GaRY's Blog

Beginning is always beautiful

LDE32的C语言版本

2007.7.11更新:
VX Heavens上找到的.备份一下.
0x4553lde

It is based on the ADE32 disassembler engine by z0mbie, modified and ported to AT&T asm.

table.h - contains the table of opcodes from 0x00 to 0xFF; it defines the type of each one.

The main function is l_disasm(). It takes one parameter from the stack, a pointer to the array of data. The return value is in %eax: the length of the opcode.

Example:

 ...
mov data,%eax         # %eax = the data array described above
add $123,%eax         # data[123]: first byte of the instruction to measure
push %eax             # l_disasm takes that pointer as its single stack argument
call l_disasm         # the opcode length comes back in %eax
...


LDE32v1.6_for_asm
LDE32_for_vc

LDE32 is a library which may be used to determine the length of any x86 instruction, i.e. to provide partial disassembling. LDE32 has only two subroutines.
void pascal disasm_init(void* tableptr);
This subroutine is used to build the internal data table of 2048 byte length.
int pascal disasm_main(void* opcodeptr, void* tableptr);
This subroutine is used to disassemble one instruction. It returns the length of the instruction in bytes, or -1 if an error occurred. The subroutines preserve all registers; the code is offset-independent; no data is used except the 2k at *tableptr.


google真是个好东西.用找到的LDE32把前几天写的那个Ring3 Inline Hook Demo修改了一下,现在不用怕被hook函数前的opcode没有对齐咯: )
// LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE 
//C Language Edition
//Modified by Joerkky
//version 1.05 

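#ifndef _WINDEF_
/* Built without <windows.h>: DWORD is Windows' 32-bit unsigned integer. */
typedef unsigned int DWORD;
#endif

/*
 * LDE32 - length of one 32-bit x86 instruction.
 *
 * ADDR    first byte of the instruction.  The bytes are only read, and at
 *         most 18 of them: prefixes plus opcode are capped at 15 bytes, then
 *         at most one 0F second byte, one ModR/M byte and one SIB byte.
 *         Displacement and immediate bytes are counted, never read.
 * return  instruction length in bytes, or (DWORD)-1 when the two-byte opcode
 *         is unknown (t0 entry of -1) or 15 prefix bytes are seen without an
 *         opcode (no valid instruction is that long).
 *
 * Every table entry is a 16-bit flag word; the low byte describes prefixes,
 * addressing and displacement, the high byte immediates and ModR/M:
 *   low  0x08  prefix byte, fetch the next byte as opcode
 *        0x10  16-bit address size (67 prefix)
 *        0x20  moffs operand (A0-A3), size follows the address size
 *        0x01/0x02/0x04  displacement byte count
 *   high 0x10  16-bit operand size (66 prefix)
 *        0x20  imm16 or imm32 depending on operand size
 *        0x40  ModR/M byte follows
 *        0x80  immediate sized by the opcode's w bit (bit 0): imm8 if clear
 *        0x01/0x02/0x04  immediate byte count
 *
 * Corrections to the 1.05 C port as posted: the "else" after
 * "if (dl[0]&0x10)" was a dangling else that bound to the inner
 * "if (al[1]==0x40)", so 32-bit addressing never counted a displacement
 * (8B 45 08, mov eax,[ebp+8], came back as 2); the byte form of a w-bit
 * immediate must clear 0x20 as well as set imm8 (^0x21, the posted ^0x11 made
 * 04 12, add al,12h, come back as 4); "(DWORD)ecx-(DWORD)ADDR" truncated
 * pointers on 64-bit builds; the prefix loop had no upper bound, so a run of
 * prefix bytes could read arbitrarily far past ADDR.
 */
DWORD LDE32(void *ADDR)
{
    /* One-byte opcodes, one entry per opcode value 0x00..0xFF.  The index is
     * always a single byte, so each table must hold exactly 256 entries. */
    static const DWORD t1[256] = {
        /* 00 */ 0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,
        /* 08 */ 0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,
        /* 10 */ 0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,
        /* 18 */ 0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,
        /* 20 */ 0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,
        /* 28 */ 0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,
        /* 30 */ 0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,
        /* 38 */ 0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,
        /* 40 */ 0,0,0,0,0,0,0,0,
        /* 48 */ 0,0,0,0,0,0,0,0,
        /* 50 */ 0,0,0,0,0,0,0,0,
        /* 58 */ 0,0,0,0,0,0,0,0,
        /* 60 */ 0,0,0x4000,0x4000,8,8,0x1008,0x0018,
        /* 68 */ 0x2000,0x6000,0x0100,0x4100,0,0,0,0,
        /* 70 */ 0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,
        /* 78 */ 0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,
        /* 80 */ 0x4100,0x6000,0x4100,0x4100,0x4000,0x4000,0x4000,0x4000,
        /* 88 */ 0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,
        /* 90 */ 0,0,0,0,0,0,0,0,
        /* 98 */ 0,0,0x2002,0,0,0,0,0,
        /* A0 */ 0x0020,0x0020,0x0020,0x0020,0,0,0,0,
        /* A8 */ 0x0100,0x2000,0,0,0,0,0,0,
        /* B0 */ 0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,
        /* B8 */ 0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,
        /* C0 */ 0x4100,0x4100,0x0200,0,0x4000,0x4000,0x4100,0x6000,
        /* C8 */ 0x0300,0,0x0200,0,0,0,0,0,
        /* D0 */ 0x4000,0x4000,0x4000,0x4000,0x0100,0x0100,0,0,
        /* D8 */ 0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,
        /* E0 */ 0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,
        /* E8 */ 0x2000,0x2000,0x2002,0x0100,0,0,0,0,
        /* F0 */ 8,0,8,8,0,0,0,0,
        /* F8 */ 0,0,0,0,0,0,0x4000,0x4000
    };
    /* Second byte of a 0F xx opcode; -1 marks an opcode the engine does not know. */
    static const DWORD t0[256] = {
        /* 00 */ 0x4000,0x4000,0x4000,0x4000,-1,-1,0,-1,
        /* 08 */ 0,0,0,0,-1,-1,-1,-1,
        /* 10 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* 18 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* 20 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* 28 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* 30 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* 38 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* 40 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* 48 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* 50 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* 58 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* 60 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* 68 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* 70 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* 78 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* 80 */ 0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,
        /* 88 */ 0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,
        /* 90 */ 0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,
        /* 98 */ 0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,
        /* A0 */ 0,0,0,0x4000,0x4100,0x4000,-1,-1,
        /* A8 */ 0,0,0,0x4000,0x4100,0x4000,-1,0x4000,
        /* B0 */ 0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,
        /* B8 */ -1,-1,0x4100,0x4000,0x4000,0x4000,0x4000,0x4000,
        /* C0 */ 0x4000,0x4000,-1,-1,-1,-1,-1,-1,
        /* C8 */ 0,0,0,0,0,0,0,0,
        /* D0 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* D8 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* E0 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* E8 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* F0 */ -1,-1,-1,-1,-1,-1,-1,-1,
        /* F8 */ -1,-1,-1,-1,-1,-1,-1,-1
    };
    enum { LDE32_MAX_INSN = 15 };      /* architectural maximum instruction length */

    const unsigned char *base = (const unsigned char *)ADDR;
    const unsigned char *p = base;
    unsigned char lo = 0;              /* low flag byte: prefix / addressing / displacement */
    unsigned char hi = 0;              /* high flag byte: immediate / ModR/M */
    unsigned char op;                  /* opcode byte (the second byte for 0F xx) */
    DWORD entry;

    /* Prefixes: each byte ORs its flags in; bit 0x08 means "fetch another". */
    do {
        if (p - base >= LDE32_MAX_INSN) {
            return (DWORD)-1;          /* prefix run longer than any real instruction */
        }
        lo &= 0xF7;
        op = *p++;
        entry = t1[op];
        lo |= (unsigned char)entry;
        hi |= (unsigned char)(entry >> 8);
    } while (lo & 0x08);

    if (op == 0xF6 || op == 0xF7) {
        /* Group 3: ModR/M always; only /0 (TEST) carries an immediate. */
        hi |= 0x40;
        if ((*p & 0x38) == 0) {
            hi |= 0x80;
        }
    } else if (op == 0xCD) {
        /* INT imm8; INT 20h is the VxD service call and is followed by a dword. */
        hi |= 0x01;
        if (*p == 0x20) {
            hi |= 0x04;
        }
    } else if (op == 0x0F) {
        op = *p++;
        entry = t0[op];
        if (entry == (DWORD)-1) {
            return (DWORD)-1;
        }
        lo |= (unsigned char)entry;
        hi |= (unsigned char)(entry >> 8);
    }

    if (hi & 0x80) {
        /* w bit clear: imm8 only; w bit set: imm16/32 through the 0x20 path below. */
        hi ^= 0x20;
        if (!(op & 0x01)) {
            hi ^= 0x21;
        }
    }

    if (hi & 0x40) {
        unsigned char modrm = *p++;
        unsigned char mod = modrm & 0xC0;
        unsigned char rm = modrm & 0x07;

        if (mod != 0xC0) {
            if (lo & 0x10) {
                /* 16-bit addressing: disp16 for mod=10 or for [bp] (mod=00, rm=110). */
                if ((rm == 6 && mod == 0x00) || mod == 0x80) {
                    lo |= 0x02;
                } else if (mod == 0x40) {
                    lo |= 0x01;
                }
            } else {
                /* 32-bit addressing: rm=100 adds a SIB byte whose base takes rm's role. */
                if (rm == 4) {
                    rm = *p++ & 0x07;
                }
                if (mod == 0x40) {
                    lo |= 0x01;
                } else if (mod == 0x80 || (rm == 5 && mod == 0x00)) {
                    lo |= 0x04;
                }
            }
        }
    }

    if (lo & 0x20) {
        /* moffs: 4 bytes, or 2 under a 67 prefix. */
        lo ^= 0x02;
        if (!(lo & 0x10)) {
            lo ^= 0x06;
        }
    }
    if (hi & 0x20) {
        /* imm32, or imm16 under a 66 prefix. */
        hi ^= 0x02;
        if (!(hi & 0x10)) {
            hi ^= 0x06;
        }
    }

    /* Bytes consumed so far plus the counted displacement and immediate bytes. */
    return (DWORD)(p - base) + (lo & 0x07) + (hi & 0x07);
}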

posted on 2007-05-30 20:10 wofeiwo 阅读(1501) 评论(1)  编辑 收藏 引用 网摘 所属分类: Programing

评论

# re: LDE32的C语言版本 2007-06-05 15:09 wofeiwo

这个LDE有点问题.
今天重新调了下hook,发现这个lde返回了错误的结果
sigh,以后hook还是要慢慢手工对比字节码保险  回复  更多评论   

