Disassembler

[Farabi]

Anyone here know what disassembler that produce a .txt as an output?

[realtyu]

MASM can do that

Tools -> DisAssemble exe file
but not clean source

[rea]

If the dissassembler can output to stdin can be redirected If Im not wrong like

ndisasmw x.exe >disassembly.txt

You also can try ndisasm you should introduce a command in the invocation at cmd for "skip" the first bytes that are not instructions...

ndisasmw is the other tool that come with nasm it output to stdin.

[pbrennick]

Farabi,

rea is correct here.  The default method employed by DOS is to input from the default input device (keyboard) and outputs text to the standard output device (monitor).  Eith one (or both) can be re-directed.  In this case, if you add >trash.can to the end of the string you are typing; DOS (when it executes that particular command) will send the text output to a file called trash.can

If you want to add that text to the end of an existing file while preserving its previous contents use >>trash.can instead.

Paul

[Farabi]

http://www.geocities.com/~sangcho/disasm.html

Here. Complete with source.

[wizzra]

my lovely project:

http://pvdasm.reverse-engineering.net/index.php?Section=3

[Vortex]

IDA and Ollydbg

[Farabi]

Hai. I saw all the 32 bit application is always start at 0x400000 with an entry point on the end. Why it always like that? Is anybody have the structure information?

[roticv]

Most exe (this is not apply to dll) are loaded into the address 400000h (Base address/hinstance value). The location of the entry is dependent on how your code is like.

[Robert Collins]

Most exe (this is not apply to dll) are loaded into the address 400000h (Base address/hinstance value). The location of the entry is dependent on how your code is like.

If an .EXE is loaded into address 400000h then what happens when a second .EXE is brought into memory? Is there a conflict of load addresses?

[hutch--]

Robert,

the OS assigns each process its own memory space so every process that is started as an exe file is started at 400000h. The mechanism is part of the OS design for a hardware multitasking operating system. An address within one process memory space is not a valid address within another so for example if you pass the adress of something through interprocess communication, that address will refer to the same data from another process.

[roticv]

If an .EXE is loaded into address 400000h then what happens when a second .EXE is brought into memory? Is there a conflict of load addresses?

Conflict of load address only occurs in dll. In such cases, reloc sections come in handy.

[Robert Collins]

Robert,

the OS assigns each process its own memory space so every process that is started as an exe file is started at 400000h. The mechanism is part of the OS design for a hardware multitasking operating system. An address within one process memory space is not a valid address within another so for example if you pass the adress of something through interprocess communication, that address will refer to the same data from another process.

That kind of tells me that if each process has it's own memory space then each memory space also has it's own 400000h load address which sounds like virtual memory. Am I on the right track? 

[thomasantony]

Right!! :U

[ecube]

WOW wizzra that's incredible, excellent job!  :thumbu