problems with W32dasm....need some help!


Newbie2k2
September 9th, 2002, 09:37
When finishing processing the lines of a file, it gets frozen and stops responding.. Would someone please tell me what to do??? It starts OK, processes the jumps, then the problem comes when it starts processing the lines...

As I saw, moderators or new rules don't let me post links on here. PM me for the app link if someone is interested in helping me.. please!!!! The app name is Smart Draw..

Thanks!!!

squidge
September 9th, 2002, 11:50
Lots of programs can cause w32dasm to fall over, try IDA on it instead.

Newbie2k2
September 9th, 2002, 14:04
I need W32dasm to work with me.. I don't understand IDA; it is not as easy as Dasm.. Please, someone guide me or tell me how to patch Dasm to remove this problem..

JMI
September 9th, 2002, 16:48
Newbie2k2:

Most likely the problem is not with W32dasm, but is that the programmer of the software has coded something in his program to confuse W32dasm. There really isn't a way to "patch" W32dasm to "fix" the problem with the individual code, because it attacks the way that a disassembler works. You have to patch the program's code if this is the problem.

What I would suggest you do first (and again what everyone is supposed to do before posting a question) is do a search here for threads on "W32dasm" using the "+" sign with various other words, such as "stops working" or some such. My own quick search listed 181 topics addressing this combination, including several that have titles that should be of interest.

Second, use the link on the bottom of the Forum and go to the Anticrack site, then go to the articles section and to the "Current active topics" section. There you will find a section of articles titled "RCE Anti-disassembler" which will describe for you how they block W32dasm from working.

One of the most common is to have a couple of jumps that jump back and forth to each other. There is a short article there by ?ferret which describes this trick. You would see something like
************
400000 JMP 401000
401000 JMP 400000
He notes that:

this keeps the disassembler busy processing jump references til it run out of RAM and locks.....

pretty smart thinkin, but ez to defeat after u figure it out.....if u run across a proggy that does this, open it up in a hexeditor and nop those jumps (they aren't executed anyway)
***********

You are probably going to have to learn how to look at the code in a debugger to find this type of trick if W32dasm freezes.

There are also threads here discussing problems with the memory W32dasm allocates for export names, which you should read.


Give this a try and come back with more questions if you review these subjects and still don't figure out a solution.

Regards.

Newbie2k2
September 9th, 2002, 19:37
Dear JIM, yes, I did search, but I think this case has never been explained before.... NOPing those jumps, which I don't think are really jumps, makes the exe unusable. Anyway, it won't make any changes.. still crashing.. It only happens with this exe file.. I've got enough RAM.. This is the error message:

Processing lines.....line 6788

then:

W32DSM89 caused an invalid page fault in
module KERNEL32.DLL at 01d7:bff9db61.
Registers:
EAX=c00309c4 CS=01d7 EIP=bff9db61 EFLGS=00010212
EBX=00630354 SS=01df ESP=0062ffc8 EBP=00630264
ECX=00000000 DS=01df ESI=00630370 FS=0ef7
EDX=0063027c ES=01df EDI=00e7fe28 GS=0000
Bytes at CS:EIP:
53 8b 15 e4 9c fc bf 56 89 4d e4 57 89 4d dc 89
Stack dump:
I need an expert or someone to try that exe to see what is going on.. Please, I need help. Can you try it, JIM?
here it is :

Newbie2k2
September 9th, 2002, 19:57
JIM, OK.. I got it... Problem solved by deleting the last section.. Thanks for your gentle reply and for not insulting me like before.

Kayaker
September 10th, 2002, 00:53
Hi

Let me give a bit of explanation of what's going on here. Yes, W32Dasm fails to properly disassemble PE files which have a slightly "non-standard" resource section. If you look at this file in a resource editor you'll see certain "Named Resources" such as "PNG" "SERIAL" "WMF" that go along with the standard resources such as cursor, bitmap, icon, etc. WDasm can't handle these types of resources and a crash eventually occurs somewhere in Kernel UnhandledExceptionFilter code.

Specifically, if you look at the exe file in an editor like PEBrowse you can see the Named Resources listed:

NumberOfNamedEntries = 0x0007 ; Named Resources
NumberOfIdEntries = 0x000B ; Standard Resources

Named Entry #1 ; i.e. "PNG"
Type = 0x80009226
OffsetToData = 0x800000A0
Characteristics = 0x00000000
TimeDateStamp = 0x00000000
...follows the structure of each individual resource under the heading Named Entry #1

Named Entry #2 ; i.e. "SERIAL"
Type = 0x8000921E
OffsetToData = 0x800001E8
...follows the structure of each individual resource under the heading Named Entry #2

----------------------

The .rsrc section is built as a tree-like structure with pointers to branches and subbranches describing each resource. A resource editor follows these branches and compiles them for our convenience, but in the PE file it's built up beginning with pairs of dwords for each Named (or Id) Entry, giving the Type and OffsetToData, which is a pointer to the next branch of that particular resource. In hex mode it looks like this, where the first WORD is the NumberOfNamedEntries value and following it are the DWORD values for each Named Entry #:

001F900C 0700 0B00 2692 0080 A000 0080 1E92 0080
001F901C E801 0080

If you were to change the NumberOfNamedEntries to 0 and delete the pairs of dwords, Type and OffsetToData, for each Named Entry by changing them to 0 as well, W32Dasm should be able to disassemble the file. This is why deleting the .rsrc section worked.

This is an old W32Dasm bug that I'm sure could be fixed if someone bothered trying. I'm assuming W32Dasm is reading this section to get the String Refs. Somewhere in that part of the code it chokes on these Named Entries, which could be as simple a thing as the way it parses the names and the " " characters. What do we need to do here, create a mini project "Improve W32Dasm" ?? ;-)


JMI's replies have in reality only ever been meant to be helpful, and his 'search till you drop' advice is probably the best advice all around. If your search was thorough you also would have found an old archived post by me right next to the other ones you found, describing this exact problem and its cause, or references to it in earlier threads on this board. I'm not saying you should have or could have found it and related it to your problem, just that it does exist and is in the huge database of information available.

Heh, why do people keep calling you JMI JIM?

Cheers,
Kayaker
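As an added example (not code from the thread, from W32Dasm or from PEBrowse), the Python below decodes the resource directory entries from the values in Kayaker's hex dump at 001F900C, splits each dword into its high-bit flag (named entry / subdirectory pointer) and 31-bit offset, stops cleanly when the buffer ends before the declared entry count, and applies the zeroing workaround he describes. The 12 header bytes preceding the dump (Characteristics, TimeDateStamp, versions) are assumed to be zero.

```python
import struct

# Constructed sample (not bytes from the thread's file): a 16-byte
# IMAGE_RESOURCE_DIRECTORY header followed by its first two entries. "0700 0B00"
# and the four entry dwords are the values in Kayaker's hex dump at 001F900C;
# the 12 header bytes before them are assumed zero.
RSRC_SAMPLE = bytes.fromhex(
    "00000000 00000000 0000 0000"  # Characteristics, TimeDateStamp, Major/MinorVersion
    "0700 0B00"                    # NumberOfNamedEntries=7, NumberOfIdEntries=0xB
    "2692 0080 A000 0080"          # Named Entry #1: Name, OffsetToData
    "1E92 0080 E801 0080"          # Named Entry #2: Name, OffsetToData
)

HIGH_BIT = 0x80000000  # set: Name is a string offset / OffsetToData is a subdirectory
LOW_MASK = 0x7FFFFFFF  # remaining 31 bits: the offset or the numeric ID

def parse_resource_directory(data, offset=0):
    """Decode one IMAGE_RESOURCE_DIRECTORY plus the entries after it.
    Returns (n_named, n_id, entries, truncated); truncated is True when the
    buffer ends before the declared entry count, which stops parsing cleanly
    instead of reading past the data."""
    _, _, _, _, n_named, n_id = struct.unpack_from("<IIHHHH", data, offset)
    entries, pos = [], offset + 16
    for _ in range(n_named + n_id):
        if pos + 8 > len(data):
            return n_named, n_id, entries, True
        name, off = struct.unpack_from("<II", data, pos)
        entries.append({
            "by_name": bool(name & HIGH_BIT),   # named entry (string) vs numeric ID
            "name_or_id": name & LOW_MASK,      # offset of the UTF-16 name, or the ID
            "is_subdir": bool(off & HIGH_BIT),  # next branch vs. leaf data entry
            "target": off & LOW_MASK,           # offset of that branch or data entry
        })
        pos += 8
    return n_named, n_id, entries, False

def zero_named_entries(data, offset=0):
    """Workaround as Kayaker describes it: NumberOfNamedEntries := 0 and each
    named entry's Name/OffsetToData pair zeroed in place (nothing is shifted).
    Works on a copy and returns it."""
    buf = bytearray(data)
    n_named = struct.unpack_from("<H", buf, offset + 12)[0]
    struct.pack_into("<H", buf, offset + 12, 0)
    for i in range(n_named):
        pos = offset + 16 + 8 * i
        if pos + 8 > len(buf):
            break
        buf[pos:pos + 8] = bytes(8)
    return bytes(buf)
```

On the sample, both decoded entries come back with the high bit set in both dwords, i.e. named entries whose OffsetToData points to a subdirectory, exactly the shape Kayaker's PEBrowse listing shows.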

JMI
September 10th, 2002, 02:25
Kayaker:

Once again you have proven that although you are "happy when wet," you are most certainly not "all wet." I guess people think that my nick is a name, instead of initials and while there is a name "JIM" there is no name "JMI." Anyway, I know who they are referring to, and have been called much more colorful names.



Regards.

Newbie2k2
September 10th, 2002, 14:41
I really appreciated your help and replies, guys!! Thanks a lot.