Jump to content
Tuts 4 You

Hacker Disassembler Engine + Source Code...

Teddy Rogers

By Teddy Rogers
in Programming and Coding

Recommended Posts

Teddy Rogers

Teddy Rogers

Posted
Posted

Hacker Disassembler Engine:

Hacker Disassembler Engine, or HDE, is small disassembler engine, which intend to code analyse. HDE get length of command, prefixes, ModR/M and SIB bytes, opcode, immediate, displacement, relative address, etc. For example, you can use HDE when writing unpackers or decryptors executable files, because more others disassemblers too big, get only disasm listing and aren't intended for code analys, but more simple

length disassemblers usually get too little info. HDE get enough info to analyse, but it has very small size. HDE package include DLL, object, header files and and source.

+ support MMX, SSE, SSE2, SSE3, 3DNow! instructions

+ high-speed & small size (coded in assembler ;)

+ compatibility with most coding language

To disassemble should call hde_disasm function:

   void hde_disasm(
	 void *pCode			   // pointer to code
	 HDE_STRUCT *pHDE_STRUCT   // pointer to structure HDE_STRUCT
	 )

After execute, you get filled structure HDE_STRUCT:

   typedef struct _HDE_STRUCT
   {
	 BYTE	len;		   // length of command
	 BYTE	p_rep;		 // rep/repnz/.. prefix: 0xF2 or 0xF3
	 BYTE	p_lock;		// lock prefix 0xF0
	 BYTE	p_seg;		 // segment prefix: 0x2E, 0x36, 0x3E, 0x26, 0x64, 0x65
	 BYTE	p_66;		  // prefix 0x66
	 BYTE	p_67;		  // prefix 0x67
	 BYTE	opcode;		// opcode
	 BYTE	opcode2;	   // second opcode, if first opcode equal 0x0F
	 BYTE	modrm;		 // ModR/M byte
	 BYTE	modrm_mod;	 //   - mod byte of ModR/M
	 BYTE	modrm_reg;	 //   - reg byte of ModR/M
	 BYTE	modrm_rm;	  //   - r/m byte of ModR/M
	 BYTE	sib;		   // SIB byte
	 BYTE	sib_scale;	 //   - scale (ss) byte of SIB
	 BYTE	sib_index;	 //   - index byte of SIB
	 BYTE	sib_base;	  //   - base byte of SIB
	 BYTE	imm8;		  // immediate imm8
	 WORD	imm16;		 // immediate imm16
	 DWORD   imm32;		 // immediate imm32
	 BYTE	disp8;		 // displacement disp8
	 WORD	disp16;		// displacement disp16, if prefix 0x67 exist
	 DWORD   disp32;		// displacement disp32
	 BYTE	rel8;		  // relative address rel8
	 WORD	rel16;		 // relative address rel16, if prefix 0x66 exist
	 DWORD   rel32;		 // relative address rel32
   } HDE_STRUCT;
Opcode and len fields always exist, others are optional and depend of command. If

field's value equal zero, then it isn't existing.

Note: HDE work only with 32-bit commands of x86 processors !

Improvements, suggestions and bugfixes are welcomed.

Home Page:

http://vxheavens.com/vx.php?id=eh04

Ted.

hde.0.02.zip

hde.0.03.zip

hde28b.zip

hde28c.zip

hde6404c.zip

hde27b.zip

hde27c.zip

  • 1 month later...
antrobs

antrobs

Posted
Posted

Oopss! not for me need to practice coding first, but it's a good tool to collect.... :D Thanks

aNtRoBs

  • 4 months later...
Oldschool Hardtrancer

Oldschool Hardtrancer

Posted
Posted

Hacker Disassembler Engine (HDE) v0.06

version 0.06 [03.01.2007]

+ some optimization: changed standard stack frames in procedures to

more optimized enter/leave

+ corrected C/C++ header file

+ added C example

version 0.05 [28.11.2006]

+ fixed bug with displacements (thx: Napalm)

+ fixed bug with length of command

+ added object files in elf32 format

  • 2 months later...
Oldschool Hardtrancer

Oldschool Hardtrancer

Posted
Posted

Hacker Disassembler Engine (HDE) version 0.07 - 09.02.2007

- fixed bug with F6 and F7 opcodes

- added support of FPU commands

- optimized and small code

- corrected documentation

Loki

Loki

Posted
Posted

Has anyone actually done anything useful with this? I've not really looked at it and was wondering if its worthwhile.

Whiterat

Whiterat

Posted
Posted

Very useful indeed :)

Great for trying to differentiate between opcodes and data. (i.e 0xCC and INT3 when restoring nanos)

Loki

Loki

Posted
Posted

Ah, fair point. Think I'll download and store this one for when a have a bit of time spare then!

Thanks for the comment WhiteRat.

Killboy

Killboy

Posted
Posted

One very good argument is its size. 1kb is almost nothing, very useful for creating Imprec plugins which need some more advanced treatment like removing junk code, counting commands etc...

  • 5 months later...
Oldschool Hardtrancer

Oldschool Hardtrancer

Posted
Posted (edited)

Hacker Disassembler Engine (HDE) version 0.08

version 0.08 [27.08.2007]

+ sources translated to nasm

+ code is position independent now

Edited by Oldschool Hardtrancer
  • 3 months later...
Oldschool Hardtrancer

Oldschool Hardtrancer

Posted
Posted
version 0.09 [02.10.2007]

+ optimized and small code from 978 to 660 bytes

rendari

rendari

Posted
Posted

Very useful for deobfuscation :)

  • 1 month later...
What

What

Posted
Posted

Hacker Disassembler Engine 32 version 0.11

* now the function follow C convension

* now elf32 object file doesn't contain nasm's comment, so bug when linking with mingw-gcc disappear

* now omf object is compiled directly with nasm, and there is no bug when linking with Borland C++

* now win32 dll doesn't contain versioninfo

* corrected pascal header file

BlacKaT

BlacKaT

Posted
Posted
Very useful for deobfuscation :)

indeed.

  • 2 weeks later...
4e4en

4e4en

Posted
Posted

It would be great, if you would add some samples.

in4matics

in4matics

Posted
Posted (edited)

How to use:

var
	instruction :HDEInstruction; // holds instruction info
...
	HDEDisasm(buffer, instruction); // param 'buffer' holds the data to disassemble (pchar, pointer...)

HDEInstruction struct:

	HDEInstruction = packed record
		len		: byte;	 { length of command							 }
		p_rep	  : byte;	 { rep/repz (0xf3) & repnz (0xf2) prefix		 }
		p_lock	 : byte;	 { lock prefix: 0xf0							 }
		p_seg	  : byte;	 { segment prefix: 0x2e,0x36,0x3e,0x26,0x64,0x65 }
		p_66	   : byte;	 { operand-size override prefix: 0x66			}
		p_67	   : byte;	 { address-size override prefix: 0x67			}
		opcode	 : byte;	 { opcode										}
		opcode2	: byte;	 { second opcode (if first opcode is 0x0f)	   }
		modrm	  : byte;	 { ModR/M byte								   }
		modrm_mod  : byte;	 {   mod field of ModR/M						 }
		modrm_reg  : byte;	 {   reg field of ModR/M						 }
		modrm_rm   : byte;	 {   r/m field of ModR/M						 }
		sib		: byte;	 { SIB byte									  }
		sib_scale  : byte;	 {   scale field of SIB						  }
		sib_index  : byte;	 {   index field of SIB						  }
		sib_base   : byte;	 {   base field of SIB						   }
		imm8	   : byte;	 { immediate value imm8						  }
		imm16	  : word;	 { immediate value imm16						 }
		imm32	  : dword;	{ immediate value imm32						 }
		disp8	  : byte;	 { displacement disp8							}
		disp16	 : word;	 { displacement disp16						   }
		disp32	 : dword;	{ displacement disp32						   }
		rel8	   : byte;	 { relative address rel8						 }
		rel16	  : word;	 { relative address rel16						}
		rel32	  : dword;	{ relative address rel32						}{i}		imm32_offs : byte;	 { immediate value (imm32) offset in code		} \\ NEW
{i}		disp32_offs: byte;	 { displacement (disp32) offset in code		  } \\ NEW
{i}		rel32_offs : byte;	 { relative address (rel32) offset in code	   } \\ NEW
	end;

Regards

Edited by in4matics
Caliber

Caliber

Posted
Posted (edited)

i am using a different language at the moment for my disassm project. i was curious if someone already had the following.

this library as a .dll already compiled-

a list of functions that the library contains, and their associated types, returns, etc.

i am currently using the freely posted ollydbg 1.0 engine for disassm in one of my projects, but that library is very old and does not contain the sse, instructions, etc.

thanks in advance for the help!

best,

Cal

Edited by Caliber
HVC

HVC

Posted
Posted
this library as a .dll already compiled-

Yes, it also has coff, omf and elf32 objects, that you can statically link to your code.

a list of functions that the library contains, and their associated types, returns, etc.

One function:

hde32_disasm(const void *code, hde32s *hs)

which takes two parameters:

-a pointer to the code you want to disassemble...

- a pointer to the following structure:

typedef struct {

unsigned char len; /* length of command */

unsigned char p_rep; /* rep/repz (0xf3) & repnz (0xf2) prefix */

unsigned char p_lock; /* lock prefix: 0xf0 */

unsigned char p_seg; /* segment prefix: 0x2e,0x36,0x3e,0x26,0x64,0x65 */

unsigned char p_66; /* operand-size override prefix: 0x66 */

unsigned char p_67; /* address-size override prefix: 0x67 */

unsigned char opcode; /* opcode */

unsigned char opcode2; /* second opcode (if first opcode is 0x0f) */

unsigned char modrm; /* ModR/M byte */

unsigned char modrm_mod; /* mod field of ModR/M */

unsigned char modrm_reg; /* reg field of ModR/M */

unsigned char modrm_rm; /* r/m field of ModR/M */

unsigned char sib; /* SIB byte */

unsigned char sib_scale; /* scale field of SIB */

unsigned char sib_index; /* index field of SIB */

unsigned char sib_base; /* base field of SIB */

unsigned char imm8; /* immediate value imm8 */

unsigned short imm16; /* immediate value imm16 */

unsigned long imm32; /* immediate value imm32 */

unsigned char disp8; /* displacement disp8 */

unsigned short disp16; /* displacement disp16 */

unsigned long disp32; /* displacement disp32 */

unsigned char rel8; /* relative address rel8 */

unsigned short rel16; /* relative address rel16 */

unsigned long rel32; /* relative address rel32 */

} hde32s;

Now, since all this information is in the package, i don't know if you have it available... :unsure:

There you go:

http://patkov-site.narod.ru/download/hde32-0.11.tar.gz

Killboy

Killboy

Posted
Posted

BTW This is just an LDE, that is, it will just give some formatted basic information about the opcode such as:

length

prefix

[relative] addresses (if any)

but no mnemonics :)

You might want to take a look at BeaEngine/LDE64 from Beatrix/FRET which support 32 + 64 bit + MMX, SSE, SSE2, SSE3, SSSE3 (SSE4), VMX...

http://reverseengineering.online.fr/tools/...gine/index1.php

  • 4 months later...
linhanshi

linhanshi

Posted
Posted

16 august 2008, Thursday

Hacker Disassembler Engine 32 version 0.15

now engine detects instruction with invalid operands (like `lea eax,ecx')

changes in the documentation and headers

  • 1 month later...
What

What

Posted
Posted (edited)

Latest versions, noticed this topic was a couple versions behind an lacking other types:

Asm Version

hde32-0.24.tar.gz (Sources + i386 libraries, 23.4 KB)

_http://patkov-site.narod.ru/download/hde32-0.24.tar.gz

C Version

hde32c-0.24.01.tar.gz (Sources, 4.7 KB)

_http://patkov-site.narod.ru/download/hde32c-0.24.01.tar.gz

64 Bit

hde64c-0.01.tar.gz (Sources, 11.3 KB)

_http://patkov-site.narod.ru/download/hde64c-0.01.tar.gz

Edited by What
GEEK

GEEK

Posted
Posted

@killboy

can attach BeaEngine here coz the original dead

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...