News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

Intel to AT&T syntax translation

Started by Jovanna, June 27, 2019, 12:12:53 AM

Previous topic - Next topic

Jovanna

Dear Friends,
Thanks to Carlos Garcia and his publication, he provided this Assembler code (used to detect VMware virtual machine):
   __asm
   {
      mov eax, 0x564D5868;              ascii: VMXh
      mov edx, 0x5658;              ascii: VX(port)
      in eax, dx;                   input from Port
      cmp ebx, 0x564D5868;              ascii: VMXh
      setz ecx;             if successful->flag = 0
      mov vmflag, ecx

      ret
   }
I need to translate it to AT&T syntax, because Code::Blocks require it, and this is difficult to me. Would you please help correcting my try:

int RetInt1 ()
{
   unsigned int vm_flag = 1;
   try
   {
           asm volatile(
           "movl $0x564d5868, %eax\n\t"
           "cpuid\n\t"
           "movl $0x5658, (%edx)\n\t"
           "cpuid\n\t"
           "in (%dx), %eax\n\t"
           "cmp $0x564d5868, %ebx\n\t"
           "setz %ecx\n\t"
           "movl (%ecx), vm_flag\n\t"
           );
   if (vm_flag == 0)
       {
        asm ("movl $1, %eax\n\t");       
        }
        else
        {
         asm ("movl $0, %eax\n\t");           
        }
   }
   catch (int e)
   {
      asm ("movl $0, %eax\n\t");      
   }
}
Thank you in advance.
Kind regards!!


jack

I am rather inexperienced in asm, but I do from time to time write small inline asm procedures
the two codes look different to me, there's no Cupid in top snippet, also, the parentheses around the operands look wrong to me.

aw27

This is another egg of Columbus.
One way to do it is disassemble with GDB, cause by default its disassembly-flavor is att

Jovanna

Hi Jack,
thanks for the answer.
I am absolutely beginner in assembler but need to inline some asm functions in C++ code.
I needed the At&T syntax because Code::Blocks IDE requires it (it was one of my 73 app-versions before to discover the existence of The Great Microsoft Visual C++ 2015 Redistributable Update 3 RC, (thanks to AW and TimoVJL).. (see my topic here: http://masm32.com/board/index.php?topic=7854.15)
btw:  dll-made by Code::Blocks was OK solution - it runs OK on a virtual machine (no need to add MSVS redistributables), but I needed VS for the dll too)
Anyway, I solved this problem with Visual Studio and I go on with the Intel-asm-syntaxis.
Kind regards

Jovanna

AW: interesting, but I don't have an idea how to do it...

LiaoMi

Quote from: Jovanna on July 05, 2019, 07:43:45 PM
Hi Jack,
thanks for the answer.
I am absolutely beginner in assembler but need to inline some asm functions in C++ code.
I needed the At&T syntax because Code::Blocks IDE requires it (it was one of my 73 app-versions before to discover the existence of The Great Microsoft Visual C++ 2015 Redistributable Update 3 RC, (thanks to AW and TimoVJL).. (see my topic here: http://masm32.com/board/index.php?topic=7854.15)
btw:  dll-made by Code::Blocks was OK solution - it runs OK on a virtual machine (no need to add MSVS redistributables), but I needed VS for the dll too)
Anyway, I solved this problem with Visual Studio and I go on with the Intel-asm-syntaxis.
Kind regards

Hi Jovanna,

maybe this technique will help you - https://stackoverflow.com/questions/199966/how-do-you-use-gcc-to-generate-assembly-code-in-intel-syntax, for this you need to install the Msys2 package https://www.msys2.org/

aw27

Using GDB is difficult, so if you have objdump in your Windows (may be installed with mingw), proceed like this:

1)
Assemble with MASM or with VS inline this :
(cortesy JWASM samples)


VMwareInstalled proc
    mov eax, 0564D5868h
    mov ebx, 08685D465h
    mov ecx, 10
    mov dx, 05658h
    in eax, dx
    cmp ebx, 564D5868h
    setz al
    movzx eax,al
ret
VMwareInstalled endp


2) Then run objdump -d test.exe


401000:       b8 68 58 4d 56          mov    $0x564d5868,%eax
401005:       bb 65 d4 85 86          mov    $0x8685d465,%ebx
40100a:       b9 0a 00 00 00          mov    $0xa,%ecx
40100f:       66 ba 58 56             mov    $0x5658,%dx
401013:       ed                      in     (%dx),%eax
401014:       81 fb 68 58 4d 56       cmp    $0x564d5868,%ebx
40101a:       0f 94 c0                sete   %al
40101d:       0f b6 c0                movzbl %al,%eax
401020:       c3                      ret


That's it.  :thumbsup:

As you noticed "carlos garcia" code is wrong, or incorrectly copied.

aw27

I did not like the output look, so I cooked a batch file to leave it better:


@echo off

"objdump.exe" -d test.exe > dumpin.txt
powershell -command "(Get-Content 'dumpin.txt') | Foreach-Object {$_ -replace '^\w.*','' -replace '^.*:\s*([0-9,a-f,A-F]{2}\s){1,9}\s{1,50}', ''} | Set-Content 'dumpout.txt'"


This is the end result:









mov    $0x564d5868,%eax
mov    $0x8685d465,%ebx
mov    $0xa,%ecx
mov    $0x5658,%dx
in     (%dx),%eax
cmp    $0x564d5868,%ebx
sete   %al
movzbl %al,%eax
ret   


As you can see, I could not figure out the way to remove the top blank lines in spite of various regex attempts. Any Regex expert here?  :sad:

TimoVJL

#8
Intel2GAS

EDIT: an old intel2gas.cc converted to C.

EDIT: It was for python 2, so some fixes for Python 3. Also masm to gas not supported.
May the source be with you

aw27

Got it (it needed another pipe):


@echo off

"objdump.exe" -d test.exe > dumpin.txt
powershell -command "(Get-Content 'dumpin.txt') | Foreach-Object {$_ -replace '^\w.*','' -replace '^.*:\s*([0-9,a-f,A-F]{2}\s){1,9}\s{1,50}', '' | select-string -pattern '^\w.*'} | Set-Content 'dumpout.txt'"


Output:


mov    $0x564d5868,%eax
mov    $0x8685d465,%ebx
mov    $0xa,%ecx
mov    $0x5658,%dx
in     (%dx),%eax
cmp    $0x564d5868,%ebx
sete   %al
movzbl %al,%eax
ret 


Quote from: TimoVJL on July 06, 2019, 10:16:02 AM
Intel2GAS

Will have a look.  :thumbsup:

Jovanna

Dear AW, TimoVJL, LiaoMi and Jack,
Dear Friends,
Thanks a lot for your help!! I even haven't supposed there exist such converting-tools -Intel-GAS, awesome!   :angelic:
Btw, here is the origin code of Carlos, I tried and it is working: https://brundlelab.wordpress.com/2012/10/21/detecting-vmware/
But detecting VMWare only  :sad:
I dream to be enough experienced in Assembler, to be able to write if-else-cascade-code and realize RedPill technique about a virtual machine detection, by Segmentation Faults with SIDT ("Red Pill") and SGDT ("No Pill")
(from the link below..: Red Pill and No Pill actually had one or both of the following problems:
   The SIDT and SGDT CPU instructions expect to write some data into a memory location. A large amount of the sample code I found allocated 2 bytes on the stack, typically with char[2]. The problem is that at the very least, when running in i386, both of these CPU instructions require 6 bytes, not 2 bytes. The lower 2 bytes is the table limit, while the upper 4 is the base IDTR or GDTR address.
   the SIDT and SGDT CPU instructions need 6 bytes in i386 mode, but in my case I'm running in AMD64. Looking up these instructions in AMD's documents [1, 2, pages 299-300] you'll note that in AMD64 you need 10 bytes of memory, not 6 bytes. So at the very least, your code will need some sort of #if statements to detect at compile-time how to allocation or interpret the results of SIDT and SGDT.)
http://charette.no-ip.com:81/programming/2009-12-30_Virtualization/index.html

Because of article-mentioned-problems, I wonder if this is possible? Is it possible to be covered all CPU options by if-else and the corresponding array-length?

Thanks a lot again
& and have Nice Day!!