
Using the disasm source code


drPL
September 10th, 2008, 19:58
Hi,
I'm new here, please be gentle

I've been using Ollydbg on and off for years in my attempt to learn x86 assembler. I've decided to experiment with the Disasm source code as provided on the Ollydbg website, but I have a few questions, which hopefully someone can answer.

It doesn't look like the source file enables a determination of which Win32 API is called ... how is this done? That is, how can you translate a call xxxxxx routine to mean (eg) call Win32.ReadFile ?

Does Disasm also provide information about the pre-asm preamble in a PE, such as the .data section? If not, how does this get displayed in the hex dump window in Ollydbg?

My last point concerns the use of Disasm in a windows program. I'd like to read in another executable, which is then totally disassembled, and I thought about the following:

#include <stdio.h>
#include <stdlib.h>
#include "disasm.h"   // t_disasm, ulong, DISASM_CODE and Disasm() from the Ollydbg disasm source

FILE *input;
char filename[100]; // filename will be something like "helloworld.exe"
int count;
char *cFile;
ulong lFileLen;

input = fopen(filename, "rb");

fseek(input, 0, SEEK_END); // ftell() only reports the file size once positioned at the end
lFileLen = ftell(input);
rewind(input);             // back to the start before reading the bytes

cFile = calloc(lFileLen + 1, sizeof(char));
fread(cFile, 1, lFileLen, input);

t_disasm da;
ulong l = Disasm( cFile,
lFileLen,
????????, <----------------------- what goes here????? The initial address of the PE? If so, won't this confuse the disassembler?
&da,
DISASM_CODE);

I'm not sure about the section I've marked above, and hence not sure if my little routine will work. Can anyone help?

Many thanks

Paul

_wh_
September 11th, 2008, 04:39
this function needs the opcode and returns the mnemonic for it. that's all

all pe-file related things have to be done by you

blabberer
September 11th, 2008, 07:48
the disasm source is very, very old; it pertains to ollydbg version 1.04

the disasm source contains only one function and it needs a char pointer

ulong Disasm(char *src,        // pointer to the code bytes to decode
             ulong srcsize,    // number of bytes available at src
             ulong srcip,      // address the first byte would have in memory (used to resolve relative jumps/calls)
             t_disasm *disasm, // receives the decoded instruction text and its details
             int disasmmode);  // DISASM_CODE for a full disassembly

all the file related thingamajigs will be done by you, and you have to provide the proper address to the function

CreateFile -> ReadFile -> parse file for PE header AddressOfEntryPoint -> provide Disasm function with that address
take back the disassembled buffer -> do whatever you want; use the return of that function to go to the next possibly valid address and disassemble
and keep on doing it till the whole code is disassembled or till you hit a block where you can't deduce the next branch
now you have to adopt heuristics -> your own analysis data etc. to further disassemble, and the game becomes endless from here
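The file-side half of that flow, as an added C example written for this thread (not code from the Ollydbg source or from either poster): it parses a PE32 image to find the entry point's virtual address (what Disasm wants as srcip) and the file offset of its bytes (what you pass as src). The image is a constructed, headers-only sample, and every header read is bounds-checked so a malformed file fails instead of reading past the buffer.

```c
#include <stdint.h>
#include <string.h>
/* Bounds-checked little-endian readers: a crafted header must fail, not read past the buffer. */
static int rd16(const uint8_t *b, size_t n, size_t off, uint32_t *v) {
    if (off + 2 > n) return 0;
    *v = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8); return 1;
}
static int rd32(const uint8_t *b, size_t n, size_t off, uint32_t *v) {
    uint32_t lo, hi; if (!rd16(b, n, off, &lo) || !rd16(b, n, off + 2, &hi)) return 0;
    *v = lo | (hi << 16); return 1;
}
/* PE32 entry point of a raw file image: *va gets the virtual address (Disasm's srcip),
   *file_off the offset of its first byte in the file (src). Returns 0 on any bad header. */
int pe_entry_point(const uint8_t *b, size_t n, uint32_t *va, uint32_t *file_off) {
    uint32_t lfanew, sig, nsect, optsize, magic, entry_rva, image_base, i;
    if (n < 2 || b[0] != 'M' || b[1] != 'Z') return 0;                          /* DOS e_magic */
    if (!rd32(b, n, 0x3c, &lfanew) || !rd32(b, n, lfanew, &sig)) return 0;      /* e_lfanew -> signature */
    if (sig != 0x00004550) return 0;                                             /* "PE\0\0" */
    size_t pe = lfanew, opt = pe + 24;                                           /* COFF header, then optional header */
    if (!rd16(b, n, pe + 6, &nsect) || !rd16(b, n, pe + 20, &optsize)) return 0;
    if (!rd16(b, n, opt, &magic) || magic != 0x10b) return 0;                   /* PE32 only; 0x20b is PE32+ */
    if (!rd32(b, n, opt + 16, &entry_rva) || !rd32(b, n, opt + 28, &image_base)) return 0;
    for (i = 0; i < nsect; i++) {                                                /* 40-byte section headers */
        size_t s = opt + optsize + (size_t)i * 40;
        uint32_t vaddr, rawsize, rawptr;
        if (!rd32(b, n, s + 12, &vaddr) || !rd32(b, n, s + 16, &rawsize) || !rd32(b, n, s + 20, &rawptr)) return 0;
        if (entry_rva >= vaddr && entry_rva - vaddr < rawsize) {                /* RVA maps into this section's raw data */
            *file_off = rawptr + (entry_rva - vaddr); *va = image_base + entry_rva;
            return *file_off < n;
        }
    }
    return 0;                                                                    /* entry point not backed by file data */
}
/* From here, sweep: Disasm((char *)b + file_off, n - file_off, va, &da, DISASM_CODE) returns the
   length of the instruction it decoded, so advance both file_off and va by that much and repeat. */
/* Constructed, headers-only PE32 image (not a real program) so the block runs stand-alone. */
static void put32(uint8_t *b, size_t off, uint32_t v) {
    b[off] = (uint8_t)v; b[off + 1] = (uint8_t)(v >> 8); b[off + 2] = (uint8_t)(v >> 16); b[off + 3] = (uint8_t)(v >> 24);
}
int demo_entry_point(uint32_t *va, uint32_t *file_off) {
    static uint8_t img[0x400]; size_t s = 0x98 + 0xe0;             /* section table follows the 0xe0-byte optional header */
    memset(img, 0, sizeof img); img[0] = 'M'; img[1] = 'Z'; put32(img, 0x3c, 0x80);  /* e_lfanew = 0x80 */
    put32(img, 0x80, 0x00004550); img[0x86] = 1; img[0x94] = 0xe0;  /* "PE\0\0", NumberOfSections=1, SizeOfOptionalHeader */
    img[0x98] = 0x0b; img[0x99] = 0x01;                             /* Magic 0x10b (PE32) */
    put32(img, 0x98 + 16, 0x1010); put32(img, 0x98 + 28, 0x400000); /* AddressOfEntryPoint, ImageBase */
    memcpy(img + s, ".text", 5); put32(img, s + 12, 0x1000);        /* .text at RVA 0x1000 ... */
    put32(img, s + 16, 0x200); put32(img, s + 20, 0x200);           /* ... 0x200 raw bytes at file offset 0x200 */
    return pe_entry_point(img, sizeof img, va, file_off);           /* -> va 0x401010, file_off 0x210 */
}
```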

drPL
September 11th, 2008, 10:58
Ah, I should have guessed it was old by the "2001" date at the end

Is a more recent version of the source to be released soon?

Thanks for your help!

upb
September 11th, 2008, 14:10
better use this
http://bastard.sourceforge.net/

bilbo
September 11th, 2008, 23:49
A search inside Sourceforge will give you other interesting results:

TatraDIS (last updated on Christmas 2007), nice interface, written in Delphi, including a Delphi control for your programs

UDis86, simple library well documented

PEReader, with interesting code-locating techniques and an attempt to identify the arguments of the Windows API

Best regards, bilbo

drPL
September 12th, 2008, 01:27
Thanks Bilbo and upb, I have read some of the technical material (Microsoft papers etc.), and it was tough going at first. I was wondering if there was any source code showing how to do it from scratch? I've found some code that will enable the entrypoint to be found, but I'm having some difficulty finding out an easy way (!) to determine the data in thunk tables. Perhaps the Bastard source files might be able to help...

drPL
September 12th, 2008, 11:09
Just one more question: how on earth does Olly manage to determine the exported dll function prototypes (even down to the name of the argument in MSDN!)?

blabberer
September 12th, 2008, 15:24
olly creates its own custom tables and stores its analysis data in those tables, and then utilises them to label the functions with args.
take a look at the Analyse function in ollydbg, take a look at all those NM_ labels, and take a look at the custom function description in the ollydbg help file

drPL
September 13th, 2008, 16:09
Thanks for your help. Oleh informs me that there is a 900k internal database of windows API (their prototypes). Gosh. I'd better start typing then....

blabberer
September 14th, 2008, 06:52
and Oleh, if he informed you so, hasn't exaggerated anything

Code:

005D739C WinMain..AL=hCurrInstance,L=hPrevInstance,A=CmdLine,SW_X:ShowSta
005D73DC te.DllEntryPoint..AL=hDLLInstance,DLL_X:CallReason,P=pReserved.W
005D741C inProc..Aw=hWnd,WM_X:Message,H=wParam,H=lParam.DllInstall..AB=In
005D745C stall,A=CmdLine.Format..@M=format,....Sformat..@P=ptr,M=format,.
005D749C ...StdFunc0..@.StdFunc1..@u=Arg1.StdFunc2..@u=Arg1,u=Arg2.StdFun
005D74DC c3..@u=Arg1,u=Arg2,u=Arg3.StdFunc4..@u=Arg1,u=Arg2,u=Arg3,u=Arg4
005D751C .StdFunc5..@u=Arg1,u=Arg2,u=Arg3,u=Arg4,u=Arg5.StdFunc6..@u=Arg1
005D755C ,u=Arg2,u=Arg3,u=Arg4,u=Arg5,u=Arg6.StdFunc7..@u=Arg1,u=Arg2,u=A
005D759C rg3,u=Arg4,u=Arg5,u=Arg6,u=Arg7.StdFunc8..@u=Arg1,u=Arg2,u=Arg3,
005D75DC u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=Arg8.StdFunc9..@u=Arg1,u=Arg2,u=Ar
005D761C g3,u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=Arg8,u=Arg9.StdFunc10..@u=Arg1,
005D765C u=Arg2,u=Arg3,u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=Arg8,u=Arg9,u=Arg10.
005D769C StdFunc11..@u=Arg1,u=Arg2,u=Arg3,u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=A
005D76DC rg8,u=Arg9,u=Arg10,u=Arg11.StdFunc12..@u=Arg1,u=Arg2,u=Arg3,u=Ar
005D771C g4,u=Arg5,u=Arg6,u=Arg7,u=Arg8,u=Arg9,u=Arg10,u=Arg11,u=Arg12.St
005D775C dFunc13..@u=Arg1,u=Arg2,u=Arg3,u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=Arg
005D779C 8,u=Arg9,u=Arg10,u=Arg11,u=Arg12,u=Arg13.StdFunc14..@u=Arg1,u=Ar
005D77DC g2,u=Arg3,u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=Arg8,u=Arg9,u=Arg10,u=Ar
005D781C g11,u=Arg12,u=Arg13,u=Arg14.StdFunc15..@u=Arg1,u=Arg2,u=Arg3,u=A


snippppppppppppp

005F1E1E DOS_MaxMem,B2@H= DOS_ReloSS,B2@H= DOS_ExeSP,B2@H= DOS_ChkSum,B2@
005F1E5E H= DOS_ExeIP,B2@H= DOS_ReloCS,B2@H= DOS_TablOff,B2@H= DOS_Overla
005F1E9E y.COFFheader..HB2@COFF_MACHINE:Machine,B2@I= NumberOfSections,D4
005F1EDE @H= TimeDateStamp,D4@H= PointerToSymbolTable,D4@I= NumberOfSymbo
005F1F1E ls,B2@I= SizeOfOptionalHeader,B2@COFF_CHARACT: Characteristics.C
005F1F5E OFFoptstdheader..HB2@COFF_OPTMAGIC:MagicNumber,A1@I= MajorLinker
005F1F9E Version,A1@I= MinorLinkerVersion,D4@I= SizeOfCode,D4@I= SizeOfIn
005F1FDE itializedData,D4@I= SizeOfUninitializedData,D4@H= AddressOfEntry
005F201E Point,D4@H= BaseOfCode,D4@H= BaseOfData.COFFspecificheader..HD4@
005F205E H=ImageBase,D4@H= SectionAlignment,D4@H= FileAlignment,B2@I= Maj
005F209E orOSVersion,B2@I= MinorOSVersion,B2@I= MajorImageVersion,B2@I= M
005F20DE inorImageVersion,B2@I= MajorSubsystemVersion,B2@I= MinorSubsyste
005F211E mVersion,D4@D= Reserved,D4@I= SizeOfImage,D4@I= SizeOfHeaders,D4
005F215E @H= CheckSum,B2@COFF_SUBSYSTEM: Subsystem,B2@H= DLLCharacteristi
005F219E cs,D4@I= SizeOfStackReserve,D4@I= SizeOfStackCommit,D4@I= SizeOf
005F21DE HeapReserve,D4@I= SizeOfHeapCommit,D4@H= LoaderFlags,D4@I= Numbe
005F221E rOfRvaAndSizes.COFFdirectory..HD4@H= Export Table address,D4@I=
005F225E Export Table size,D4@H= Import Table address,D4@I= Import Table
005F229E size,D4@H= Resource Table address,D4@I= Resource Table size,D4@H
005F22DE = Exception Table address,D4@I= Exception Table size,D4@H= Certi
005F231E ficate File pointer,D4@I= Certificate Table size,D4@H= Relocatio
005F235E n Table address,D4@I= Relocation Table size,D4@H= Debug Data add
005F239E ress,D4@I= Debug Data size,D4@H= Architecture Data address,D4@I=
005F23DE Architecture Data size,D4@H= Global Ptr address,D4@D= Must be 0
005F241E ,D4@H= TLS Table address,D4@I= TLS Table size,D4@H= Load Config
005F245E Table address,D4@I= Load Config Table size,D4@H= Bound Import Ta
005F249E ble address,D4@I= Bound Import Table size,D4@H= Import Address T
005F24DE able address,D4@I= Import Address Table size,D4@H= Delay Import
005F251E Descriptor address,D4@I= Delay Import Descriptor size,D4@H= COM+
005F255E Runtime Header address,D4@I= Import Address Table size,D4@D= Re
005F259E served,D4@D= Reserved.COFFsection..HA8@D=SECTION,D4@I= VirtualSi
005F25DE ze,D4@H= VirtualAddress,D4@I= SizeOfRawData,D4@H= PointerToRawDa
005F261E ta,D4@H= PointerToRelocations,D4@H= PointerToLineNumbers,B2@I= N
005F265E umberOfRelocations,B2@I= NumberOfLineNumbers,D4@COFF_SECTCHAR: C
005F269E haracteristics.

if you want some help, then you can check out jstormes's stollyplugin and its source and/or its ini file; he uses almost the same size-defined syntax to show the structures

Code:

[t_sorted]
0=name_[MAX_PATH],db,260
1=n,dword,4
2=nmax,dword,4
3=selected,dword,4
4=seladdr,dword,4
5=itemsize,dword,4
6=version_,dword,4
7=data,dword,4
8=sortfunc,PSORTFUNC,4
9=destfunc,PDESTFUNC,4
10=sort,dword,4
11=sorted,dword,4
12=index,dword,4
13=suppresserr,dword,4

dELTA
September 19th, 2008, 17:03
A bunch of disasm libraries in the CRCETL, for you to study and learn from:

http://www.woodmann.com/collaborative/tools/Category:Disassembler_Libraries

condzero
September 20th, 2008, 09:43
I use disasm in my Armageddon tool. While some may consider it old, how much has really changed? Yes, it does have some weaknesses, but is fairly straightforward and easy to integrate and use for basic things (i.e. disassemble / assemble a few instructions on the fly). I wouldn't recommend it though for full blown disassembling or assembling many, many instructions or a whole program.

cheers

disavowed
October 14th, 2008, 14:50
i've been using distorm since it's one of the few that supports x64. it's not the easiest code to work with, but you can get it to do what you need with just a few hours of tinkering.

Darren
October 14th, 2008, 18:36
Hacker Disassembler Engine

http://patkov-site.narod.ru/eng.html#hde32

I've always thought this was a nice tidy piece of code