; disasm.asm (CC0)
; Based on Zydis
;
; Developed by Boo Khan Ming (2023)
;
format PE console                       ; 32-bit Windows console executable (FASM)
entry start                             ; entry point label, defined in section '.code'
include 'win32a.inc'                    ; FASM Win32 macros: struct, invoke/cinvoke, library/import
; Mirror of Zydis' ZydisDecodedInstruction as the DLL lays it out.
; This program reads only `length` (via _instruction.info.length); every
; other field is here so that sizes and offsets line up.  The size/align
; note on the next line looks like an IDA export of a 64-bit build -- see
; the ZydisDisassembledInstruction comment for how that is reconciled.
struct ZydisDecodedInstruction ; (sizeof=0x148, align=0x8, copyof_249)
machine_mode dd ?
mnemonic dd ?
length db ? ; instruction length in bytes; the decode loop adds it to _offset and _runtimeaddress
a db ? ; three filler bytes up to the next dword field
b db ?
c db ?
encoding dd ?
opcode_map dd ?
opcode db ?
stack_width db ?
operand_width db ?
address_width db ?
operand_count db ?
operand_count_visible db ?
db ? ; six filler bytes so `attributes` lands on an 8-byte boundary (offset 32)
db ?
db ?
db ?
db ?
db ?
attributes dq ?
cpu_flags dq ?
fpu_flags dq ?
avx rb 0x24 ; ZydisDecodedInstructionAvx, opaque here
meta rb 0x14 ; ZydisDecodedInstructionMeta, opaque here
raw rb 0xD8 ; ZydisDecodedInstructionRaw, opaque here
ends
; Mirror of Zydis' ZydisDisassembledInstruction: runtime_address, info,
; operands, text.  The program reads info.length and text.
; The "- 8" on operands and "+ 8" on text keep the total at 0x4D0 while
; placing `text` 8 bytes earlier than the 64-bit layout would.
; NOTE(review): this looks like a hand-tuned correction for the 32-bit
; DLL's layout (where `info` is 8 bytes shorter) -- confirm against the
; Zydis build actually shipped before relying on any other field.
struct ZydisDisassembledInstruction ; (sizeof=0x4D0, align=0x8, copyof_251)
runtime_address dq ?
info ZydisDecodedInstruction
operands rb 0x320 - 8
text rb 0x60 + 8 ; Zydis' formatted Intel-syntax text, NUL-terminated
ends
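BUFFER_SIZE = 640 * 1024                ; capacity of _buffer; the code-section read must never exceed it
section '.data' readable writable
; Messages printed by the .errN paths in start; each _msglenN counts the CR LF too.
_message0 db 'Usage: disasm <executable filename>',13,10
_msglen0 = $ - _message0
_message1 db 'Error opening file.',13,10
_msglen1 = $ - _message1
_message2 db 'Error reading file.',13,10
_msglen2 = $ - _message2
_message3 db 'Invalid EXE',13,10
_msglen3 = $ - _message3
_message4 db 'Invalid PE',13,10
_msglen4 = $ - _message4
_message5 db 'Only 32-bit (x86) PE is supported.',13,10   ; declared; no current path reaches .err5
_msglen5 = $ - _message5
_message6 db 'Only 64-bit (x64) PE is supported.',13,10   ; declared; no current path reaches .err6
_msglen6 = $ - _message6
_message7 db 'Code section not found.',13,10
_msglen7 = $ - _message7
_message8 db 'ZydisDisassembleIntel failed.',13,10
_msglen8 = $ - _message8
_dummy dd ?                             ; receives the "bytes written" count of WriteFile/WriteConsole
_short db ?                             ; one-character buffer for PrintChar, followed by a zero byte
db 0
_double dw ?                            ; two-byte buffer for PrintLine (CR LF)
_hexnum rb 8                            ; 8 hex digits produced by ConvertLongHex, printed by PrintOffset
_hexval rb 2                            ; two characters printed by PrintHex
_digits db '0123456789ABCDEF'           ; nibble -> upper-case hex digit lookup
_space1 db 32,32                        ; PrintLongSpace literal
_len1 = $ - _space1
_space2 db 32                           ; PrintShortSpace literal
_len2 = $ - _space2
_filename rb MAX_PATH                   ; NUL-terminated copy of the command-line argument
_fnlen dd ?                             ; its length in bytes (without the NUL)
_buffer rb BUFFER_SIZE                  ; raw bytes of the code section
_len dd ?                               ; bytes transferred by the most recent ReadFile
_ptr dd ?
_handle dd ?                            ; file handle from CreateFile
_stdout dd ?                            ; STD_OUTPUT_HANDLE, used by Print
_count dd ?
_offset dd 0                            ; current decode position inside _buffer
_pe_start dd ?                          ; e_lfanew: file offset of the "PE\0\0" signature
_pe_id_r rb 4                           ; PE signature as read from the file ...
_pe_id db 'P','E',0,0                   ; ... and the expected value
_mz_id_r rb 2                           ; DOS signature as read from the file ...
_mz_id db 'M','Z'                       ; ... and the expected value
_machine dw ?                           ; IMAGE_FILE_HEADER.Machine
_section dw ?                           ; IMAGE_FILE_HEADER.NumberOfSections
_baseofcode dd ?                        ; IMAGE_OPTIONAL_HEADER.BaseOfCode (an RVA)
_fileptr dd ?                           ; scratch file offset handed to SetFilePointer
_magic dw ?                             ; IMAGE_OPTIONAL_HEADER.Magic (PE32 / PE64 below)
_virtualaddress dd ?                    ; fields of the section header last copied from _sectiontable
_sizeofrawdata dd ?
_pointertorawdata dd ?
_sectiontable rb 40                     ; one IMAGE_SECTION_HEADER (40 bytes)
_zydismode dd 0                         ; Zydis machine mode: 0 = 64-bit, 1 = 32-bit (chosen in start)
_runtimeaddress dd ?                    ; ImageBase + BaseOfCode, advanced per instruction (low 32 bits only)
align 8                                 ; the struct declares align=0x8, so align before the instance, not after it
_instruction ZydisDisassembledInstruction
; PE header constants.  The "- 0x80" form suggests the offsets were measured
; in a file whose PE signature sat at 0x80 and rebased to be signature-relative.
IMAGE_FILE_MACHINE_I386 = 0x014c
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32 = 0x10b                            ; optional-header magic of a PE32 image
PE64 = 0x20b                            ; optional-header magic of a PE32+ image
OffsetToBaseOfCode = 0xac - 0x80        ; 0x2c: optional header (at 0x18) + 20
OffsetToImageBaseForPE32 = 0xb4 - 0x80  ; 0x34: optional header + 28
OffsetToImageBaseForPE64 = 0xb0 - 0x80  ; 0x30: optional header + 24
OffsetToSectionTableForPE32 = 0x178 - 0x80  ; 0xf8: optional header + 224 (its PE32 size); SizeOfOptionalHeader is not consulted
OffsetToSectionTableForPE64 = 0x178 - 0x80 + 16 ; 0x108: the PE32+ optional header is 16 bytes larger
OffsetToMagicNumber = 0x98 - 0x80       ; 0x18: PE signature (4) + COFF header (20)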
section '.code' code readable executable
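start:
;-----------------------------------------------------------------------
; Entry point.  Usage: disasm <executable filename>
; ABI:    32-bit Windows; kernel32 via stdcall `invoke`, Zydis via cdecl
;         `cinvoke` (both macros from win32a.inc)
; Flow:   parse the command line -> open the file -> check the MZ and PE
;         signatures -> read Machine, NumberOfSections, Magic, BaseOfCode,
;         ImageBase -> find the section whose VirtualAddress == BaseOfCode
;         -> read its raw bytes into _buffer -> print one line per decoded
;         instruction as "<8 hex digits>  <Intel text>"
; Errors: every failure jumps to an .errN label, which prints _messageN and
;         exits; the file handle is left for ExitProcess to release.
; Regs:   ebx keeps values across invoke (callee-saved), ecx/edx carry
;         counts and call arguments, esi/edi are string pointers.
;-----------------------------------------------------------------------
        ; --- command line: everything after the first space is the filename ---
        invoke  GetCommandLine
        mov     esi, eax                ; esi = start of the NUL-terminated command line
        mov     edi, eax
        or      ecx, -1
        xor     eax, eax
        repnz   scasb                   ; find the terminating NUL
        not     ecx                     ; ecx = strlen + 1
        dec     ecx                     ; ecx = strlen
        mov     edi, esi
        mov     al, 32
        repnz   scasb                   ; find the first space, never scanning past the NUL
        jnz     .err0                   ; no space: no filename was given
        test    ecx, ecx
        jz      .err0                   ; the space was the last character: empty filename
        cmp     ecx, MAX_PATH - 1
        ja      .err0                   ; _filename is MAX_PATH bytes and must keep its NUL
        mov     dword [_fnlen], ecx     ; ecx = bytes after the space
        mov     esi, edi                ; esi = first byte of the filename
        lea     edi, [_filename]
        rep     movsb                   ; _filename starts zeroed, so the copy stays NUL-terminated
        ; --- open the file; stdout handle for Print ---
        invoke  CreateFile, _filename, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0
        mov     dword [_handle], eax
        cmp     eax, INVALID_HANDLE_VALUE
        je      .err1
        invoke  GetStdHandle, -11       ; STD_OUTPUT_HANDLE
        mov     dword [_stdout], eax
        ; --- DOS header: "MZ" ---
        invoke  ReadFile, dword [_handle], _mz_id_r, 2, _len, 0
        test    eax, eax
        jz      .err2
        cmp     dword [_len], 2
        jb      .err3                   ; short read: too small to be an EXE
        movzx   ebx, word [_mz_id_r]
        cmp     bx, word [_mz_id]
        jnz     .err3
        ; --- e_lfanew (offset 0x3C) -> "PE\0\0" signature ---
        invoke  SetFilePointer, dword [_handle], 0x3C, 0, FILE_BEGIN
        invoke  ReadFile, dword [_handle], _pe_start, 4, _len, 0
        test    eax, eax
        jz      .err2
        cmp     dword [_len], 4
        jb      .err3
        invoke  SetFilePointer, dword [_handle], dword [_pe_start], 0, FILE_BEGIN
        cmp     eax, -1                 ; INVALID_SET_FILE_POINTER: e_lfanew is not a usable offset
        je      .err4
        invoke  ReadFile, dword [_handle], _pe_id_r, 4, _len, 0
        test    eax, eax
        jz      .err2
        cmp     dword [_len], 4
        jb      .err4
        mov     ebx, dword [_pe_id_r]
        cmp     ebx, dword [_pe_id]
        jnz     .err4
        ; --- COFF header: Machine, then NumberOfSections (the next two words) ---
        invoke  ReadFile, dword [_handle], _machine, 2, _len, 0
        test    eax, eax
        jz      .err2
        cmp     dword [_len], 2
        jb      .err4
        movzx   ebx, word [_machine]
        cmp     ebx, IMAGE_FILE_MACHINE_AMD64
        jz      .is64                   ; _zydismode keeps its initial 0 (Zydis 64-bit mode)
        mov     dword [_zydismode], 1   ; every other machine type is decoded in Zydis 32-bit mode
.is64:
        invoke  ReadFile, dword [_handle], _section, 2, _len, 0
        test    eax, eax
        jz      .err2
        cmp     dword [_len], 2
        jb      .err4
        ; --- optional header: Magic and BaseOfCode ---
        mov     ebx, dword [_pe_start]
        add     ebx, OffsetToMagicNumber
        mov     [_fileptr], ebx
        invoke  SetFilePointer, dword [_handle], dword [_fileptr], 0, FILE_BEGIN
        invoke  ReadFile, dword [_handle], _magic, 2, _len, 0
        test    eax, eax
        jz      .err2
        cmp     dword [_len], 2
        jb      .err4
        mov     ebx, dword [_pe_start]
        add     ebx, OffsetToBaseOfCode
        mov     [_fileptr], ebx
        invoke  SetFilePointer, dword [_handle], dword [_fileptr], 0, FILE_BEGIN
        invoke  ReadFile, dword [_handle], _baseofcode, 4, _len, 0
        test    eax, eax
        jz      .err2
        cmp     dword [_len], 4
        jb      .err4
        ; --- ImageBase and the section table sit at different offsets in PE32 / PE32+ ---
        movzx   ebx, word [_magic]
        mov     ecx, OffsetToImageBaseForPE32
        mov     edx, OffsetToSectionTableForPE32
        cmp     ebx, PE32
        jz      .offsets_chosen
        ; Any other magic is handled as PE32+ (as before).  Its ImageBase is 64 bits
        ; wide but only the low dword fits _runtimeaddress, so images based above
        ; 4 GB are printed with truncated addresses.
        mov     ecx, OffsetToImageBaseForPE64
        mov     edx, OffsetToSectionTableForPE64
.offsets_chosen:
        mov     ebx, dword [_pe_start]
        add     ecx, ebx                ; ecx = file offset of ImageBase
        add     edx, ebx                ; edx = file offset of the section table
        mov     [_fileptr], edx         ; seek target once ImageBase has been read
        invoke  SetFilePointer, dword [_handle], ecx, 0, FILE_BEGIN
        invoke  ReadFile, dword [_handle], _runtimeaddress, 4, _len, 0
        test    eax, eax
        jz      .err2
        cmp     dword [_len], 4
        jb      .err4
        mov     ebx, dword [_baseofcode]
        add     [_runtimeaddress], ebx  ; _runtimeaddress = ImageBase + BaseOfCode
        invoke  SetFilePointer, dword [_handle], dword [_fileptr], 0, FILE_BEGIN
.continue:
        ; --- section table: find the header whose VirtualAddress == BaseOfCode ---
        movzx   ecx, word [_section]    ; ecx = headers left to examine
        test    ecx, ecx
        jz      .err7                   ; zero sections: nothing to show (and no wrap-around of the dec/jnz loop)
.scan:
        push    ecx                     ; invoke clobbers ecx
        invoke  ReadFile, dword [_handle], _sectiontable, 40, _len, 0
        test    eax, eax
        jz      .err2
        pop     ecx
        cmp     dword [_len], 40
        jb      .err7                   ; table ends before a match: treat as "no code section"
        mov     ebx, dword [_sectiontable + 12]   ; IMAGE_SECTION_HEADER.VirtualAddress
        mov     [_virtualaddress], ebx
        mov     ebx, dword [_sectiontable + 16]   ; .SizeOfRawData
        mov     [_sizeofrawdata], ebx
        mov     ebx, dword [_sectiontable + 20]   ; .PointerToRawData
        mov     [_pointertorawdata], ebx
        mov     ebx, dword [_baseofcode]
        cmp     ebx, dword [_virtualaddress]
        jz      .donescan
        dec     ecx
        jnz     .scan
        jmp     .err7
.donescan:
        ; --- load the section's raw bytes, clamped to what _buffer can hold ---
        invoke  SetFilePointer, dword [_handle], dword [_pointertorawdata], 0, FILE_BEGIN
        cmp     eax, -1
        je      .err2                   ; PointerToRawData is not a usable offset
        mov     ecx, dword [_sizeofrawdata]
        cmp     ecx, BUFFER_SIZE
        jbe     .read_code
        mov     ecx, BUFFER_SIZE        ; SizeOfRawData comes from the file being inspected; an
                                        ; unclamped value would let ReadFile write past _buffer
.read_code:
        invoke  ReadFile, dword [_handle], _buffer, ecx, _len, 0
        test    eax, eax
        jz      .err2
        invoke  CloseHandle, [_handle]
        ; From here on _len (bytes actually loaded, <= BUFFER_SIZE) bounds the
        ; decode loop, so a section truncated on disk stops cleanly as well.
        cmp     dword [_len], 0
        je      .done                   ; empty code section: nothing to print
.decode:
        mov     ecx, dword [_len]
        sub     ecx, dword [_offset]    ; ecx = bytes remaining in _buffer
        lea     edx, [_buffer]
        add     edx, dword [_offset]    ; edx = &_buffer[_offset]
        ; runtime_address is a ZyanU64: on the cdecl stack its low dword is
        ; passed first and the high dword (0; _runtimeaddress is 32-bit) second.
        cinvoke ZydisDisassembleIntel, [_zydismode], [_runtimeaddress], 0, edx, ecx, _instruction
        test    eax, eax
        js      .err8                   ; ZyanStatus: negative means failure
        mov     edx, [_runtimeaddress]
        mov     ecx, 8
        call    ConvertLongHex          ; _hexnum = 8 upper-case hex digits of the address
        call    PrintOffset
        call    PrintLongSpace
        ; print instruction.text up to its NUL; 96 bytes is the most ever written
        lea     esi, [_instruction.text]
        mov     edi, esi
        mov     ecx, 96
        xor     eax, eax
        repnz   scasb
        mov     edx, 96
        jnz     .print_text             ; no NUL within 96 bytes: print all of them
        sub     edi, esi
        lea     edx, [edi - 1]          ; edx = bytes before the NUL
.print_text:
        call    Print
        call    PrintLine
        movzx   edx, byte [_instruction.info.length]
        add     [_runtimeaddress], edx
        add     [_offset], edx
        mov     edx, [_offset]
        cmp     edx, [_len]
        jb      .decode
        jmp     .done
; C reference (Zydis sample) that the loop above mirrors:
; while (ZYAN_SUCCESS(ZydisDisassembleIntel(
; /* machine_mode: */ ZYDIS_MACHINE_MODE_LONG_64,
; /* runtime_address: */ runtime_address,
; /* buffer: */ data + offset,
; /* length: */ sizeof(data) - offset,
; /* instruction: */ &instruction
; ))) {
; printf("%016" PRIX64 " %s\n", runtime_address, instruction.text);
; offset += instruction.info.length;
; runtime_address += instruction.info.length;
; }
.err0:
        lea     edx, [_message0]
        mov     ecx, _msglen0
        jmp     .error
.err1:
        lea     edx, [_message1]
        mov     ecx, _msglen1
        jmp     .error
.err2:
        lea     edx, [_message2]
        mov     ecx, _msglen2
        jmp     .error
.err3:
        lea     edx, [_message3]
        mov     ecx, _msglen3
        jmp     .error
.err4:
        lea     edx, [_message4]
        mov     ecx, _msglen4
        jmp     .error
.err5:                                  ; currently unreferenced
        lea     edx, [_message5]
        mov     ecx, _msglen5
        jmp     .error
.err6:                                  ; currently unreferenced
        lea     edx, [_message6]
        mov     ecx, _msglen6
        jmp     .error
.err7:
        lea     edx, [_message7]
        mov     ecx, _msglen7
        jmp     .error
.err8:
        lea     edx, [_message8]
        mov     ecx, _msglen8
.error:
        ; edx = message, ecx = length.  The handle is fetched again rather than
        ; taken from _stdout because .err0/.err1 run before _stdout is set.
        invoke  GetStdHandle, -11
        invoke  WriteConsole, eax, edx, ecx, _dummy, 0
.done:
        invoke  ExitProcess, 0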
PrintLongSpace:
; Writes the two-space literal _space1 to stdout.  Clobbers esi, edx (plus Print's).
        mov     esi, _space1            ; esi = pointer to the literal
        mov     edx, _len1              ; edx = byte count
        jmp     Print                   ; tail call: Print's ret returns to our caller
PrintShortSpace:
; Writes the single-space literal _space2 to stdout.  Clobbers esi, edx (plus Print's).
        mov     esi, _space2            ; esi = pointer to the literal
        mov     edx, _len2              ; edx = byte count
        jmp     Print                   ; tail call: Print's ret returns to our caller
PrintLine:
; Writes CR LF to stdout.  Rewrites _double on every call.  Clobbers esi, edx (plus Print's).
        mov     word [_double], 0x0A0D  ; little-endian store: bytes 0Dh 0Ah = CR, LF
        mov     esi, _double
        mov     edx, 2
        jmp     Print                   ; tail call: Print's ret returns to our caller
PrintOffset:
; Writes the 8 hex digits that ConvertLongHex left in _hexnum.  Clobbers esi, edx (plus Print's).
        mov     esi, _hexnum
        mov     edx, 8                  ; _hexnum is exactly 8 bytes
        jmp     Print                   ; tail call: Print's ret returns to our caller
PrintHex:
; Writes the two characters in _hexval.  Not called by start at present.  Clobbers esi, edx (plus Print's).
        mov     esi, _hexval
        mov     edx, 2
        jmp     Print                   ; tail call: Print's ret returns to our caller
PrintChar:
; Writes the single character in _short.  Not called by start at present.  Clobbers esi, edx (plus Print's).
        mov     esi, _short
        mov     edx, 1
        jmp     Print                   ; tail call: Print's ret returns to our caller
Print:
; Writes edx bytes starting at esi to _stdout with WriteFile (best effort:
; the BOOL result is ignored; the count written lands in _dummy).
; In:    esi = buffer, edx = length, _stdout = handle set by start
; Clobb: whatever the stdcall callee may touch (eax, ecx, edx, flags)
        push    0                       ; lpOverlapped
        push    _dummy                  ; lpNumberOfBytesWritten
        push    edx                     ; nNumberOfBytesToWrite
        push    esi                     ; lpBuffer
        push    dword [_stdout]         ; hFile
        call    [WriteFile]             ; stdcall: the callee pops its five arguments
        ret
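ConvertLongHex: ;-) Nice code snippet by Tomasz Grysztar (flat assembler)
; Renders the top ecx nibbles of edx as upper-case hex digits into _hexnum,
; most significant first (ecx = 8 converts the whole dword).
; In:    edx = value; ecx = digit count, 1..8 (_hexnum holds 8 bytes)
; Out:   _hexnum[0 .. ecx-1]; edx is rotated back to its input only when ecx = 8
; Clobb: eax, ebx, ecx, edx, flags
        xor     ebx, ebx                ; ebx = output index
        test    ecx, ecx
        jz      .done                   ; ecx = 0 would otherwise wrap and loop 2^32 times
        cmp     ecx, 8
        jbe     .loop1
        mov     ecx, 8                  ; never write past the end of _hexnum
.loop1:
        rol     edx, 4                  ; bring the next most-significant nibble into bits 0..3
        mov     eax, edx
        and     eax, 1111b
        mov     al, [_digits+eax]       ; nibble -> ASCII digit
        mov     [ebx+_hexnum], al
        inc     ebx
        dec     ecx
        jnz     .loop1
.done:
        ret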
section '.idata' import readable writable
library kernel32, 'KERNEL32.DLL',\
Zydis, 'Zydis.dll'
import kernel32,\
GetStdHandle, 'GetStdHandle', \
WriteConsole, 'WriteConsoleA', \
CreateFile, 'CreateFileA', \
ReadFile, 'ReadFile', \
WriteFile, 'WriteFile', \
CloseHandle, 'CloseHandle', \
GetCommandLine, 'GetCommandLineA', \
SetFilePointer, 'SetFilePointer', \
ExitProcess,'ExitProcess'
import Zydis,\
ZydisDisassembleIntel, "ZydisDisassembleIntel"