Re: Creating a dis-assembler on my own - shucks !

From: Matt Taylor (para_at_tampabay.rr.com)
Date: 01/18/04


Date: Sun, 18 Jan 2004 05:41:08 +0000 (UTC)


"Bx. C" <null@the.void> wrote in message
news:Q9lOb.4207$D%.1175@bignews1.bellsouth.net...
<snip>
> true, a far call or jump to a location specified in a 16-bit reg is totally
> illogical... but evidently, they took the easy way out... personally, i'd do
> like you, except, instead of dumping a "db" line for each individual byte,
> i'd go until i hit the next valid instruction, and dump a single line (if
> possible, or groups of 16 per line) for the whole chunk of invalid
> instructions... it's bad enough that doing a disassembly on what's supposed
> to be standard alphabet text strings yields a ton of single and double byte
> instructions... (push xxx / pop xxx / dec xxx / inc xxx / jxx xxxx, etc)...
> i'm trying to think up the best way of identifying long text strings and
> intelligently display them as data instead of instructions, within a
> disassembly...

The easiest answer is to call it a user error. There really is no "best"
way. IDA does a good job of avoiding data by analyzing the code to determine
where the program might execute and assuming all else is data. Unfortunately
this analysis is not perfect, and there are a number of somewhat uncommon
cases which break it. Also, the first thing anyone tries when obfuscating
code is to invoke those degenerate cases which make code & data look the
same. My favorite trick is to insert a conditional branch, preferably
data-driven, that is never taken and points at obfuscated data.

-Matt
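
Added example, not part of the original post and not IDA's actual algorithm: a minimal recursive-traversal pass over a small subset of 32-bit x86 opcodes that marks only bytes reachable from the entry point as code and dumps everything else as grouped `db` lines, as the quoted message proposes. The opcode subset, the function names and the sample bytes are assumptions made for illustration.

```python
# Constructed sample: jmp short over an embedded string, then mov eax,1 / ret.
SAMPLE = bytes.fromhex("EB0C") + b"Hello, world" + bytes.fromhex("B801000000C3")
def insn_len(op):
    """Length of the few 32-bit x86 opcodes this sketch knows; 0 = unknown."""
    if op in (0x90, 0xC3) or 0x40 <= op <= 0x5F:  # nop, ret, inc/dec/push/pop r32
        return 1
    if op == 0xEB or 0x70 <= op <= 0x7F:          # jmp rel8, jcc rel8
        return 2
    if op in (0xE8, 0xE9) or 0xB8 <= op <= 0xBF:  # call/jmp rel32, mov r32,imm32
        return 5
    return 0

def find_code(buf, entry=0):
    """Offsets of bytes reachable by following control flow from entry."""
    code, work = set(), [entry]
    while work:
        pc = work.pop()
        while 0 <= pc < len(buf) and pc not in code:
            op, n = buf[pc], insn_len(buf[pc])
            if n == 0 or pc + n > len(buf):
                break                              # unknown opcode: stop this path
            code.update(range(pc, pc + n))
            if n > 1 and not 0xB8 <= op <= 0xBF:   # branch: queue its target
                disp = int.from_bytes(buf[pc + 1:pc + n], "little", signed=True)
                work.append(pc + n + disp)         # jcc target is followed even if never taken
            if op in (0xC3, 0xEB, 0xE9):           # ret/jmp: no fall-through
                break
            pc += n
    return code

def data_lines(buf, code, width=16):
    """One db line per run of unreached bytes, at most `width` bytes each."""
    lines, i = [], 0
    while i < len(buf):
        if i in code:
            i += 1
            continue
        j = i
        while j < len(buf) and j not in code and j - i < width:
            j += 1
        chunk = buf[i:j]
        if all(0x20 <= b < 0x7F and b != 0x22 for b in chunk):
            lines.append('%04X  db "%s"' % (i, chunk.decode("ascii")))
        else:
            lines.append("%04X  db %s" % (i, ", ".join("0x%02X" % b for b in chunk)))
        i = j
    return lines
if __name__ == "__main__":
    print("\n".join(data_lines(SAMPLE, find_code(SAMPLE))))
```

A linear sweep over the same bytes would decode the string as instructions (`H` is `dec eax` in 32-bit mode, for instance); the traversal never reaches those offsets, so they come out as a single `db` line.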


