Thread: Sun VirtualBox Disassembler Explantation

  1. #1
    ::[ Reverse Engineer ]:: OHPen's Avatar
    Join Date
    Nov 2002
    Location
    .text
    Posts
    399
    Blog Entries
    5

    Sun VirtualBox Disassembler Explantation

    Hey,

    Because I needed a good disassembler for my projects, I checked different distributions on the internet. Most of them are homebrew, and the support, or let's better talk about MAINTENANCE, is in most cases not the best.

    I really hate it if I use a component and realize that there is a bug and the releaser of the component is not able to fix it or sometimes has no real interest in fixing it. That sucks.

    That's why I focused on a disassembler which is well maintained and, last but not least, a good one.

    During my search I stumbled over VirtualBox, which is a similar SUN implementation of VMware's Workstation. The difference is that VirtualBox comes with source, or at least you can download the source ( http://www.sun.com/software/products/virtualbox/get.jsp ).

    I thought that they pretty sure have to have a working disassembler inside their virtual machine, and bingo... they have.
    The problem was that the disassembler was not contained in the form of a library; it was simply integrated in the source.

    It took me about 2 hours to explant the needed source parts out of VirtualBox and build a library project for it.

    I now use it for my projects and it is very useful for me.

    There is only one problem you will discover when you try the example. I'm looking forward to your solutions for the problem.

    Regards,

    OHPen aka PAPiLLiON


  2. #2
    ::[ Reverse Engineer ]:: OHPen's Avatar
    Join Date
    Nov 2002
    Location
    .text
    Posts
    399
    Blog Entries
    5
    Addition:

    So that you don't think the disassembler library I produced is buggy, I have to mention that for some unknown reason it isn't working in the debug version.

    The assignment

    RTUINTPTR pInstr = (RTUINTPTR)testfunc;

    results in a wrong pointer, instead of pInstr pointing to the beginning of testfunc. I will track down the reason for it as soon as possible.

    OHPen
    Last edited by OHPen; July 17th, 2008 at 06:57.
    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -

  3. #3
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,204
    Blog Entries
    5
    Cool. Thanks for sharing OHPen, and looking forward to that bugfix update too.

    CRCETL:
    http://www.woodmann.com/collaborative/tools/index.php/VirtualBox_Disassembler_Library
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  4. #4
    ::[ Reverse Engineer ]:: OHPen's Avatar
    Join Date
    Nov 2002
    Location
    .text
    Posts
    399
    Blog Entries
    5
    @delta: I'm pretty sure that it is not a bug in the library, because what I do is just a simple cast. The cast cannot change a pointer, except that if you cast to a smaller data type the original pointer value is cut. But in this case the type I'm casting to is an unsigned int, which on my system is 32 bits large. No truncation in this case.

    It's really strange, probably it's some bug in the msvs in debug mode...

  5. #5
    ::[ Reverse Engineer ]:: OHPen's Avatar
    Join Date
    Nov 2002
    Location
    .text
    Posts
    399
    Blog Entries
    5
    REMARK:

    I checked the library again and I was wrong. There is no bug in it. Everything is working fine, even as DEBUG release.

    Regards,

    OHPen.

  6. #6
    King of Redonda
    Join Date
    Jul 2006
    Posts
    109
    Blog Entries
    4
    I think the problem is that in VC debug mode, function pointers to your functions are pointers to JMPs to the real code.
    <[TN]FBMachine> i got kicked out of barnes and noble once for moving all the bibles into the fiction section

  7. #7
    ::[ Reverse Engineer ]:: OHPen's Avatar
    Join Date
    Nov 2002
    Location
    .text
    Posts
    399
    Blog Entries
    5
    Exactly, although I debug nearly every day, I forgot that and thought the library has some bug, hehe.

  8. #8
    son of Bungo & Belladonna bilbo's Avatar
    Join Date
    Mar 2004
    Location
    Rivendell
    Posts
    310
    Wow! Innotek VirtualBox has been bought by Sun and comes Open Source! That is great news!

    If you do not want to point to the internal functions jump table, built by the Microsoft Linker in debug mode, you can always check for the first byte of the function and, if it is 0xE9 (JMP), you can redirect your disassembler to the true function address calculated from the following 4 bytes...
    Code:
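    // 0xE9 = JMP rel32: the real target is the address after the 5-byte jump plus the 4-byte displacement
    if (*(unsigned char *)pInstr == 0xE9) pInstr += 5 + *(unsigned long *)(pInstr+1);
    And do not forget to define LOG_ENABLED at the top of the file DisasmCore.cpp, else the register names do not show in the disassembly!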

    Best regards, bilbo
    Last edited by bilbo; July 18th, 2008 at 23:09.
    Non quia difficilia sunt, non audemus, sed quia non audemus, difficilia sunt.[Seneca, Epistulae Morales 104, 26]
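
The thunk check from post #8, as an added example that is not part of the original thread or of the VirtualBox source: it resolves `E9` (JMP rel32) thunks over a byte buffer instead of live pointers, treats the displacement as signed, and rejects truncated, out-of-range or looping jumps. The names `resolve_jmp_thunk`, `read_rel32`, `demo_resolve` and `THUNK_MAX_HOPS` are hypothetical, and the sample image is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define THUNK_MAX_HOPS 4  /* assumption: stop after a few chained thunks */

/* Read a little-endian signed 32-bit displacement without unaligned access. */
static int32_t read_rel32(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* Follow E9 (JMP rel32) thunks inside buf[0..size). Returns the offset of the
 * first instruction that is not such a thunk, or (size_t)-1 if a jump is
 * truncated, leaves the buffer, or the hop limit is exceeded. */
size_t resolve_jmp_thunk(const uint8_t *buf, size_t size, size_t off)
{
    for (int hop = 0; hop <= THUNK_MAX_HOPS; hop++) {
        if (off >= size)
            return (size_t)-1;
        if (buf[off] != 0xE9)
            return off;                       /* real code starts here */
        if (size - off < 5)
            return (size_t)-1;                /* truncated JMP rel32 */
        int64_t target = (int64_t)off + 5 + read_rel32(buf + off + 1);
        if (target < 0 || (uint64_t)target >= size)
            return (size_t)-1;                /* jump leaves the buffer */
        off = (size_t)target;
    }
    return (size_t)-1;                        /* too many hops: likely a loop */
}

/* Constructed sample image: forward thunk at 0x00, function body at 0x20,
 * backward thunk at 0x30, self-jump at 0x40, truncated E9 at 0x4E. */
size_t demo_resolve(size_t start)
{
    uint8_t img[0x50];
    memset(img, 0xCC, sizeof img);
    static const uint8_t fwd[]  = {0xE9, 0x1B, 0x00, 0x00, 0x00}; /* 0x00+5+0x1B = 0x20 */
    static const uint8_t body[] = {0x55, 0x8B, 0xEC};             /* push ebp; mov ebp,esp */
    static const uint8_t back[] = {0xE9, 0xEB, 0xFF, 0xFF, 0xFF}; /* 0x30+5-0x15 = 0x20 */
    static const uint8_t self[] = {0xE9, 0xFB, 0xFF, 0xFF, 0xFF}; /* 0x40+5-5 = 0x40 */
    memcpy(img + 0x00, fwd, sizeof fwd);
    memcpy(img + 0x20, body, sizeof body);
    memcpy(img + 0x30, back, sizeof back);
    memcpy(img + 0x40, self, sizeof self);
    img[0x4E] = 0xE9;
    return resolve_jmp_thunk(img, sizeof img, start);
}
```

A first byte of 0xE9 does not prove the address is a linker thunk, since a function can legitimately begin with a jump, so the resolved offset is a starting point for disassembly rather than a guarantee.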

  9. #9
    ::[ Reverse Engineer ]:: OHPen's Avatar
    Join Date
    Nov 2002
    Location
    .text
    Posts
    399
    Blog Entries
    5
    Hehe, that's a nice suggestion, thank you.

    Actually I am thinking about building a tool which should be able to extract all necessary files out of the VirtualBox source archive automatically. Should be no problem, and it would be great to get a ready-made project out of a newly released version of VirtualBox in seconds.

    Regards,

    OHPen

  10. #10
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,204
    Blog Entries
    5
    That sounds really great I think OHPen.
