Using the disasm source code [Archive] - RCE Messageboard's Regroupment

View Full Version : Using the disasm source code

drPL

September 10th, 2008, 19:58

Hi,
I'm new here, please be gentle

I've been using Ollydbg on and off for years in my attempt to learn x86 assembler. I've decided to experiment with the Disasm source code as provided on the Ollydbg website, but I have a few questions, which hopefully someone can answer.

It doesn't look like the source file enable a determination of which Win32 API is called ... how is this done? That is, how can you translate a call xxxxxx routine to mean (eg) call Win32.ReadFile ?

Does Disasm also provide information about the pre-asm preamble in a PE, such as the .data section? If not, how does this get displayed in the hex dump window in Ollydbg?

My last point concerns the use of Disasm in a windows program. I'd like to read in another executable, which is then totally disassembled, and I thought about the following:

FILE *input;
char filename[100]; // filename will be something like "helloworld.exe"
int count;
char *cFile;
ulong lFileLen;

input = fopen(filename, "rb" ));

lFileLen = ftell(input);

cFile = calloc(lFileLen + 1, sizeof(char));
fread(cFile, 1, iFileLen, input);

t_disasm da;
ulong l = Disasm( cFile,
iFileLen,
????????, <----------------------- what goes here????? The initial address of the PE? If so, won't this confuse the disassembler?
&da,
DISASM_CODE);

I'm not sure about the section I've marked above, and hence not sure if my little routine will work. Can anyone help?

Many thanks

Paul

_wh_

September 11th, 2008, 04:39

this function needs the opcode and returns the menemonic for it .that's all

all pe-file related things as to be done by you

blabberer

September 11th, 2008, 07:48

the disasm source is very very old it pertains to ollydbg version 1.04

the disasm source contains only one function and it needs a char pointer

ulong Disasm(char *src,ulong srcsize,ulong srcip,
t_disasm *disasm,int disasmmode);

all the file related thinga magics will be done by you and you have to provide the proper address to the function

CreateFile-> ReadFile-> ParseFile for Pe header AddressOf Entry Point -> provide Disasm Function with that Address
take back the Dusassembled Buffer -> do whatever you want use the return Of that function to go to Next Possibly Valid Address Disassemble
and keep on Doing it till teh whole code is disasembled or till you hit a block where you cant deduce the next branch
now you have to adopt heuristics -> your own analysis data etc to further disassemble and the game becomes endless from here

drPL

September 11th, 2008, 10:58

Ah, I should have guessed it was old by the "2001" date at the end

Is a more recent version of the source to be released soon?

Thanks for your help!

upb

September 11th, 2008, 14:10

better use this
http://bastard.sourceforge.net/

bilbo

September 11th, 2008, 23:49

A search inside Sourceforge will give you other interesting results:

TatraDIS (last updated on Christmas 2007), nice interface, written in Delphi, including a Delphi control for your programs

UDis86, simple library well documented

PEReader, with interesting code-locating techniques and an attempt to identify the arguments of the Windows API

Best regards, bilbo

drPL

September 12th, 2008, 01:27

Thanks Bilbo and upb, I have read some of the technical material (Microsoft papers etc.), and it was tough going at first. I was wondering if there was any source code showing how to do it from scratch? I've found some code that will enable the entrypoint to be found, but I'm having some difficulty finding out an easy way (!) to determine the data in thunk tables. Perhaps the Bastard source files might be able to help...

drPL

September 12th, 2008, 11:09

Just one more question: how on earth does Olly manage to determine the exported dll function prototypes (even down to the name of the argument in MSDN!) ??

blabberer

September 12th, 2008, 15:24

olly creates its own custom tables and stores its analysis data in those tables and then utilises them to label the functions with args
take a look at Analyse Function in ollydbg take a look at all those NM_ labels take a look at custom function description in ollydbg help file

drPL

September 13th, 2008, 16:09

Thanks for your help. Oleh informs that there is a 900k internal database of windows API (their prototypes). Gosh. I'd better start typing then....

blabberer

September 14th, 2008, 06:52

and oleh if he informed hasnt exaggerated anything

Code:



005D739C  WinMain..AL=hCurrInstance,L=hPrevInstance,A=CmdLine,SW_X:ShowSta

005D73DC  te.DllEntryPoint..AL=hDLLInstance,DLL_X:CallReason,P=pReserved.W

005D741C  inProc..Aw=hWnd,WM_X:Message,H=wParam,H=lParam.DllInstall..AB=In

005D745C  stall,A=CmdLine.Format..@M=format,....Sformat..@P=ptr,M=format,.

005D749C  ...StdFunc0..@.StdFunc1..@u=Arg1.StdFunc2..@u=Arg1,u=Arg2.StdFun

005D74DC  c3..@u=Arg1,u=Arg2,u=Arg3.StdFunc4..@u=Arg1,u=Arg2,u=Arg3,u=Arg4

005D751C  .StdFunc5..@u=Arg1,u=Arg2,u=Arg3,u=Arg4,u=Arg5.StdFunc6..@u=Arg1

005D755C  ,u=Arg2,u=Arg3,u=Arg4,u=Arg5,u=Arg6.StdFunc7..@u=Arg1,u=Arg2,u=A

005D759C  rg3,u=Arg4,u=Arg5,u=Arg6,u=Arg7.StdFunc8..@u=Arg1,u=Arg2,u=Arg3,

005D75DC  u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=Arg8.StdFunc9..@u=Arg1,u=Arg2,u=Ar

005D761C  g3,u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=Arg8,u=Arg9.StdFunc10..@u=Arg1,

005D765C  u=Arg2,u=Arg3,u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=Arg8,u=Arg9,u=Arg10.

005D769C  StdFunc11..@u=Arg1,u=Arg2,u=Arg3,u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=A

005D76DC  rg8,u=Arg9,u=Arg10,u=Arg11.StdFunc12..@u=Arg1,u=Arg2,u=Arg3,u=Ar

005D771C  g4,u=Arg5,u=Arg6,u=Arg7,u=Arg8,u=Arg9,u=Arg10,u=Arg11,u=Arg12.St

005D775C  dFunc13..@u=Arg1,u=Arg2,u=Arg3,u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=Arg

005D779C  8,u=Arg9,u=Arg10,u=Arg11,u=Arg12,u=Arg13.StdFunc14..@u=Arg1,u=Ar

005D77DC  g2,u=Arg3,u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=Arg8,u=Arg9,u=Arg10,u=Ar

005D781C  g11,u=Arg12,u=Arg13,u=Arg14.StdFunc15..@u=Arg1,u=Arg2,u=Arg3,u=A





snippppppppppppp



005F1E1E  DOS_MaxMem,B2@H= DOS_ReloSS,B2@H= DOS_ExeSP,B2@H= DOS_ChkSum,B2@

005F1E5E  H= DOS_ExeIP,B2@H= DOS_ReloCS,B2@H= DOS_TablOff,B2@H= DOS_Overla

005F1E9E  y.COFFheader..HB2@COFF_MACHINE:Machine,B2@I= NumberOfSections,D4

005F1EDE  @H= TimeDateStamp,D4@H= PointerToSymbolTable,D4@I= NumberOfSymbo

005F1F1E  ls,B2@I= SizeOfOptionalHeader,B2@COFF_CHARACT: Characteristics.C

005F1F5E  OFFoptstdheader..HB2@COFF_OPTMAGIC:MagicNumber,A1@I= MajorLinker

005F1F9E  Version,A1@I= MinorLinkerVersion,D4@I= SizeOfCode,D4@I= SizeOfIn

005F1FDE  itializedData,D4@I= SizeOfUninitializedData,D4@H= AddressOfEntry

005F201E  Point,D4@H= BaseOfCode,D4@H= BaseOfData.COFFspecificheader..HD4@

005F205E  H=ImageBase,D4@H= SectionAlignment,D4@H= FileAlignment,B2@I= Maj

005F209E  orOSVersion,B2@I= MinorOSVersion,B2@I= MajorImageVersion,B2@I= M

005F20DE  inorImageVersion,B2@I= MajorSubsystemVersion,B2@I= MinorSubsyste

005F211E  mVersion,D4@D= Reserved,D4@I= SizeOfImage,D4@I= SizeOfHeaders,D4

005F215E  @H= CheckSum,B2@COFF_SUBSYSTEM: Subsystem,B2@H= DLLCharacteristi

005F219E  cs,D4@I= SizeOfStackReserve,D4@I= SizeOfStackCommit,D4@I= SizeOf

005F21DE  HeapReserve,D4@I= SizeOfHeapCommit,D4@H= LoaderFlags,D4@I= Numbe

005F221E  rOfRvaAndSizes.COFFdirectory..HD4@H= Export Table address,D4@I=

005F225E  Export Table size,D4@H= Import Table address,D4@I= Import Table

005F229E  size,D4@H= Resource Table address,D4@I= Resource Table size,D4@H

005F22DE  = Exception Table address,D4@I= Exception Table size,D4@H= Certi

005F231E  ficate File pointer,D4@I= Certificate Table size,D4@H= Relocatio

005F235E  n Table address,D4@I= Relocation Table size,D4@H= Debug Data add

005F239E  ress,D4@I= Debug Data size,D4@H= Architecture Data address,D4@I=

005F23DE   Architecture Data size,D4@H= Global Ptr address,D4@D= Must be 0

005F241E  ,D4@H= TLS Table address,D4@I= TLS Table size,D4@H= Load Config

005F245E  Table address,D4@I= Load Config Table size,D4@H= Bound Import Ta

005F249E  ble address,D4@I= Bound Import Table size,D4@H= Import Address T

005F24DE  able address,D4@I= Import Address Table size,D4@H= Delay Import

005F251E  Descriptor address,D4@I= Delay Import Descriptor size,D4@H= COM+

005F255E   Runtime Header address,D4@I= Import Address Table size,D4@D= Re

005F259E  served,D4@D= Reserved.COFFsection..HA8@D=SECTION,D4@I= VirtualSi

005F25DE  ze,D4@H= VirtualAddress,D4@I= SizeOfRawData,D4@H= PointerToRawDa

005F261E  ta,D4@H= PointerToRelocations,D4@H= PointerToLineNumbers,B2@I= N

005F265E  umberOfRelocations,B2@I= NumberOfLineNumbers,D4@COFF_SECTCHAR: C

005F269E  haracteristics.

if you want to have some help then you can check out jstormes stollyplugin and its source and or its ini file he uses almost the same syntax of size defined mechanism to show the structures

Code:



[t_sorted]

0=name_[MAX_PATH],db,260

1=n,dword,4

2=nmax,dword,4

3=selected,dword,4

4=seladdr,dword,4

5=itemsize,dword,4

6=version_,dword,4

7=data,dword,4

8=sortfunc,PSORTFUNC,4

9=destfunc,PDESTFUNC,4

10=sort,dword,4

11=sorted,dword,4

12=index,dword,4

13=suppresserr,dword,4

dELTA

September 19th, 2008, 17:03

A bunch of disasm libraries in the CRCETL, for you to study and learn from:

http://www.woodmann.com/collaborative/tools/Category

isassembler_Libraries

condzero

September 20th, 2008, 09:43

I use disasm in my Armageddon tool. While some may consider it old, how much has really changed? Yes, it does have some weaknesses, but is fairly straightforward and easy to integrate and use for basic things (i.e. disassemble / assemble a few instructions on the fly). I wouldn't recommend it though for full blown disassembling or assembling many, many instructions or a whole program.

cheers

disavowed

October 14th, 2008, 14:50

i've been using distorm since it's one of the few that supports x64. it's not the easiest code to work with, but you can get it to do what you need with just a few hours of tinkering.

Darren

October 14th, 2008, 18:36

Hacker Disassembler Engine

http://patkov-site.narod.ru/eng.html#hde32

I've always thought this was a nice tidy piece of code