
Thread: Disassembly

  1. #1

    Disassembly

    I was given this program. It closes notepad.exe.

    I would like to get it to a form that Masm 6.14 can assemble.

    I don't think it's a PE because Ollydbg locked up on it.

    And it may not use the usual Win 32 APIs to search for it in memory.
    Can someone help me?

    It was given to me as a batch file which output a .com file and then renamed
    it to a .exe.

    It works fine, though it could use some error checking.

    Thanks.

    Code:
    .idata:00401000 ;
    .idata:00401000 ; +-------------------------------------------------------------------------+
    .idata:00401000 ; |      This file is generated by The Interactive Disassembler (IDA)       |
    .idata:00401000 ; |      Copyright (c) 2002 by DataRescue sa/nv, <ida@datarescue.com>       |
    .idata:00401000 ; |                       Licensed to: Freeware version                     |
    .idata:00401000 ; +-------------------------------------------------------------------------+
    .idata:00401000 ;
    .idata:00401000 ; File Name   : E:\Bat\killnp.exe
    .idata:00401000 ; Format      : Portable executable for IBM PC (PE)
    .idata:00401000 ; Section 1. (virtual address 00001000)
    .idata:00401000 ; Virtual size                  : 000002B8 (    696.)
    .idata:00401000 ; Section size in file          : 00000200 (    512.)
    .idata:00401000 ; Offset to raw data for section: 00000200
    .idata:00401000 ; Flags E0000020: Text Executable Readable Writable
    .idata:00401000 ; Alignment     : 16 bytes ?
    .idata:00401000 ; 
    .idata:00401000 ; Imports from KERNEL32.dll
    .idata:00401000 ; 
    .idata:00401000 
    .idata:00401000                 model flat
    .idata:00401000 
    .idata:00401000 ; ---------------------------------------------------------------------------
    .idata:00401000 
    .idata:00401000 ; Segment type: Externs
    .idata:00401000 ; _idata
    .idata:00401000                 extrn ExitProcess:dword ; DATA XREF: .text:00401171r
    .idata:00401004                 extrn CreateToolhelp32Snapshot:dword
    .idata:00401004                                         ; DATA XREF: .text:004010F6r
    .idata:00401008 ; BOOL __stdcall CloseHandle(HANDLE hObject)
    .idata:00401008                 extrn CloseHandle:dword ; DATA XREF: .text:00401152r
    .idata:00401008                                         ; .text:00401169r
    .idata:0040100C                 extrn Process32First:dword ; DATA XREF: .text:00401111r
    .idata:00401010                 extrn Process32Next:dword ; DATA XREF: .text:0040115Er
    .idata:00401014 ; HANDLE __stdcall OpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId)
    .idata:00401014                 extrn OpenProcess:dword ; DATA XREF: .text:0040113Er
    .idata:00401018 ; BOOL __stdcall TerminateProcess(HANDLE hProcess,UINT uExitCode)
    .idata:00401018                 extrn TerminateProcess:dword ; DATA XREF: .text:0040114Cr
    .idata:0040101C 
    .idata:0040101C 
    .text:00401020 ; ---------------------------------------------------------------------------
    .text:00401020 
    .text:00401020 ; Segment type: Pure code
    .text:00401020 _text           segment para public 'CODE' use32
    .text:00401020                 assume cs:_text
    .text:00401020                 ;org 401020h
    .text:00401020                 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
    .text:00401020                 dd 1056h, 2 dup(0), 1048h, 1000h, 5 dup(0), 4E52454Bh
    .text:00401020                 dd 32334C45h, 6C6C642Eh, 10760000h, 10840000h, 10A00000h
    .text:00401020                 dd 10AE0000h, 10C00000h, 10D00000h, 10DE0000h, 2 dup(0)
    .text:00401020                 dd 74697845h, 636F7250h, 737365h, 72430000h, 65746165h
    .text:00401020                 dd 6C6F6F54h, 706C6568h, 6E533233h, 68737061h, 746Fh, 6C430000h
    .text:00401020                 dd 4865736Fh, 6C646E61h, 65h, 636F7250h, 33737365h, 72694632h
    .text:00401020                 dd 7473h, 72500000h, 7365636Fh, 4E323373h, 747865h, 704F0000h
    .text:00401020                 dd 72506E65h, 7365636Fh, 73h, 6D726554h, 74616E69h, 6F725065h
    .text:00401020                 dd 73736563h
    .text:004010F0                 db 2 dup(0)
    .text:004010F2 ; ---------------------------------------------------------------------------
    .text:004010F2 
    .text:004010F2                 public start
    .text:004010F2 start:
    .text:004010F2                 push    0
    .text:004010F4                 push    2
    .text:004010F6                 call    ds:CreateToolhelp32Snapshot
    .text:004010FC                 mov     ebp, eax
    .text:004010FE                 inc     eax
    .text:004010FF                 jz      short loc_40116F
    .text:00401101                 mov     ds:dword_401190, 128h
    .text:0040110B                 push    offset dword_401190
    .text:00401110                 push    eax
    .text:00401111                 call    ds:Process32First
    .text:00401117                 or      eax, eax
    .text:00401119                 jz      short loc_401168
    .text:0040111B 
    .text:0040111B loc_40111B:                             ; CODE XREF: .text:00401166j
    .text:0040111B                 mov     esi, offset dword_4011B4
    .text:00401120                 mov     edi, offset aNnootteeppaadd ; "NnOoTtEePpAaDd..EeXxEe"
    .text:00401125 
    .text:00401125 loc_401125:                             ; CODE XREF: .text:00401132j
    .text:00401125                 cmpsb
    .text:00401126                 jz      short loc_40112D
    .text:00401128                 dec     esi
    .text:00401129                 cmpsb
    .text:0040112A                 jnz     short loc_401158
    .text:0040112C                 dec     edi
    .text:0040112D 
    .text:0040112D loc_40112D:                             ; CODE XREF: .text:00401126j
    .text:0040112D                 inc     edi
    .text:0040112E                 test    byte ptr [edi-1], 0FFh
    .text:00401132                 jnz     short loc_401125
    .text:00401134                 push    ds:dword_401198
    .text:0040113A                 push    0
    .text:0040113C                 push    1
    .text:0040113E                 call    ds:OpenProcess
    .text:00401144                 or      eax, eax
    .text:00401146                 jz      short loc_401168
    .text:00401148                 push    eax
    .text:00401149                 push    0
    .text:0040114B                 push    eax
    .text:0040114C                 call    ds:TerminateProcess
    .text:00401152                 call    ds:CloseHandle
    .text:00401158 
    .text:00401158 loc_401158:                             ; CODE XREF: .text:0040112Aj
    .text:00401158                 push    offset dword_401190
    .text:0040115D                 push    ebp
    .text:0040115E                 call    ds:Process32Next
    .text:00401164                 or      eax, eax
    .text:00401166                 jnz     short loc_40111B
    .text:00401168 
    .text:00401168 loc_401168:                             ; CODE XREF: .text:00401119j
    .text:00401168                                         ; .text:00401146j
    .text:00401168                 push    ebp
    .text:00401169                 call    ds:CloseHandle
    .text:0040116F 
    .text:0040116F loc_40116F:                             ; CODE XREF: .text:004010FFj
    .text:0040116F                 push    0
    .text:00401171                 call    ds:ExitProcess
    .text:00401171 ; ---------------------------------------------------------------------------
    .text:00401177 aNnootteeppaadd db 'NnOoTtEePpAaDd..EeXxEe',0 ; DATA XREF: .text:00401120o
    .text:0040118E                 align 4
    .text:00401190 dword_401190    dd 0                    ; DATA XREF: .text:00401101w
    .text:00401190                                         ; .text:0040110Bo ...
    .text:00401194                 align 8
    .text:00401198 dword_401198    dd 0                    ; DATA XREF: .text:00401134r
    .text:0040119C                 dd 6 dup(0)
    .text:004011B4 dword_4011B4    dd 13h dup(0)           ; DATA XREF: .text:0040111Bo
    .text:00401200                 dd 2Eh dup(?)
    .text:00401200 _text           ends
    .text:00401200 
    .text:00401200 
    .text:00401200                 end start

  2. #2
    of course it's PE.. see the api calls? and ida is also saying it's PE!

    it's simple, it enumerates through the processes, looking for 'notepad.exe' (though the string in that one is a bit fucked up..), it then does an openprocess on the process id, then terminates

    not rocket science..

    disassembly looks shit too, are u sure u know how to use ida?
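To make the point about the odd-looking string concrete, here is an added Python model of the compare loop at .text:00401125..00401132 (constructed for this thread, not code from any of the posters). It assumes the 'align 4' byte after the string's terminator is zero, which is the byte the loop's final test reads when the name ends exactly where the pattern does.

```python
# Model of the loop at .text:00401125..00401132 in the listing above.
# Each character of "notepad.exe" is stored twice, upper then lower case,
# so a single CMPSB pass matches either case without a case-folding API.
# Constructed sample code, not code from the thread.

# The string at .text:00401177, its NUL terminator, and one byte of the
# 'align 4' padding (assumed zero) that the final test can read.
PATTERN = b"NnOoTtEePpAaDd..EeXxEe\0\0"


def interleaved_match(exe_name: bytes, pattern: bytes = PATTERN) -> bool:
    """Return True when exe_name (PROCESSENTRY32.szExeFile, NUL-terminated)
    matches the interleaved pattern case-insensitively, as the asm does."""
    name = exe_name + b"\0"
    esi = 0                       # index into the process name
    edi = 0                       # index into the pattern
    while True:
        c = name[esi]
        # cmpsb: if [esi] == [edi] jump ahead (jz loc_40112D); otherwise
        # dec esi and cmpsb again against the lower-case twin at [edi+1].
        # A second mismatch means "not this process" (jnz loc_401158).
        if c != pattern[edi] and c != pattern[edi + 1]:
            return False
        # Both paths leave esi one further and edi two further along
        # (the dec edi / inc edi pair cancels out on the second path).
        esi += 1
        edi += 2
        # test byte ptr [edi-1], 0FFh: a zero byte means the pattern's
        # terminator just matched the name's terminator, so the whole
        # name matched and the code falls through to OpenProcess.
        if pattern[edi - 1] == 0:
            return True


if __name__ == "__main__":
    for sample in (b"notepad.exe", b"NOTEPAD.EXE", b"NotePad.exe",
                   b"notepad.exe2", b"notepad", b"wordpad.exe"):
        print(sample.decode(), interleaved_match(sample))
```

The other operands line up with the ANSI PROCESSENTRY32 layout: dword_401190 is the structure itself (dwSize = 128h = 296), dword_401198 is th32ProcessID at offset 8, and dword_4011B4 is szExeFile at offset 24h.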

  3. #3
    Tested 2 versions of ollydbg (V1.09d and 1.10); it didn't "lock" up.
    esther


    Reverse the code,Reverse Your Minds First

  4. #4

    Help

    Quote Originally Posted by esther:
    Tested 2 versions of ollydbg (V1.09d and 1.10); it didn't "lock" up.
    < I would like to get it to a form that Masm 6.14 can assemble. >

    This is what I posted, can you help with that ?

  5. #5
    Quote Originally Posted by evlncrn8:
    disassembly looks shit too, are u sure u know how to use ida?
    what do you mean by that?

  6. #6
    Probably some of the data is code.
    A picture is worth 1K words (or .5K DWORDS).

  7. #7
    That's what I queried: they didn't look like code to me at first sight. That is the import table; if you look a little more deeply you will see the first thunk pointers, a string kernel32.dll and the other imports in there.
    Probably used the /merge .text erw linker switch, and the complete import table is sitting there in its raw form.

    That's how ida shows them as far as I have seen, in spite of it knowing exactly what it is and doing a pretty good job of resolving the imports too.

    That's what I don't like with ida: it can't make life easier but expects one to know a bit of magic to use it.

    It could have simply interspersed a hex view up there or collapsed it, knowing that it is an import table, and not give
    dd 123
    dd 345
    dd you press d
    dd you press c
    dd you write idc
    dd you write plugin
    dd you get lost in maze

    for others to make wild guesses.
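To check blabberer's reading of the dd block, here is an added Python parser (constructed for this thread, not code from any of the posters) that treats the dwords at .text:00401020 as a raw IMAGE_IMPORT_DESCRIPTOR array and walks it the way a PE loader would.

```python
import struct

# Dwords IDA listed at .text:00401020 (dup() expanded), transcribed from the
# listing above. Image base is 0x400000, so this blob starts at RVA 0x1020.
BLOB_RVA = 0x1020
DWORDS = [
    0x1056, 0, 0, 0x1048, 0x1000, 0, 0, 0, 0, 0, 0x4E52454B,
    0x32334C45, 0x6C6C642E, 0x10760000, 0x10840000, 0x10A00000,
    0x10AE0000, 0x10C00000, 0x10D00000, 0x10DE0000, 0, 0,
    0x74697845, 0x636F7250, 0x737365, 0x72430000, 0x65746165,
    0x6C6F6F54, 0x706C6568, 0x6E533233, 0x68737061, 0x746F, 0x6C430000,
    0x4865736F, 0x6C646E61, 0x65, 0x636F7250, 0x33737365, 0x72694632,
    0x7473, 0x72500000, 0x7365636F, 0x4E323373, 0x747865, 0x704F0000,
    0x72506E65, 0x7365636F, 0x73, 0x6D726554, 0x74616E69, 0x6F725065,
    0x73736563,
]
# Little-endian dwords, plus the trailing "db 2 dup(0)" at .text:004010F0.
BLOB = b"".join(struct.pack("<I", d) for d in DWORDS) + b"\0\0"


def u32(rva):
    return struct.unpack_from("<I", BLOB, rva - BLOB_RVA)[0]


def cstr(rva):
    start = rva - BLOB_RVA
    return BLOB[start:BLOB.index(b"\0", start)].decode("ascii")


def parse_imports():
    """Walk the IMAGE_IMPORT_DESCRIPTOR array (20-byte entries, ended by an
    all-zero entry) and resolve each OriginalFirstThunk to (hint, name)."""
    imports = []
    desc = BLOB_RVA
    while True:
        oft, stamp, fwd, name, ft = struct.unpack_from("<5I", BLOB, desc - BLOB_RVA)
        if (oft, stamp, fwd, name, ft) == (0, 0, 0, 0, 0):
            break
        funcs, thunk = [], oft
        while u32(thunk) != 0:
            entry = u32(thunk)
            if entry & 0x80000000:            # import by ordinal
                funcs.append(("ordinal", entry & 0xFFFF))
            else:                             # IMAGE_IMPORT_BY_NAME: WORD hint, then name
                hint = struct.unpack_from("<H", BLOB, entry - BLOB_RVA)[0]
                funcs.append((hint, cstr(entry + 2)))
            thunk += 4
        imports.append({"dll": cstr(name), "first_thunk": ft, "functions": funcs})
        desc += 20
    return imports


if __name__ == "__main__":
    for imp in parse_imports():
        print(imp["dll"], "IAT at RVA %#x" % imp["first_thunk"])
        for hint, fn in imp["functions"]:
            print("   ", hint, fn)
```

The descriptor's FirstThunk RVA is 0x1000, exactly the .idata slots IDA labelled ExitProcess through TerminateProcess, and the names come out in that same order. An import directory sitting inside the code section is what the /merge explanation above would produce.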

  8. #8

    Comment

    Quote Originally Posted by blabberer:
    what do you mean by that?
    He's just complaining.

    Hope you have a good Sunday.

    Reckin' not many use masm anymore.

  9. #9

    Thanks.

    Quote Originally Posted by esther:
    Tested 2 versions of ollydbg (V1.09d and 1.10); it locked up like you said.
    Thanks for verifying it.

  10. #10
    Ok guys, I still have problems terminating the process of the exe. I have included the compiled exe. Would anyone kindly help? (Please scan the attachment to confirm it's clean from viruses, blah blah.)

    .586
    .model flat,stdcall
    option casemap:none

    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\user32.inc
    include \masm32\include\masm32.inc
    include \masm32\include\advapi32.inc

    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\kernel32.lib
    includelib \masm32\lib\masm32.lib
    includelib \masm32\lib\advapi32.lib

    .data
    FileName db "NnOoTtEePpAaDd..EeXxEe",0
    handle dd ?

    .data?
    hSnapshot HANDLE ?
    processInfo PROCESSENTRY32 <>

    .code
    start:
    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    mov hSnapshot,eax
    inc eax
    je @end
    mov processInfo.dwSize, sizeof PROCESSENTRY32

    invoke Process32First, hSnapshot, addr processInfo
    or eax,eax
    je @close

    @name:
    mov esi,403048h
    mov edi,offset FileName

    @compare:
    cmpsb
    dec esi
    cmpsb
    jne @test
    dec edi

    @carryon:
    inc edi
    TEST BYTE PTR DS:[EDI-1],0FFh
    jne @compare
    push 000
    push 001
    call OpenProcess
    or eax, eax
    jne @close

    push eax
    push 000
    push eax

    invoke TerminateProcess,handle,0
    invoke CloseHandle,handle

    @test:
    invoke Process32Next, hSnapshot, addr processInfo
    or eax, eax
    jnz @name


    @close:
    call CloseHandle

    @end:

    invoke ExitProcess, 0


    End start
    esther


    Reverse the code,Reverse Your Minds First

  11. #11

    Thanks and more info

    Thanks Esther.

    Some more info that may help. I have the .exe and could upload it for help in the analysis.

    The file started as some sort of script that built a .com file
    and then was made into a .exe file.

    It has no virus or malware.

  12. #12

    Almost there

    A SAFE PROGRAM

    Hackman.exe shows this text, but I didn't see it using OllyDbg. Is there a setting I need to set?

    MASM code (works with Ver. 6.14)

    ; esther.asm Supposed to end notepad.exe
    ;
    ; Help from H.K.,Frank,
    ; Currently not working
    ;
    .586
    .model flat,stdcall
    option casemap:none

    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\user32.inc
    include \masm32\include\masm32.inc
    include \masm32\include\advapi32.inc

    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\kernel32.lib
    includelib \masm32\lib\masm32.lib
    includelib \masm32\lib\advapi32.lib

    .data
    org 401020h ; SECRET TEXT Hackman shows it

    dd 1056h, 2 dup(0), 1048h, 1000h, 5 dup(0), 4E52454Bh
    dd 32334C45h, 6C6C642Eh, 10760000h, 10840000h, 10A00000h
    dd 10AE0000h, 10C00000h, 10D00000h, 10DE0000h, 2 dup(0)
    dd 74697845h, 636F7250h, 737365h, 72430000h, 65746165h
    dd 6C6F6F54h, 706C6568h, 6E533233h, 68737061h, 746Fh, 6C430000h
    dd 4865736Fh, 6C646E61h, 65h, 636F7250h, 33737365h, 72694632h
    dd 7473h, 72500000h, 7365636Fh, 4E323373h, 747865h, 704F0000h
    dd 72506E65h, 7365636Fh, 73h, 6D726554h, 74616E69h, 6F725065h
    dd 73736563h
    db 2 dup(0)

    FileName db "NnOoTtEePpAaDd..EeXxEe",0
    handle dd ?

    dword_4011B4 dd 13h dup(0)
    dd 2Eh dup(?)


    .data?

    hSnapshot HANDLE ?
    processInfo PROCESSENTRY32 <>

    .code

    start:

    invoke CreateToolhelp32Snapshot, TH32CS_SNAPPROCESS, 0
    mov hSnapshot,eax
    inc eax

    je @end
    mov processInfo.dwSize, sizeof PROCESSENTRY32
    invoke Process32First, hSnapshot, addr processInfo
    or eax,eax
    je @close

    @name:

    mov esi,offset 403048h
    mov edi,offset FileName

    @compare:

    cmpsb
    jz @carryon
    dec esi
    cmpsb
    jne @test
    dec edi

    @carryon:

    inc edi
    TEST BYTE PTR DS:[EDI-1],0FFh
    jne @compare
    push 000
    push 001
    call OpenProcess
    or eax, eax
    jne @close

    push eax
    push 000
    push eax

    invoke TerminateProcess,handle,0
    invoke CloseHandle,handle

    @test:

    invoke Process32Next, hSnapshot, addr processInfo
    or eax, eax
    jnz @name

    @close:

    call CloseHandle

    @end:

    invoke ExitProcess, 0

    End start

  13. #13
    Quote Originally Posted by esther:
    Ok guys, I still have problems terminating the process of the exe. I have included the compiled exe. Would anyone kindly help? (Please scan the attachment to confirm it's clean from viruses, blah blah.)
    You assembled it from the ida disassembly, esther?

    I'm not sure what you mean by terminate the program,
    but I think it may be linked with you not passing the right handle to CloseHandle().
    Where are you filling up the handle first?
    Also, if that is the handle from OpenProcess(), your asm code doesn't seem to be saving it.

    swimmer
    Though your query doesn't make much sense, I think you are asking if you can reassemble the asm spit out by ida?
    If that's your question, in most circumstances it is a big no;
    on small uncomplicated exes it is a yes.

    If reassembling the disassembly is your main request you should check out
    bengalys pvdasm (pvdasm.reverse-engineering.net); he supports one such feature in his disassembler, or another product that's named rosasm claims to have a reassembly feature.

    Not sure about results, I have not tried both.

    Last of all, zip up the com, exe, bat, whatever and attach it; let me see what's up with it in ollydbg.

  14. #14

    File etc.

    Thanks.

    I have attached the file.

    I will check out the bengalys pvdasm advice.

  15. #15
    hi blabber,
    Sorry I don't have ida,I'm using olly to debug my "code" comparing with the "original exe"(coz I'm not sure if its the same exe that swimmer mention).As you can see my "code" is very similar to what swimmer posted the ida list.you can say I copied from there.you can try debug it and have a go (Sorry for messy code.I'm a newbie in coding heh)I have upload the batch file and the original one.
    ==================================================
    swimmer you mistook blabber's question,he wants the original.exe.
    And what you upload has errors.*invalid handle error".get the latest compiler in masm32.cjb.net

    later
    esther


    Reverse the code,Reverse Your Minds First
