LDE32的C语言版本

Published on 2007 - 05 - 30

2007.7.11更新:
VX Heavens上找到的.备份一下.
0x4553lde



It based on ADE32 disassembler engine by z0mbie, modified and ported to AT&T asm.

table.h - contains the table of opcodes from 0x00 to 0xFF; it defines the type of each one.


The main function is l_disasm(). It takes one parameter from the stack, which points to the array of data. The return value resides in %eax - the length of the opcode.


Example:


 ...
mov data,%eax
add $123,%eax # data
push %eax
call l_disasm
...



LDE32v1.6_for_asm
LDE32_for_vc


LDE32 is a library which may be used to determine the length of any x86 instruction, i.e. to provide partial disassembling. LDE32 has only two subroutines.
void pascal disasm_init(void* tableptr);
This subroutine is used to build the internal data table of 2048 bytes.
int pascal disasm_main(void* opcodeptr, void* tableptr);
This subroutine is used to disassemble one instruction. It returns the length of the instruction in bytes, or -1 if an error occurred. Both subroutines preserve all registers; the code is offset-independent; no data is used except the 2k at tableptr.



google真是个好东西.用找到的LDE32把前几天写的那个Ring3 Inline Hook Demo修改了一下,现在不用怕被hook函数前的opcode没有对齐咯: )


// LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE
//C Language Edition
//Modified by Joerkky
//version 1.05

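#ifndef _WINDEF_
/* Same definition <windows.h> uses, so the listing also builds without it. */
typedef unsigned long DWORD;
#endif

/*
 * LDE32 - length of one 32-bit x86 instruction.
 *
 * ADDR: pointer to the first byte of the instruction.  Only the encoding is
 *       inspected (prefixes, opcode, optional ModRM/SIB, displacement,
 *       immediate); nothing is executed or written.
 *
 * Returns the instruction length in bytes, or (DWORD)-1 when the byte after
 * 0x0F is not in the two-byte opcode table, or when the prefix run reaches
 * 15 bytes (no legal instruction is that long, so the bytes are not one).
 *
 * There is no buffer length to check against: the function reads at most 15
 * prefix/opcode bytes plus 3 more (second opcode byte, ModRM, SIB), and the
 * caller must make sure that much memory at ADDR is readable.
 *
 * Flag word `flags` (the engine's EDX), assembled from t1[]/t0[] and the
 * fix-ups below:
 *   low byte   0x08  byte was a prefix, keep scanning
 *              0x10  0x67 (address-size) prefix seen
 *              0x20  moffs operand (A0..A3)
 *              0x07  displacement/address byte count once resolved
 *   high byte  0x10  0x66 (operand-size) prefix seen
 *              0x20  full-size immediate (4 bytes, 2 under 0x66)
 *              0x40  ModRM byte follows
 *              0x80  immediate sized by opcode bit 0 (byte form / full form)
 *              0x07  immediate byte count once resolved
 *
 * Fixes relative to the 1.05 listing: the `*` lost from the pointer
 * declarations is restored; `0x0111000b` / `0x00000001b` were evidently MASM
 * binary literals written as hex (they parse as 0x111000B and 0x1B) and are
 * now the intended masks 0x38 (ModRM reg field) and 0x01 (opcode width bit);
 * the byte-form immediate fix-up is 0x21 (clear full-size, set one byte)
 * instead of 0x11, which made `add al, imm8` come out as 4 bytes; the ModRM
 * displacement logic is braced explicitly - as written, the `else` of the
 * 16-bit branch bound to the inner `if`, leaving 32-bit memory operands with
 * neither displacement nor SIB; and the length is computed from a pointer
 * difference rather than truncating pointers to DWORD.
 */
DWORD LDE32(const void *ADDR)
{
    /* Flags for one-byte opcodes, indexed by the opcode byte. */
    static const DWORD t1[] =
    {0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x4000,0x4000,8,8,0x1008,0x0018,0x2000,0x6000,0x0100,0x4100,0,0,0,0,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x4100,0x6000,0x4100,0x4100,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0,0,0,0,0,0,0,0,0,0,0x2002,0,0,0,0,0,0x0020,0x0020,0x0020,0x0020,0,0,0,0,0x0100,0x2000,0,0,0,0,0,0,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x4100,0x4100,0x0200,0,0x4000,0x4000,0x4100,0x6000,0x0300,0,0x0200,0,0,0,0,0,0x4000,0x4000,0x4000,0x4000,0x0100,0x0100,0,0,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x2000,0x2000,0x2002,0x0100,0,0,0,0,8,0,8,8,0,0,0,0,0,0,0,0,0,0,0x4000,0x4000};
    /* Flags for two-byte opcodes 0F xx, indexed by the second byte; -1 = not recognised. */
    static const DWORD t0[] =
    {0x4000,0x4000,0x4000,0x4000,-1,-1,0,-1,0,0,0,0,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0,0,0,0x4000,0x4100,0x4000,-1,-1,0,0,0,0x4000,0x4100,0x4000,-1,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,-1,-1,0x4100,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,-1,-1,-1,-1,-1,-1,0,0,0,0,0,0,0,0,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1};

    const unsigned char *base = (const unsigned char *)ADDR;
    const unsigned char *p = base;
    DWORD flags = 0;
    unsigned op;

    /* Compile-time check that both tables cover 0x00..0xFF, so an opcode byte
     * can never index past them (negative array size = compile error). */
    (void)sizeof(char[(sizeof t1 / sizeof t1[0]) == 256 ? 1 : -1]);
    (void)sizeof(char[(sizeof t0 / sizeof t0[0]) == 256 ? 1 : -1]);

    /* Prefix bytes carry 0x08 in the table: clear it, read the next byte and
     * keep going until a byte that is not a prefix (the opcode) is seen.
     * A run that reaches 15 bytes cannot be a legal instruction; stop there
     * so the scan is bounded even on garbage. */
    do {
        if (p - base >= 15)
            return (DWORD)-1;
        flags &= ~(DWORD)0x08;
        op = *p++;
        flags |= t1[op];
    } while (flags & 0x08);

    if (op == 0xF6 || op == 0xF7) {
        /* Group 3 (F6/F7 /r): always ModRM; only /0 (TEST) takes an immediate,
         * so look at the reg field (bits 3-5) of the ModRM byte. */
        flags |= 0x4000;
        if ((*p & 0x38) == 0)
            flags |= 0x8000;
    } else if (op == 0xCD) {
        /* INT imm8.  INT 20h is given four more bytes (presumably the Win9x
         * VxD-call form `int 20h` + dword service id treated as one unit). */
        flags |= 0x0100;
        if (*p == 0x20)
            flags |= 0x0400;
    } else if (op == 0x0F) {
        /* Two-byte opcode: second table, -1 marks unrecognised entries. */
        op = *p++;
        flags |= t0[op];
        if (flags == (DWORD)-1)
            return flags;
    }

    if (flags & 0x8000) {
        /* Immediate width follows opcode bit 0: 0 -> one byte, 1 -> full size. */
        flags ^= 0x2000;
        if ((op & 0x01) == 0)
            flags ^= 0x2100;
    }

    if (flags & 0x4000) {
        unsigned modrm = *p++;
        unsigned mod = modrm & 0xC0;
        unsigned rm = modrm & 0x07;

        if (mod != 0xC0) {          /* register form has no displacement */
            if (flags & 0x10) {
                /* 16-bit addressing: [disp16] when mod=00 rm=110, otherwise
                 * the displacement size is given by mod. */
                if ((rm == 6 && mod == 0x00) || mod == 0x80)
                    flags |= 2;
                else if (mod == 0x40)
                    flags |= 1;
            } else {
                /* 32-bit addressing: rm=100 means a SIB byte follows and its
                 * base field takes over the rm role for the [disp32] case. */
                if (rm == 4)
                    rm = *p++ & 0x07;
                if (mod == 0x40)
                    flags |= 1;
                else if (mod == 0x80 || (rm == 5 && mod == 0x00))
                    flags |= 4;
            }
        }
    }

    if (flags & 0x20) {
        /* moffs: 4-byte address, or 2 bytes under 0x67. */
        flags ^= 0x02;
        if (!(flags & 0x10))
            flags ^= 0x06;
    }

    if (flags & 0x2000) {
        /* Full-size immediate: 4 bytes, or 2 bytes under 0x66. */
        flags ^= 0x0200;
        if (!(flags & 0x1000))
            flags ^= 0x0600;
    }

    /* Bytes consumed so far (prefixes, opcode, ModRM, SIB) plus the resolved
     * displacement and immediate counts in the low three bits of each flag byte. */
    flags &= 0x0707;
    return (DWORD)(p - base) + (flags & 0x07) + ((flags >> 8) & 0x07);
}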
