Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Instruction Size (https://forum.exetools.com/showthread.php?t=7325)

visu 04-09-2005 16:17

Instruction Size
 
What is the simplest way to determine the size of an instruction? Basically, I have the memory address of an instruction and I'd like to know the next instruction's address.

Any existing source code ?

Visu

dyn!o 04-09-2005 16:38

Complex question.

It depends on the sort of protection you are working on.

1. Common software.
I would suggest a disassembler source engine (you can find a few on the net, as I remember also on the OllyDbg page). This will deal with all offsets.

2. Crypted software.
I would suggest an EIP logger, since some protections use polymorphic and/or metamorphic engines, so you will fail with a disassembler engine.

3. Crypted software with virtual machine.
This is the worst assumption. In this case I would suggest writing your own disassembler (for decompiling opcodes and, in some fancy protections, even operation types) and tracer (code flow execution control). A hard thing, but the most effective.

Regards.

Hero 04-09-2005 17:41

Hi visu
I assume that your program is running in debug mode. Run for a single-step event,
then take the difference of the EIP values from the CONTEXT (using GetThreadContext). This will be the
size.
If your program is not running (like a disassembler) you should use the CPU reference
for the instruction structure because the instruction lengths vary (1-14 bytes
for Intel)

sincerely yours

upb 04-09-2005 19:21

How will a polymorphic engine fail the disassembler?
The code will be different, but doesn't it still consist of x86 instructions?

Cobi 04-09-2005 22:12

You should read the "Intel Architecture Software Developer's Manual, Volume 2: Instruction Set Reference".
(I personally think it's written like crap, but try it yourself)
For a length-disassembler this should help you:
http://vx.netlux.org/lib/vzo16.html
Greetz, Cobi

dyn!o 04-09-2005 22:30

"how will a polymorphic engine fail the disassembler?"
A polymorphic engine, used in software protection (polymorphism, in the meaning of object-oriented languages, is a completely different thing), usually features code obfuscation. A "brainless" software disassembler will take the first companionate set of bytes as the instruction and miss many places in the log (you can try it in any debugger... take PeLock, as an example, and perform single-step tracing of the decryption code - you will understand what I mean).

"the code will be different but doesn't it still consist of x86 instructions?"
This time it is not only about different code but the obfuscation used in polymorphic engines. These tricks will fool the usual software disassembler.

drocon 04-10-2005 05:41

a simple LDE (length-disassembler engine) isn't hard to write; take a few days to digest the intel instruction encoding, and then just follow the chart. everything is pretty straightforward.

you'll be needing 2 tables, 256 bytes each, one for normal instructions, and one for 'extended' (0x0f) ones. In those tables, store flags for relevant information, such as: the instruction takes its param from modrm bytes, or it's naturally a 1-byte opcode, or maybe it accepts imm32 (such as B8 'mov', etc...)

when you load the opcode, simply match that value against the table, and from there, follow the encoding rules to determine the length. some stuff *may* be somewhat tricky though.

my suggestion would be to read up on:

http://www.pdos.lcs.mit.edu/6.828/2004/readings/i386/s17_02.htm

it's a lot simpler IMO than the intel books, cleaner, and as for the table, look for Sang Cho's disassembly/assembly table, available on google.

if you're completely unfamiliar with the instruction encoding, i suggest you read The Svin's opcode tutorials, available at the win32asm boards (boards.win32asmcommunity.com)

hope it helps

-drocon
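
A minimal length disassembler along the lines drocon describes, added here as an example (it is not drocon's code nor any of the engines named in this thread). It assumes 32-bit mode, fills in only a common subset of opcodes, and reports -1 for anything it does not model, so a caller never silently mis-steps over an unknown opcode.

```c
/* Added example (not drocon's or any project's code): a minimal 32-bit x86 length
 * disassembler built the way drocon describes: flag tables indexed by opcode, then the
 * ModR/M, SIB and displacement rules. Subset only; x87, 0x67 and groups F6/F7 give -1. */
#include <stdint.h>
#include <string.h>
enum { MODRM = 1, IMM8 = 2, IMM16 = 4, IMM32 = 8, REL8 = 16, REL32 = 32, PFX = 64, UNK = 128 };
static uint8_t t1[256], t2[256];                   /* one-byte opcodes, 0F-escaped opcodes */
void init_tables(void) {
    memset(t1, UNK, 256); memset(t2, UNK, 256);     /* anything not listed below is unknown */
    for (int i = 0; i < 0x40; i += 8) {            /* add/or/adc/sbb/and/sub/xor/cmp */
        t1[i] = t1[i + 1] = t1[i + 2] = t1[i + 3] = MODRM;
        t1[i + 4] = IMM8; t1[i + 5] = IMM32;
    }
    t1[0x26] = t1[0x2E] = t1[0x36] = t1[0x3E] = t1[0x64] = t1[0x65] = PFX;  /* segment overrides */
    t1[0x66] = t1[0xF0] = t1[0xF2] = t1[0xF3] = PFX;   /* operand-size, lock, rep (0x67 left out) */
    for (int i = 0x40; i < 0x60; i++) t1[i] = 0;   /* inc/dec/push/pop r32: opcode byte only */
    for (int i = 0x70; i < 0x80; i++) t1[i] = REL8;    /* jcc rel8 */
    for (int i = 0x84; i < 0x90; i++) t1[i] = MODRM;   /* test/xchg/mov/lea/pop r/m */
    for (int i = 0xB0; i < 0xB8; i++) t1[i] = IMM8;    /* mov r8, imm8 */
    for (int i = 0xB8; i < 0xC0; i++) t1[i] = IMM32;   /* mov r32, imm32 (drocon's B8 example) */
    t1[0x80] = t1[0x83] = MODRM | IMM8; t1[0x81] = MODRM | IMM32;        /* group 1 */
    t1[0xC6] = MODRM | IMM8; t1[0xC7] = MODRM | IMM32; t1[0xFF] = MODRM; /* mov r/m,imm; group 5 */
    t1[0xC2] = IMM16; t1[0xC3] = t1[0xC9] = t1[0xCC] = t1[0x90] = 0;    /* ret, leave, int3, nop */
    t1[0xE8] = t1[0xE9] = REL32; t1[0xEB] = REL8; t1[0x68] = IMM32; t1[0x6A] = IMM8; /* call/jmp, push */
    for (int i = 0x80; i < 0x90; i++) t2[i] = REL32;   /* 0F 8x: jcc rel32 */
    for (int i = 0x90; i < 0xA0; i++) t2[i] = MODRM;   /* 0F 9x: setcc r/m8 */
    t2[0xAF] = t2[0xB6] = t2[0xB7] = MODRM;            /* imul r,r/m; movzx */
}
/* Length of the instruction at p (n bytes readable), or -1 if unknown or truncated. */
int insn_len(const uint8_t *p, size_t n) {
    const uint8_t *s = p, *e = p + n;
    int opsz16 = 0, fl;
    if (t1[0xD9] != UNK) init_tables();            /* lazy init: 0xD9 (x87) stays UNK once built */
    while (s < e && (t1[*s] & PFX)) opsz16 |= (*s++ == 0x66);  /* 66 halves imm32/rel32 */
    if (s >= e) return -1;
    if (*s == 0x0F) { if (++s >= e) return -1; fl = t2[*s++]; } else fl = t1[*s++];
    if (fl & UNK) return -1;
    if (fl & MODRM) {
        if (s >= e) return -1;
        uint8_t mod = *s >> 6, rm = *s++ & 7;
        if (mod != 3 && rm == 4) {                        /* SIB byte follows */
            if (s >= e) return -1;
            if ((*s++ & 7) == 5 && mod == 0) s += 4;      /* base=101 with mod 00: disp32, no base */
        }
        s += mod == 1 ? 1 : (mod == 2 || (mod == 0 && rm == 5)) ? 4 : 0; /* disp8 / disp32 / [disp32] */
    }
    if (fl & (IMM8 | REL8)) s += 1; if (fl & IMM16) s += 2;
    if (fl & (IMM32 | REL32)) s += opsz16 ? 2 : 4;
    return s > e ? -1 : (int)(s - p);
}
```

To answer visu's question, add the returned length to the current address to get the next instruction's address; a -1 means the table needs extending (or, as dyn!o warns, the bytes are not plain code).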

taipan 04-24-2005 01:34

Quote:

Originally Posted by visu
What is the simplest way to determine the size of an instruction?

EliCZ wrote a small prg for this. It's very good!

hxxp://www.anticracking.sk/elicz/export/X86IL.zip

doug 04-24-2005 08:20

There is a ton of those on the net.
Bengaly (PVDasm) offers one, there's one on the ollydbg website, z0mbie wrote a few (google for ADE32, LDE; his website seems down). If all you need is the length of the instruction, then the simplest solution is probably ADE32 or, as taipan wrote, ELiCZ's X86IL.

It's a good exercise to write one yourself; you'll master the instruction format afterwards.

goggles99 05-16-2005 18:23

Just to add one more that I have found (and actually used). It's written in C++;
it's called InstLenDisasm, and you can find it here.
http://www.security.org.sg/code/antihookexec.html <-- interesting article too btw
look inside the antihookexec zip file.

also, since z0mbie's website seems to be gone, you can get ADE32, LDE, and XDE
here
http://www.madchat.org/vxdevl/engines/
or here
http://vx.netlux.org/vx.php?id=eidx&page=0
:)

