LDE32 is a simple length disassembly engine written by virus author z0mbie. You simply give it a chunk of code and it breaks the code down into its individual instructions, allowing you to determine the length of each instruction. It seems to work fine on the standard x86 instruction set but I don't believe it has any support for extended instructions like MMX.
The following example disassembles this code, which is the start of a PowerBASIC function ...
00403D30 . 55
00403D31 . 8BEC
00403D33 . 53
00403D34 . 56
00403D35 . 57
00403D36 . BB 00804000
00403D3B . 66:2E:F705 60454000 0400
00403D45 . 0F85 08010000
00403D4B . 6A 00
So I've simply defined it as ...
sCode = CHR$(&h55,&h8B,&hEC,&h53,&h56,&h57,&hBB,&h00,&h80,&h40,&h00,&h66,&h2E,&hF7,&h05,&h60,&h45,&h40,&h00,&h04,&h00,&h0F,&h85,&h08,&h01,&h0,&h0,&h6A,&h00)
Here is the resulting output after parsing it through LDE32 ...
00143D44: 55 (Len: 1)
00143D45: 8B (Len: 2)
00143D47: 53 (Len: 1)
00143D48: 56 (Len: 1)
00143D49: 57 (Len: 1)
00143D4A: BB (Len: 5)
00143D4F: 66 (Len: 10)
00143D59: 0F (Len: 6)
00143D5F: 6A (Len: 2)
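To check the lengths LDE32 reports above by hand, here is an added Python example (not code from LDE32 or the post) that decodes the same bytes with the x86 prefix, ModRM, SIB, displacement and immediate rules. Its opcode coverage is an assumption limited to the forms in the listing plus a few common ones, and it also shows the ModRM+SIB and two-byte-opcode cases the listing does not exercise.

```python
# Added example, not code from LDE32 or the post: a small x86-32 length decoder for the
# instruction forms in the listing above, so LDE32's lengths can be checked by hand. The
# opcode coverage is an assumption made for illustration; unsupported opcodes yield None.
PREFIXES = {0x66, 0x67, 0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0xF0, 0xF2, 0xF3}
NO_OPERAND = set(range(0x50, 0x60)) | {0x90, 0xC3, 0xC9}   # push/pop reg, nop, ret, leave
MODRM_ONLY = {0x01, 0x03, 0x29, 0x2B, 0x31, 0x33, 0x39, 0x3B, 0x85, 0x88, 0x89, 0x8A, 0x8B, 0x8D}
REG_IMM = set(range(0xB8, 0xC0)) | {0x68}                   # mov reg, imm32 / push imm32
REL8 = set(range(0x70, 0x80)) | {0xEB}                      # Jcc / jmp short
REL32 = {0xE8, 0xE9}                                        # call / jmp near

def modrm_len(code, i):   # bytes used by the ModRM at code[i] plus any SIB and displacement
    mod, rm = code[i] >> 6, code[i] & 7
    n = 1 + (0, 1, 4, 0)[mod]                    # disp8 / disp32 that follows the ModRM
    if mod != 3 and rm == 4:                     # SIB byte follows
        n += 1
        if mod == 0 and (code[i + 1] & 7) == 5:
            n += 4                               # base=101 with mod=00 means [disp32]
    elif mod == 0 and rm == 5:
        n += 4                                   # [disp32], as in F7 05 xx xx xx xx
    return n

def insn_len(code, pos=0):   # length of the instruction at code[pos], None if not covered
    i, opsize = pos, 4
    while code[i] in PREFIXES:
        opsize, i = (2 if code[i] == 0x66 else opsize), i + 1   # 66h: imm32 becomes imm16
    op, i = code[i], i + 1
    if op == 0x0F:                               # two-byte map: only Jcc rel32 covered
        return i + 5 - pos if 0x80 <= code[i] <= 0x8F else None
    if op in NO_OPERAND:
        return i - pos
    if op in REL8 or op == 0x6A:                 # rel8 / push imm8
        return i + 1 - pos
    if op in REG_IMM or op in REL32:
        return i + opsize - pos
    if op in MODRM_ONLY:
        return i + modrm_len(code, i) - pos
    if op in (0x80, 0x81, 0x83, 0xF6, 0xF7):     # immediate groups 1 and 3
        reg = (code[i] >> 3) & 7                 # the /digit selects the operation
        imm = 0 if op >= 0xF6 and reg > 1 else (opsize if op in (0x81, 0xF7) else 1)
        return i + modrm_len(code, i) + imm - pos
    return None

def split_insns(code):   # walk the buffer as the PBMAIN loop does
    out, pos = [], 0
    while pos < len(code) and (n := insn_len(code, pos)) is not None:
        out.append((pos, code[pos], n))          # (offset, first byte, length)
        pos += n
    return out
# Constructed input: the bytes of the PowerBASIC prologue listed above.
SAMPLE = bytes.fromhex("558BEC535657BB00804000662EF7056045400004000F85080100006A00")
```

`split_insns(SAMPLE)` yields the same first bytes and lengths (1, 2, 1, 1, 1, 5, 10, 6, 2) that LDE32 printed above; the 10-byte entry is the 66h and 2Eh prefixes plus F7 /0 with a disp32 memory operand and a 16-bit immediate.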
LDE32.BAS:
Code:
#COMPILE EXE
#INCLUDE "win32api.inc"

GLOBAL sTable AS STRING * 2049, ptrTable AS DWORD
%MAX_INSTRUCTIONS = 8   '// The loop below runs until Instructions exceeds this, so 9 instructions are shown

FUNCTION PBMAIN() AS LONG
  #REGISTER NONE
  '// ptrTable is the GLOBAL above; it is not redeclared here so the inline asm and the BASIC code use the same variable
  DIM sCode AS STRING, ptrCode AS DWORD, result AS LONG, CurPos AS LONG, Instructions AS LONG

  '// Code to disassemble
  sCode = CHR$(&h55,&h8B,&hEC,&h53,&h56,&h57,&hBB,&h00,&h80,&h40,&h00,&h66,&h2E,&hF7,&h05,&h60,&h45,&h40,&h00,&h04,&h00,&h0F,&h85,&h08,&h01,&h0,&h0,&h6A,&h00)
  ptrCode = STRPTR(sCode): ptrTable = VARPTR(sTable)

  '// disasm_init(ptrTable): fills the 2049-byte flag table; stdcall, cleans its own argument
  ! push ptrTable            ; build disasm flag tables
  ! call disasm_init

  ! mov ebx, ptrCode         ; &h401000
cycle:
  '// disasm_main(ptrTable, offset) returns the instruction length in eax, or -1 on failure
  ! mov CurPos, ebx
  ! push ebx                 ; disasm offset
  ! push ptrTable            ; internal disasm table
  ! call disasm_main
  ! mov result, eax
  ! push ebx                 ; preserve ebx/eax across the BASIC statements below
  ! push eax

  IF result = -1 THEN GOTO EndOfDisasm

  STDOUT HEX$(CurPos,8) & ": " & HEX$(ASC(MID$(sCode, CurPos - ptrCode + 1, 1)),2) & " (Len: " & STR$(result) & ")"

  ! pop eax
  ! pop ebx
  ! add ebx, eax             ; advance to the next instruction
  ! inc Instructions
  ! cmp Instructions, %MAX_INSTRUCTIONS
  ! jng cycle

EndOfDisasm:
  STDOUT "DONE": WAITKEY$
  EXIT FUNCTION

'// z0mbie's LDE32 engine, embedded as raw bytes
disasm_init:
  ! db &h0C8,&h000,&h000,&h000,&h060,&h08B,&h07D,&h008
  ! db &h0FC,&h0E8,&h005,&h000,&h000,&h000,&h061,&h0C9
  ! db &h0C2,&h004,&h000,&h033,&h0C0,&h050,&h050,&h050
  ! db &h068,&h000,&h0A8,&h0AA,&h002,&h068,&h07F,&h068
  ! db &h0FF,&h03F,&h068,&h0A0,&h0DE,&h0E6,&h0FF,&h068
  ! db &h0FF,&h0FF,&h0D5,&h0DB,&h068,&h0AA,&h0AA,&h0FE
  ! db &h0FF,&h068,&h0AA,&h0AA,&h0AA,&h0AA,&h068,&h000
  ! db &h000,&h0AA,&h0AA,&h050,&h050,&h050,&h050,&h050
  ! db &h050,&h068,&h054,&h001,&h000,&h000,&h068,&h055
  ! db &h0F5,&h0FF,&h041,&h068,&h0AA,&h0DD,&h0DE,&h055
  ! db &h068,&h011,&h051,&h095,&h019,&h068,&h0FF,&h01F
  ! db &h011,&h011,&h068,&h0AA,&h0FF,&h011,&h0FA,&h068
  ! db &h096,&h0CF,&h060,&h08E,&h068,&h0AA,&h0D6,&h072
  ! db &h0FC,&h068,&h088,&h0AA,&h0AA,&h0AA,&h068,&h0D5
  ! db &h088,&h088,&h088,&h068,&h09B,&h055,&h08D,&h052
  ! db &h068,&h053,&h0D5,&h06C,&h036,&h068,&h0FF,&h055
  ! db &h055,&h035,&h068,&h0F9,&h0D6,&h0FE,&h0FF,&h068
  ! db &h088,&h088,&h088,&h068,&h068,&h088,&h088,&h088
  ! db &h088,&h068,&h0CA,&h047,&h053,&h08D,&h068,&h0DF
  ! db &h07B,&h0C6,&h0DC,&h068,&h0AA,&h0AA,&h0AA,&h0AA
  ! db &h068,&h0AA,&h0AA,&h0AA,&h0AA,&h068,&h0FD,&h04F
  ! db &h0A9,&h0AB,&h068,&h0EA,&h0FE,&h0A7,&h0D4,&h068
  ! db &h029,&h075,&h0FF,&h053,&h068,&h0FE,&h0A7,&h0A4
  ! db &h0FF,&h068,&h04A,&h0FA,&h09F,&h092,&h068,&h0FF
  ! db &h029,&h0E9,&h07F,&h0B9,&h000,&h002,&h000,&h000
  ! db &h033,&h0DB,&h0E8,&h013,&h000,&h000,&h000,&h0AB
  ! db &h0E2,&h0F8,&h0C3,&h00B,&h0DB,&h075,&h007,&h058
  ! db &h05E,&h05A,&h056,&h050,&h0B3,&h020,&h04B,&h0D1
  ! db &h0EA,&h0C3,&h0E8,&h0EC,&h0FF,&h0FF,&h0FF,&h00F
  ! db &h083,&h0A2,&h000,&h000,&h000,&h0E8,&h0E1,&h0FF
  ! db &h0FF,&h0FF,&h073,&h006,&h0B8,&h000,&h008,&h000
  ! db &h000,&h0C3,&h0E8,&h0D4,&h0FF,&h0FF,&h0FF,&h072
  ! db &h06E,&h0E8,&h0CD,&h0FF,&h0FF,&h0FF,&h073,&h061
  ! db &h0E8,&h0C6,&h0FF,&h0FF,&h0FF,&h073,&h054,&h0E8
  ! db &h0BF,&h0FF,&h0FF,&h0FF,&h072,&h02D,&h0E8,&h0B8
  ! db &h0FF,&h0FF,&h0FF,&h073,&h006,&h0B8,&h080,&h000
  ! db &h000,&h000,&h0C3,&h0E8,&h0AB,&h0FF,&h0FF,&h0FF
  ! db &h073,&h006,&h0B8,&h008,&h002,&h000,&h000,&h0C3
  ! db &h0E8,&h09E,&h0FF,&h0FF,&h0FF,&h073,&h006,&h0B8
  ! db &h003,&h000,&h000,&h000,&h0C3,&h0B8,&h030,&h000
  ! db &h000,&h000,&h0C3,&h0E8,&h08B,&h0FF,&h0FF,&h0FF
  ! db &h073,&h006,&h0B8,&h008,&h008,&h000,&h000,&h0C3
  ! db &h0E8,&h07E,&h0FF,&h0FF,&h0FF,&h073,&h006,&h0B8
  ! db &h005,&h000,&h000,&h000,&h0C3,&h0B8,&h020,&h000
  ! db &h000,&h000,&h0C3,&h0B8,&h000,&h010,&h000,&h000
  ! db &h0C3,&h0B8,&h010,&h000,&h000,&h000,&h0C3,&h0E8
  ! db &h05F,&h0FF,&h0FF,&h0FF,&h073,&h013,&h0E8,&h058
  ! db &h0FF,&h0FF,&h0FF,&h073,&h006,&h0B8,&h001,&h000
  ! db &h000,&h000,&h0C3,&h0B8,&h010,&h008,&h000,&h000
  ! db &h0C3,&h0B8,&h008,&h000,&h000,&h000,&h0C3,&h0E8
  ! db &h03F,&h0FF,&h0FF,&h0FF,&h072,&h006,&h0B8,&h0FF
  ! db &h0FF,&h0FF,&h0FF,&h0C3,&h0B8,&h000,&h000,&h000
  ! db &h000,&h0C3

disasm_main:
  ! db &h0C8,&h000,&h000,&h000,&h060,&h08B,&h075,&h00C
  ! db &h0FC,&h033,&h0DB,&h033,&h0C0,&h0AC,&h08B,&h04D
  ! db &h008,&h00B,&h01C,&h081,&h03C,&h0F6,&h074,&h004
  ! db &h03C,&h0F7,&h075,&h011,&h081,&h0CB,&h000,&h008
  ! db &h000,&h000,&h0F6,&h006,&h038,&h075,&h006,&h081
  ! db &h0CB,&h000,&h018,&h000,&h000,&h03C,&h0CD,&h075
  ! db &h00B,&h083,&h0CB,&h010,&h080,&h03E,&h020,&h075
  ! db &h003,&h083,&h0CB,&h040,&h03C,&h00F,&h075,&h008
  ! db &h0AC,&h00B,&h09C,&h081,&h000,&h004,&h000,&h000
  ! db &h083,&h0FB,&h0FF,&h075,&h009,&h089,&h05C,&h024
  ! db &h01C,&h0E9,&h0F0,&h000,&h000,&h000,&h0F7,&h0C3
  ! db &h001,&h000,&h000,&h000,&h074,&h005,&h083,&h0F3
  ! db &h001,&h0EB,&h0A8,&h0F7,&h0C3,&h000,&h010,&h000
  ! db &h000,&h074,&h00A,&h083,&h0F3,&h008,&h0A8,&h001
  ! db &h075,&h003,&h083,&h0F3,&h018,&h0F7,&h0C3,&h000
  ! db &h008,&h000,&h000,&h074,&h058,&h0AC,&h08A,&h0E8
  ! db &h08A,&h0C8,&h066,&h081,&h0E1,&h007,&h0C0,&h080
  ! db &h0FD,&h0C0,&h074,&h049,&h0F7,&h0C3,&h004,&h000
  ! db &h000,&h000,&h074,&h018,&h066,&h083,&h0F9,&h006
  ! db &h074,&h00A,&h080,&h0FD,&h040,&h074,&h01D,&h080
  ! db &h0FD,&h080,&h075,&h031,&h081,&h0CB,&h000,&h002
  ! db &h000,&h000,&h0EB,&h029,&h080,&h0F9,&h004,&h075
  ! db &h006,&h08A,&h00E,&h046,&h080,&h0E1,&h007,&h080
  ! db &h0FD,&h040,&h075,&h008,&h081,&h0CB,&h000,&h001
  ! db &h000,&h000,&h0EB,&h011,&h080,&h0FD,&h080,&h074
  ! db &h006,&h066,&h083,&h0F9,&h005,&h075,&h006,&h081
  ! db &h0CB,&h000,&h004,&h000,&h000,&h0F7,&h0C3,&h080
  ! db &h000,&h000,&h000,&h074,&h014,&h081,&h0F3,&h000
  ! db &h002,&h000,&h000,&h0F7,&h0C3,&h004,&h000,&h000
  ! db &h000,&h075,&h006,&h081,&h0F3,&h000,&h006,&h000
  ! db &h000,&h0F7,&h0C3,&h008,&h000,&h000,&h000,&h074
  ! db &h00E,&h083,&h0F3,&h020,&h0F7,&h0C3,&h002,&h000
  ! db &h000,&h000,&h075,&h003,&h083,&h0F3,&h060,&h0F7
  ! db &h0C3,&h000,&h001,&h000,&h000,&h074,&h001,&h0AC
  ! db &h0F7,&h0C3,&h000,&h002,&h000,&h000,&h074,&h002
  ! db &h066,&h0AD,&h0F7,&h0C3,&h000,&h004,&h000,&h000
  ! db &h074,&h001,&h0AD,&h0F7,&h0C3,&h010,&h000,&h000
  ! db &h000,&h074,&h001,&h0AC,&h0F7,&h0C3,&h020,&h000
  ! db &h000,&h000,&h074,&h002,&h066,&h0AD,&h0F7,&h0C3
  ! db &h040,&h000,&h000,&h000,&h074,&h001,&h0AD,&h02B
  ! db &h075,&h00C,&h089,&h074,&h024,&h01C,&h061,&h0C9
  ! db &h0C2,&h008,&h000
END FUNCTION