Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum
[Previous] [Index] [Next]

VIRXASM32

Author: Malum

From author's docs

Description

VirXasm32 is the length-disassembler of 32 bit executable code of Intel processors.

I decided to exclude error flag from dizasm tables that's why VirXasm disassemble all opcodes (possible and impossible). Also disasm know nothing about CODE/REG field (imho all len-dizasms not process field CODE/REG. exclude TEST). It well process all prefixes.

Size of VirXasm is only 333 bytes (amazing but it smaller then v1.3 :). VirXasm well disassemble itself. Of cause external calls, absolute offsets in code are not present. But version "A" have delta offset (call delta/pop ebp) that's why I wrote version "B" without delta offsets were all data pushs in stack.

Now VirXasm support MMX, SSE, SSE2, 3DNOW ...

How to use it

Before use VirXasm include file VirXasm32_v1.5.asm to your virus, set ESI on disassembling code, call VirXasm32 and it will return in EAX length of instruction. Also you must have 180 bytes in stack. For example:

        ; ...
        mov     esi, offset instrs
nxt:    call    VirXasm32
        add     esi, eax
        cmp     eax, 5
        jne     nxt
        ; ...
include VirXasm32_v1.5b.asm

About code

For description of opcodes I used two tables on group (normal and extended groups). In first table each instruction have one bit of present mod r/m byte (I used BT instruction). In second table each instruction have two bits. First bit is presence of immediate value and second bit is size of immediate value. (0 - byte, 1 - double word or word if 66h prefix present) Some opcodes can not be descripted via this method (ENTER,RET N,IRET N,JMP,CALL FAR, and fucking TEST). VirXasm process it apart. Also my dizasm use special order of opcodes in opcode table (for example: 0xh,1xh,2xh,3xh are equal, in extended group, 1xh,2xh,4xh,5xh,6xh,9xh,Dxh,Exh Fxh are equal too and in normal group in 4xh,5xh,7xh,9xh,Bxh,Dxh,Exh,Fxh opcodes have places by pairs (oh, my bad english)).

History


Comments
Download
(Full info)

 FilenameSizeDescriptionDate 
virxasm10.zip6871VirXAsm 1.0Jul 2006MD5 sum 21f88358ad1a78899173bbb81289df61
virxasm11.zip8418VirXAsm 1.1Jul 2006MD5 sum bc51ba6bf7595cdb3a16166be324382b
virxasm12.zip8707VirXAsm 1.2Aug 2006MD5 sum 85ef2b6052a55c6b6e01e0dd1c165009
virxasm13.zip8855VirXAsm 1.3Aug 2006MD5 sum 57dbbc8aaf3f9eb4215201d84f350ba4
virxasm14.zip8859VirXAsm 1.4Sep 2006MD5 sum 5f3e176ff2c087efb9d777697fd0eeee
virxasm15.zip8929VirXAsm 1.5Sep 2006MD5 sum 1a4c3d43779a87b49354071e0f953556
virxasm15adv.zip19090VirXAsm 1.5 (adv)Jul 2008MD5 sum e84f5f8ffce33cb4b8cf6604208735b0


By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxer.org aka vx.netlux.org
deenesitfrplruua