
Thread: Using the disasm source code

  1. #1

    Using the disasm source code

    I'm new here, please be gentle

    I've been using Ollydbg on and off for years in my attempt to learn x86 assembler. I've decided to experiment with the Disasm source code as provided on the Ollydbg website, but I have a few questions, which hopefully someone can answer.

    It doesn't look like the source file enables a determination of which Win32 API is called ... how is this done? That is, how can you translate a call xxxxxx routine to mean (eg) call Win32.ReadFile ?

    Does Disasm also provide information about the pre-asm preamble in a PE, such as the .data section? If not, how does this get displayed in the hex dump window in Ollydbg?

    My last point concerns the use of Disasm in a windows program. I'd like to read in another executable, which is then totally disassembled, and I thought about the following:

    FILE *input;
    char filename[100]; // filename will be something like "helloworld.exe"
    int count;
    char *cFile;
    ulong lFileLen;

    input = fopen(filename, "rb");

    fseek(input, 0, SEEK_END); // ftell() only reports the current position, so move to the end first
    lFileLen = ftell(input);
    rewind(input);

    cFile = calloc(lFileLen + 1, sizeof(char));
    fread(cFile, 1, lFileLen, input);
    fclose(input);

    t_disasm da;
    ulong l = Disasm( cFile,
    ????????, <----------------------- what goes here????? The initial address of the PE? If so, won't this confuse the disassembler?

    I'm not sure about the section I've marked above, and hence not sure if my little routine will work. Can anyone help?

    Many thanks

    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    This function needs the opcode and returns the mnemonic for it. That's all.

    All PE-file related things have to be done by you.

  3. #3
    Super Moderator
    Join Date
    Dec 2004
    The disasm source is very, very old; it pertains to OllyDbg version 1.04.

    the disasm source contains only one function and it needs a char pointer

    ulong Disasm(char *src,ulong srcsize,ulong srcip,
    t_disasm *disasm,int disasmmode);

    All the file-related thingamajigs will be done by you, and you have to provide the proper address to the function:

    CreateFile -> ReadFile -> parse file for PE header AddressOfEntryPoint -> provide the Disasm function with that address
    -> take back the disassembled buffer -> do whatever you want; use the return of that function to go to the next possibly valid address, disassemble,
    and keep on doing it till the whole code is disassembled or till you hit a block where you can't deduce the next branch.
    Now you have to adopt heuristics -> your own analysis data etc. to further disassemble, and the game becomes endless from here.
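    The steps above (and the "what goes here?" in the first post) come down to locating AddressOfEntryPoint in the PE headers and turning that RVA into a file offset plus a virtual address, because Disasm only decodes the bytes it is handed. The following is an added example, not code from the thread or from the OllyDbg sources: it walks the DOS header, PE signature, COFF header, PE32 optional header and section table with bounds checks on every offset (header fields in an untrusted file can point anywhere), and builds a constructed 1 KiB PE32 skeleton in memory so it runs offline. The struct it returns holds the three values that, going by the signature quoted above, are the src, srcsize and srcip arguments; the Disasm call itself is left as a comment since its source is not included here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What pe_find_entry() hands back: enough for the first three Disasm()
 * arguments (buffer pointer, bytes available, virtual address). */
typedef struct {
    uint32_t image_base;     /* ImageBase from the optional header */
    uint32_t entry_rva;      /* AddressOfEntryPoint */
    uint32_t entry_va;       /* image_base + entry_rva: the srcip value */
    uint32_t entry_file_off; /* offset of the entry point inside the file buffer */
    uint32_t bytes_left;     /* raw bytes from the entry point to the end of its section */
} pe_entry_t;

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk DOS header -> "PE\0\0" -> COFF header -> PE32 optional header -> section
 * table. Every offset is checked against len. Returns 0 on success, <0 if the
 * image is malformed or the entry point is not backed by raw file data. */
int pe_find_entry(const unsigned char *img, size_t len, pe_entry_t *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe_off = rd32(img + 0x3C);                      /* e_lfanew */
    if (pe_off > len || len - pe_off < 4 + 20) return -2;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return -2;
    const unsigned char *coff = img + pe_off + 4;
    uint16_t nsect = rd16(coff + 2);                         /* NumberOfSections */
    uint16_t optsize = rd16(coff + 16);                      /* SizeOfOptionalHeader */
    size_t opt_off = (size_t)pe_off + 4 + 20;
    if (optsize < 32 || optsize > len - opt_off) return -3;
    const unsigned char *opt = img + opt_off;
    if (rd16(opt) != 0x10B) return -4;                       /* PE32 only; PE32+ lays fields out differently */
    uint32_t entry_rva = rd32(opt + 16);                     /* AddressOfEntryPoint */
    uint32_t image_base = rd32(opt + 28);                    /* ImageBase */
    size_t sect_off = opt_off + optsize;
    if ((size_t)nsect * 40 > len - sect_off) return -5;      /* section table past EOF */
    for (uint16_t i = 0; i < nsect; i++) {
        const unsigned char *s = img + sect_off + (size_t)i * 40;
        uint32_t va = rd32(s + 12), rawsize = rd32(s + 16), rawptr = rd32(s + 20);
        if (entry_rva < va || entry_rva - va >= rawsize) continue;
        uint32_t delta = entry_rva - va;
        if (rawptr > len || rawsize > len - rawptr) return -6; /* section claims bytes past EOF */
        out->image_base = image_base;
        out->entry_rva = entry_rva;
        out->entry_va = image_base + entry_rva;
        out->entry_file_off = rawptr + delta;
        out->bytes_left = rawsize - delta;
        return 0;
    }
    return -7; /* no section's raw data covers the entry point */
}

#define SAMPLE_LEN 0x400
static void wr16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }
static void wr32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i)); }

/* Constructed sample: a 1 KiB PE32 skeleton with one .text section, not a real program. */
void build_sample_image(unsigned char *img)
{
    memset(img, 0, SAMPLE_LEN);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x80);                   /* e_lfanew: PE header at 0x80 */
    memcpy(img + 0x80, "PE\0\0", 4);
    wr16(img + 0x84 + 0, 0x14C);              /* Machine = i386 */
    wr16(img + 0x84 + 2, 1);                  /* NumberOfSections */
    wr16(img + 0x84 + 16, 0xE0);              /* SizeOfOptionalHeader for PE32 */
    wr16(img + 0x98 + 0, 0x10B);              /* Magic = PE32 */
    wr32(img + 0x98 + 16, 0x1010);            /* AddressOfEntryPoint (RVA) */
    wr32(img + 0x98 + 28, 0x400000);          /* ImageBase */
    unsigned char *sect = img + 0x98 + 0xE0;  /* first section header at 0x178 */
    memcpy(sect, ".text", 5);
    wr32(sect + 8, 0x100);                    /* VirtualSize */
    wr32(sect + 12, 0x1000);                  /* VirtualAddress */
    wr32(sect + 16, 0x200);                   /* SizeOfRawData */
    wr32(sect + 20, 0x200);                   /* PointerToRawData */
    img[0x210] = 0x55; img[0x211] = 0x8B; img[0x212] = 0xEC; /* push ebp; mov ebp,esp */
}

int main(void)
{
    unsigned char img[SAMPLE_LEN];
    pe_entry_t e;
    build_sample_image(img);
    if (pe_find_entry(img, sizeof img, &e) != 0) { puts("malformed image"); return 1; }
    printf("entry VA %08X at file offset %05X, %u bytes to section end\n",
           (unsigned)e.entry_va, (unsigned)e.entry_file_off, (unsigned)e.bytes_left);
    /* With the real header included, the next line would be
     * Disasm((char *)img + e.entry_file_off, e.bytes_left, e.entry_va, &da, disasmmode);
     * passing the VA as srcip keeps relative jump/call targets correct. */
    return 0;
}
```

    Passing the virtual address rather than the file offset as srcip is what keeps the decoded relative targets sane, which is the concern raised in the first post; the file offset is only used to pick which bytes to hand over. The loop the moderator describes then advances the pointer, size and VA by the length Disasm returns.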

  4. #4
    Ah, I should have guessed it was old by the "2001" date at the end

    Is a more recent version of the source to be released soon?

    Thanks for your help!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    Registered User upb's Avatar
    Join Date
    May 2003
    better use this
    “The key to understanding complicated things is to know what not to look at and what not to compute and what not to think.”

  6. #6
    son of Bungo & Belladonna bilbo's Avatar
    Join Date
    Mar 2004
    A search inside Sourceforge will give you other interesting results:

    TatraDIS (last updated on Christmas 2007), nice interface, written in Delphi, including a Delphi control for your programs

    UDis86, simple library well documented

    PEReader, with interesting code-locating techniques and an attempt to identify the arguments of the Windows API

    Best regards, bilbo
    It is not because things are difficult that we do not dare; it is because we do not dare that they are difficult. [Seneca, Epistulae Morales 104, 26]

  7. #7
    Thanks Bilbo and upb, I have read some of the technical material (Microsoft papers etc.), and it was tough going at first. I was wondering if there was any source code showing how to do it from scratch? I've found some code that will enable the entrypoint to be found, but I'm having some difficulty finding out an easy way (!) to determine the data in thunk tables. Perhaps the Bastard source files might be able to help...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #8
    Just one more question: how on earth does Olly manage to determine the exported dll function prototypes (even down to the name of the argument in MSDN!) ??
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #9
    Super Moderator
    Join Date
    Dec 2004
    Olly creates its own custom tables, stores its analysis data in those tables and then utilises them to label the functions with args.
    Take a look at the Analyse function in OllyDbg, take a look at all those NM_ labels, and take a look at the custom function description in the OllyDbg help file.

  10. #10
    Thanks for your help. Oleh informs that there is a 900k internal database of windows API (their prototypes). Gosh. I'd better start typing then....
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #11
    Super Moderator
    Join Date
    Dec 2004
    And Oleh, if he informed you, hasn't exaggerated anything:

    005D739C  WinMain..AL=hCurrInstance,L=hPrevInstance,A=CmdLine,SW_X:ShowSta
    005D73DC  te.DllEntryPoint..AL=hDLLInstance,DLL_X:CallReason,P=pReserved.W
    005D741C  inProc..Aw=hWnd,WM_X:Message,H=wParam,H=lParam.DllInstall..AB=In
    005D745C  stall,A=CmdLine.Format..@M=format,....Sformat..@P=ptr,M=format,.
    005D749C  ...StdFunc0..@.StdFunc1..@u=Arg1.StdFunc2..@u=Arg1,u=Arg2.StdFun
    005D74DC  c3..@u=Arg1,u=Arg2,u=Arg3.StdFunc4..@u=Arg1,u=Arg2,u=Arg3,u=Arg4
    005D751C  .StdFunc5..@u=Arg1,u=Arg2,u=Arg3,u=Arg4,u=Arg5.StdFunc6..@u=Arg1
    005D755C  ,u=Arg2,u=Arg3,u=Arg4,u=Arg5,u=Arg6.StdFunc7..@u=Arg1,u=Arg2,u=A
    005D759C  rg3,u=Arg4,u=Arg5,u=Arg6,u=Arg7.StdFunc8..@u=Arg1,u=Arg2,u=Arg3,
    005D75DC  u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=Arg8.StdFunc9..@u=Arg1,u=Arg2,u=Ar
    005D761C  g3,u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=Arg8,u=Arg9.StdFunc10..@u=Arg1,
    005D765C  u=Arg2,u=Arg3,u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=Arg8,u=Arg9,u=Arg10.
    005D769C  StdFunc11..@u=Arg1,u=Arg2,u=Arg3,u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=A
    005D76DC  rg8,u=Arg9,u=Arg10,u=Arg11.StdFunc12..@u=Arg1,u=Arg2,u=Arg3,u=Ar
    005D771C  g4,u=Arg5,u=Arg6,u=Arg7,u=Arg8,u=Arg9,u=Arg10,u=Arg11,u=Arg12.St
    005D775C  dFunc13..@u=Arg1,u=Arg2,u=Arg3,u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=Arg
    005D779C  8,u=Arg9,u=Arg10,u=Arg11,u=Arg12,u=Arg13.StdFunc14..@u=Arg1,u=Ar
    005D77DC  g2,u=Arg3,u=Arg4,u=Arg5,u=Arg6,u=Arg7,u=Arg8,u=Arg9,u=Arg10,u=Ar
    005D781C  g11,u=Arg12,u=Arg13,u=Arg14.StdFunc15..@u=Arg1,u=Arg2,u=Arg3,u=A
    005F1E1E  DOS_MaxMem,B2@H= DOS_ReloSS,B2@H= DOS_ExeSP,B2@H= DOS_ChkSum,B2@
    005F1E5E  H= DOS_ExeIP,B2@H= DOS_ReloCS,B2@H= DOS_TablOff,B2@H= DOS_Overla
    005F1E9E  y.COFFheader..HB2@COFF_MACHINE:Machine,B2@I= NumberOfSections,D4
    005F1EDE  @H= TimeDateStamp,D4@H= PointerToSymbolTable,D4@I= NumberOfSymbo
    005F1F1E  ls,B2@I= SizeOfOptionalHeader,B2@COFF_CHARACT: Characteristics.C
    005F1F5E  OFFoptstdheader..HB2@COFF_OPTMAGIC:MagicNumber,A1@I= MajorLinker
    005F1F9E  Version,A1@I= MinorLinkerVersion,D4@I= SizeOfCode,D4@I= SizeOfIn
    005F1FDE  itializedData,D4@I= SizeOfUninitializedData,D4@H= AddressOfEntry
    005F201E  Point,D4@H= BaseOfCode,D4@H= BaseOfData.COFFspecificheader..HD4@
    005F205E  H=ImageBase,D4@H= SectionAlignment,D4@H= FileAlignment,B2@I= Maj
    005F209E  orOSVersion,B2@I= MinorOSVersion,B2@I= MajorImageVersion,B2@I= M
    005F20DE  inorImageVersion,B2@I= MajorSubsystemVersion,B2@I= MinorSubsyste
    005F211E  mVersion,D4@D= Reserved,D4@I= SizeOfImage,D4@I= SizeOfHeaders,D4
    005F215E  @H= CheckSum,B2@COFF_SUBSYSTEM: Subsystem,B2@H= DLLCharacteristi
    005F219E  cs,D4@I= SizeOfStackReserve,D4@I= SizeOfStackCommit,D4@I= SizeOf
    005F21DE  HeapReserve,D4@I= SizeOfHeapCommit,D4@H= LoaderFlags,D4@I= Numbe
    005F221E  rOfRvaAndSizes.COFFdirectory..HD4@H= Export Table address,D4@I=
    005F225E  Export Table size,D4@H= Import Table address,D4@I= Import Table
    005F229E  size,D4@H= Resource Table address,D4@I= Resource Table size,D4@H
    005F22DE  = Exception Table address,D4@I= Exception Table size,D4@H= Certi
    005F231E  ficate File pointer,D4@I= Certificate Table size,D4@H= Relocatio
    005F235E  n Table address,D4@I= Relocation Table size,D4@H= Debug Data add
    005F239E  ress,D4@I= Debug Data size,D4@H= Architecture Data address,D4@I=
    005F23DE   Architecture Data size,D4@H= Global Ptr address,D4@D= Must be 0
    005F241E  ,D4@H= TLS Table address,D4@I= TLS Table size,D4@H= Load Config
    005F245E  Table address,D4@I= Load Config Table size,D4@H= Bound Import Ta
    005F249E  ble address,D4@I= Bound Import Table size,D4@H= Import Address T
    005F24DE  able address,D4@I= Import Address Table size,D4@H= Delay Import
    005F251E  Descriptor address,D4@I= Delay Import Descriptor size,D4@H= COM+
    005F255E   Runtime Header address,D4@I= Import Address Table size,D4@D= Re
    005F259E  served,D4@D= Reserved.COFFsection..HA8@D=SECTION,D4@I= VirtualSi
    005F25DE  ze,D4@H= VirtualAddress,D4@I= SizeOfRawData,D4@H= PointerToRawDa
    005F261E  ta,D4@H= PointerToRelocations,D4@H= PointerToLineNumbers,B2@I= N
    005F265E  umberOfRelocations,B2@I= NumberOfLineNumbers,D4@COFF_SECTCHAR: C
    005F269E  haracteristics.
    If you want to have some help then you can check out jstormes' stollyplugin and its source and/or its ini file; he uses almost the same size-defined syntax to show the structures.


  12. #12
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Ring -1
    A bunch of disasm libraries in the CRCETL, for you to study and learn from:
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  13. #13
    I use disasm in my Armageddon tool. While some may consider it old, how much has really changed? Yes, it does have some weaknesses, but is fairly straightforward and easy to integrate and use for basic things (i.e. disassemble / assemble a few instructions on the fly). I wouldn't recommend it though for full blown disassembling or assembling many, many instructions or a whole program.

    If at first you don't succeed, you're just about average

  14. #14
    <script>alert(0)</script> disavowed's Avatar
    Join Date
    Apr 2002
    I've been using distorm since it's one of the few that supports x64. It's not the easiest code to work with, but you can get it to do what you need with just a few hours of tinkering.

  15. #15
    Registered User
    Join Date
    Mar 2003
    Hacker Disassembler Engine

    I've always thought this was a nice tidy piece of code
