QE Plugin version 2 to format DumpPE results with optimisation options.

Started by hutch--, September 29, 2008, 09:47:25 PM


hutch--

This QE40 plugin is aimed initially at formatting DumpPE output so it's usable as code. It is useful for checking what MASM does with .IF and similar notation, but as the DLL uses similar code to a number of automatic code optimisers I have played with over time, I added the safest of the code optimisations so that the user has the option of further modifying the formatted code.

In order, it performs jump optimisation of a couple of different types: it eliminates jumps to jumps, inverts reversed jumps and removes any dead jumps left from the earlier jump removal. The second option removes unneeded zero tests where the flag is set by the preceding operation. The last option is instruction replacement with what are generally faster alternatives, but there is a risk that some of these replacements are unsafe (aggressive optimisation), so the replaced instruction is commented off to the side in case the replacement does not work correctly.

There are many other optimisations but the variation range with flag settings is so large that it is nearly impossible to get it to work reliably so I have left these ones out. Feedback on this DLL would be appreciated.

The second version is now attached; it corrected a problem with chained jumps of the following format.


main proc

    jmp label0
    nop
  label0:
    jmp label1
    nop
  label1:
    jmp label2
    nop
  label2:
    jmp label3
    nop
  label3:
    jmp label4
    nop
  label4:
    jmp label5
    nop
  label5:
    jmp label6
    nop
  label6:

    ret

main endp


When disassembled in DumpPE it looks like this.


00401025                    fn_00401025:                ; Xref 00401000
00401025 EB01                   jmp     loc_00401028
00401027 90                     nop
00401028                    loc_00401028:               ; Xref 00401025
00401028 EB01                   jmp     loc_0040102B
0040102A 90                     nop
0040102B                    loc_0040102B:               ; Xref 00401028
0040102B EB01                   jmp     loc_0040102E
0040102D 90                     nop
0040102E                    loc_0040102E:               ; Xref 0040102B
0040102E EB01                   jmp     loc_00401031
00401030 90                     nop
00401031                    loc_00401031:               ; Xref 0040102E
00401031 EB01                   jmp     loc_00401034
00401033 90                     nop
00401034                    loc_00401034:               ; Xref 00401031
00401034 EB01                   jmp     loc_00401037
00401036 90                     nop
00401037                    loc_00401037:               ; Xref 00401034
00401037 EB01                   jmp     loc_0040103A
00401039 90                     nop
0040103A                    loc_0040103A:               ; Xref 00401037
0040103A C3                     ret


Run through the DLL, it has the chained jumps removed so that each jump in the old chain branches directly to the last label.


; ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

fn_00401025:

    jmp lbl6
    nop
    jmp lbl6
    nop
    jmp lbl6
    nop
    jmp lbl6
    nop
    jmp lbl6
    nop
    jmp lbl6
    nop
    jmp lbl6
    nop

  lbl6:
    ret


The DLL is designed essentially to work on one procedure at a time once it has been disassembled in DumpPE. Using the old trick of putting a number of NOPs before and after the procedure so you can easily find it, select the procedure in the DumpPE output and try the DLL on the selected code.

[attachment deleted by admin]
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php
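The jump optimisation described in the post (jumps to jumps threaded to their final label, a conditional jump over an unconditional one inverted, and jumps to the very next instruction dropped) is easy to get wrong on exactly the chained case shown above, so here is an added Python example of that pass over DumpPE-style listing text. It is not the QE plugin's code and it does not attempt the zero-test removal or the instruction replacement options. The two line shapes it parses (address + `name:` with an `; Xref` comment, and address + bytes + mnemonic + operand) are taken from the listing in the post; `SAMPLE_CHAIN` is a two-link cut of that listing and `SAMPLE_JCC` is a constructed listing that exercises the other two cases. Like the plugin, it assumes the selection is one whole procedure, so a label no longer referenced inside the selection is dropped (the post's output kept only `lbl6` for the same reason).

```python
import re

# Line shapes from the DumpPE listing in the post: "ADDR  name:  ; Xref ..." and "ADDR BYTES mnem operand".
LABEL_RE = re.compile(r'^[0-9A-Fa-f]{8}\s+(\w+):')
INSN_RE = re.compile(r'^[0-9A-Fa-f]{8}\s+[0-9A-Fa-f]+\s+(\w+)(?:\s+([^;]+?))?\s*(?:;.*)?$')

# Conditional jumps this example can invert (jcc over jmp); anything else is only threaded or left alone.
COND_INVERSE = {
    'je': 'jne', 'jne': 'je', 'jz': 'jnz', 'jnz': 'jz', 'ja': 'jbe', 'jbe': 'ja', 'jae': 'jb', 'jb': 'jae',
    'jg': 'jle', 'jle': 'jg', 'jge': 'jl', 'jl': 'jge', 'jc': 'jnc', 'jnc': 'jc', 'js': 'jns', 'jns': 'js',
}

# Constructed listings. SAMPLE_CHAIN is a two-link cut of the post's chained-jump case;
# SAMPLE_JCC is made up (addresses and bytes included) to show a jcc over a jmp and a dead jmp.
SAMPLE_CHAIN = """\
00401025                    fn_00401025:                ; Xref 00401000
00401025 EB01                   jmp     loc_00401028
00401027 90                     nop
00401028                    loc_00401028:               ; Xref 00401025
00401028 EB01                   jmp     loc_0040102B
0040102A 90                     nop
0040102B                    loc_0040102B:               ; Xref 00401028
0040102B C3                     ret
"""
SAMPLE_JCC = """\
00401040                    fn_00401040:
00401040 85C0                   test    eax,eax
00401042 7502                   jne     loc_00401046
00401044 EB04                   jmp     loc_0040104A
00401046                    loc_00401046:               ; Xref 00401042
00401046 33C0                   xor     eax,eax
00401048 EB00                   jmp     loc_0040104A
0040104A                    loc_0040104A:               ; Xref 00401044 00401048
0040104A C3                     ret
"""

def parse_dumppe(text):
    """Reduce a listing to ('label', name, None) and ('insn', mnemonic, operand) items."""
    items = []
    for line in text.splitlines():
        m = LABEL_RE.match(line)
        if m:
            items.append(('label', m.group(1), None))
            continue
        m = INSN_RE.match(line)
        if m:
            items.append(('insn', m.group(1).lower(), m.group(2) or None))
    return items

def next_insn(items, i):
    """Index of the first instruction at or after items[i], skipping labels; None at the end."""
    while i < len(items) and items[i][0] == 'label':
        i += 1
    return i if i < len(items) else None

def final_target(items, label_at, label):
    """Follow label -> jmp -> label chains to the last label. A chain that loops back on itself
    is an infinite loop whichever link we name, so we simply stop when a label repeats."""
    seen = set()
    while label not in seen:
        seen.add(label)
        j = next_insn(items, label_at[label])
        if j is None or items[j][1] != 'jmp' or items[j][2] not in label_at:
            break
        label = items[j][2]
    return label

def optimise(items):
    """Thread jump chains, invert jcc-over-jmp pairs, drop jumps to the next instruction,
    then render with only the entry label and the labels the new code still references."""
    label_at = {name: i for i, (kind, name, _) in enumerate(items) if kind == 'label'}
    out, refs, i = [], set(), 0            # out holds ('label', name) or ('code', text)
    while i < len(items):
        kind, mnem, op = items[i]
        nxt = items[i + 1] if i + 1 < len(items) else None
        if kind == 'label':
            out.append(('label', mnem))
        elif (mnem == 'jmp' or mnem in COND_INVERSE) and op in label_at:
            target = final_target(items, label_at, op)          # 1. jump threading
            after_target = next_insn(items, label_at[target])
            if mnem == 'jmp' and after_target is not None and after_target == next_insn(items, i + 1):
                out.append(('code', f'    ; dead jmp {op} removed'))   # 2. jump to the next instruction
            elif (mnem != 'jmp' and nxt is not None and nxt[:2] == ('insn', 'jmp') and nxt[2] in label_at
                  and after_target is not None and after_target == next_insn(items, i + 2)):
                # 3. jcc directly over a jmp (no label between them): invert it and drop the jmp
                jtarget = final_target(items, label_at, nxt[2])
                refs.add(jtarget)
                out.append(('code', f'    {COND_INVERSE[mnem]} {jtarget}    ; was {mnem} {op} / jmp {nxt[2]}'))
                i += 1                                            # the jmp is consumed as well
            else:
                refs.add(target)
                note = f'    ; was {mnem} {op}' if target != op else ''
                out.append(('code', f'    {mnem} {target}{note}'))
        else:  # anything else is kept; remember any label it mentions (call, offset, ...)
            refs.update(n for n in label_at if op and re.search(rf'\b{re.escape(n)}\b', op))
            out.append(('code', f'    {mnem} {op}' if op else f'    {mnem}'))
        i += 1
    lines, entry_done = [], False
    for kind, text in out:
        if kind != 'label':
            lines.append(text)
        elif not entry_done:                 # the procedure entry label is always kept
            lines.append(f'{text}:')
            entry_done = True
        elif text in refs:
            lines.append(f'  {text}:')
    return lines

if __name__ == '__main__':
    for sample in (SAMPLE_CHAIN, SAMPLE_JCC):
        print('\n'.join(optimise(parse_dumppe(sample))), end='\n\n')
```

The two checks that keep this safe are the `seen` set in `final_target`, which stops a chain that loops back on itself (a `jmp` to itself, or A to B to A) instead of spinning forever or picking an arbitrary link, and the requirement that the `jmp` sit directly after the `jcc` with no label in between before the pair is inverted; if a label were between them, code arriving at that label would lose its `jmp`. The `; was ...` comment on every rewritten line is the same idea as the plugin's commented-off replacements: the original is still visible for checking.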

hutch--

I have posted a new version that fixed a problem with the jump optimisation above.