From: io_x on 5 Nov 2009 02:47

"wolfgang kern" <nowhere(a)never.at> wrote in message
news:hcrv8j$s7s$1(a)newsreader2.utanet.at...
> Esra wrote:
>
>>>>> Well done Esra, jump into instructions were my favorites as well.
>>>> Eh? Don't think it was me doing that.
>>> just disassemble your own entry.com to see what I mean :)
>
>> Do you mean ye olde "debug" doesn't know about some newer opcodes?
>> "My" entry was io_x's "table-less" entry with a couple of minor savings.
>
> No, I meant:
>
> db 0B5h
> Label:
> ;followed by
> PUSH imm16
> ;disassembles to
> MOV CH,68h
> ; and there's more of this in your code ...

Where is that? There is no jump/call inside one instruction (at least as far as the disassembly shows):

----------
00000000  BFAC01    mov di,0x1ac
00000003  B507      mov ch,0x7
00000005  F3AA      rep stosb
00000007  BE5D00    mov si,0x5d
0000000A  D50A      aad
0000000C  88C4      mov ah,al
0000000E  AC        lodsb
0000000F  2C30      sub al,0x30
00000011  7DF7      jnl 0xa
00000013  88E3      mov bl,ah
00000015  BFFA01    mov di,0x1fa
00000018  BE1500    mov si,0x15
0000001B  B82B2D    mov ax,0x2d2b
0000001E  BA7C4E    mov dx,0x4e7c
00000021  57        push di
00000022  B119      mov cl,0x19
00000024  AB        stosw
00000025  8825      mov [di],ah
00000027  47        inc di
00000028  E2FA      loop 0x24
0000002A  AA        stosb
0000002B  C7050D0A  mov word [di],0xa0d
0000002F  AF        scasw
00000030  92        xchg ax,dx
00000031  4E        dec si
00000032  75EE      jnz 0x22
00000034  C60524    mov byte [di],0x24
00000037  C645AF7F  mov byte [di-0x51],0x7f
0000003B  BF4802    mov di,0x248
0000003E  B002      mov al,0x2
00000040  AA        stosb
00000041  B119      mov cl,0x19
00000043  E85500    call 0x9b
00000046  6BEA03    imul bp,dx,byte +0x3
00000049  01EF      add di,bp
0000004B  B10A      mov cl,0xa
0000004D  E84B00    call 0x9b
00000050  69EA9C00  imul bp,dx,word 0x9c
00000054  01EF      add di,bp
00000056  C7052020  mov word [di],0x2020
0000005A  B104      mov cl,0x4
0000005C  E83C00    call 0x9b
0000005F  BD0300    mov bp,0x3
00000062  21EA      and dx,bp
00000064  F6C201    test dl,0x1
00000067  7403      jz 0x6c
00000069  BD9C00    mov bp,0x9c
0000006C  80FA01    cmp dl,0x1
0000006F  7602      jna 0x73
00000071  F7DD      neg bp
00000073  803B4E    cmp byte [bp+di],0x4e
00000076  740F      jz 0x87
00000078  42        inc dx
00000079  E2E4      loop 0x5f
0000007B  81FCFCFF  cmp sp,0xfffc
0000007F  7314      jnc 0x95
00000081  5A        pop dx
00000082  5F        pop di
00000083  B104      mov cl,0x4
00000085  EBF1      jmp short 0x78
00000087  57        push di
00000088  52        push dx
00000089  89E8      mov ax,bp
0000008B  D1FD      sar bp,1
0000008D  C7032020  mov word [bp+di],0x2020
00000091  01C7      add di,ax
00000093  EBC1      jmp short 0x56
00000095  5A        pop dx
00000096  B409      mov ah,0x9
00000098  CD21      int 0x21
0000009A  C3        ret
0000009B  B8354E    mov ax,0x4e35
0000009E  F7EB      imul bx
000000A0  40        inc ax
000000A1  93        xchg ax,bx
000000A2  0FB6C7    movzx ax,bh
000000A5  99        cwd
000000A6  F7F9      idiv cx
000000A8  C3        ret
---------------------------

The program "debug" seems to have some problem in the disassembly of some code. For example, the program "debug" prints (using -u):

15AE:013E B002        MOV     AL,02
15AE:0140 AA          STOSB
15AE:0141 B119        MOV     CL,19
15AE:0143 E85500      CALL    019B
15AE:0146 6B          DB      6B
15AE:0147 EA0301EFB1  JMP     B1EF:0103
15AE:014C 0AE8        OR      CH,AL
15AE:014E 4B          DEC     BX

For the same piece of code "ndisasmw" says:

0000003E  B002      mov al,0x2
00000040  AA        stosb
00000041  B119      mov cl,0x19
00000043  E85500    call 0x9b
00000046  6BEA03    imul bp,dx,byte +0x3
00000049  01EF      add di,bp
0000004B  B10A      mov cl,0xa
0000004D  E84B00    call 0x9b
00000050  69EA9C00  imul bp,dx,word 0x9c
00000054  01EF      add di,bp

So it seems the "debug" program does not recognize the instruction

imul bp,dx,byte +0x3

only when printing it (it executes it fine).

> when you jump to 'Label', that's in fact inside one instruction
> meaning another one then.
> this trick was often seen to confuse disassemblers,
> but real hackers may figure this on a glimpse ...
>
> __
> wolfgang
From: wolfgang kern on 5 Nov 2009 02:54

Esra wrote:
>>>>>> Well done Esra, jump into instructions were my favorites as well.
>>>>> Eh? Don't think it was me doing that.
>>>> just disassemble your own entry.com to see what I mean :)
>>> Do you mean ye olde "debug" doesn't know about some newer opcodes?
>>> "My" entry was io_x's "table-less" entry with a couple of minor savings.

Sorry, I assumed you 'are' Espineter :)

;Espineter from Spain 120 bytes official hc29 compo (nasm entry.asm -o entry.com)
org 256
      db -52+1       ;2nd table value, 1st at 00FF is -1+1=0
      db 1+1         ;3rd table value, 4th is 52+1 (xor ax,imm opcode)
      xor ax,'-+'    ;init AX to '+' and '-' chars
      db 0B5h        ;mov ch,68h
main0 push 0D0Ah     ;reset some memory (with CRLF) before and after the maze
      loop main0

__
wolfgang
From: Frank Kotler on 6 Nov 2009 01:26

io_x wrote:
....
> so it seems the "debug" program does not recognize the instruction
> imul bp,dx,byte +0x3
> only when printing it (it executes it fine)

Apparently, DEBUG still only knows 8086 instructions. Only the single-operand form of imul was supported. The three-operand form (the two-operand form is a special case of the three-operand form) was apparently introduced in the 80186 (286, for practical purposes - 186's are rare).

David Lindauer has written a debugger - like DEBUG, but (much!) brighter...

http://home.myfairpoint.net/fbkotler/grdbdl94.zip

Open source, too!

Best,
Frank
From: wolfgang kern on 6 Nov 2009 10:05
Frank Kotler posted:
....
>> so it seems the "debug" program does not recognize the instruction
>> imul bp,dx,byte +0x3
>> only when printing it (it executes it fine)

> Apparently, DEBUG still only knows 8086 instructions. Only the
> single-operand form of imul was supported. The three-operand form (the
> two-operand form is a special case of the three-operand form) was
> apparently introduced in the 80186 (286, for practical purposes - 186's
> are rare).

Yeah.

> David Lindauer has written a debugger - like DEBUG, but (much!) brighter...
>
> http://home.myfairpoint.net/fbkotler/grdbdl94.zip
>
> Open source, too!

Thanks Frank, I couldn't refuse to check on it, but this .zip seems to be corrupted, or did I miss a rename hint (tarball)?

__
wolfgang