I am new to Capstone and PE structure... beg your indulgence
I want to extract hex number which means opcode and operands in Python using Capstone
Here is my example:
if there is a file that looks like this
.text:00404499 8B 0D 14 61 41 00
mov ecx, dword_416114
the hex num -'8D' is the hex number including (mov, ecx, dword_416114) right?
so I tried to extract the exact hex num, but i am having trouble...
Here is my code:
for ins in cs.disasm(pe.sections[0].get_data(), 0x0):
print("0x%x:\t%s\t%s" %(ins.address, ins.mnemonic, ins.op_str))
above code will show this:
0x0: xor eax, 0xff77ee8b
0x5: mov ch, dh
0x7: ja 0xffffff9f
...
0x15: inc esi
how can i get what i want?
Related
I think I'm thinking about this the wrong way, but I'm wondering how an embedded system with less than 32-bits can use 32-bit data values. I'm a beginner programmer so go easy on me :)
base 10
0100 <- carry in/out
5432
+1177
======
6609
never brought up in class but we can now extend that to two operations
100
32
+77
======
09
01
54
+11
======
66
and come up with the 6609 result because we understand that it is column based and each column treated separately.
base 2
1111
+0011
=====
11110
1111
+0011
=====
10010
110
11
+11
=====
10
111
11
+00
=====
100
result 10010
you can break your operations up into however many bits you want 8, 16, 13, 97 whatever. it is column based (for addition) and it just works. division you should be able to figure out, multiplication is just shifting and adding and can turn that into multiple operations as well
n bits * n bits = 2*n bits so if you have an 8 bit * 8 bit = 16 bit multiply you can use that on an 8 bit system otherwise you have to limit to 4 bits * 4 bits = 8 bits and work with that (or if no multiply then just do the shift and add).
base 2
abcd
* 1101
========
abcd
0000
abcd
+abcd
=========
which you can break down into a shifting and adding problem, can do N bits with a 4 or 8 or M bit processor/registers/alu
Or look at it another way, grade school algebra
(a+b)*(c+d) = ac + bc + ad + bd
mnop * tuvw = ((mn*0x100)+(op)) * ((tu*0x100)+(vw)) = (a+b)*(c+d)
and you should find that you can combine the with 0x100 terms and without,
do those separately from the without putting together parts of the answer using an 8 bit alu (or 4 bits of the 8 bit as needed).
shifting should be obvious just move the bits over to the next byte or (half)word or whatever.
and bitwise operations (xor, and, or) are bitwise so dont need anything special just keep the columns lined up.
EDIT
Or you could just try it
unsigned long fun1 ( unsigned long a, unsigned long b )
{
return(a+b);
}
00000000 <_fun1>:
0: 1166 mov r5, -(sp)
2: 1185 mov sp, r5
4: 1d40 0004 mov 4(r5), r0
8: 1d41 0006 mov 6(r5), r1
c: 6d40 0008 add 10(r5), r0
10: 6d41 000a add 12(r5), r1
14: 0b40 adc r0
16: 1585 mov (sp)+, r5
18: 0087 rts pc
00000000 <fun1>:
0: 0e 5c add r12, r14
2: 0f 6d addc r13, r15
4: 30 41 ret
00000000 <fun1>:
0: 62 0f add r22, r18
2: 73 1f adc r23, r19
4: 84 1f adc r24, r20
6: 95 1f adc r25, r21
8: 08 95 ret
bonus points if you can figure out these instruction sets.
unsigned long fun2 ( unsigned long a, unsigned long b )
{
return(a*b);
}
00000000 <_fun2>:
0: 1166 mov r5, -(sp)
2: 1185 mov sp, r5
4: 10e6 mov r3, -(sp)
6: 1d41 0006 mov 6(r5), r1
a: 1d40 000a mov 12(r5), r0
e: 1043 mov r1, r3
10: 00a1 clc
12: 0c03 ror r3
14: 74d7 fff2 ash $-16, r3
18: 6d43 0004 add 4(r5), r3
1c: 70c0 mul r0, r3
1e: 00a1 clc
20: 0c00 ror r0
22: 7417 fff2 ash $-16, r0
26: 6d40 0008 add 10(r5), r0
2a: 7040 mul r0, r1
2c: 10c0 mov r3, r0
2e: 6040 add r1, r0
30: 0a01 clr r1
32: 1583 mov (sp)+, r3
34: 1585 mov (sp)+, r5
36: 0087 rts pc
An 8 bit system can perform 8 bit operations in a single instruction and single memory access, on such an 8 bit system, 16 and 32 bit operations require additional data accesses and additional instructions.
For example, typical architectures place arithmetic results in register (often an accumulator but some architectures are more_orthogonal_ and can use any register for results), and arithmetic overflow results in a carry flag being set in a status register. In operations larger that the native architecture, the code can inspect the carry flag in order to take the appropriate action in subsequent instructions.
So say for an 8 bit system you add 1 to 255, the result in the 8 bit accumulator will be zero, with the carry flag set; the next instruction can then add one to the upper byte of a 16 bit value in response to the carry flag. This can be made to ripple through to any number of bytes or words, so that a system can be made to process operations of arbitrary bit length above that of the underlying architecture just not in a single instruction operation.
I wonder how I could optimize this code a little bit more. Now he has 467k and 59 lines.
Data segment:
code_char db 'A'
counter_space db 39
counter_char dw 1
counter_rows dw 25
Program segment:
rows:
mov cl, counter_space ;here I write space
mov ah,02h
mov dl,''
space:
int 21h
loop space
mov cx, counter_char ;here I write letters
mov ah,02h
mov dl,code_char
letters:
int 21h
loop letters
mov ah,02h ;here I go to another line(enter)
mov dl,0ah
int 21h
INC code_char ;here I change the value of variable's
DEC counter_space
ADD counter_char,2
DEC counter_rows
mov cx,counter_rows ;here I count the rows to 25
loop rows
mov ah,01h ;here I w8 to any key
int 21h
mov ah,4ch
mov al,0
int 21h
If you have any suggestions please comment.
I just started to learn Assembly.
You can make use of the fact that all other variables can be calculated from the counter_rows variable, so you really only need one variable:
code_char = 'A' + 25 - counter_rows
counter_space = counter_rows + 14
counter_char = 51 - counter_rows * 2
As counter_rows is your outer loop counter, you can just keep it in a register all the time instead of allocating memory for it. That makes it possible to run the program without any memory references at all.
There are some other small optimisations that can be done. You don't need to set the ah register to 02h other than for the first call. When setting ah to 01h for the keypress call, you can just decrement the register as you know that it was 02h before. You can set ax instead of setting ah and al separately.
If I counted correctly, this should take the actual code and data bytes down from 59 to 41:
mov bx, 25 ;counter_rows
rows:
;here I write space
mov cx, bx ; counter_space = counter_rows + 14
add cl, 14
mov ah, 02h
mov dl, 32 ;space
space:
int 21h
loop space
;here I write letters
mov cl, 51 ;counter_char = 51 - counter_rows * 2
sub cl, bl
sub cl, bl
;mov ah, 02h - already set
mov dl, 65 + 25 ;code_char = 'A' + 25 - counter_rows
sub dl, bl
letters:
int 21h
loop letters
;here I go to another line(enter)
;mov ah, 02h - already set
mov dl, 0ah
int 21h
dec bx
jnz rows
;here I wait for any key
dec ah ;02h - 1 = 01h
int 21h
mov ax,4c00h ;set ah and al in one go
int 21h
I am working on some code for my port of MikeOS. It is written in NASM x86 16 bit assembly. I am trying to change a variable that I made to have a different value. It compiles with no errors, but when I call os_print_string, it prints some wierd ASCII characters. Here is the code:
BITS 16
ORG 32768
%INCLUDE "mikedev.inc"
start:
mov si, test2 ; give si test 2 value
mov [test1], si ; give test 1 si's value
mov si, test1 ;now give test1's value to si
call os_print_string ; and print
test2 db "adsfasdfasdf", 0
test1 db "asdf", 0
This code is redundant, I know. I just need a n explanation on how to change a variable's value. Thaks in advance!
-Ryan
Another good old question, here is the answer you waited for 6.83 years :)
BITS 16
ORG 32768
%INCLUDE "mikedev.inc"
start:
mov si, test2
mov di, test1
.loop:
lodsb
or al, al
je .done
stosb
jmp .loop
.done:
mov si, test1
call os_print_string
test2 db "adsfasdfasdf", 0
test1 db "asdf ", 0
Make sure the char arrays have the same length or this will break ^^
But i am sure you know that by now ^^
I don't know what all the db, dw, dd, things mean.
I have tried to write this little script that does 1+1, stores it in a variable and then displays the result. Here is my code so far:
.386
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\masm32.lib
.data
num db ? ; set variable . Here is where I don't know what data type to use.
.code
start:
mov eax, 1 ; add 1 to eax register
mov ebx, 1 ; add 1 to ebx register
add eax, ebx ; add registers eax and ebx
push eax ; push eax into the stack
pop num ; pop eax into the variable num (when I tried it, it gave me an error, i think thats because of the data type)
invoke StdOut, addr num ; display num on the console.
invoke ExitProcess ; exit
end start
I need to understand what the db, dw, dd things mean and how they affect variable setting and combining and that sort of thing.
Quick review,
DB - Define Byte. 8 bits
DW - Define Word. Generally 2 bytes on a typical x86 32-bit system
DD - Define double word. Generally 4 bytes on a typical x86 32-bit system
From x86 assembly tutorial,
The pop instruction removes the 4-byte data element from the top of
the hardware-supported stack into the specified operand (i.e. register
or memory location). It first moves the 4 bytes located at memory
location [SP] into the specified register or memory location, and then
increments SP by 4.
Your num is 1 byte. Try declaring it with DD so that it becomes 4 bytes and matches with pop semantics.
The full list is:
DB, DW, DD, DQ, DT, DDQ, and DO (used to declare initialized data in the output file.)
See: http://www.tortall.net/projects/yasm/manual/html/nasm-pseudop.html
They can be invoked in a wide range of ways: (Note: for Visual-Studio - use "h" instead of "0x" syntax - eg: not 0x55 but 55h instead):
db 0x55 ; just the byte 0x55
db 0x55,0x56,0x57 ; three bytes in succession
db 'a',0x55 ; character constants are OK
db 'hello',13,10,'$' ; so are string constants
dw 0x1234 ; 0x34 0x12
dw 'A' ; 0x41 0x00 (it's just a number)
dw 'AB' ; 0x41 0x42 (character constant)
dw 'ABC' ; 0x41 0x42 0x43 0x00 (string)
dd 0x12345678 ; 0x78 0x56 0x34 0x12
dq 0x1122334455667788 ; 0x88 0x77 0x66 0x55 0x44 0x33 0x22 0x11
ddq 0x112233445566778899aabbccddeeff00
; 0x00 0xff 0xee 0xdd 0xcc 0xbb 0xaa 0x99
; 0x88 0x77 0x66 0x55 0x44 0x33 0x22 0x11
do 0x112233445566778899aabbccddeeff00 ; same as previous
dd 1.234567e20 ; floating-point constant
dq 1.234567e20 ; double-precision float
dt 1.234567e20 ; extended-precision float
DT does not accept numeric constants as operands, and DDQ does not accept float constants as operands. Any size larger than DD does not accept strings as operands.
I am doing some exercises in assembly language and I found a question about optimization which I can't figure out. Can anyone help me with them
So the question is to optimize the following assembly code:
----------------------------Example1-------------------------
mov dx, 0 ---> this one I know-> xor dx,dx
----------------------------Example2------------------------
cmp ax, 0
je label
----------------------------Example3-------------------------
mov ax, x
cwd
mov si, 16
idiv si
----> Most I can think of in this example is to subs last 2 lines by idiv 16, but I am not sure
----------------------------Example4-------------------------
mov ax, x
mov bx, 7
mul bx
mov t, ax
----------------------------Example5---------------------------
mov si, offset array1
mov di, offset array2
; for i = 0; i < n; ++i
do:
mov bx, [si]
mov [di], bx
add si, 2
add di, 2
loop do
endforloop
For example 2, you should look at the and or test opcodes. Similar to example 1, they allow you to remove the need for a constant.
For example 4, remember that x * 7 is the same as x * (8 - 1) or, expanding that, x * 8 - x. Multiplying by eight can be done with a shift instruction.
For example 5, you'd think Intel would have provided a much simpler way to transfer from SI to DI, since that is the whole reason for their existence. Maybe something like a REPetitive MOVe String Word :-)
For example three, division by a power of two can be implemented as a right shift.
Note that in example 5, the current code fails to initialize CX as needed (and in the optimized version, you'd definitely want to do that too).