:[diStorm}: Updates

Gil Dabah distorm at gmail.com
Mon Oct 2 19:42:44 EDT 2006


Hi everyone,

There's a new release of diStorm version 1.5.16, which you can find here:
http://www.ragestorm.net/distorm/

There were a few minor bugs (to be accurate, some instructions weren't
properly decoded), so now everything is fine. The instructions are
SMSW/MOVSXD/MOVZXD.

I also added support for the SVM (that's AMD's virtualization) instruction set.

From now on, diStorm will be available for Python 2.5 as well as versions 2.3
and 2.4.

For your general knowledge, if you use diStorm64 to disassemble 64-bit
streams, sometimes you will encounter:

DB 0x48

PUSH RAX

In this case, you have to know that PUSH RAX is already promoted to 64 bits
even without the 0x48, which is the REX prefix that enables the operand size
to be 64 bits.

This is absolutely a compiler/assembler code generation error, though it
won't crash the process, as the CPU will silently ignore it.

Anyways, if you encounter such cases and you're not sure whether it's a
compiler code generation error or diStorm's parsing error, don't hesitate to
email me.

Another feature of diStorm which isn't exported to either the C library or
Python is a new field that indicates the opcode class type of the
instruction.

There are merely a few class types, such as: Integer Instructions, FPU, MMX,
SSE, 3DNow, VMX, etc. You get the idea. Now, I wasn't sure whether it might
come in handy or not; I would like to know what you think.

In addition, I uploaded a new version of diSlib, the Python PE Parser, which
is now capable of parsing PE+ (AMD64) images!

diSlib also uses diStorm to show how easy it is to disassemble the entry
point routine.

About diStorm3: currently, I'm working hard on implementing the instruction
templates of real 80x86 integer instructions, so every 80x86 instruction
becomes a set of Virtual Opcodes.

For example, MOV EAX, EBX is translated into ASSIGN(REG(0), REG(3)). All
these virtual opcodes are actually nodes of expression trees. When this is
all done, you will be able to translate a stream of instructions into an
expression tree and do whatever you wish with this tree, be it analyzing,
rebuilding, parsing, translation to a high-level language, etc. If you wish
to learn more, please email me privately.

The next update, hopefully, will be the IGEN (Instructions Generator) source
code, so you will be able to tinker with your own instructions.

Regards,

Gil
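An added example (not diStorm's own code) illustrating the "DB 0x48 / PUSH RAX" point in the post above: a minimal decoder for the PUSH reg family (opcode 0x50+rd) that flags a REX.W prefix as redundant while still honouring REX.B and the 0x66 prefix, which do change the instruction. The register tables and the function name decode_push are this example's own, not part of diStorm.

```python
# Added example, not diStorm code: decode PUSH reg (0x50+rd) in 64-bit mode.
# In long mode PUSH r64 already has a 64-bit operand, so REX.W (0x48) carries
# no information (hence diStorm shows it as a stray "DB 0x48"), whereas REX.B
# (0x41) selects R8..R15 and the legacy 0x66 prefix selects a 16-bit push.

REG64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI",
         "R8", "R9", "R10", "R11", "R12", "R13", "R14", "R15"]
REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI",
         "R8W", "R9W", "R10W", "R11W", "R12W", "R13W", "R14W", "R15W"]


def decode_push(code: bytes):
    """Decode one PUSH reg instruction at the start of `code`.

    Returns (length, mnemonic, notes).  `notes` lists prefix oddities such as
    a redundant REX.W.  Raises ValueError for anything that is not PUSH reg
    (including prefixes in the wrong order, e.g. REX before 0x66).
    """
    i = 0
    opsize16 = False
    rex = 0
    notes = []
    # Legacy operand-size override (0x66) must come before REX.
    if i < len(code) and code[i] == 0x66:
        opsize16 = True
        i += 1
    # REX is 0100WRXB and must be the byte immediately before the opcode.
    if i < len(code) and 0x40 <= code[i] <= 0x4F:
        rex = code[i]
        i += 1
    if i >= len(code) or not 0x50 <= code[i] <= 0x57:
        raise ValueError("not a PUSH reg instruction")
    rex_w = (rex >> 3) & 1
    rex_b = rex & 1
    reg = (code[i] & 7) | (rex_b << 3)   # REX.B extends rd to R8..R15
    i += 1
    if rex_w:
        # The CPU accepts REX.W here but it changes nothing for PUSH.
        notes.append("redundant REX.W")
    mnemonic = "PUSH " + (REG16[reg] if opsize16 else REG64[reg])
    return i, mnemonic, notes


if __name__ == "__main__":
    # Constructed sample bytes: the post's case, a plain push, REX.B, 0x66.
    for sample in (b"\x48\x50", b"\x50", b"\x41\x50", b"\x66\x50", b"\x49\x57"):
        print(sample.hex(), decode_push(sample))
```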
