The fool encoder

Started by Grincheux, January 13, 2016, 03:13:01 PM


Grincheux

0040102B: 67 81 06 11 01 78 56 34 12 add         dword ptr ds:[0000h],12345678h

I don't understand this form of coding: I change bytes 3 and 4, and I always get the same result!

It looks like this form:

00401001 81 05 00 00 00 00 78 56 34 12 add         dword ptr ds:[0],12345678h
0040100B 81 05 FE CA 00 00 78 56 34 12 add         dword ptr ds:[0CAFEh],12345678h

Look at : Here
Kenavo (Bye)
----------------------
Help me if you can, I'm feeling down...

dedndave

Perhaps you've found a bug in either the assembler or the disassembler.

0040102B: 67 81 06 11 01 78 56 34 12 add         dword ptr ds:[0000h],12345678h

I believe that the 67h is a size override operator, which is out of place,
as though you are assembling 32-bit code in a 16-bit segment.

If we throw that away, I get

81 06 11 01 78 56 add dword ptr ds:[esi],56780111h ;(DS segment override implied)
34 12             xor     al,12h

guga

Exactly.

It has only one way to be a valid instruction (packuswb): when used after 0F (or with the other escape prefix 066).
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com
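The 67h byte under discussion is the x86 address-size override prefix. In a 32-bit code segment it makes the ModRM byte and the displacement that follows it obey the 16-bit addressing rules, so the same bytes decode differently with and without it. As an added example, not code from the thread or from any of the tools named in it, the decoder below handles the `81 /0` (add r/m32, imm32) form for the mod=00 ModRM cases that appear in the posted byte sequences. The function and constant names are this example's own, and MODIFIED_BYTES is a constructed variant of the posted sequence with bytes 3 and 4 changed.

```python
# Added example (not from the thread): decode the 'add dword ptr [mem], imm32'
# form (opcode 81 /0) as a 32-bit code segment would, with and without the
# 67h address-size override prefix. Only the mod=00 ModRM forms needed for the
# thread's byte sequences are handled; anything else raises ValueError.

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RM16 = ["bx+si", "bx+di", "bp+si", "bp+di", "si", "di", "bp", "bx"]


def decode_add_imm32(code: bytes) -> dict:
    """Decode one ADD r/m32, imm32 instruction from the start of `code`.
    Returns the operand text, displacement, immediate and bytes consumed."""
    pos, addr16 = 0, False
    while code[pos] == 0x67:          # address-size override: 32 -> 16-bit addressing
        addr16, pos = True, pos + 1
    if code[pos] != 0x81:
        raise ValueError("expected opcode 81h")
    modrm = code[pos + 1]
    pos += 2
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 0:
        raise ValueError("81 /%d is not ADD" % reg)
    if mod != 0:
        raise ValueError("only mod=00 forms are handled")
    disp = None
    if addr16:
        if rm == 6:                   # 16-bit ModRM: mod=00 rm=110 is a bare disp16
            disp = int.from_bytes(code[pos:pos + 2], "little")
            pos += 2
            operand = "ds:[%04Xh]" % disp
        else:
            operand = "[%s]" % RM16[rm]
    else:
        if rm == 5:                   # 32-bit ModRM: mod=00 rm=101 is a bare disp32
            disp = int.from_bytes(code[pos:pos + 4], "little")
            pos += 4
            operand = "ds:[%08Xh]" % disp
        elif rm == 4:
            raise ValueError("SIB forms are not handled")
        else:
            operand = "[%s]" % REG32[rm]   # rm=110 without the prefix is [esi]
    imm = int.from_bytes(code[pos:pos + 4], "little")
    pos += 4
    return {"text": "add dword ptr %s,%08Xh" % (operand, imm),
            "disp": disp, "imm": imm, "length": pos}


# Byte sequences quoted in the thread, plus one constructed variant with
# bytes 3 and 4 changed to show that the displacement depends on them.
THREAD_BYTES = bytes.fromhex("678106110178563412")
THREAD_BYTES_NO_PREFIX = bytes.fromhex("810611017856")
THREAD_BYTES_DISP32 = bytes.fromhex("8105FECA000078563412")
MODIFIED_BYTES = bytes.fromhex("678106220278563412")

if __name__ == "__main__":
    for b in (THREAD_BYTES, THREAD_BYTES_NO_PREFIX, THREAD_BYTES_DISP32, MODIFIED_BYTES):
        print(b.hex(" "), "->", decode_add_imm32(b)["text"])
```

With the prefix present, the two bytes after the ModRM byte are a 16-bit displacement and the instruction is nine bytes long; with the prefix dropped, ModRM 06 selects [esi] and the next four bytes become the immediate, which is exactly the alternative reading given above. A disassembler that prints the same address whatever bytes 3 and 4 contain is therefore not reporting what the CPU would use.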

Grincheux

http://www.phrio.biz/mediawiki/Strange_Codings

I list here all the codes that seem strange

That could be a way for a terrorist to pass a message
That could serve to install a protection...

Grincheux

I made three disassemblies:

• Visual Studio 2015
• Borg
• dumppe (Masm)

With Borg and DumpPe the strange codes are not only with Visual Studio.
I ask myself why? MS does know its disassembly is bad!

guga

VS and dumppe are far from being usable disassemblers. At most you can use them to get some basic notions of some small chunks, but they are not to be used on a regular daily basis.

Borg is extremely old. The last time I used it was more than 15 years ago. But why are you using such tools? There are much, much better ones for you to start with.

Two of them are free and open source (RosAsm and Olly, the disasm engine I mean). The other is commercial and extremely expensive (IdaPro, but... you can find it ;) )

If you want to write your own disassembler, I strongly suggest you read the RosAsm source code. It is way easier than it seems.

Grincheux

I don't know how to use the RosAsm Disassembler.

guga

Use the disassembler or its source?

To use it, all you have to do is open a PE file in it. It will disassemble it automatically.

About the source code, you need to study the syntax, but it is not hard to follow. Look at small examples first (Iczelion's, Test Department etc.)

Grincheux

First use the disassembler

Grincheux

[Data04265CC: D$ 01000000, 03000200, 0400, 0BBCCDD05, 0600AA, 080007, 0A0009
                 0C000B, 0CCDD0D00, 0E00AABB, 010000F00, 012001100, 014001300
                 0DD150000, 0AABBCC, 0170016, 0190018, 01B001A, 01D00001C
                 0AABBCCDD, 01F001E00]
Code0426620: A0:
    push esi
    push ebx
    fxsave X$Virtual0463020
    xchg eax ebx
    xor edx edx
    cmp ebx 0B | jne C8>  ; Code042663C
    dec ebx
   
Code0426632: B8:
    call Code042664B
    dec ebx | jns B8<  ; Code0426632
jmp D3>  ; Code042664

RosAsm DisAssembly!

guga


To see how accurate it was, I would need to look at the file to see the rest of the code but...

[Data04265CC: D$ 01000000, 03000200, 0400, 0BBCCDD05, 0600AA, 080007, 0A0009
                 0C000B, 0CCDD0D00, 0E00AABB, 010000F00, 012001100, 014001300
                 0DD150000, 0AABBCC, 0170016, 0190018, 01B001A, 01D00001C
                 0AABBCCDD, 01F001E00]

This is decoded as data. Everything between the brackets "[" "]" belongs to the data section. They are data. In this case, the data chain is formed by an array of DWORDs (D$).

Code0426620: A0:
    push esi
    push ebx
    fxsave X$Virtual0463020
    xchg eax ebx
    xor edx edx
    cmp ebx 0B | jne C8>  ; Code042663C
    dec ebx
   
Code0426632: B8:
    call Code042664B
    dec ebx | jns B8<  ; Code0426632
jmp D3>  ; Code042664

X$ is a data type. This can be of any size. Since the target is a memory location and the opcode allows storing in bigger sizes (512 bytes in this case), the data type used is "X$", meaning that it uses a size that is not "conventional". By conventional I mean: dword, qword, word etc.

jne C8>  ... It is performing a jmp below that line. In this case, C8 is an address labelled in a short form. The token ">" means the direction of the jmp; in this case it is below that line of code (go down). If it was jumping before it, the sign would be "<". Same as forward/backward (or up/down).

Virtual0463020: an address in the virtual data section of the PE.

Code0426632: B8:  The disassembler uses readable labels. So, "Code" means that the address belongs to the code section and it is, in fact, code and not data. The number after it is the address. And the label "Data" (like in Data04265CC) means that the address is, in fact, data and belongs to the data section. "Virtual": the same concept, but it is a virtual address. The goal of any disassembler is basically to distinguish what is code and what is data, so they are labelled according to what they are.

The next token "B8" is just the short form of that address, useful for jumps to that location (more readable than having in a source tons of "je CodeXXXX", "jne CodeYYYYY" all over the place). Nevertheless, we make a reference to the address in a comment on the same line, as in "jns B8<  ; Code0426632" (it will jmp to Code0426632, which is also labelled as "B8"). That address is written as "Code0426632: B8:".

The ":" sign means the address is a label (in this case, a code label).

Basically, all the values in the disassembled data are in hexadecimal form (0 in front of the value, as in 01F001E00). There are a few cases when it disassembles as decimal, but in RosAsm the syntax of the data is trivial: 0 in front for hex (0A, 0B, 0FFFF etc.) and without the zero for decimal (9, 1, 125256, 777 etc.). For binary there are double zeroes followed by a "_" sign, "00_" (00__0001, 00__0000_0001__0000_0000 etc.).

Also, for hex the "h" char at the end is acceptable (but it still needs the 0 at the start), 0FFFFFEFFh for example.

call Code042664B: a call to a function labelled as "Code042664B", meaning that at address 042664B there is a function.
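As an added example, not code from the thread and not RosAsm's own code, the helpers below apply the listing conventions explained above to the listing quoted in this thread: a parser for the numeric literal syntax (leading 0 for hex with an optional trailing h, no leading 0 for decimal, 00_ for binary with "_" separators), extraction of the D$ array from the [Data...] block, and a resolver that turns the short labels B8<, C8> and D3> back into the full Code labels by scanning backwards for "<" and forwards for ">". SAMPLE_LISTING is the Code0426620 routine and its preceding data block as they appear in the thread; the function and constant names are this example's own. The data_block_end check shows that the 21 dwords at Data04265CC run exactly up to the Code0426620 label, which is what a correct code/data split should give.

```python
import re

# Added example (not from the thread, not RosAsm's own code): helpers that
# apply the RosAsm listing conventions described in the thread to the
# listing quoted there. SAMPLE_LISTING is copied from the thread.
SAMPLE_LISTING = """\
[Data04265CC: D$ 01000000, 03000200, 0400, 0BBCCDD05, 0600AA, 080007, 0A0009
                 0C000B, 0CCDD0D00, 0E00AABB, 010000F00, 012001100, 014001300
                 0DD150000, 0AABBCC, 0170016, 0190018, 01B001A, 01D00001C
                 0AABBCCDD, 01F001E00]

Code0426620: A0:
    push esi
    push ebx
    fxsave X$Virtual0463020
    xchg eax ebx
    xor edx edx
    cmp ebx 0B | jne C8>  ; Code042663C
    dec ebx

Code0426632: B8:
    call Code042664B
    dec ebx | jns B8<  ; Code0426632
jmp D3>  ; Code0426641

Code042663C: C8:
    call Code042664B

Code0426641: D3:
    fxrstor X$Virtual0463020
    pop ebx
    pop esi
    ret
"""

DATA_RE = re.compile(r"\[(Data[0-9A-F]+):\s*D\$\s*(.*?)\]", re.S)
LABEL_RE = re.compile(r"^(Code[0-9A-F]+):\s*([0-9A-F]{2}):")
SHORT_REF_RE = re.compile(r"\b(j[a-z]+)\s+([0-9A-F]{2})([<>])")


def parse_rosasm_number(tok: str) -> int:
    """Literal rules from the thread: a leading 0 marks hex (trailing 'h'
    allowed), no leading 0 means decimal, '00_' introduces binary with '_'
    as an optional separator."""
    t = tok.strip()
    if t.startswith("00_"):
        bits = t[3:].replace("_", "")
        if not bits or set(bits) - {"0", "1"}:
            raise ValueError("bad binary literal: %r" % tok)
        return int(bits, 2)
    if len(t) > 1 and t[0] == "0":
        return int(t[1:].rstrip("hH"), 16)
    if t.isdigit():
        return int(t, 10)
    raise ValueError("not a RosAsm number: %r" % tok)


def parse_data_block(listing: str):
    """Return (label, [dword values]) for the first [Data...: D$ ...] block."""
    m = DATA_RE.search(listing)
    if not m:
        raise ValueError("no D$ data block found")
    label, body = m.group(1), m.group(2)
    values = [parse_rosasm_number(t) for t in re.split(r"[\s,]+", body) if t]
    return label, values


def data_block_end(label: str, values: list) -> int:
    """Address just past the block: label address plus 4 bytes per dword."""
    return int(label[len("Data"):], 16) + 4 * len(values)


def resolve_short_jumps(listing: str):
    """Map each 'jxx NN<' / 'jxx NN>' to the full Code label it refers to,
    scanning backwards for '<' and forwards for '>'."""
    lines = listing.splitlines()
    out = []
    for i, line in enumerate(lines):
        m = SHORT_REF_RE.search(line)
        if not m:
            continue
        mnem, short, direction = m.groups()
        scan = range(i - 1, -1, -1) if direction == "<" else range(i + 1, len(lines))
        target = None
        for j in scan:
            lm = LABEL_RE.match(lines[j].strip())
            if lm and lm.group(2) == short:
                target = lm.group(1)
                break
        out.append((mnem, short + direction, target))
    return out


if __name__ == "__main__":
    label, values = parse_data_block(SAMPLE_LISTING)
    print(label, ["%08X" % v for v in values])
    print("next address after data: %X" % data_block_end(label, values))
    for ref in resolve_short_jumps(SAMPLE_LISTING):
        print(ref)
```

The resolver returns the same full labels that the listing records in the trailing "; Code..." comments, so it can double as a consistency check when reading a listing by hand: a short reference whose target comes back as None points at a label that is missing or lies in the other direction.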

Grincheux

Here is the whole project with the RosAsm source file.
Use 7zip to decompress:

http://www.7-zip.org/download.html

guga

Like I said, it is data correctly interpreted as such:

Rosasm listing:

Main:
Code0426580: A0:
    push ebp
    mov ebp esp
    sub esp 08
    push 00
    push 080
    push 02
    push 00
    push 00
    push 040000000
    push Data0462260
    call 'kernel32.CreateFileA'
    mov D$ebp-04 eax
    push 00
    lea eax D$ebp-08
    push eax
    push 036260
    push Data042C000
    push D$ebp-04
    call 'kernel32.WriteFile'
    push D$ebp-04
    call 'kernel32.CloseHandle'
    push 00
    call 'kernel32.ExitProcess'

[Data04265CC: D$ 01000000, 03000200, 0400, 0BBCCDD05, 0600AA, 080007, 0A0009
                 0C000B, 0CCDD0D00, 0E00AABB, 010000F00, 012001100, 014001300
                 0DD150000, 0AABBCC, 0170016, 0190018, 01B001A, 01D00001C
                 0AABBCCDD, 01F001E00]

Code0426620: A0:
    push esi
    push ebx
    fxsave X$Virtual0463020
    xchg eax ebx
    xor edx edx
    cmp ebx 0B | jne C8>  ; Code042663C
    dec ebx
   
Code0426632: B8:
    call Code042664B
    dec ebx | jns B8<  ; Code0426632
jmp D3>  ; Code0426641
   
Code042663C: C8:
    call Code042664B
   
Code0426641: D3:
    fxrstor X$Virtual0463020
    pop ebx
    pop esi
    ret

IdaPro listing:

; =============== S U B R O U T I N E =======================================

; Attributes: noreturn bp-based frame

public start
start proc near

NumberOfBytesWritten= dword ptr -8
hFile = dword ptr -4

push ebp
mov ebp, esp
sub esp, 8
push 0 ; hTemplateFile
push 80h ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push 0 ; lpSecurityAttributes
push 0 ; dwShareMode
push 40000000h ; dwDesiredAccess
push offset asc_462260 ; "C:\\Users\\Grincheux\\Documents\\PrjJwA"...
call CreateFileA
mov [ebp+hFile], eax
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push 36260h ; nNumberOfBytesToWrite
push offset unk_42C000 ; lpBuffer
push [ebp+hFile] ; hFile
call WriteFile
push [ebp+hFile] ; hObject
call CloseHandle
push 0 ; uExitCode
call ExitProcess
start endp

; ---------------------------------------------------------------------------
dd 1000000h, 3000200h, 400h, 0BBCCDD05h, 600AAh, 80007h
dd 0A0009h, 0C000Bh, 0CCDD0D00h, 0E00AABBh, 10000F00h
dd 12001100h, 14001300h, 0DD150000h, 0AABBCCh, 170016h
dd 190018h, 1B001Ah, 1D00001Ch, 0AABBCCDDh, 1F001E00h

; =============== S U B R O U T I N E =======================================


sub_426620 proc near ; CODE XREF: sub_426DC8+9AFp
; sub_427EB7+18Bp ...
push esi
push ebx
fxsave ds:dword_463020
xchg eax, ebx
xor edx, edx
cmp ebx, 0Bh
jnz short loc_42663C
dec ebx

loc_426632: ; CODE XREF: sub_426620+18j
call sub_42664B
dec ebx
jns short loc_426632
jmp short loc_426641
; ---------------------------------------------------------------------------

loc_42663C: ; CODE XREF: sub_426620+Fj
call sub_42664B

loc_426641: ; CODE XREF: sub_426620+1Aj
fxrstor ds:dword_463020
pop ebx
pop esi
retn
sub_426620 endp

The only difference is that I didn't implement yet the macro and API recognition, the DIS system (Digital DNA, similar to FLAIR). But the raw interpretation of what is code and what is data is exactly the same.