my mistake...

short jump:
it's JMP_Address + 2 + Second_Byte_value = Next_Instruction_Address

[EMAIL PROTECTED]:~/tmp$ echo -n -e "\x75\x65" > a
[EMAIL PROTECTED]:~/tmp$ ndisasm -b32 a
00000000  7565              jnz 0x67
[EMAIL PROTECTED]:~/tmp$ ~/instalar/libdisassemble/disassemble.py a 0x0 0xff
Disassembling file a at offset: 0x0
 00000000:   jnz           0x65

this is where my mistake came from ;)
thnx

On Fri, 7 Jan 2005 13:30:21 -0300, shadown <[EMAIL PROTECTED]> wrote:
> Hi,
> 
> not a vulnerability but could be a headache while reverse engineering
> or binary auditing/interpreting, etc. (ok anything related with
> disassembling)
> get wrong values.
> 
> [EMAIL PROTECTED]:/tmp$ ndisasm -b32 salida
> 00000000 49 dec ecx
> 00000001 6E outsb
> 00000002 7465 jz 0x69
> 00000004 6C insb
> 00000005 6563747561 arpl [gs:ebp+esi*2+0x61],si
> 0000000A 6C insb
> 0000000B 207072 and [eax+0x72],dh
> 0000000E 6F outsd
> 0000000F 7065 jo 0x76
> 00000011 7274 jc 0x87
> 00000013 7920 jns 0x35
> 00000015 6F outsd
> 00000016 66204968 o16 and [ecx+0x68],cl
> 0000001A 61 popa
> 0000001B 51 push ecx
> 0000001C 7565 jnz 0x83
> 0000001E 52 push edx
> 0000001F 00 db 0x00
> [EMAIL PROTECTED]:/tmp$ ndisasm -V
> NDISASM version 0.98.38 compiled Jan 7 2005
> [EMAIL PROTECTED]:/tmp$
> 
> i.e:
> 0000001C 7565 jnz 0x83
> should have been jnz 0x65
> 
> I've just tested ndisasm 0.98.36 and 0.98.38
> 
> cheers.
> shadown
> --
> Sergio Alvarez
> Security, Research & Development
> IT Security Consultant
> email: [EMAIL PROTECTED]
> 
> This message is confidential. It may also contain information that is
> privileged or otherwise legally exempt from disclosure. If you have
> received it by mistake please let us know by e-mail immediately and
> delete it from your system; should also not copy the message nor
> disclose its contents to anyone. Many thanks.
> 


-- 
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: [EMAIL PROTECTED]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
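
Added example (not part of the original post, and not code from ndisasm or libdisassemble): a short-jump decoder applying the formula JMP_Address + 2 + Second_Byte_value, checked against the ndisasm listings quoted above, where the raw second byte 0x65 is the value libdisassemble printed and the absolute target is the value ndisasm printed. It goes beyond the post by treating the second byte as a signed displacement, so backward jumps and address wrap-around are handled; the function name and the constructed cases are assumptions for illustration.

```python
import struct

# Jcc rel8 opcodes 0x70..0x7F (one common spelling of each mnemonic).
JCC = ["jo", "jno", "jc", "jnc", "jz", "jnz", "jna", "ja",
       "js", "jns", "jpe", "jpo", "jl", "jnl", "jng", "jg"]


def decode_short_jump(addr, insn, bits=32):
    """Decode a 2-byte short jump located at addr.

    Returns (mnemonic, rel8, target): rel8 is the signed second byte and
    target is addr + 2 + rel8, wrapped to the address size.
    """
    if len(insn) != 2:
        raise ValueError("a short jump is opcode + rel8, exactly 2 bytes")
    opcode = insn[0]
    if 0x70 <= opcode <= 0x7F:
        mnemonic = JCC[opcode - 0x70]
    elif opcode == 0xEB:                      # JMP rel8
        mnemonic = "jmp"
    else:
        raise ValueError("opcode 0x%02x is not a short jump" % opcode)
    rel8 = struct.unpack("b", insn[1:2])[0]   # signed: 0x80..0xFF jump backwards
    target = (addr + 2 + rel8) & ((1 << bits) - 1)
    return mnemonic, rel8, target


# (address, bytes, target) copied from the ndisasm listings in the post.
FROM_POST = [(0x00, "7565", 0x67), (0x02, "7465", 0x69), (0x0F, "7065", 0x76),
             (0x11, "7274", 0x87), (0x13, "7920", 0x35), (0x1C, "7565", 0x83)]
# Constructed cases (not from the post): backward jumps.
CONSTRUCTED = [(0x10, "75fe"), (0x00, "eb80")]

if __name__ == "__main__":
    for addr, hexbytes, shown in FROM_POST:
        mnem, rel8, target = decode_short_jump(addr, bytes.fromhex(hexbytes))
        assert target == shown, "disagrees with the listing in the post"
        print("%08X  %s  %-4s 0x%x  (raw byte 0x%02x)"
              % (addr, hexbytes, mnem, target, rel8 & 0xFF))
    for addr, hexbytes in CONSTRUCTED:
        mnem, rel8, target = decode_short_jump(addr, bytes.fromhex(hexbytes))
        print("%08X  %s  %-4s 0x%x  (rel8 %d)"
              % (addr, hexbytes, mnem, target, rel8))
```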
