News:

MASM32 SDK Description, downloads and other helpful links
MASM32.com New Forum Link
masmforum WebSite

How to write a disassembler

Started by Vineel Kumar Reddy Kovvuri, June 23, 2007, 05:31:46 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Vineel Kumar Reddy Kovvuri

June 23, 2007, 05:31:46 PM


hi everybody,

     I know assembly .... I am intersted in writing a dissembler ....................
     Can anybody tell me what should i learn and what should i possess in order write a dissembler.....
     I have the course Compiler Design  in this semester


can anybody please help mee.......
please reply me .....

thanks inadvance...

   

evlncrn8

#1
June 24, 2007, 01:54:35 AM
you need to (intelligently) reverse the binary data to mnemonic asm
like 0xc3 = ret
xor eax, eax = 33 c0
and so on

it is NOT a simple task, especially when you might have to disassemble obfuscated code, compressed code
and so on, as well as determining data areas, size of those areas and so on...

that, and you'll most likely need to have pretty strong asm knowledge, and pretty strong understanding
of the PE file format (assuming your disassembler will be made for windows executables) etc..

Vineel Kumar Reddy Kovvuri

#2
June 24, 2007, 03:32:06 AM


thank you sir for your reply...

donkey

#3
June 24, 2007, 07:50:40 AM
Hi vineel,

Though I would rarely wish this guy on any one, Betov has written a fairly decent, though primitive, disassembly engine to accompany RosAsm. You might want to look at it as it is distributed with source code albeit in that rather meandering version of assembly. Just don't tell him I referred you, it will get you in trouble and probably labeled as a puppy kicking fascist ;)

Donkey
"Ahhh, what an awful dream. Ones and zeroes everywhere...[shudder] and I thought I saw a two." -- Bender
"It was just a dream, Bender. There's no such thing as two". -- Fry
-- Futurama

Donkey's Stable

Vortex

#4
June 24, 2007, 08:16:12 AM
Vineel,

Here is an interesting project :

Proview (PVDasm) Interactive Program Disassembler

http://pvdasm.reverse-engineering.net/

Vineel Kumar Reddy Kovvuri

#5
June 24, 2007, 10:59:59 AM

thanks for your replies

        I did a program which will dump the headers and sections of a PE file ......................
I am now struggling to retrieve the imports and exports of a PE file. I studied various tutorials on the PE format
but all of them confused me  in explaining about Imports(.idata) and exports...................
so can any body please help me in how to understand about imports and exports .......
I strongly believe that understanding the structure of an PE file will give a strong knowlegde on how compilers and disassemblers
work.....

the program and its code is included in the attachment and please correct my mistakes (if any)........

please help me......




[attachment deleted by admin]

donkey

#6
June 24, 2007, 07:05:16 PM
I think Iczelion has a tutorial covering PE files though my memory is a bit foggy as it has been quite a long time since I looked at his tutorials, I have also included a section in WinExplorer that decodes the PE header and maps the imports and exports, it includes the entry point and file offsets for exports. For a really good explanation of the PE format you should go to the source...

http://msdn.microsoft.com/msdnmag/issues/02/02/PE/default.aspx
http://msdn.microsoft.com/msdnmag/issues/02/03/PE2/

I find these two pages indispensable and refer to them frequently when I need information about the PE format.

Donkey
"Ahhh, what an awful dream. Ones and zeroes everywhere...[shudder] and I thought I saw a two." -- Bender
"It was just a dream, Bender. There's no such thing as two". -- Fry
-- Futurama

Donkey's Stable

drizz

#7
June 24, 2007, 10:58:43 PM
about disassembler...
the toughest part is decoding the Mod/RM and converting all info to string...
you should definitely have Intel manuals and sandpile.org archive.
you should also have some some sources of other engines..
i suggest the Bass Demon's asm code
Code Select
http://home.no.net/tkos/src/debug/ia32dis.asm
http://home.no.net/tkos/src/debug/ia32dis.inc
if you are going to write it in asm, or Oleh's Ollydbg dasm engine if you are C/C++ inclined

about PE...
there are many (really a lot) PE tutorials on the net...
i suggest you find Luevelsmeyer's tut

about your little C project...
you should not compare section names EVER.., all the info can be gathered through Directories

you can browse through imports like this (fix any typecasting if required):
Code Select
PIMAGE_IMPORT_DESCRIPTOR pImp=(DWORD)dosHeader +ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
while (pImp->Name!=0)
{
printf("%s\n",(DWORD)dosHeader + pImp->Name);
PIMAGE_THUNK_DATA pth=(DWORD)dosHeader +pImp->FirstThunk;
while (pth->u1.AddressOfData)
{
if (pth->u1.Ordinal&IMAGE_ORDINAL_FLAG32)
printf("\t#%d\n",pth->u1.Ordinal);
else
{
PIMAGE_IMPORT_BY_NAME pim=(DWORD)dosHeader + pth->u1.AddressOfData;
printf("\t%s\n",pim->Name);
}
pth++;
}
pImp++;
}
The truth cannot be learned ... it can only be recognized.

drizz

#8
June 24, 2007, 11:05:42 PM
i have some code that i've written, you can use it and change to your liking.
both in ASM and in C/C++ (not hard to convert to plain C).

its for manipulating PE files

[attachment deleted by admin]
The truth cannot be learned ... it can only be recognized.
Print
Go Up Pages1
User actions