Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-09-2005, 16:17
visu
 
Posts: n/a
Instruction Size

What is simplest way to determine the size of instruction ? Basically, I have a memory location of instruction and I like to know the next instruction address.

Any existing source code ?

Visu
Reply With Quote
  #2  
Old 04-09-2005, 16:38
dyn!o's Avatar
dyn!o dyn!o is offline
Friend
 
Join Date: Nov 2003
Location: Own mind
Posts: 214
Rept. Given: 1
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 8
Thanks Rcvd at 0 Times in 0 Posts
dyn!o Reputation: 1
Complex question.

It depends on the sort of protection are you working on.

1. Common software.
I would suggest a disassembler source engine (you can find few on the net, as I remember also on OllyDbg page). This will deal with all offsets.

2. Crypted software.
I would suggest EIP logger since some protections use polymorphic and/or metamorphic engines, thus you will fail with disassembler engine.

3. Crypted software with virtual machine.
This is the worst assumption. In this case I would suggest to write own disassembler (for decompiling opcodes and in some fancy protections even operation types) and tracer (code flow execution control). Hard thing but the most effective.

Regards.

Last edited by dyn!o; 04-09-2005 at 16:44.
Reply With Quote
  #3  
Old 04-09-2005, 17:41
Hero Hero is offline
VIP
 
Join Date: Jan 2005
Posts: 224
Rept. Given: 2
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 4
Thanks Rcvd at 2 Times in 2 Posts
Hero Reputation: 1
Hi visu
I assume that your program is running in debug mode.Run for a single step event
then decrease values of EIP from CONTEXT(using GetThreadContext).This will be
size.
If your proram is not running(like disassembler) you should use the cpu reference
for instruction structure because the indtruction lengths are various(1-14 byte
for intel)

sincerely yours
__________________
I should look out my posts,or JMI gets mad on me!
Reply With Quote
  #4  
Old 04-09-2005, 19:21
upb's Avatar
upb upb is offline
Friend
 
Join Date: Apr 2002
Location: Elbonia
Posts: 63
Rept. Given: 5
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 3
Thanks Rcvd at 0 Times in 0 Posts
upb Reputation: 0
how will a polymorphic engine fail the disassembler?
the code will be different but doesnt it still consist of x86 instructions?
Reply With Quote
  #5  
Old 04-09-2005, 22:12
Cobi Cobi is offline
Friend
 
Join Date: Sep 2004
Location: Germany
Posts: 55
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
Cobi Reputation: 0
You should read the "Intel Architecture Software Developer's Manual, Volume 2: Instruction Set Reference".
(I personally think its written like crap but try it yourself)
For a length-disassembler this should help you:
http://vx.netlux.org/lib/vzo16.html
Greetz, Cobi
Reply With Quote
  #6  
Old 04-09-2005, 22:30
dyn!o's Avatar
dyn!o dyn!o is offline
Friend
 
Join Date: Nov 2003
Location: Own mind
Posts: 214
Rept. Given: 1
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 8
Thanks Rcvd at 0 Times in 0 Posts
dyn!o Reputation: 1
"how will a polymorphic engine fail the disassembler?"
A polymorphic engine, used in software protection, (polymorphism, in the meaning of object oriented languages, is a completely different thing) usually features code obfuscation. A "brainless" software disassembler will take the first companionate set of bytes as the instruction and miss many places in the log (you can try it in any debugger... take PeLock, as example, and perform single step tracing of decryption code - you will understand what I mean).

"the code will be different but doesnt it still consist of x86 instructions?"
This time it is not only about different code but obfuscation used in polymorph engines. These tricks will fool usual software disassembler.

Last edited by dyn!o; 04-10-2005 at 01:43.
Reply With Quote
  #7  
Old 04-10-2005, 05:41
drocon
 
Posts: n/a
a simple LDE (length-disassembler engine) isn't hard to write, take a few days to digest the intel instruction encoding, and then just follow the chart. everything is pretty straight forward.

you'll be needing 2 tables, 256 byte each, one for normal instructions, and one for 'extended' (0x0f) ones. In those tables, store flags for relevent information, such as the instruction takes its param from modrm bytes, or it's naturally a 1-byte opcode, or maybe it accepts imm32 (such as B8 'mov', etc...)

when you load the opcode, simply match that value with the table, and from there, follow the encoding rules to determine the length. some stuff *may* be somewhat tricky though.

my suggestion would be to read up on:

http://www.pdos.lcs.mit.edu/6.828/2004/readings/i386/s17_02.htm

it's a lot simplier IMO than the intel books, cleaner, and as for table, look for Sang Cho's disassembly/assembly table, avaliable on google.

if you're completely not familiar with the instruction encoding, i suggest you read The Svin's opcode tutorials, avaliable at win32asm boards (boards.win32asmcommunity.com)

hope it helps

-drocon
Reply With Quote
  #8  
Old 04-24-2005, 01:34
taipan
 
Posts: n/a
Quote:
Originally Posted by visu
What is simplest way to determine the size of instruction ?
EliCZ wrote a small prg for this. It's very good!

hxxp://www.anticracking.sk/elicz/export/X86IL.zip
Reply With Quote
  #9  
Old 04-24-2005, 08:20
doug
 
Posts: n/a
There is a ton of those on the net.
Bengaly (PVDasm) offers one, there's one on the ollydbg website, z0mbie wrote a few (google for ADE32, LDE - his website seems down). If all you need is the length of the instruction, then the simplest solution is probably ADE32 or as, taipan wrote, ELiCZ's X86IL.

It's a good exercise to write one yourself; you'll master the instruction format afterwards.
Reply With Quote
  #10  
Old 05-16-2005, 18:23
goggles99 goggles99 is offline
Friend
 
Join Date: Aug 2004
Posts: 62
Rept. Given: 5
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 1
Thanks Rcvd at 4 Times in 4 Posts
goggles99 Reputation: 0
Smile

Just to add one more that I have found (and actually used). It's written in C++
it's called InstLenDisasm, you can find it here.
http://www.security.org.sg/code/antihookexec.html <-- interesting article too btw
look inside the antihookexec zip file.

also, since z0mbie's website seem to be gone, you can get ADE32, LDE, and XDE
here
http://www.madchat.org/vxdevl/engines/
or here
http://vx.netlux.org/vx.php?id=eidx&page=0
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Hex-rays PPC decompiler and bctr instruction jonwil General Discussion 0 04-10-2021 20:17
[idaref] IDA Pro Instruction Reference Plugin sh3dow Community Tools 2 01-03-2015 19:03
Strange Instruction CTS BE thomasantony General Discussion 2 03-23-2005 04:41


All times are GMT +8. The time now is 07:35.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )