The fool encoder

Started by Grincheux, January 13, 2016, 03:13:01 PM

guga

It found only 3 errors. One with an XMM1 data size (I'll fix that later: movd XMM1 D$esp+014 ; instead of movd XMM1 W$esp+014) and another with Jochen's library here:


Code04295F7: I7:
    test cl 05 | je L9>  ; Code0429617
    or B$ebp-034 04
    lea eax D$edx*4+Data0429914 <----- This address does not exist!!!! It is a simple value. Did something go wrong with the linker? Because masm (or jwasm) should be using that address or insert the proper error code. Idapro produces the same result. Olly too.



Code0429E28: K4:
    lea eax D$edi*4+Data0429E6D <----- same as above. This address does not exist. How did the linker assemble it?
    call eax


About the above 2 problems regarding the address, this is a problematic decision. If we simply disallow the disassembler from interpreting any non-referenced address as data/code, we easily lead to errors on the rest of the code, because this value is both (an address or an immediate). So, it is more a matter of choice of interpretation than an error per se. It can be enhanced, I guess, to overcome those problems caused by some linkers (I saw some of those things in Watcom files too; rare to happen, fortunately), but I'll think of a solution later.


But for your project of writing a disassembler, keep in mind that what you need to do in the very first place is analyze the contents of the PE sections. So, the better technique is to use maps (as I explained earlier in another post).

On the sections map you flag what is a resource (that is data), IAT (also data), data section (also data), virtual section (as the name says... virtual data), the PE header itself (data.... but unused most of the time), the MZ header (idem), etc. For that, the best is to check the characteristics of the section, regardless of the name it was labeled with (.text., .data., .idata., .potato., .orange, whatever). So, you must flag everything that you know belongs to data in the very first place.

All that is left can be either code or data, and this is where the disassembler will work to try to separate data in the middle of code.
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com

jj2007

Quote from: guga on January 14, 2016, 10:42:20 AM
It found only 3 errors ... with Jochen's library here:


Code04295F7: I7:
    test cl 05 | je L9>  ; Code0429617
    or B$ebp-034 04
    lea eax D$edx*4+Data0429914 <----- This address does not exist!!!! It is a simple value. Did something go wrong with the linker? Because masm (or jwasm) should be using that address or insert the proper error code. Idapro produces the same result. Olly too.



Code0429E28: K4:
    lea eax D$edi*4+Data0429E6D <----- same as above. This address does not exist. How did the linker assemble it?
    call eax

Nice find, Gustavo

(the code works like a charm, of course. This is Float2Asc, tested a thousand times...)

#1:
            test cl, 4+1      ; MbXmmR or MbXmmI
            .if !Zero?
                  or byte ptr f2sInt, 4      ; prevent %u correction below
                  lea eax, [MovXmmStr+4*edx-80]
                  lea edx, f2sTmp64
                  call eax
                  test cl, 1      ; odd or even?
                  .if Zero?
                        fld REAL8 ptr [edx]
                  .else
                        fild QWORD ptr [edx]
                  .endif
            .endif


Olly:
00406F48   │.  F6C1 05       │test cl, 05
00406F4B   │. 74 1B         │jz short 00406F68
00406F4D   │.  804D CC 04    │or byte ptr [ebp-34], 04
00406F51   │.  8D0495 647240 │lea eax, [edx*4+407264]
00406F58   │.  8D55 F8       │lea edx, [ebp-8]
00406F5B   │.  FFD0          │call eax


MovXmmStr:
      movlps qword ptr [edx], xmm0            ; 4 bytes incl. ret
      retn
      movlps qword ptr [edx], xmm1
      retn


Olly:
004072B4   ┌.  0F1302        movlps [edx], xmm0
004072B7   └.  C3            retn
004072B8   ┌.  0F130A        movlps [edx], xmm1
004072BB   └.  C3            retn


#2:
            test dl, 4+1      ; MbXmmR or MbXmmI
            .if !Zero?
                  test dl, 1
                  .if Zero?
                     fstp QWORD ptr [ebx]
                  .else
                     fistp REAL8 ptr [ebx]      ; use integer for r format
                  .endif
                  lea eax, [MovXmm+4*edi-80]      ; 7 bytes
                  call eax
            .endif


Olly:
0040776D   │.  F6C2 05       test dl, 05
00407770   │. 74 14         jz short 00407786
00407772   │.  F6C2 01       test dl, 01
00407775   │. 75 04         jnz short 0040777B
00407777   │.  DD1B          fstp qword ptr [ebx]
00407779   │. EB 02         jmp short 0040777D
0040777B   │>  DF3B          fistp qword ptr [ebx]
0040777D   │>  8D04BD C27740 lea eax, [edi*4+4077C2]
00407784   │.  FFD0          call eax


MovXmm:
      movlps xmm0, qword ptr [ebx]      ; 4 bytes each incl. ret
      retn


Olly:
00407812   ┌.  0F1203        movlps xmm0, [ebx]
00407815   └.  C3            retn

Grincheux

Thank you sinsi for the link. I downloaded the file, but when I run it, it crashes!

Grincheux

What do you want to check here?

Directory Name                          VirtAddr  VirtSize
--------------------------------------  --------  --------
Export                                  00000000  00000000
Import                                  00002000  00000534
Resource                                00004000  00034D90
Exception                               00000000  00000000
Security                                00000000  00000000
Base Relocation                         00000000  00000000
Debug                                   00000000  00000000
Decription/Architecture                 00000000  00000000
Machine Value (MIPS GP)                 00000000  00000000
Thread Storage                          00000000  00000000
Load Configuration                      00000000  00000000
Bound Import                            00000000  00000000
Import Address Table                    00000000  00000000
Delay Import                            00000000  00000000
COM Runtime Descriptor                  00000000  00000000
(reserved)                              00000000  00000000

No IAT

Only

Import                                  00002000  00000534

So I must look for the data sections (initialized and uninitialized) and the code section.

Size of Code                            00000C00
Size of Initialized Data                00000A00
Size of Uninitialized Data              00000000
Address of Entry Point                  00001880
Base of Code                            00001000
Base of Data                            00002000
Image Base                              00400000

Here are the command lines that created the file analyzed by dumppe:

C:\JWasm\Bin\JWASM.EXE -9 -Fl -c -zlf -zlp -zls -W3 -coff -Cp -nologo /I"C:\JWasm\Include" "ASD.asm"
C:\JWasm\Bin\JWlink.EXE FORMAT WINDOWS PE LIBPATH C:\JWasm\Lib OPTION SHOWDEAD OPTION NXCOMPAT OPTION NORELOCS OPTION ELIMINATE OPTION CHECKSUM RESOURCE ASD.res RUNTIME WINDOWS NAME ASD.exe FILE ASD.obj

guga

You must analyze first what is data and what is code. The easiest way to do that is to see what the contents of the data are. For example, you start at the very first byte (MZ); this belongs to the IMAGE_DOS_HEADER structure. Since you know it is all data, you flag it as such. Then you see the pointers to its members. In this case, the next pointer is the PE header.

You go there and do the same: flag all of this structure as data.
Then do the same as before.... check the pointers of the members.

If they point to virtual data, you flag it as such on the previously created map file.
If they are data you do the same.

How do you know which members point to data only? Check the contents of _IMAGE_DATA_DIRECTORY. All those members are pointers to data (in the form of structures).

The next thing is analyzing the contents of the IMAGE_SECTION_HEADER.

You start by seeing whether the EntryPoint is in that section or not. If it is there, it _may_ be a code section. To make sure, you check the characteristics of that section (IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_CNT_CODE).

If it does not contain them... then the section is formed by data only. You flag it as such.

Go to the next section. See if the EP is there. Ok.... EP found there... then this section is the one you must target with the disassembler, since it may contain code + data.

Do the same for the remaining sections (perhaps you already flagged them when you checked IMAGE_DATA_DIRECTORY).

See? You need to follow the contents of the PE structures.... discard everything that may be data first, and then only what is left is what you need to analyze. Much, much faster than doing a byte-by-byte scan of all the data from the very first one ('MZ').

Try downloading IDA somewhere; it really will help you understand what needs to be done (since you are having difficulties with Olly and RosAsm).
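The section-map walk guga describes in his two posts above (flag the DOS and PE headers as data, then classify each IMAGE_SECTION_HEADER by its Characteristics and by whether it holds the entry point), as an added example in C that is not code from this thread or from RosAsm, Olly or dumppe. It reads a PE32 image already in memory by raw header offsets; the sample image it builds is constructed here from the dumppe values Grincheux posted (EP 0x1880, code at 0x1000, imports at 0x2000), and the function, variable and MAP_* names are mine (the IMAGE_SCN_* constants are the real PE values).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IMAGE_SCN_CNT_CODE    0x00000020u
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
enum { MAP_DATA = 0, MAP_CODE_CANDIDATE = 1, MAP_CODE_ENTRY = 2 };   /* section map flags (names are mine) */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Classify section i of a PE32 image in memory the way the walk above does: the
   Characteristics decide data vs. code, and the section holding the entry point is
   the primary disassembly target. Returns -1 when the headers are malformed. */
int classify_section(const uint8_t *img, size_t len, int i) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;         /* IMAGE_DOS_HEADER */
    uint32_t pe = rd32(img + 0x3C);                                       /* e_lfanew */
    if (pe + 24 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;   /* IMAGE_NT_HEADERS */
    uint16_t nsec = rd16(img + pe + 6), optsz = rd16(img + pe + 20);
    uint32_t ep = rd32(img + pe + 24 + 16);                               /* AddressOfEntryPoint */
    if (i < 0 || i >= nsec || pe + 24 + optsz + 40u * ((uint32_t)i + 1) > len) return -1;
    uint32_t sh = pe + 24 + optsz + 40u * (uint32_t)i;                    /* IMAGE_SECTION_HEADER i */
    uint32_t vsz = rd32(img + sh + 8), va = rd32(img + sh + 12), ch = rd32(img + sh + 36);
    if (!(ch & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))) return MAP_DATA;
    if (ep != 0 && ep >= va && ep < va + vsz) return MAP_CODE_ENTRY;     /* a DLL may have EP 0 */
    return MAP_CODE_CANDIDATE;
}

/* Constructed sample: headers only, with the values from the dumppe output in this
   thread (EP 0x1880, code at 0x1000, imports at 0x2000); no section bytes follow. */
static uint8_t g_img[0x200];
const uint8_t *build_sample(void) {
    static const char *nm[3] = { ".text", ".rdata", ".rsrc" };
    static const uint32_t va[3] = { 0x1000, 0x2000, 0x4000 }, vsz[3] = { 0xC00, 0x534, 0x34D90 };
    static const uint32_t ch[3] = { 0x60000020, 0x40000040, 0x40000040 }; /* code|exec|read, idata|read */
    memset(g_img, 0, sizeof g_img);
    memcpy(g_img, "MZ", 2); wr32(g_img + 0x3C, 0x80); memcpy(g_img + 0x80, "PE\0\0", 4);
    g_img[0x86] = 3; g_img[0x94] = 0xE0;             /* NumberOfSections, SizeOfOptionalHeader (PE32) */
    wr32(g_img + 0x98 + 16, 0x1880);                 /* AddressOfEntryPoint */
    for (int i = 0; i < 3; i++) {
        uint8_t *s = g_img + 0x98 + 0xE0 + 40 * i;
        memcpy(s, nm[i], strlen(nm[i]));
        wr32(s + 8, vsz[i]); wr32(s + 12, va[i]); wr32(s + 36, ch[i]);
    }
    return g_img;
}

int main(void) {
    for (int i = 0; i < 3; i++) printf("section %d -> %d\n", i, classify_section(build_sample(), sizeof g_img, i));
    return 0;
}
```

Sections 1 and 2 come back as data from their Characteristics alone, before any byte of them is disassembled; only section 0 (which holds the EP) is left for the code/data separation guga describes.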

Grincheux

In the OptionalHeader I got the code and uninitialized data:


mov eax,lpNtHeader

; header of the section containing BaseOfCode (NULL if no section holds that RVA)
INVOKE ImageRvaToSection,lpNtHeader,NULL,[eax].IMAGE_NT_HEADERS.OptionalHeader.BaseOfCode
mov lpSectionCode,eax

mov eax,lpNtHeader

; header of the section containing BaseOfData (NULL if no section holds that RVA)
INVOKE ImageRvaToSection,lpNtHeader,NULL,[eax].IMAGE_NT_HEADERS.OptionalHeader.BaseOfData
mov lpSectionUData,eax


0x0513C180  41 55 54 4f 00 00 00 00 12 5b 00 00 00 10 00 00 00 5c 00 00 00 02 00 00 00 00 00  AUTO.....[.......\.........
0x0513C19B  00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bd 10 00 00 00 70  ......... ..`.rdata.......p
0x0513C1B6  00 00 00 12 00 00 00 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 44  .......^..............@..@D
0x0513C1D1  47 52 4f 55 50 00 00 64 34 ab 00 00 90 00 00 00 06 00 00 00 70 00 00 00 00 00 00  GROUP..d4«..........p......
0x0513C1EC  00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c4 e1 17 00 00 d0 ab  ........@..À.rsrc...Äá...Ы
0x0513C207  00 00 e2 17 00 00 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 60 8b  ..â...v..............@..@`.
0x0513C222  54 24 2c 0f b6 0a 8b 7a 01 69 c9 01 01 01 01 66 0f 6e c1 66 0f 70 c0 00 8b c7 83  T$,.¶..z.iÉ....f.nÁf.pÀ..ǃ

I cannot check the EntryPoint because for a DLL it is 0, not always DllMain.
The only address I have not got again is for the initialized data.

I will go to see what are the "@DGROUP"  and "rdata".

Grincheux

The pupils did good work.
All is loaded in memory.
The section addresses are well known and checked as DATA or CODE.
I attach the part that does this part of the job.