ohio813 / distorm

Automatically exported from code.google.com/p/distorm
GNU General Public License v3.0

distorm_decode : 1st Param Doesn't Work #44

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
In what mode did you try to disassemble (16/32/64)?
32

What is the input buffer (binary stream) you used to reproduce the problem?
Use hex.
unsigned char rawData[] =
{
    0xFF, 0x55, 0x8b, 0xec, 0x8b, 0x45, 0x08, 0x03, 0x45, 0x0c, 0xc9, 0xc3
};

What is the expected output (or what instruction)?
0x00000000 (01) 55                       PUSH EBP
0x00000001 (02) 8bec                     MOV EBP, ESP
0x00000003 (03) 8b4508                   MOV EAX, [EBP+0x8]
0x00000006 (03) 03450c                   ADD EAX, [EBP+0xc]
0x00000009 (01) c9                       LEAVE
0x0000000A (01) c3                       RET

Which tool did you use to see the expected output?
VS 2010

What do you see instead?
0x00000001 (03) ff558b                   CALL DWORD [EBP-0x75]
0x00000004 (01) ec                       IN AL, DX
0x00000005 (03) 8b4508                   MOV EAX, [EBP+0x8]
0x00000008 (03) 03450c                   ADD EAX, [EBP+0xc]
0x0000000B (01) c9                       LEAVE

What version of diStorm are you using? On what platform (Python/EXE/other)?
Revision 204, VS 2010 SP1, EXE

Please provide any additional information below.
Test Code:

#include <stdio.h>
#include "distorm.h"

/* Upper bound passed to distorm_decode; matches the decodedInstructions array size. */
#define MAX_INSTRUCTIONS 1000

int main(void)
{
    _DecodeResult res;
    _DecodedInst decodedInstructions[MAX_INSTRUCTIONS];
    unsigned int decodedInstructionsCount = 0, i = 0;
    _OffsetType offset = 0;
    unsigned int dver = distorm_version();
    printf("diStorm version: %d.%d.%d\n", (dver >> 16), (dver >> 8) & 0xff, dver & 0xff);

    unsigned char rawData[] =
    {
        0xFF, 0x55, 0x8b, 0xec, 0x8b, 0x45, 0x08, 0x03, 0x45, 0x0c, 0xc9, 0xc3
    };

    /* First parameter is the code offset (address) reported for the first
       instruction; decoding starts at rawData[0] regardless of its value. */
    res = distorm_decode(offset + 1, (const unsigned char*)rawData, sizeof(rawData) - 1, Decode32Bits,
                         decodedInstructions, MAX_INSTRUCTIONS, &decodedInstructionsCount);
    for (i = 0; i < decodedInstructionsCount; i++) {
#ifdef _AMD64_
        printf("%08I64x (%02d) %-24s %s%s%s\r\n", decodedInstructions[i].offset, decodedInstructions[i].size, (char*)decodedInstructions[i].instructionHex.p, (char*)decodedInstructions[i].mnemonic.p, decodedInstructions[i].operands.length != 0 ? " " : "", (char*)decodedInstructions[i].operands.p);
#else
        printf("0x%08X (%02d) %-24s %s%s%s\r\n", decodedInstructions[i].offset, decodedInstructions[i].size, (char*)decodedInstructions[i].instructionHex.p, (char*)decodedInstructions[i].mnemonic.p, decodedInstructions[i].operands.length != 0 ? " " : "", (char*)decodedInstructions[i].operands.p);
#endif
    }
    return 0;
}

Original issue reported on code.google.com by soulmi...@gmail.com on 8 Mar 2012 at 11:16

GoogleCodeExporter commented 9 years ago
You pass offset+1 to distorm_decode, so obviously the offset of the first instruction starts at 1.
Change the offset to any value you want...

Original comment by distorm@gmail.com on 8 Mar 2012 at 12:04

GoogleCodeExporter commented 9 years ago
I pass offset+1 to distorm_decode, so the offset of the first instruction should start at array index 1, skipping the first byte 0xFF.
But the outcome seems to start at array index 0, decoding the first 3 bytes as an instruction, which isn't right.
Or am I missing something?

Original comment by soulmi...@gmail.com on 9 Mar 2012 at 3:20
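The two replies above turn on one point: the first parameter of distorm_decode is the code offset that gets added to the reported addresses, while the buffer pointer and length decide which bytes are decoded. The following is an added C example, not diStorm's code. It is a toy decoder (assumed names toy_decode, reporter_call, skip_first_byte) that handles only the opcodes present in the reporter's buffer, uses the same (codeOffset, buffer, length) convention, and reproduces both listings from the report: the reporter's call, which desynchronizes on the leading 0xFF, and a call that advances the pointer to rawData+1 so the listing starts at PUSH EBP.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed input: the reporter's buffer, including the stray leading 0xFF. */
static const uint8_t kRawData[] = {
    0xFF, 0x55, 0x8b, 0xec, 0x8b, 0x45, 0x08, 0x03, 0x45, 0x0c, 0xc9, 0xc3
};

typedef struct {
    uint32_t offset;  /* address reported for the instruction: codeOffset + index */
    unsigned size;    /* bytes consumed */
    char text[48];    /* mnemonic and operands in diStorm's text style */
} ToyInst;

static const char *kReg32[8] = { "EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI" };

/* Decode a ModRM byte into operand text. Only mod=3 (register) and mod=1 with an
 * 8-bit displacement and no SIB are handled, which covers every byte above.
 * Returns bytes consumed (1 or 2), or 0 for an encoding this toy does not support. */
static unsigned modrm_text(const uint8_t *p, size_t avail, char *out, size_t n, unsigned *reg)
{
    unsigned mod, rm;
    if (avail < 1) return 0;
    mod = p[0] >> 6;
    rm = p[0] & 7;
    *reg = (p[0] >> 3) & 7;
    if (mod == 3) { snprintf(out, n, "%s", kReg32[rm]); return 1; }
    if (mod == 1 && rm != 4) {
        int d;
        if (avail < 2) return 0;
        d = (int8_t)p[1];                         /* sign-extended disp8 */
        if (d < 0) snprintf(out, n, "[%s-0x%x]", kReg32[rm], (unsigned)(-d));
        else       snprintf(out, n, "[%s+0x%x]", kReg32[rm], (unsigned)d);
        return 2;
    }
    return 0;
}

/* Decode one instruction at p; returns its length, or 0 for an unsupported opcode. */
static unsigned decode_one(const uint8_t *p, size_t avail, char *out, size_t n)
{
    char opnd[32];
    unsigned reg, len;
    uint8_t op = p[0];

    if (op >= 0x50 && op <= 0x57) { snprintf(out, n, "PUSH %s", kReg32[op - 0x50]); return 1; }
    switch (op) {
    case 0xC9: snprintf(out, n, "LEAVE");     return 1;
    case 0xC3: snprintf(out, n, "RET");       return 1;
    case 0xEC: snprintf(out, n, "IN AL, DX"); return 1;
    case 0x8B:                                /* MOV r32, r/m32 */
    case 0x03:                                /* ADD r32, r/m32 */
        len = modrm_text(p + 1, avail - 1, opnd, sizeof opnd, &reg);
        if (len == 0) return 0;
        snprintf(out, n, "%s %s, %s", op == 0x8B ? "MOV" : "ADD", kReg32[reg], opnd);
        return 1 + len;
    case 0xFF:                                /* group 5: /2 is CALL r/m32 */
        len = modrm_text(p + 1, avail - 1, opnd, sizeof opnd, &reg);
        if (len == 0 || reg != 2) return 0;
        snprintf(out, n, "CALL DWORD %s", opnd);
        return 1 + len;
    default:
        return 0;
    }
}

/* Same shape as distorm_decode(codeOffset, code, codeLen, ...): codeOffset is only
 * added to the reported addresses; decoding always begins at code[0]. */
static unsigned toy_decode(uint32_t codeOffset, const uint8_t *code, size_t codeLen,
                           ToyInst *out, unsigned maxInstructions)
{
    unsigned count = 0;
    size_t pos = 0;
    while (pos < codeLen && count < maxInstructions) {
        unsigned n = decode_one(code + pos, codeLen - pos, out[count].text, sizeof out[count].text);
        if (n == 0) break;                    /* unsupported byte: stop the walk */
        out[count].offset = codeOffset + (uint32_t)pos;
        out[count].size = n;
        count++;
        pos += n;
    }
    return count;
}

static ToyInst g_out[16];

/* The reporter's call: offset 1, but the buffer pointer still starts at rawData[0]. */
static unsigned reporter_call(void)  { return toy_decode(1, kRawData, sizeof kRawData - 1, g_out, 16); }

/* What the reporter wanted: skip the 0xFF by advancing the pointer. With codeOffset 0
 * the addresses match the expected listing; pass 1 to number from 1 instead. */
static unsigned skip_first_byte(void) { return toy_decode(0, kRawData + 1, sizeof kRawData - 1, g_out, 16); }

static void print_listing(unsigned count)
{
    unsigned i;
    for (i = 0; i < count; i++)
        printf("0x%08X (%02u) %s\n", g_out[i].offset, g_out[i].size, g_out[i].text);
}

int main(void)
{
    printf("-- offset+1, buffer at rawData (the report's call) --\n");
    print_listing(reporter_call());
    printf("-- offset 0, buffer at rawData+1 --\n");
    print_listing(skip_first_byte());
    return 0;
}
```

The first listing shows why the maintainer's answer is the whole story: with the pointer left at rawData[0], the decoder consumes FF 55 8B as CALL DWORD [EBP-0x75], then EC as IN AL, DX, and only resynchronizes at 8B 45 08. The final C3 is never reached because the reporter also shortened the length by one while keeping the pointer in place.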