Message-ID: <d8360fbf0501071314536b2ddf@mail.gmail.com>
From: shadown at gmail.com (shadown)
Subject: Re: ndisasm bad opcodes interpretation
my mistake...
short jump:
it's JMP_Address + 2 + Second_Byte_value = Next_Instruction_Address
shadown@...ster:~/tmp$ echo -n -e "\x75\x65" > a
shadown@...ster:~/tmp$ ndisasm -b32 a
00000000 7565 jnz 0x67
shadown@...ster:~/tmp$ ~/instalar/libdisassemble/disassemble.py a 0x0 0xff
Disassembling file a at offset: 0x0
00000000: jnz 0x65
this is where my mistake came from ;)
thnx
On Fri, 7 Jan 2005 13:30:21 -0300, shadown <shadown@...il.com> wrote:
> Hi,
>
> not a vulnerability but could be a headache while reverse engineering
> or binary auditing/interpreting, etc. (ok anything related with
> disassembling)
> get wrong values.
>
> shadown@...ster:/tmp$ ndisasm -b32 salida
> 00000000 49 dec ecx
> 00000001 6E outsb
> 00000002 7465 jz 0x69
> 00000004 6C insb
> 00000005 6563747561 arpl [gs:ebp+esi*2+0x61],si
> 0000000A 6C insb
> 0000000B 207072 and [eax+0x72],dh
> 0000000E 6F outsd
> 0000000F 7065 jo 0x76
> 00000011 7274 jc 0x87
> 00000013 7920 jns 0x35
> 00000015 6F outsd
> 00000016 66204968 o16 and [ecx+0x68],cl
> 0000001A 61 popa
> 0000001B 51 push ecx
> 0000001C 7565 jnz 0x83
> 0000001E 52 push edx
> 0000001F 00 db 0x00
> shadown@...ster:/tmp$ ndisasm -V
> NDISASM version 0.98.38 compiled Jan 7 2005
> shadown@...ster:/tmp$
>
> i.e:
> 0000001C 7565 jnz 0x83
> should have been jnz 0x65
>
> I've just tested ndisasm 0.98.36 and 0.98.38
>
> cheers.
> shadown
> --
> Sergio Alvarez
> Security, Research & Development
> IT Security Consultant
> email: shadown@...il.com
>
> This message is confidential. It may also contain information that is
> privileged or otherwise legally exempt from disclosure. If you have
> received it by mistake please let us know by e-mail immediately and
> delete it from your system; should also not copy the message nor
> disclose its contents to anyone. Many thanks.
>
--
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: shadown@...il.com
This message is confidential. It may also contain information that is
privileged or otherwise legally exempt from disclosure. If you have
received it by mistake please let us know by e-mail immediately and
delete it from your system; should also not copy the message nor
disclose its contents to anyone. Many thanks.
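
Added example, not part of the original message or of either tool: the short-jump rule stated in the reply (JMP_Address + 2 + Second_Byte_value), applied to the bytes of the quoted listing to show the absolute targets ndisasm prints next to the raw displacement byte that disassemble.py printed. It goes one step beyond the message by treating the second byte as a signed 8-bit displacement, so backward jumps resolve too; the function names, the origin/bits parameters and the backward-jump bytes are assumptions made for illustration.

```python
import struct

# Jcc rel8 opcodes 0x70-0x7F, spelled as in the ndisasm listing (jz, jnz, jc, jo, jns)
MNEMONICS = ["jo", "jno", "jc", "jnc", "jz", "jnz", "jna", "ja",
             "js", "jns", "jpe", "jpo", "jl", "jnl", "jng", "jg"]

# The 32 bytes of the quoted listing, retyped from its hex column.
SAMPLE = bytes.fromhex("496e74656c65637475616c2070726f70"
                       "65727479206f6620496861517565 5200".replace(" ", ""))

# Offsets of the short conditional jumps, taken from the listing's instruction
# boundaries (this sketch does not decode the other instructions).
JCC_OFFSETS = [0x02, 0x0F, 0x11, 0x13, 0x1C]


def short_jcc(code, offset, origin=0, bits=32):
    """Decode a Jcc rel8 at code[offset].

    Returns (mnemonic, rel8, target) or None if the bytes are not a short Jcc.
    target = address of the jump + 2 (its length) + signed rel8, wrapped to `bits`.
    """
    if offset + 2 > len(code) or not 0x70 <= code[offset] <= 0x7F:
        return None
    rel8 = struct.unpack_from("b", code, offset + 1)[0]  # signed displacement
    target = (origin + offset + 2 + rel8) & ((1 << bits) - 1)
    return MNEMONICS[code[offset] & 0x0F], rel8, target


def resolve_listing(code=SAMPLE, offsets=JCC_OFFSETS):
    """Map each jump offset to (mnemonic, raw second byte, absolute target)."""
    out = {}
    for off in offsets:
        mnemonic, _rel8, target = short_jcc(code, off)
        out[off] = (mnemonic, code[off + 1], target)
    return out


if __name__ == "__main__":
    for off, (mn, raw, target) in resolve_listing().items():
        print(f"{off:08X}  {mn:<4} second byte 0x{raw:02x} -> target 0x{target:x}")
    # Constructed bytes (not from the message): a backward jump onto itself.
    print(short_jcc(bytes.fromhex("75fe"), 0))
```
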