{"id":8748,"date":"2023-09-27T22:38:17","date_gmt":"2023-09-27T22:38:17","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=8748"},"modified":"2023-09-28T10:07:44","modified_gmt":"2023-09-28T10:07:44","slug":"zydisinfo-the-disassembler-that-breaks-the-code-twice","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2023\/09\/27\/zydisinfo-the-disassembler-that-breaks-the-code-twice\/","title":{"rendered":"ZydisInfo &#8211; the disassembler that breaks the code, twice"},"content":{"rendered":"\n<p>The moment I heard of machine code and its opcodes&#8230; I fell in love. Being able to understand machine code from just looking at the binary (okay, mostly its hexadecimal representation) felt like magic. And since many simple x86 assembly instructions are quite easy to decipher, I really liked the fact that I could not only &#8216;read some of the code&#8217; by just looking at the binary, but also use that knowledge to patch code here and there, too. <\/p>\n\n\n\n<p>Of course, today everyone knows about nopping code with 0x90, or changing the conditional jumps from 0x74, 0x75 to 0xEB, but back then it was something special. Unfortunately, once you learn the basics, this feeling doesn&#8217;t last for too long, because the opcodes got &#8230; complicated, and they did so pretty quickly, too. The FPU, MMX, SSEn, AVXn instructions are not for the faint-hearted, and it takes a lot of effort to understand them on a mathematical level, let alone memorize their opcodes. And then new CPUs arrived, bytecode in many different forms became a thing, and on top of that we have code virtualizers, so now it&#8217;s really prohibitive to even think of learning any of it&#8230; unless you are a dedicated low-level code fan.<\/p>\n\n\n\n<p>Still, even in 2023 it really helps to know some of the most important opcodes, at least in the x86\/x64 world. 
Malware uses many tricks to obfuscate code, uses specific opcodes to force incorrect disassembly, or triggers exceptions on undocumented instructions. Patching is also still a thing, and knowing at least a subset of the most popular opcodes helps to quickly understand what is going on. For example, if some random routine is looking for specific byte values that correspond to known opcodes, it&#8217;s really handy to know some of them, so that we can quickly make an educated guess that we are looking at some sort of length disassembler, or a hooking\/unhooking routine&#8230;<\/p>\n\n\n\n<p>Let&#8217;s admit it though &#8211; we can&#8217;t learn it all, so it&#8217;s time to cheat a bit and then hopefully win some&#8230;<\/p>\n\n\n\n<p>Knowing how complicated all of this became, for a long time I dreamed of a tool that takes a series of bytes, interprets it as code, and breaks it down into smaller chunks where the respective parts of the alleged machine instruction are clearly deconstructed, described, and represented; that is, the prefixes, the opcode itself, the operation direction, the size of the argument, the MOD, REG and R\/M fields, the SIB byte, and the DISP and IMM parts, etc., all extracted and presented in a nice way to the user&#8230;<\/p>\n\n\n\n<p>And after thinking about it for a long time, I only last week <a href=\"https:\/\/x.com\/Hexacorn\/status\/1704521189857640814?s=20\">asked<\/a> about a tool like this&#8230;<\/p>\n\n\n\n<p>Thanks to <a href=\"https:\/\/x.com\/stevemk14ebr\">Steve Eckels<\/a>, we now <a href=\"https:\/\/x.com\/stevemk14ebr\/status\/1706505479780798611?s=20\">know<\/a> that such a tool does exist! It&#8217;s called <a href=\"https:\/\/doc.zydis.re\/v2.0.2\/html\/\">Zydisinfo<\/a>, and it was created by <a href=\"https:\/\/twitter.com\/athre0z\">Joel H\u00f6ner<\/a> et al. (with Florian Bernd creating most of Zydisinfo, as per this <a href=\"https:\/\/x.com\/athre0z\/status\/1707332881268301929?s=20\">tweet<\/a>). 
<\/p>\n\n\n\n<p>Over the last few days I spent some time playing around with Zydisinfo, and I am really impressed. This is a fantastic educational tool that many students and assembler lovers will find absolutely delightful to work with.<\/p>\n\n\n\n<p>Let&#8217;s see a few examples:<\/p>\n\n\n\n<p><strong>ZydisInfo -64 &#8220;90&#8221;<\/strong> (NOP)<\/p>\n\n\n\n<p>no surprise here&#8230;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo1.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo1.png\" alt=\"\" class=\"wp-image-8749\" width=\"600\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo1.png 980w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo1-300x122.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo1-768x311.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo1-500x203.png 500w\" sizes=\"(max-width: 980px) 100vw, 980px\" \/><\/a><\/figure>\n\n\n\n<p><strong>ZydisInfo -64 &#8220;74 01&#8221;<\/strong> (short conditional jump, JE\/JZ)<\/p>\n\n\n\n<p>no surprise here either&#8230;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo2.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo2.png\" alt=\"\" class=\"wp-image-8750\" width=\"600\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo2.png 987w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo2-300x209.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo2-768x536.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo2-430x300.png 430w\" sizes=\"(max-width: 987px) 100vw, 987px\" 
\/><\/a><\/figure>\n\n\n\n<p><strong>ZydisInfo -64 &#8220;67 8B 04 C1&#8221;<\/strong> (mov eax, dword ptr ds:[ecx+eax*8], with the 0x67 address-size override prefix)<\/p>\n\n\n\n<p>a more complicated example, and it still works like a charm&#8230;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo3.png\"><img decoding=\"async\" loading=\"lazy\" width=\"1006\" height=\"686\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo3.png\" alt=\"\" class=\"wp-image-8751\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo3.png 1006w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo3-300x205.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo3-768x524.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/09\/zydinfo3-440x300.png 440w\" sizes=\"(max-width: 1006px) 100vw, 1006px\" \/><\/a><\/figure>\n\n\n\n<p>Isn&#8217;t that cool? <\/p>\n\n\n\n<p>Joel et al., you really killed it! Touch\u00e9!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The moment I heard of machine code and its opcodes&#8230; I fell in love. Being able to understand machine code from just looking at the binary (okay, mostly its hexadecimal representation) felt like magic. 
And since many simple x86 assembly &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2023\/09\/27\/zydisinfo-the-disassembler-that-breaks-the-code-twice\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53,16],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8748"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=8748"}],"version-history":[{"count":2,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8748\/revisions"}],"predecessor-version":[{"id":8761,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8748\/revisions\/8761"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=8748"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=8748"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=8748"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}