How to disassemble Startup code of Binary
joeblack_2k2
March 17th, 2004, 13:04
When disassembling a binary file, I only see the code portions starting at the main routine. Is it possible to disassemble the compiler startup and exit code as well?
dELTA
March 17th, 2004, 14:13
This sounds to me like some kind of misunderstanding. Any normal disassembler will be able to show you the disassembled code at the entrypoint of the executable (check the EntryPoint field of the PE header to see what address this is), and this is indeed the first code that is executed when a program is launched. If the code at this address is indeed the code of your "main" procedure, then your compiler/linker hasn't generated any additional startup code.
What makes you think that the code you see in the disassembly is your "main" procedure? Which disassembler are you using?
Polaris
March 17th, 2004, 14:37
Quote:
[Originally Posted by dELTA]This sounds to me like some kind of misunderstanding. Any normal disassembler will be able to show you the disassembled code at the entrypoint of the executable (check the EntryPoint field of the PE header to see what address this is), and this is indeed the first code that is executed when a program is launched. If the code at this address is indeed the code of your "main" procedure, then your compiler/linker hasn't generated any additional startup code.
What makes you think that the code you see in the disassembly is your "main" procedure? Which disassembler are you using?
Delta is right... I answered the same question on another forum with an "IDA will do it... with no problems".
Surely he is not much into disassembling: probably he is looking at the code he wanna analyze without knowing that
Byez,
Polaris
joeblack_2k2
March 17th, 2004, 14:59
Delta, I'm using IDA. IDA shows (amongst other) the current position in the binary. This position matches the position of the file when opened with a hex editor.
When I scroll to the very first line of code in IDA, the current position is shown as e.g. 0x400. The hex-code of IDA at 0x400 corresponds to what Hexedit shows at 0x400. Unfortunately all the code from 0x000 to 0x400 is not available in IDA.
The same is true for the end: IDA ends at 001E17FF (which is commented "END start"), while the file in Hexedit ends at 1E31F8.
That is why I think that there are parts of code which IDA doesn't show.
Is there a possibility to tell IDA to do so? Might missing DLLs be the reason?
Thx,
JB
Iwarez
March 17th, 2004, 16:18
The missing bytes are the .exe header and the other sections like resources and other things not related to the disassembly of a file.
dELTA
March 17th, 2004, 20:34
joeblack_2k2, an exe file does not run linearly from the start to the end, which seems to be your current conception. The entrypoint can be anywhere in the code section, and it is specified in the PE header. When disassembling a file in IDA, it will normally take you to the entrypoint automatically to start out with. Also, DLLs have nothing to do with the disassembly of the main executable module in a program.
I strongly urge you to read up on PE executable files in general, or you will have very big problems going on any further.
I recommend checking out the "PE Tutorials" in the "Tutorials" section of Iczelion site (http://spiff.tripnet.se/~iczelion/), and continuing from there.
joeblack_2k2
March 18th, 2004, 00:38
Delta, thanks for your tip !
Actually I was not talking about the execution of an exe-file, but just analysing the hex-view in IDA. This view does show me linear file contents. And within this view I found out that parts (at the beginning and the end) are missing in comparison with a "normal" hex editor.
Btw, I am inspecting a file for Pocket PC.
I wonder whether these files are PEs too?
JB
Iwarez
March 23rd, 2004, 17:57
The Pocket PC files are also PE files with the same structure. And once again... IDA doesn't show you the header of an .exe, so it's normal you don't see some bytes.
The Svin
March 28th, 2004, 14:36
Well, C, C++ and other HLL compiled apps have start up code and there is an option in IDA not to show it. I'm not a fan of IDA (too slow and has a disasm engine with errors) but by default start up is collapsed (+ / - to control it).
You can look up the address of the beginning of the code section and go there using G and typing the address (mostly 401000h). Anyway, indeed the first section at the beginning of a PE binary is a pseudo section, and contains the stub, headers, directory information, in other words - has nothing to do with the code of the main program.
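The layout the replies in this thread describe (DOS stub and headers first, then the sections, entrypoint given as an RVA in the optional header, code section usually mapped at 401000h) can be checked directly with a small parser. The script below is an added example, not code from the thread, from IDA or from any tool mentioned here. The PE image it reads is constructed inline by build_sample_pe() (two sections, 0x400 bytes of headers) so it runs offline; the function names are the example's own. It goes slightly beyond the thread in that it also accepts PE32+ optional headers and names the ARM/THUMB machine ids found in Pocket PC binaries, so the same code can be pointed at a real file with open(path, "rb").read().

```python
import struct

# IMAGE_FILE_HEADER.Machine values for the platforms discussed in the thread
MACHINES = {0x14C: "i386", 0x1C0: "ARM", 0x1C2: "THUMB", 0x8664: "AMD64"}
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe():
    """Constructed PE32 test image (not a real program): 0x400 bytes of headers,
    .text at file offset 0x400 (RVA 0x1000) holding a PUSH EBP at the entry point,
    .rsrc at file offset 0x800 (RVA 0x2000)."""
    secs = [(b".text", 0x200, 0x1000, 0x400, 0x400, 0x60000020),   # code, exec, read
            (b".rsrc", 0x100, 0x2000, 0x200, 0x800, 0x40000040)]   # init data, read
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)          # e_lfanew -> "PE\0\0"
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)  # COFF header
    opt = bytearray(224)                                 # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x1010)              # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)              # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)               # FileAlignment
    struct.pack_into("<I", opt, 60, 0x400)               # SizeOfHeaders
    hdr += opt
    for name, vs, rva, rs, rp, ch in secs:
        hdr += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vs, rva, rs, rp, 0, 0, 0, 0, ch)
    hdr += b"\0" * (0x400 - len(hdr))
    text = bytearray(0x400)
    text[0x10] = 0x55                                    # RVA 0x1010 -> file 0x410: push ebp
    return bytes(hdr) + bytes(text) + b"\0" * 0x200


def parse_pe(data):
    """Read the header fields a disassembler needs to find code: machine, entry RVA,
    image base, size of headers and the section table. Handles PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "rva": f[2],
                         "rsize": f[3], "rptr": f[4], "chars": f[9]})
    return {"machine": MACHINES.get(machine, hex(machine)), "image_base": image_base,
            "entry_rva": entry_rva, "size_of_headers": size_of_headers, "sections": sections}


def rva_to_file_offset(pe, rva):
    """Map an RVA to (section name, file offset); None if no section backs it with file data."""
    for s in pe["sections"]:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["rsize"]):
            off = rva - s["rva"]
            return (s["name"], s["rptr"] + off) if off < s["rsize"] else None
    return None


def entry_point(pe):
    """Virtual address, section and file offset of the first instruction the loader runs."""
    hit = rva_to_file_offset(pe, pe["entry_rva"])
    if hit is None:
        raise ValueError("entry point RVA is not backed by file data")
    return pe["image_base"] + pe["entry_rva"], hit[0], hit[1]


def file_layout(pe, file_size):
    """Split the file into labelled byte ranges [start, end): headers, each section's raw
    data, and any trailing overlay. The 'headers' range is what IDA's hex view leaves out."""
    end = pe["size_of_headers"]
    ranges = [("headers", 0, end)]
    for s in sorted(pe["sections"], key=lambda s: s["rptr"]):
        if s["rsize"]:
            ranges.append((s["name"], s["rptr"], s["rptr"] + s["rsize"]))
            end = max(end, s["rptr"] + s["rsize"])
    if file_size > end:
        ranges.append(("overlay", end, file_size))
    return ranges


if __name__ == "__main__":
    data = build_sample_pe()           # replace with open(path, "rb").read() for a real file
    pe = parse_pe(data)
    va, sec, off = entry_point(pe)
    print("machine %s, entry VA 0x%x in %s at file offset 0x%x (first byte 0x%02x)"
          % (pe["machine"], va, sec, off, data[off]))
    for name, a, b in file_layout(pe, len(data)):
        print("  %-8s 0x%06x - 0x%06x" % (name, a, b))
```

On the sample image the first listed range is the header block 0x000-0x400, which is exactly the part joeblack_2k2 could not find in IDA, and the entry point resolves to file offset 0x410 inside .text rather than to file offset 0. Trailing ranges (.rsrc here, or an overlay past the last section) explain why a hex editor shows bytes beyond where the disassembly listing stops.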