disassembler

[NOVARSEG]

press any key to scroll thru EXE file

Change the file name to what you want.

Very limited right now. Need to add more instructions

Code: QB64: [Select]

1. OPEN "atestasm.exe" FOR BINARY AS #1
2. DIM x AS LONG
3. DIM xx AS INTEGER
4. DIM count AS LONG
5.  
6. DIM T AS STRING
7. DIM hexString AS STRING
8. DIM R AS INTEGER
9.  
10. DIM hx AS STRING
11. DIM A AS INTEGER
12. DIM Z AS INTEGER
13.  
14. T = SPACE$(LOF(1))
15. GET #1, , T
16. x = 1
17.  
18. DO
19.     IF x > LOF(1) - 10 THEN EXIT DO
20.  
21.     x = x + 1
22.     IF ASC(T, x) = &HC7 THEN
23.         x = x + 1:
24.         IF ASC(T, x) = &H00 THEN
25.             Z = Z + 1
26.             GOSUB hex4
27.             PRINT: PRINT "MOV [EAX], "; hexString
28.         END IF
29.     END IF
30.  
31.  
32.  
33.     x = x + 1
34.     IF ASC(T, x) = &HA1 THEN
35.         Z = Z + 1
36.         GOSUB hex4
37.         PRINT: PRINT "MOV EAX, "; "[ "; hexString; "]"
38.     END IF
39.  
40.  
41.     IF Z = 10 THEN
42.         Z = 0
43.         DO
44.             i$ = INKEY$
45.             IF i$ = CHR$(27) THEN END
46.             IF i$ <> "" THEN EXIT DO
47.         LOOP
48.     END IF
49.  
50.  
51. LOOP
52.  
53.  
54. CLOSE
55. END
56.  
57.  
58. hex4:
59. hexString = ""
60. DO
61.     IF xx = 4 THEN xx = 0: EXIT DO
62.     xx = xx + 1
63.     A = ASC(T, x + xx)
64.     R = A MOD 16
65.     IF R < 10 THEN
66.         hx = CHR$(R + 48)
67.     END IF
68.     IF R >= 10 THEN
69.         hx = CHR$(R + 55)
70.     END IF
71.  
72.     A = A - R
73.     A = A / 16
74.     IF A < 10 THEN
75.         hx = CHR$(A + 48) + hx
76.     END IF
77.     IF A >= 10 THEN
78.         hx = CHR$(A + 55) + hx
79.     END IF
80.  
81.     hexString = hx + " " + hexString
82.     hx = ""
83.  
84. LOOP
85. x = x + 4
86. RETURN
87.  

[NOVARSEG]

I'm using some online disassemblers and other sources to make sure code is working. I found that most of the online disassemblers make mistakes example:

83 C0  FF    =   ADD EAX, FFFF

which is wrong for 32 bit assembler

it should be  for 32 bit
83 C0  FFFF   = ADD EAX, FFFF

For 16 bit :
83 C0  FF = ADD AX, FF

********
Also for 32 bit
81 C0  FFFFFFFF   = ADD EAX, FFFFFFFF

for 16 bit
81 C0  FFFF   = ADD AX, FFFF


Another thing, writing a disassembler is not easy!

[NOVARSEG]

Ok I've checked about 5 online disassemblers so far and they are all consistently wrong??

83 C0  FF    =   ADD EAX, FFFF

How can that be?

83 C0  EE    =   ADD EAX, FFFFFFEE  ?????

Are these online disassemblers all using the same program ???

[NOVARSEG]

Online disassemblers don't seem to be working properly.

http://shell-storm.org/online/Online-Assembler-and-Disassembler/?opcodes=83c081%0D%0A%0D%0A%0D%0A%0D%0A&arch=x86-16&endianness=big&dis_with_addr=True&dis_with_raw=True&dis_with_ins=True#disassembly

83 C0 80  =    add ax, -0x80

83 C0 81   =   add ax, -0x7f

https://defuse.ca/online-x86-assembler.htm#disassembly2

83 c0 79      =          add    eax,0x79

83 c0 80      =         add    eax,0xffffff80

https://onlinedisassembler.com/odaweb/

83c079 =  add  eax, 0x79

83c080   =  add eax,0xffffff80

[SMcNeill]

Seems like it’s just impossible to disassemble an EXE anymore. 

[NOVARSEG]

It's doable

From some good sources, they recommend starting with the MOV instructions and then go from there.

From my experience with 16 bit assembler, start with simple instructions, The more complex ones are based on the simple instructions.

[luke]

Is it perhaps, just maybe, possible that all the disassemblers are correct and you're mistaken?

Opcode 83 is "add imm8 to r/m16/m32 with sign extension", which means the imm8 is treated as a signed value that is sign-extended to the size of the destination.

0x80 sign-extended to a 32 bit number can be written as either -0x7f or 0xffffff80 by the properties of twos complement, so either output is correct.

If you're going to write something that works with x86 instructions you really can't escape sitting down with the Intel Developer Manuals.

[SpriggsySpriggs]

This sounds quite complex

[NOVARSEG]

@luke

Thanks, did not know that 83 was opcode with a signed immediate value

That 2s compliment stuff is what confused me.

https://defuse.ca/online-x86-assembler.htm#disassembly2

Ok so let's use an immediate value that has a  positive  signed value  = 7FFF FFFF

The disassembler in the above link is in 32 bit mode so it should accept 4 bytes for the immediate value field.

Here is what the result is:

Disassembly:
0:  83 c0 ff                add    eax,0xffffffff
3:  ff                      (bad)
4:  ff                      (bad)
5:  7f                      .byte 0x7f

The disassembler is rejecting 3 bytes. Is this how the immediate value should be decoded?

whereas it get it right with

Disassembly:
0:  81 c0 ff ff ff 7f       add    eax,0x7fffffff

When we use a negative signed value 8000 0000 look what happens

Disassembly:
0:  83 c0 00                add    eax,0x0
3:  00 00                   add    BYTE PTR [eax],al
5:  80                      .byte 0x80

the assembler inserts an instruction in the immediate value field

but gets it right with

Disassembly:
0:  81 c0 00 00 00 80       add    eax,0x80000000

[luke]

You are wrong to assume that 0x83 takes an immediate value of varying width on difference architectures.

https://www.felixcloutier.com/x86/add Note that 0x83 always takes an imm8 argument - a single byte immediate value. It does not make sense to provide a larger number, the opcode simply doesn't work that way.

[NOVARSEG]

Ok imm8.   

I tried even with the disassembler in 64 bit mode and it is still imm8

opcode 83  is NOT effected by a 66h prefix byte yep

What confused me was the imm8 spec

[NOVARSEG]

..............

[SMcNeill]

Do you understand how negative values are stored in memory, or represented as hex values?

Run this little program, which prints out the hex values for -1 to -20, as signed bytes, integers, and longs:

Code: QB64: [Select]

1. FOR i = 1 TO 20
2.     v%% = -i: v% = -i: v& = -i
3.     PRINT i,
4.     PRINT HEX$(v%%), 'byte
5.     PRINT HEX$(v%), 'integer
6.     PRINT HEX$(v&) 'long
7. NEXT

Your output should look like the following:

Code: [Select]

1       FF        FFFF      FFFFFFFF
 2       FE        FFFE      FFFFFFFE
 3       FD        FFFD      FFFFFFFD
 4       FC        FFFC      FFFFFFFC
 5       FB        FFFB      FFFFFFFB
 6       FA        FFFA      FFFFFFFA
 7       F9        FFF9      FFFFFFF9
 8       F8        FFF8      FFFFFFF8
 9       F7        FFF7      FFFFFFF7
 10      F6        FFF6      FFFFFFF6
 11      F5        FFF5      FFFFFFF5
 12      F4        FFF4      FFFFFFF4
 13      F3        FFF3      FFFFFFF3
 14      F2        FFF2      FFFFFFF2
 15      F1        FFF1      FFFFFFF1
 16      F0        FFF0      FFFFFFF0
 17      EF        FFEF      FFFFFFEF
 18      EE        FFEE      FFFFFFEE
 19      ED        FFED      FFFFFFED
 20      EC        FFEC      FFFFFFEC
Now, as you can see, the value of -1 starts as a full complement of F values.  For a byte, it's FF.  For an integer, it's FFFF.  For a long, it's FFFFFFFF.   As your negative value increases, you simply count down from there.  FE or FFFE, or FFFFFFFE.

Not only do you need to know your variable value, but you also have to know the variable type, to know what the value is.

So pushing 81 into a single byte gives you the correct value of -0x7F, for that byte. 

Now, for the x86 disassembler, you need to remember that your full x86 register is in 32-bit bytes -- EAX.

EAX is the full 32-bit value
AX is the lower 16-bits
AL is the lower 8 bits
AH is the bits 8 through 15 (zero-based)

So 81 as a byte is going to be the same as EAX FFFFFF81.

You pushed 81 into the lowest 8 bits of your 32-bit register, but the disassembler is reporting the value of the whole 32-bit EAX register for you.


And that's the great and mysterious issue you're seeing with your disassembly that has you running around in circles wondering what's going on.  It's just basically different ways of representing the same value...

81 as a signed byte = FF81 as a signed integer = FFFFFF81 as a signed long.

That's all there is to it!

[NOVARSEG]

@SMcNeill


............

[SMcNeill]

@SMcNeill


............

@NOVARSEG

?????????????