How I learned to translate some of it was to do this:
1) Install NASM.
2) Write some working assembly code, and compile it.
3) hexdump -C outputfile
This will show you the bytes! As well in Ollydbg you can just hit a certain line of instructions and right click go "Follow in Dump -> Selection", then in the bottom right hand pane you'll see the instruction, then right-click and hit "Hex -> 16 Bytes" and you will see what the instructions translate to. Hope this helps.
> lausybob: ASM is quite understandable, though it should just be possible to read bytecode too shouldn't it?
>
> Anyone got a bytecode dictionary i can use as a reference?
Hello lausybob,
Personally, I don't think understanding and reading byte-code would be the most effective way to do reverse engineering on compiled class/archived jar files; however, if you insist on going with this approach, here are some links for the class file format and the java-opcode that would be more than enough:
http://en.wikipedia.org/wiki/Class_(file_format)
http://en.wikipedia.org/wiki/Java_bytecode
I suggest using JAD decompiler where you can decompile *.class files and modify the decompiled code:
http://www.kpdus.com/jad.html
Keep in mind that JAD only supports the following class versions: 45.3, 46.0 and 47.0, and the best workaround for the unsupported classes' versions is to use a tool called retroweaver, where you can transform new classes to the old (supported) ones:
http://retroweaver.sourceforge.net/
> jms: How I learned to translate some of it was to do this:
>
> 1) Install NASM.
> 2) Write some working assembly code, and compile it.
> 3) hexdump -C outputfile
>
> This will show you the bytes! As well in Ollydbg you can just hit a certain line of instructions and right click go "Follow in Dump -> Selection", then in the bottom right hand pane you'll see the instruction, then right-click and hit "Hex -> 16 Bytes" and you will see what the instructions translate to. Hope this helps.
Hmm, quite a lot of work there aye? Well, if there's no such thing as a dictionary this seems to be the best approach.
I wasn't looking into java, but thanks for the info on that topic too.
> Anyone got a bytecode dictionary i can use as a reference?
Do you mean "opcode" reference? Are you trying to read hex representations of x86 instruction statements? Your question is not specific enough.
If I'm guessing correctly, go to the source:
Intel® 64 and IA-32 Architectures Software Developer's Manual, Volume 2A: Instruction Set Reference, A-M
Intel® 64 and IA-32 Architectures Software Developer's Manual, Volume 2B: Instruction Set Reference, N-Z
http://www.intel.com/products/processor/manuals/index.htm
Each mnemonic is listed with a concise technical description and its representative bytes (i.e. sysenter 0x0f34h).
You'll see that Appendix A.3 has an opcode table for one, two and three byte opcode maps. You'll need to read the "using opcode tables" section to decipher the tables. Good luck!
You could check out the asmsrv.c tables of Oleh Yuschuk's earlier Ollydbg source, or the opcode table section of Matt Connover's x64dis code in disasm_x86_tables.h, to see how they are used in disassemblers.
Also, turn on and pay attention to the opcode bytes provided in olly and ida listings, presented along with the disassembled code.
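
Added example, not part of the thread and not taken from OllyDbg or any other disassembler's source: a minimal table-driven decoder showing how an opcode map turns bytes back into mnemonics. It assumes 32-bit mode and covers only a small, hand-picked subset of encodings that need no ModRM byte; the table layout and names (`ONE_BYTE`, `TWO_BYTE`, `decode_one`) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum form { NONE, REG, REG_IMM32 };      /* operand forms in this subset */
struct entry { uint8_t opcode, mask; const char *mnem; enum form kind; };
/* One-byte map, 32-bit mode; only encodings with no ModRM byte (assumed subset). */
static const struct entry ONE_BYTE[] = {
    {0x50, 0xF8, "push", REG},  {0x58, 0xF8, "pop", REG},      /* 50+r, 58+r */
    {0xB8, 0xF8, "mov", REG_IMM32},                            /* B8+r imm32 */
    {0x90, 0xFF, "nop", NONE},  {0xC3, 0xFF, "ret", NONE},  {0xCC, 0xFF, "int3", NONE},
};
/* Two-byte map, reached through the 0F escape byte. */
static const struct entry TWO_BYTE[] = { {0x34, 0xFF, "sysenter", NONE} };
static const char *const REG32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};
/* Decode one instruction into out; returns its length, 0 if unknown or truncated. */
size_t decode_one(const uint8_t *p, size_t n, char *out, size_t outsz)
{
    const struct entry *tab = ONE_BYTE;
    size_t cnt = sizeof ONE_BYTE / sizeof *ONE_BYTE, len = 1;
    if (n && p[0] == 0x0F) {                 /* escape: use the two-byte map */
        tab = TWO_BYTE; cnt = sizeof TWO_BYTE / sizeof *TWO_BYTE; len = 2;
    }
    if (n < len) return 0;
    uint8_t op = p[len - 1];
    for (size_t i = 0; i < cnt; i++) {
        if ((op & tab[i].mask) != tab[i].opcode) continue;
        const char *r = REG32[op & 7];       /* register is in the low 3 bits */
        if (tab[i].kind == NONE) snprintf(out, outsz, "%s", tab[i].mnem);
        else if (tab[i].kind == REG) snprintf(out, outsz, "%s %s", tab[i].mnem, r);
        else {
            if (n < len + 4) return 0;       /* truncated immediate */
            uint32_t imm = p[len] | (uint32_t)p[len+1] << 8 |
                           (uint32_t)p[len+2] << 16 | (uint32_t)p[len+3] << 24;
            snprintf(out, outsz, "%s %s, 0x%x", tab[i].mnem, r, (unsigned)imm);
            len += 4;
        }
        return len;
    }
    return 0;
}

int main(void)
{   /* constructed sample: push ebp; mov eax,0x12345678; pop ebp; ret */
    const uint8_t code[] = {0x55, 0xB8, 0x78, 0x56, 0x34, 0x12, 0x5D, 0xC3};
    char text[32] = "";
    for (size_t off = 0, len; off < sizeof code &&
         (len = decode_one(code + off, sizeof code - off, text, sizeof text)); off += len)
        printf("%04zx  %s\n", off, text);
    return strcmp(text, "ret") != 0;         /* exit 0 if the last line was ret */
}
```

Anything that takes a ModRM byte (for example `8B EC`) returns 0 here; that is where the manual's "using opcode tables" section becomes necessary.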