hi everybody,
I know assembly... I am interested in writing a disassembler...
Can anybody tell me what should I learn and what should I possess in order to write a disassembler...
I have the course Compiler Design in this semester
can anybody please help me...
please reply me...
thanks in advance...
you need to (intelligently) reverse the binary data to mnemonic asm
like 0xc3 = ret
xor eax, eax = 33 c0
and so on
it is NOT a simple task, especially when you might have to disassemble obfuscated code, compressed code
and so on, as well as determining data areas, size of those areas and so on...
that, and you'll most likely need to have pretty strong asm knowledge, and pretty strong understanding
of the PE file format (assuming your disassembler will be made for windows executables) etc..
thank you sir for your reply...
Hi vineel,
Though I would rarely wish this guy on any one, Betov has written a fairly decent, though primitive, disassembly engine to accompany RosAsm. You might want to look at it as it is distributed with source code albeit in that rather meandering version of assembly. Just don't tell him I referred you, it will get you in trouble and probably labeled as a puppy kicking fascist ;)
Donkey
Vineel,
Here is an interesting project:
Proview (PVDasm) Interactive Program Disassembler
http://pvdasm.reverse-engineering.net/
thanks for your replies
I did a program which will dump the headers and sections of a PE file...
I am now struggling to retrieve the imports and exports of a PE file. I studied various tutorials on the PE format
but all of them confused me in explaining about Imports (.idata) and exports...
so can anybody please help me in how to understand about imports and exports...
I strongly believe that understanding the structure of a PE file will give a strong knowledge on how compilers and disassemblers
work...
the program and its code are included in the attachment and please correct my mistakes (if any)...
please help me...
[attachment deleted by admin]
I think Iczelion has a tutorial covering PE files though my memory is a bit foggy as it has been quite a long time since I looked at his tutorials, I have also included a section in WinExplorer (http://www.masm32.com/board/index.php?topic=3803.0) that decodes the PE header and maps the imports and exports, it includes the entry point and file offsets for exports. For a really good explanation of the PE format you should go to the source...
http://msdn.microsoft.com/msdnmag/issues/02/02/PE/default.aspx
http://msdn.microsoft.com/msdnmag/issues/02/03/PE2/
I find these two pages indispensable and refer to them frequently when I need information about the PE format.
Donkey
about disassembler...
the toughest part is decoding the Mod/RM and converting all info to string...
you should definitely have Intel manuals and sandpile.org archive.
you should also have some sources of other engines..
i suggest the Bass Demon's asm code
http://home.no.net/tkos/src/debug/ia32dis.asm
http://home.no.net/tkos/src/debug/ia32dis.inc
if you are going to write it in asm, or Oleh's Ollydbg dasm engine if you are C/C++ inclined
about PE...
there are many (really a lot) PE tutorials on the net...
i suggest you find Luevelsmeyer's tut
about your little C project...
you should not compare section names EVER... all the info can be gathered through the Directories
you can browse through imports like this (fix any typecasting if required):
/* Assumes the file is mapped as an image, so an RVA is a plain offset from dosHeader;
   for a raw file mapping, convert each RVA to a file offset via the section table first. */
PBYTE base = (PBYTE)dosHeader;
PIMAGE_IMPORT_DESCRIPTOR pImp = (PIMAGE_IMPORT_DESCRIPTOR)(base + ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
while (pImp->Name != 0)                 /* the descriptor table ends with an all-zero entry */
{
    printf("%s\n", (char *)(base + pImp->Name));              /* imported DLL name */
    PIMAGE_THUNK_DATA pth = (PIMAGE_THUNK_DATA)(base + pImp->FirstThunk);
    while (pth->u1.AddressOfData)       /* thunk array is zero-terminated */
    {
        if (pth->u1.Ordinal & IMAGE_ORDINAL_FLAG32)
            printf("\t#%u\n", IMAGE_ORDINAL32(pth->u1.Ordinal));  /* import by ordinal (low 16 bits) */
        else
        {
            PIMAGE_IMPORT_BY_NAME pim = (PIMAGE_IMPORT_BY_NAME)(base + pth->u1.AddressOfData);
            printf("\t%s\n", pim->Name);                          /* import by name */
        }
        pth++;
    }
    pImp++;
}
I have some code that I've written; you can use it and change it to your liking.
Both in ASM and in C/C++ (not hard to convert to plain C).
It's for manipulating PE files.
[attachment deleted by admin]
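For a raw file on disk (which is what the header dumper above reads), every RVA in the import directory has to go through the section table first; the C snippet in the post above assumes RVA == offset, which only holds for a loaded image. The following is an added Python example, not code from anyone in this thread: the section tuple layout, the import directory RVA passed in, and the sample bytes are all constructed, and it also masks ordinals and prefers OriginalFirstThunk.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000

def rva_to_offset(rva, sections):
    """Map an RVA to a raw file offset through the section table.
    sections: list of (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            delta = rva - va
            # An RVA may fall in the zero-filled tail that has no bytes on disk.
            return raw_ptr + delta if delta < raw_size else None
    return None

def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def walk_imports(data, sections, import_rva):
    """Return [(dll, entries)]; an entry is ("name", str, hint) or ("ordinal", n)."""
    result, off = [], rva_to_offset(import_rva, sections)
    while True:
        oft, _ts, _fc, name_rva, ft = struct.unpack_from("<5I", data, off)
        if name_rva == 0:          # an all-zero descriptor terminates the directory
            break
        dll = read_cstr(data, rva_to_offset(name_rva, sections))
        # Prefer OriginalFirstThunk (name table); fall back to FirstThunk when it is 0.
        entries, thunk_off = [], rva_to_offset(oft or ft, sections)
        while True:
            (thunk,) = struct.unpack_from("<I", data, thunk_off)
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:        # import by ordinal: low 16 bits
                entries.append(("ordinal", thunk & 0xFFFF))
            else:                                   # RVA of IMAGE_IMPORT_BY_NAME
                hint_off = rva_to_offset(thunk, sections)
                (hint,) = struct.unpack_from("<H", data, hint_off)
                entries.append(("name", read_cstr(data, hint_off + 2), hint))
            thunk_off += 4
        result.append((dll, entries))
        off += 20                  # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return result

# Constructed sample: one section at RVA 0x3000 stored at file offset 0x400,
# so RVA != file offset and the conversion above is really exercised.
SECTIONS = [(0x3000, 0x60, 0x400, 0x60)]
SAMPLE = bytearray(0x460)
struct.pack_into("<5I", SAMPLE, 0x400, 0x3028, 0, 0, 0x3040, 0x3034)  # descriptor
struct.pack_into("<3I", SAMPLE, 0x428, 0x3050, 0x80000001, 0)         # INT
struct.pack_into("<3I", SAMPLE, 0x434, 0x3050, 0x80000001, 0)         # IAT (on disk)
SAMPLE[0x440:0x44D] = b"KERNEL32.dll\0"
struct.pack_into("<H12s", SAMPLE, 0x450, 0x123, b"ExitProcess\0")
```

Calling walk_imports(SAMPLE, SECTIONS, 0x3000) yields one DLL with a by-name entry (hint 0x123) followed by ordinal #1.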