
Announcement: ProView 0.5 Test Build


Bengaly
July 10th, 2002, 01:16
Heya fellow RCEs,

I want to release the app I've been working on so far (mainly for personal knowledge).
This time it's a:
PE viewer
Disassembler
Packer identifier

I want to hear any comments (bad/good).
It's still in development, so give me some slack.
I hope people somehow find it useful, because I don't, with all of those tools around.

Attached, 41 KB.
Tested under Win98SE (2K/XP/NT unknown, should work though).
Thanks to all who have been working along the way.
TTL,
Bengaly

evaluator
July 19th, 2002, 21:38
YEP!

Hey guys! How can you live without replying to
Sensei-Bengaly's thread???


OK, I downloaded this cake and tested it on itself!
(closer)

So nothing is displayed in "Export/Imports" for a UPX-ed EXE??

***********
More, more bugs, please!

evaluator
July 19th, 2002, 23:35
HQ bug report...

0002) OK, now I de-UPX-ed ProView.exe and tried "Import/Export" again.
Nothing again.

0003) I opened FMEMPRO.EXE (Delphi).
No more response...

0004) ORDINALs look very funny in "Import/Export"...
You should "disassemble" them into decimal...



*******
continued...continued...continued...continued...

Athlon
July 20th, 2002, 03:23
It just won't work at all on my 2000. It will load the file, but if you try any options it will just freeze.

Bengaly
July 20th, 2002, 22:49
Err, that's an old build ;P
Kinda crappy.

I have no idea about WinCrappy2000, sorry.

Kayaker
July 21st, 2002, 19:43
Hi Bengaly,

Kudos on your ProView app, looks to be handy. From your readme file I see you developed your own disassembler engine, nice work. If you want to pursue this there are a few things you might want to check out.

You say you've picked up 50 or so opcodes that you can parse into correct disassembly so far, out of easily 100,000 in a medium-sized app. Still, that's a good start on being able to map out the entire Intel 1- and 2-byte opcode map. Developing code from scratch would be a lot of work; just take a look at the source of Borg or the NASM disassembler. Really, your best bet would be to incorporate an existing disassembler into your code.

But if you want to continue with it, check out a couple of things by Z0mbie. There's a PE_STAT program, which calculates frequencies of PE EXE/DLL opcode usage (Opcode Frequency Statistics). On a 2.5 MB file I got 107478 distinct opcodes being used, the first two being 8B and 89 (mov modr/m) at 19% and 9%, then E8 (call) at 5%. You may be able to develop a strategy based on this.

Another thing you could use is his Length Disassembly Engine, LDE32.bin. It tries to recognize sections of bytes as discrete instructions, defined by the base 1/2-byte opcode. This you still have to parse into a disassembled instruction. It actually works pretty well incorporated into your own code, but it's written as a byte patch and not easily modified (or understood) unless disassembled itself. As it stands, I've found it isn't able to recognize a number of newer opcodes and had errors because of it.

I ended up using the NASM disassembler as a module; I would think it's probably the most updated around. While the main disassembler engine disasm.c isn't being worked on any more, some of the associated opcode files still are, with new versions out often.

Cheers,
Kayaker

Bengaly
July 21st, 2002, 20:11
Hi Kayaker,
Thank you for your reply (the only kind one here..).
I know it's a lot of work to make a disassembly engine,
and I know there are some disasm.c sources out there, but I still want to do it on my own and from scratch; this way you control the whole environment.
The beta ProView above is really old by now, and has a very bad disassembly view and also a limited size, which isn't in the current build.
The real problem in decoding opcodes comes when some are used for multiple instructions (i.e. the 0x80 opcode - a big one..).
As for those apps you mentioned above, I will check them out (thanks)...
I have seen Borg/NASM and others; they have some cool code which can make your life much easier, but the point remains when you need to make a uni project.. I am on my own this time..
And I think I will cover a useful list of opcodes in 2 years..
Also need to think about the packer identifier (any good byte signature lists around?) and such..

Greets
Ben
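The two technical points raised in the thread, Kayaker's suggestion of a length-disassembly pass plus opcode frequency statistics, and Bengaly's note that one opcode byte such as 0x80 stands for several instructions, can be shown together in a few dozen lines. The block below is an added example written for this page; it is not code from ProView, LDE32 or PE_STAT. It assumes 32-bit operand and address size with no prefixes, covers only a handful of 1-byte opcodes (returning 0 for anything else so the sweep stops rather than guessing), and runs over a hand-assembled byte string that is constructed for the example.

```c
/*
 * Added example, not from the thread or ProView: a minimal x86-32 length
 * decoder for a few 1-byte opcodes, used to (a) resolve the "group 1"
 * opcodes 0x80/0x81/0x83 whose mnemonic comes from ModR/M.reg, and
 * (b) count first-opcode-byte frequencies over a buffer, PE_STAT style.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes taken by a ModR/M byte plus any SIB and displacement after it
 * (32-bit addressing). Returns -1 if the buffer is too short. */
static int modrm_len(const uint8_t *p, size_t n)
{
    if (n < 1) return -1;
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    int len = 1;
    if (mod != 3 && rm == 4) {                 /* SIB byte follows */
        if (n < 2) return -1;
        len++;
        if (mod == 0 && (p[1] & 7) == 5) len += 4;   /* base=101, mod=00: disp32 */
    }
    if (mod == 0 && rm == 5) len += 4;         /* [disp32], no base register */
    else if (mod == 1)       len += 1;         /* [reg+disp8]  */
    else if (mod == 2)       len += 4;         /* [reg+disp32] */
    return (size_t)len <= n ? len : -1;
}

/* Instruction length for the supported opcodes, 0 if unknown or truncated. */
int insn_len(const uint8_t *p, size_t n)
{
    int m;
    if (n == 0) return 0;
    switch (p[0]) {
    case 0x01: case 0x03: case 0x29: case 0x2B: case 0x33:
    case 0x85: case 0x89: case 0x8B: case 0x8D:       /* op r/m,r and op r,r/m */
        m = modrm_len(p + 1, n - 1);
        return m < 0 ? 0 : 1 + m;
    case 0x80: case 0x83:                             /* group 1, imm8  */
        m = modrm_len(p + 1, n - 1);
        return (m < 0 || (size_t)(2 + m) > n) ? 0 : 2 + m;
    case 0x81:                                        /* group 1, imm32 */
        m = modrm_len(p + 1, n - 1);
        return (m < 0 || (size_t)(5 + m) > n) ? 0 : 5 + m;
    case 0xE8: case 0xE9:  return n >= 5 ? 5 : 0;     /* call/jmp rel32 */
    case 0xEB: case 0x74: case 0x75: return n >= 2 ? 2 : 0; /* jmp/jz/jnz rel8 */
    case 0x60: case 0x61: case 0x90: case 0xC3: case 0xC9: return 1;
    default:
        if (p[0] >= 0x50 && p[0] <= 0x5F) return 1;               /* push/pop r32 */
        if (p[0] >= 0xB8 && p[0] <= 0xBF) return n >= 5 ? 5 : 0;  /* mov r32,imm32 */
        return 0;                      /* 0F xx, prefixes, everything else */
    }
}

/* 0x80/0x81/0x83 are all "arith r/m,imm"; ModR/M bits 5..3 select which. */
const char *group1_mnemonic(const uint8_t *p, size_t n)
{
    static const char *const names[8] =
        { "add", "or", "adc", "sbb", "and", "sub", "xor", "cmp" };
    if (n < 2 || (p[0] != 0x80 && p[0] != 0x81 && p[0] != 0x83)) return NULL;
    return names[(p[1] >> 3) & 7];
}

/* Linear sweep: count the first opcode byte of every instruction sized.
 * Stops at the first opcode it cannot size; returns instructions decoded. */
size_t opcode_freq(const uint8_t *buf, size_t n, unsigned counts[256])
{
    size_t off = 0, decoded = 0;
    memset(counts, 0, 256 * sizeof counts[0]);
    while (off < n) {
        int len = insn_len(buf + off, n - off);
        if (len == 0) break;
        counts[buf[off]]++;
        off += len;
        decoded++;
    }
    return decoded;
}

/* Constructed sample: a hand-assembled function body, not bytes from ProView. */
const uint8_t sample[] = {
    0x55,                               /* push ebp                     */
    0x8B, 0xEC,                         /* mov  ebp, esp                */
    0x83, 0xEC, 0x10,                   /* sub  esp, 0x10      (group 1)*/
    0x8B, 0x45, 0x08,                   /* mov  eax, [ebp+8]            */
    0x83, 0x7D, 0x0C, 0x00,             /* cmp  dword [ebp+0xC], 0      */
    0x75, 0x05,                         /* jnz  +5                      */
    0xE8, 0x00, 0x00, 0x00, 0x00,       /* call rel32                   */
    0x8B, 0x04, 0x8E,                   /* mov  eax, [esi+ecx*4]   (SIB)*/
    0x81, 0xC4, 0x10, 0x00, 0x00, 0x00, /* add  esp, 0x10      (group 1)*/
    0xC9,                               /* leave                        */
    0xC3,                               /* ret                          */
};
const size_t sample_len = sizeof sample;
unsigned sample_counts[256];

/* Sweeps the sample; per-opcode counts land in sample_counts. */
size_t analyze_sample(void)
{
    return opcode_freq(sample, sample_len, sample_counts);
}

int main(void)
{
    size_t total = analyze_sample();
    printf("%zu instructions decoded from %zu bytes\n", total, sample_len);
    for (int op = 0; op < 256; op++)
        if (sample_counts[op])
            printf("  %02X  %u  (%.0f%%)\n", op, sample_counts[op],
                   100.0 * sample_counts[op] / total);
    printf("83 EC 10 -> %s esp, 0x10\n", group1_mnemonic(sample + 3, 3));
    return 0;
}
```

The length pass and the mnemonic lookup are deliberately separate: `insn_len` only needs to know that 0x83 is followed by ModR/M plus imm8, which is all a PE_STAT-style count needs, while `group1_mnemonic` is the extra step a real disassembler has to take for every group opcode. Anything the table does not cover makes `insn_len` return 0 and the sweep stop, which is the honest behaviour for a partial decoder; a linear sweep that guesses lengths for unknown bytes desynchronises and miscounts everything after the first mistake.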