check for correctness
;also sal is decoding as shl...
rcl bl,dl ;rcl bl,cl
rcl bx,dl ;rcl bx,cl
rcl ebx,dl ;rcl ebx,cl
rcr bl,bl ;rcr bl,cl
rcr bx,bl ;rcr bx,cl
rcr ebx,bl ;rcr ebx,cl
rol bl,al ;rol bl,cl
rol bx,al ;rol bx,cl
rol ebx,al ;rol ebx,cl
shl bl,ah ;shl bl,cl
shl bx,ah ;shl bx,cl
shl ebx,ah ;shl ebx,cl
sar bl,bh ;sar bl,cl
sar bx,bh ;sar bx,cl
sar ebx,bh ;sar ebx,cl
shr bl,ch ;shr bl,cl
shr bx,ch ;shr bx,cl
shr ebx,ch ;shr ebx,cl

;double shifts also against fixed register cl...
shld [0xbbee],ax,al ;shld [0xbbee],ax,cl
shld ax,bx,bl ;shld ax,bx,cl
shld [0xbbee],eax,al ;shld [0xbbee],eax,cl
shld eax,ebx,bl ;shld eax,ebx,cl
shrd [0xbbee],ax,al ;shrd [0xbbee],ax,cl
shrd ax,bx,bl ;shrd ax,bx,cl
shrd [0xbbee],eax,al ;shrd [0xbbee],eax,cl
shrd eax,ebx,bl ;shrd eax,ebx,cl

;xchg...
xchg bx,??? ;xchg ax,bx
xchg ebx,??? ;xchg eax,ebx
xchg bx,??? ;xchg ax,bx
xchg ebx,??? ;xchg eax,ebx
xchg byte [0xbbee],al ;xchg al,[0xbbee]
xchg bl,al ;xchg al,bl
xchg [0xbbee],ax ;xchg ax,[0xbbee]
xchg bx,??? ;xchg ax,bx
xchg [0xbbee],eax ;xchg eax,[0xbbee]
xchg ebx,??? ;xchg eax,ebx
xchg byte [0xbbee],al ;xchg al,[0xbbee]
xchg bl,al ;xchg al,bl
xchg [0xbbee],ax ;xchg ax,[0xbbee]
xchg bx,??? ;xchg ax,bx
xchg [0xbbee],eax ;xchg eax,[0xbbee]
xchg ebx,??? ;xchg eax,ebx

;unique decoding for string instructions
cmps byte [si],byte [es:di] ;cmpsb
cmps dword [si],dword [es:di] ;cmpsd
cmps word [si],word [es:di] ;cmpsw
ins byte [es:di],dx ;insb
ins dword [es:di],dx ;insd
ins word [es:di],dx ;insw
lods byte [si] ;lodsb
lods dword [si] ;lodsd
lods word [si] ;lodsw
movs byte [es:di],byte [si] ;movsb
movs dword [es:di],dword [si] ;movsd
movs word [es:di],word [si] ;movsw
outs dx,byte [si] ;outsb
outs dx,dword [si] ;outsd
outs dx,word [si] ;outsw
scas byte [es:di] ;scasb
scas dword [es:di] ;scasd
scas word [es:di] ;scasw
stos byte [es:di] ;stosb
stos dword [es:di] ;stosd
stos word [es:di] ;stosw

Good luck,


Rod Pemberton