ndisasm bad opcodes interpretation

From: shadown (shadown_at_gmail.com)
Date: 01/07/05

    Date: Fri, 7 Jan 2005 13:30:21 -0300
    To: vuln-dev@securityfocus.com, full-disclosure@lists.netsys.com
    
    

    Hi,

    not a vulnerability but could be a headache while reverse engineering
    or binary auditing/interpreting, etc. (ok anything related with
    disassembling)
    get wrong values.

    shadown@twister:/tmp$ ndisasm -b32 salida
    00000000 49 dec ecx
    00000001 6E outsb
    00000002 7465 jz 0x69
    00000004 6C insb
    00000005 6563747561 arpl [gs:ebp+esi*2+0x61],si
    0000000A 6C insb
    0000000B 207072 and [eax+0x72],dh
    0000000E 6F outsd
    0000000F 7065 jo 0x76
    00000011 7274 jc 0x87
    00000013 7920 jns 0x35
    00000015 6F outsd
    00000016 66204968 o16 and [ecx+0x68],cl
    0000001A 61 popa
    0000001B 51 push ecx
    0000001C 7565 jnz 0x83
    0000001E 52 push edx
    0000001F 00 db 0x00
    shadown@twister:/tmp$ ndisasm -V
    NDISASM version 0.98.38 compiled Jan 7 2005
    shadown@twister:/tmp$

    i.e:
    0000001C 7565 jnz 0x83
    should have been jnz 0x65

    I've just tested ndisasm 0.98.36 and 0.98.38

    cheers.
    shadown

    -- 
    Sergio Alvarez
    Security, Research & Development
    IT Security Consultant
    email: shadown@gmail.com
    This message is confidential. It may also contain information that is
    privileged or otherwise legally exempt from disclosure. If you have
    received it by mistake please let us know by e-mail immediately and
    delete it from your system; should also not copy the message nor
    disclose its contents to anyone. Many thanks.
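
Added example, not part of the original message and not NASM code: for the short conditional jumps in the listing above, the byte after the opcode is a signed displacement counted from the next instruction, and the operand printed in the listing equals offset + 2 + displacement. The function names and the `origin` parameter are assumptions made for this sketch; the (offset, bytes) pairs are copied from the listing.

```python
import struct

# Condition names for opcodes 0x70..0x7F. Tools pick different aliases
# (jc/jb, jz/je, ...); jo, jc, jz, jnz and jns match the listing above.
JCC = ["jo", "jno", "jc", "jnc", "jz", "jnz", "jna", "ja",
       "js", "jns", "jpe", "jpo", "jl", "jnl", "jng", "jg"]

def decode_jcc_rel8(offset, raw, origin=0, bits=32):
    """Return (mnemonic, signed displacement, target address) for a short Jcc.

    offset: position of the opcode byte in the file
    origin: assumed load address of byte 0 (hypothetical parameter)
    """
    if len(raw) != 2 or not 0x70 <= raw[0] <= 0x7F:
        raise ValueError("not a 2-byte Jcc rel8 encoding")
    disp = struct.unpack("b", raw[1:2])[0]   # rel8 is signed: 0x80..0xFF jump backward
    next_ip = origin + offset + len(raw)     # displacement counts from the next instruction
    target = (next_ip + disp) & ((1 << bits) - 1)  # wrap to the operating size
    return JCC[raw[0] - 0x70], disp, target

# (offset, bytes) pairs copied from the jump lines of the listing above.
LISTING_JUMPS = [
    (0x02, bytes.fromhex("7465")),
    (0x0F, bytes.fromhex("7065")),
    (0x11, bytes.fromhex("7274")),
    (0x13, bytes.fromhex("7920")),
    (0x1C, bytes.fromhex("7565")),
]

def annotate(jumps, origin=0):
    """Render each jump with both the computed target and the raw displacement."""
    lines = []
    for offset, raw in jumps:
        name, disp, target = decode_jcc_rel8(offset, raw, origin)
        lines.append("%08X  %s  %s 0x%x  ; rel8=%+d, next=0x%x"
                     % (offset, raw.hex().upper(), name, target, disp,
                        origin + offset + len(raw)))
    return lines

if __name__ == "__main__":
    print("\n".join(annotate(LISTING_JUMPS)))
```

Printing both values side by side in audit notes avoids confusing the encoded displacement with the branch destination when cross-checking against a hex dump.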
    
