Realize anti-assessment
For the first time, write such an article, because the used assembly instruction is limited, the understanding of the INTEL IA assembly directive and
Not very thorough, so if there is an incorrect understanding and bug in the following articles and procedures, please point out.
The following disassembly is implemented in accordance with the architecture of Intel X86, which is realized.
The translation of the order is not implemented for the Bihen Directive and some MMX, SSE, SSE2 instructions, but can be in existing
Expansion in the order framework.
The reference materials for articles and procedures are:
1, Intel's IA-32 Intel Architecture Software Developer's Manual V2: Instruction
SET REFERENCE;
2. The debugger WDBG program in the disc that comes with the "Application Debug Technology"
3, the anti-assembly section in the GDB source code;
If there are more information, especially this book, you can look at the following principle, because of the article
The form in this book is checked in this book, I will not draw it, too much, huh, huh, steal, :).
First, the principle of disassembly
1, Intel's IA-32 instructions:
Intel IA's instruction consists of several parts:
Prefix - 1 byte, the prefix of all instructions is divided into 4 groups (group 1: Lock and Rep, Group 2: ignored segment prefix,
Group 3: Ignore the prefix of the operating size, group 4: Ignore the prefix of the address size;
Operation code - 1, 2 or 3 bytes, 2 byte instructions are the first command code 0x0f, and the general 3-byte instruction
3 bytes are part of ModR / M, in particular below;
Modr / M byte - 1 byte, this byte indicates the form of the number of operands followed, which is divided into 3 parts:
The 7-6th is the MOD section, and the 5-3th is the REG section. The second-0 bits are the R / M part, where the MOD and R / M part combine
Indicates the addressing method of the instruction operand, and the REG portion mainly indicates the registers used, this byte is solved.
Dressing and combining the main operation code, I think this is the most important part of the translation instruction;
SIB Byte - 1 byte, in addition to the above modR / m bytes, sometimes the instruction also needs a byte to supplement
This byte is also divided into 3 parts: Section 7-6 is the scale section, and 5-3 is index
Part, the 2-0 bits are part of the Base;
Offset - 1, 2 or 4 bytes;
Immediately --1, 2 or 4 bytes;
2, decoding of the operand:
The disassembly is to translate binary word streams into a string of assembly code, and assembly code is operated by an opcode and operand.
Two parts are composed. In the translation process, the corresponding instructions are output from the corresponding array to the corresponding array in the translation.
String, and the most important thing is to translate the operand, all operands can be used:
Addressing mode operand type
It is to indicate that the addressing method has a A (direct address), c (MODR / M byte REG part indicates a control register), D (
The REG section of the ModR / M byte indicates a debug register), and E (the number of operands indicated by the MODR / M-M-byte is a general purpose)
Register or a memory address), f (EFLAGS register), g (MODR / M byte REG part indicates a universal delivery
Depositor), I (immediate), j (instruction contains a relative address), m (MODR / M byte indicates a memory address), O (no
There are modR / m bytes, the back word or double word is offset address), and the MODR / MMX register indicates a 4-byte MMX register), Q (the number of operated operations indicated by the ModR / M "is A MMX register or a memory address), R (Modr /
The MOD portion of the M-byte indicates a general register), and the REG part of the ModR / M is indicated a segment register).
T (MODR / M-M-byte REG part indicates a test register), V (MODR / M-M-byte REG part indicates a 128
Bit XMM register), W (MODR / M-N-byte indication is a 128-bit XMM register or a memory address),
X (memory address is represented by DS: Si Register), Y (memory address is represented by ES: DI register);
The operand type mainly has B (bytes), D (double byte), w (word), V (word or double word, based on the operating number).
According to the above explanation, you can view the instruction table, the table can refer to the appendix A in the book above Intel.
Table A-1 to Table A-20, translation for Modr / M bytes can refer to Table 2-1 to Table in Chapter 2.
2-3, according to these tables, you can write the data structure used in the disassembly.
3. The following example shows how to make an anti-assessment according to these tables:
If the binary sequence is 0x03, 0x70, 0xE8, the opcode is 0x03, check the instruction table Table A-2 is "Add GV,
EV ", the second byte 0x70 is ModR / M byte, binary is 01110000, then the Mod part is 1, the REG part is 6, R /
The M part is 0, check the ModR / M byte table Table 2-2 Get the GV operand is ESI, the EV operand is [EAX DISP8], DISP8
Is an 8-bit offset, then read a byte 0xe8, because this byte is negative, the reverse value is 0x18, then EV operation
The number is [EAX-0x18], so the final command output is "Add ESI, [EAX-0x18]".
4, expand instructions:
In addition to the single-byte command and the binary instruction, there is a part of the instructions that are three bytes, these instructions are called extended instructions.
The expansion instruction is part of the MODR / M byte as part of an opcode, according to the different groups and regores belonging to the instructions.
The value of the points checksum Table A-4 translation instructions, such as the operation code 0x80-0x83 is GROUP 1
Then, then determine the string of the operator according to the value of the REG, such as the REG 5 is the "SUB" instruction.
5, floating point directive:
Floating point directive does not know why escape opcode instructions, huh, huh. it is
The main operation code is an instruction of 0xD8-0XDF, and divided into several groups with this main operation code, according to MODR in each set of instructions.
The value of / m-byte value is in the 0x00-0XBF range and is not in this range in this range, instructions in this range
According to the REG part in the Modr / M-byte byte, the corresponding instruction is obtained; the instructions not in this range
Then look for the corresponding table according to the value of the Modr / M byte, the high 4 digits in the modR / m byte are the line number, the low 4 is
List.
Second, the program description
The following is an anti-assessment program and its test procedure
DISASM.H A definition of data structure required for disassembly
Disasm.c realizes the main function of disassembly
Main.c Test procedure for using the above anti-organic function
There is a detailed annotation in the program, here is some descriptions other than annotations.
1. The program implementation is mainly the translation of the single-byte instruction, the two-byte part (that is, the instructions such as 0x0f22, etc.
Directive to 0x0f is the first byte (because the DEBUGER contrary to the VC is contracted
The procedure is as if you only translate the program into a single-byte directive, but in the DISASM.H
The data structure is still written, but this part is annotated in Disasm.c;
2. About jump instructions
There are two kinds of jump instructions in the program: one is absolute address, it is directly written SEG: Offset (such as 0xea directive)
Second, the relative address is the value of the value of the address byte by the start address read into the data, in the general Debuger, the function is repositioned to a particular address, then this function is in this function. Jump pointing
The order is based on the start address of this function, plus the address value as the final address value, and the start address of the function
It is often like reading from the symbol table, because there is no relevant part of the program symbol table in this program, so
In the test program, the disassembled jump command address is calculated based on the start address of the INPUT array.
So during actual use (if as part of the DEBUGER), you must do some repairs.
change;
3, some of the extension instructions
The interpretation of this part of this section is incomplete, and the data structure is simply written, if there is
Interest readers can extend the corresponding data structures and programs to complete all instructions. If you want to explain all
Extended instructions need to redefine the GroupTAB array structure to extend the shape of the opcode and operand.
The formula is similar to the ESC_TAB structure;
4. Part of the floating point directive
When the opcode is 0xD8-0XDF, it is a floating point directive, explains most of the floating point commands in the program, not
Since there is no use of these instructions, you can only write according to the results written on the book and the result of the VC's Debuger.
Perhaps, but can be expanded;
5. About the test procedure
The program is compiled with VC6.0 in Windows 2000, but it is written in standard C, so it can be ported under Linux.
However, maybe some places should be changed. The test program is open an executable, and then reads a certain offset.
Binary code, write to another file after translation, this program can find the code segment with the symbol table
Translation, but I have not tried it. The program can be used in conjunction with the tool Dumpbin with the VC belt, that is, dumpbin / disasm
The command generates the reverse assembly file of the executable program, then look at the disassembly result and program generation of the offset.
The result is the same. The assembler that is offset from 0x00401110 in the disassembled file obtained by the command line.
Here:
00401110: 55 Push EBP
00401111: 8b EC MOV EBP, ESP
00401113: 83 EC 40 SUB ESP, 40H
00401116: 53 Push EBX
00401117: 56 Push ESI
00401118: 57 Push EDI
00401119: 8D 7D C0 LEA EDI, [EBP-40H]
0040111C: B9 10 00 00 00 MOV ECX, 10H
00401121: B8 cc cc cc cc Mov Eax, 0cccccccch
00401126: F3 AB Rep Stos DWORD PTR [EDI]
Then set the offset = 0x1110 in main.c, and the resulting result file can be obtained as follows:
Push EBP
MOV EBP, ESP
SUB ESP, 0x40
Push EBX
PUSH ESI
Push EDI
Lea Edi, [EBP-0x40]
MOV ECX, 0x10
Mov Eax, 0xccccccccccccc
Rep Stos DWORD PTR [EDI]
Of course, the format is not as good as it, huh, but the format can be adjusted, :). http://www.smth.edu.cn/bbsanc.php?path=/groups/comp.faq/CRACK/aboutCrack/ASM/M.1053718961.p0
