May 30, 2007

LDE32的C语言版本

2007.7.11更新:
VX Heavens上找到的.备份一下.
0x4553lde


It based on ADE32 disassembler engine by z0mbie, modified and ported to AT&T asm.

table.h - contain table of opcodes from 0x00 to 0xFF, it define the type of each other.

There is the main function l_disasm(). It get one parameter from stack, which point to array with data. Return value reside in %eax - length of opcode.

Example:


 
 ...

    mov data,%eax

    add $123,%eax         # data

    push %eax

    call l_disasm

    ...

    

LDE32v1.6_for_asm
LDE32_for_vc

 
LDE32 is a library which may be used to determine length of any x86 instructiion, i.e. to provide partial disassembling. LDE32 has only two subroutines.
void pascal disasm_init(void* tableptr);
This subroutine used to build internal data table of 2048 byte length.
int pascal disasm_main(void* opcodeptr, void* tableptr);
This subroutine used to disassemble one instruction. It returns length of instruction in bytes, or -1 if an error occured. Subroutines preserves all registers; code is offset-independent; no data used except 2k at tableptr.

 


google真是个好东西.用找到的LDE32把前几天写的那个Ring3 Inline Hook Demo修改了一下,现在不用怕被hook函数前的opcode没有对齐咯: )

 


    
// LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE 
//C Language Edition
//Modified by Joerkky
//version 1.05 

DWORD LDE32(void ADDR) 
{
 DWORD t1[]={0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,0,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,0x4000,0x4000,0x4000,0x4000,0x8000,0x8000,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x4000,0x4000,8,8,0x1008,0x0018,0x2000,0x6000,0x0100,0x4100,0,0,0,0,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x4100,0x6000,0x4100,0x4100,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0,0,0,0,0,0,0,0,0,0,0x2002,0,0,0,0,0,0x0020,0x0020,0x0020,0x0020,0,0,0,0,0x0100,0x2000,0,0,0,0,0,0,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x4100,0x4100,0x0200,0,0x4000,0x4000,0x4100,0x6000,0x0300,0,0x0200,0,0,0,0,0,0x4000,0x4000,0x4000,0x4000,0x0100,0x0100,0,0,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x0100,0x2000,0x2000,0x2002,0x0100,0,0,0,0,8,0,8,8,0,0,0,0,0,0,0,0,0,0,0x4000,0x4000};
 DWORD t0[]={0x4000,0x4000,0x4000,0x4000,-1,-1,0,-1,0,0,0,0,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x2000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0,0,0,0x4000,0x4100,0x4000,-1,-1,0,0,0,0x4000,0x4100,0x4000,-1,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,-1,-1,0x4100,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,0x4000,-1,-1,-1,-1,-1,-1,0,0,0,0,0,0,0,0,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1};
 DWORD eax=0,edx=0;
 unsigned char ecx=(unsigned char )ADDR,dl=(unsigned char )&edx,al=(unsigned char )&eax;
 do {
  dl[0]=dl[0]&0xf7;
  al[0]=*ecx;
  ecx++;
  edx=edx|t1[eax];
 } while (dl[0]&0x8);
 if ((al[0]==0xF6)||(al[0]==0xF7)) {
  dl[1]=dl[1]|0x40;
  if (!((ecx)&0x0111000b)) dl[1]=dl[1]|0x80;
 } 
 else 
  if (al[0]==0xCD) {
   dl[1]=dl[1]|1;
   if (ecx==0x20) dl[1]=dl[1]|4;
  }
  else 
   if (al[0]==0xF) {
    al[0]=*ecx;ecx++;edx=edx|t0[eax];
    if (edx==-1) return edx;
   }
 if (dl[1]&0x80) {
  dl[1]=(dl[1])^0x20;
        if (!(al[0]&0x00000001b)) dl[1]=dl[1]^0x11;
 }
 if (dl[1]&0x40) {
  al[0]=*ecx;
  ecx++;
  al[1]=*al;
  eax=eax&0xC007;
  if(!(al[1]==0xC0))
   if (dl[0]&0x10) 
    if(((al[0]==6)&&(al[1]==0))||(al[1]==0x80))
     dl[0]=dl[0]|2;
    else 
     if (al[1]==0x40) dl[0]=dl[0]|1;
   else {
    if (al[0]==4) {
     al[0]=*ecx;
     ecx++;
     al[0]=al[0]&7;
    }
    if (al[1]==0x40) 
     dl[0]=dl[0]|1;
    else
     if ((al[1]==0x80)||((al[0]==5)&&(al[1]==0)))
      dl[0]=dl[0]|4;
   }
 }
 if (dl[0]&0x20) {
  dl[0]=dl[0]^2;
  if (!(dl[0]&0x10)) dl[0]=dl[0]^6;
 }
 if (dl[1]&0x20) {
  dl[1]=dl[1]^2;
  if (!(dl[1]&0x10)) dl[1]=dl[1]^6;
 }
 eax=(DWORD)ecx-(DWORD)ADDR;
 edx=edx&0x707;
 al[0]=al[0]+dl[0]+dl[1];
 return eax;
}

Comments
Write a Comment
Recent
Search