XED2 (x86 encoder decoder) c++ library

[ferrit.rce]

Hi All,

I just want to use XED2 library made by Intel for assembly encoding. According to the documentation the asm syntax differs from MASM so I have to convert all my original assemblies to XED2 assembly. The question is how? I've read all docus and found out the basic differences but call and jump instructions are pretty special. Is there MASM -> XED conversion howto somewhere? For instance how can I convert the following to XED syntax:

1. call far 0x11223344
2. call near 0x11223344
3. call dword ptr [0x11223344]
4. jmp far 0x11223344
5. jmp near 0x11223344
6. jmp dword ptr [0x11223344]

Thanks in advance!

BR,
Ferrit

[sendersu]

Quote:

Originally Posted by ferrit.rce

Hi All,

I just want to use XED2 library made by Intel for assembly encoding. According to the documentation the asm syntax differs from MASM so I have to convert all my original assemblies to XED2 assembly. The question is how? I've read all docus and found out the basic differences but call and jump instructions are pretty special. Is there MASM -> XED conversion howto somewhere? For instance how can I convert the following to XED syntax:

1. call far 0x11223344
2. call near 0x11223344
3. call dword ptr [0x11223344]
4. jmp far 0x11223344
5. jmp near 0x11223344
6. jmp dword ptr [0x11223344]

Thanks in advance!

BR,
Ferrit

if it's just up to changing 0x to ...h so regular expressions will help you here?..

[ferrit.rce]

Maybe I was not explicit enough

This works:
MASM: xor eax, eax
XED2: xor eax eax

Quote:

c:\pin-2.13-62141-msvc10-windows\extras\xed2-ia32\bin>xed.exe -e "xor eax eax"
Request: XOR MODE:1, REG0:EAX, REG1:EAX, SMODE:1
OPERAND ORDER: REG0 REG1
Encodable! 31C0
.byte 0x31,0xc0

This doesn't:
MASM: jmp far 0x11223344
XED2: jmp_far 0x11223344
XED2: jmp_far 11223344h

Quote:

c:\pin-2.13-62141-msvc10-windows\extras\xed2-ia32\bin>xed.exe -e "jmp_far 0x11223344"
[XED CLIENT ERROR] Bad register name: 0X11223344 on operand 1

c:\pin-2.13-62141-msvc10-windows\extras\xed2-ia32\bin>xed.exe -e "jmp_far 11223344h"
[XED CLIENT ERROR] Bad register name: 11223344H on operand 1

The question is the XED2 syntax.

[ragdog]

Quote:

MASM: jmp_far 0x11223344

This is not masm you must remove 0x and add a h @ end

example
012345678h

[|roe]

Just a slight educated guess. I've read a little (scrambled) through some PDF's from various Universities mentioning xed2 keyword and found that this was made by Intel. Available at http://www.pinpoint.org

You may search there for "XED2" keyword and see if the Downloads and Discussions/Documentation help you. Seems they provide for a flavor of Operating Systems like Window$ and Linux.

And here is some more research from University

Code:

http://www.cs.virginia.edu/kim/publicity/pin/docs/20751/Xed/html/main.html

Edit: Hmm, actually you got me interested, let me download this and play a bit with it... you made me curious, albeit I am unfamiliar with cpp

[h8er]

Hi, the documentation at cs.virginia.edu seems outdated, take look at the documentation in the folder pin-2.13-62141-msvc10-windows\extras\xed2-ia32\doc\ref-manual\html\group__CMDLINE.html or at this site

Code:

http://software.intel.com/sites/landingpage/pintool/docs/58423/Xed/html/group__CMDLINE.html

to encode a jmp you have to do something like this:

Code:

xed -e jmp "BRDISP:11223344"

Code:

g:\projects\pin-2.13-62141-msvc10-windows\extras\xed2-ia32\bin>xed -e jmp "BRDISP:11223344"
Request: JMP BRDISP_WIDTH:32, MODE:1, RELBR:0x11223344, SMODE:1
OPERAND ORDER: RELBR
Encodable! E944332211
.byte 0xe9,0x44,0x33,0x22,0x11

for pointers:

Code:

xed -e jmp "MEM4:EAX"

Code:

g:\projects\pin-2.13-62141-msvc10-windows\extras\xed2-ia32\bin>xed -e jmp "MEM4:
EAX"
Request: JMP EASZ:2, MEM_WIDTH:4, MEM0:dword ptr [EAX], MODE:1, SMODE:1
OPERAND ORDER: MEM0
Encodable! FF20
.byte 0xff,0x20

[h8er]

I can't edit the post above (don't know why), here is a jmp dword ptr [0x11223344]

Code:

xed -e jmp "MEM4:-,-,-,11223344"

Code:

g:\projects\pin-2.13-62141-msvc10-windows\extras\xed2-ia32\bin>xed -e jmp "MEM4:-,-,-,11223344"
Request: JMP DISP_WIDTH:32, MEM_WIDTH:4, MEM0:dword ptr [0x11223344], MODE:1, SMODE:1
OPERAND ORDER: MEM0
Encodable! FF2544332211
.byte 0xff,0x25,0x44,0x33,0x22,0x11

[ferrit.rce]

Hey h8er! You're the maaan