Author Topic: disassembler  (Read 1813 times)

minor28

  • Member
  • **
  • Posts: 121
disassembler
« on: May 07, 2017, 09:45:43 PM »
I am writing a disassembler like dumpbin. At this point I can decode integer and FPU operations. SSE, VMX and SMX are next to work with.

My own programs are decoded correctly. But I have discovered some strange decodes in other programs that I wonder about. Dumpbins get the same results.

Code: [Select]
6E outs dx,byte ptr [esi]
67 ;no mnemonic. Prefix for 16 bit addressing
65 ;prefix for gs segment. 64 (next byte) is fs segment
64 00 4C 69 6E add byte ptr fs:[ecx+ebp*2+6Eh],cl
The combination 67 65 64 is strange for me. The first and the last lines are assembled correctly but all four are not.

 I wonder if anyone knows how these four lines should be coded in masm lang to give this result.

jj2007

  • Member
  • *****
  • Posts: 10543
  • Assembler is fun ;-)
    • MasmBasic
Re: disassembler
« Reply #1 on: May 07, 2017, 10:02:24 PM »
Try Olly: Select a range of lines well before and after the codes you are interested in, then hit Ctrl A like "analyse".

mineiro

  • Member
  • ****
  • Posts: 615
Re: disassembler
« Reply #2 on: May 07, 2017, 10:18:52 PM »
You can check on intel/amd manuals about opcode generation.
https://software.intel.com/en-us/articles/intel-sdm

On link below have a c source code of a disassembler that you can check too.
http://www.agner.org/optimize/#objconv
I'd rather be this ambulant metamorphosis than to have that old opinion about everything

minor28

  • Member
  • **
  • Posts: 121
Re: disassembler
« Reply #3 on: May 07, 2017, 10:42:56 PM »
With Ollydbg I found out that it appears that a lot of data is stored between two processes. This means that the dumpbin as well as my disassembler do not decode correctly when you save data that way.

The process after data
Code: [Select]
00 55 8B add byte ptr [ebp-75h],dl
EC in al,dx
insted of
Code: [Select]
55 puch EBP
8B EC mov EBP,ESP

Thanks

sinsi

  • Guest
Re: disassembler
« Reply #4 on: May 08, 2017, 06:32:52 AM »
Code: [Select]
6E outs dx,byte ptr [esi]
67 ;no mnemonic. Prefix for 16 bit addressing
65 ;prefix for gs segment. 64 (next byte) is fs segment
64 00 4C 69 6E add byte ptr fs:[ecx+ebp*2+6Eh],cl

Maybe they're not code bytes but text?
Code: [Select]
6E 67 65 64 00 4C 69 6E    nged.Lin

newrobert

  • Regular Member
  • *
  • Posts: 38
Re: disassembler
« Reply #5 on: May 08, 2017, 06:56:03 AM »
it's look like ascii code, maybe in .text session;