
Beta Version of Disassembler Finished

Started by MusicalMike, December 04, 2005, 09:26:50 PM


MusicalMike

I finished my first "working" copy of my disassembler, (See post Writing a Disassembler), and am now proud to show off what I have done.

Due to the size of the source code, if you wish to see the source code, you must request a copy directly from me.

Ps. The disassembler uses the ProView core functions. (Compliance with the agreement to provide credit to the author of the ProView API functions).

[attachment deleted by admin]

LL

Hi MusicalMike,

I've tried your program without any luck.  I tried to disassemble a small .exe following your instruction. My small program was *01.exe*, and these are the 3 files that I got: 01.exe.idata.bin, 01.execode.bin, 01.exedata.bin. The file to translate: in my example, 01.exe.txt.bin, wasn't created. So the output.asm was 0 bytes. Sorry !  :(

LL

LL

Hi again,

Ok! My mistake, the 01.exe.txt.bin are all of those files that need to be translated. So I tried again and so far things seem to work well !  :U I'll let you know if things aren't as they should.  :bg

LL

MusicalMike

I am planning on writing a UI front end to the program. Thanks for the comments.

LL

Hi MusicalMike,

The "filename.execode.bin" was almost correct: with the exception of a final "RET 0010". It simply forgot one at the end of my program. With "OLLYDBG", I'm getting 101 lines of code and only 100 lines of code with your disassembler. Secondly, I can't find any reference to my Calls to the Kernel32.dll and the user32.dll. They are all in your disassembly of my program: for example, "CALL 00403042" is my "CALL <JMP.&KERNEL32.GetModuleHandleA>", but I can't find any references to address: "00403042". Everything else, again, seems OK! within the "filename.execode.bin".

However, I simply can't make any sense of the other two files: "filename.exedata.bin" and "filename.exe.idata.bin". The first line of "filename.exe.idata.bin" is similar to the .idata section of "PEBrowse":  0x403000: FF2590304000   JMP      DWORD PTR [USER32.DLL!LoadIconA]; (0x403090), and yours is  00401000:   JMP DWORD PTR DS:[00403090]   ;. I can't understand the rest of your "filename.exe.idata.bin". I also can't understand what I'm getting from your "filename.exedata.bin". I'm sending an attachment of those 3 files, plus my .exe (with sources) to see if you're getting the same results.

Just to make sure that I did follow your instructions properly, this is how I created those 3 files: (translate 01.execode.bin; translate 01.exedata.bin and translate 01.exe.idata.bin). 01 being the name of my file ! I've renamed them since the output file is always output.asm (which would be overwritten each time). Let me know if I properly followed your directives ?

LL

[attachment deleted by admin]

MusicalMike

You did it properly... with one exception. Based on your files, you appear to have used translate.exe on the 01.exe.data.bin file. Translate.exe simply "translates" the byte stream of executable data (which the extractor will fetch for you. The file should have .text somewhere in its name) into assembly language. It can't be used on the other files. If you look at the .idata file, towards the end of the file, are the names of all the DLLs neatly spelled out. The preceding data is just a symbol table. If you open your data file, you should also notice that it consists of one line "SimpleWinClass Une fenêtre par Léonard". What happens when an exe is run is the loader simply reads each byte in the .data section and copies it to the process's allocation of memory in the order it appears. Don't forget this is the beta release and the thing is still ridden with bugs. I have been testing it on my machine since I put it out. There is still question as to whether it can properly disassemble DLLs for instance.

If you want, I can send you the source code to extract.exe and/or translate.exe.

LL

Hi again,

In all honesty, by following your readme.txt: I'm within the same folder as your 3 programs, I start by "extract 01.exe", which simply created those 3 bin files. That's all I did ! Would it matter if I created my program by using: GOASM and GOLINK ? Other than that, I can't shed any more info on what I did to get those 3 bin files.  Sorry for Now!  :(

Ps. I'm still new to assembly, so I'm not sure that I would be much help by looking at your sources !

LL

MusicalMike

You should be getting 3 files. It appears that GoAsm uses a different naming convention for naming the PE sections. It took me a bit of time to figure that out when looking at the files you sent me. As I said before though, translate.exe is only supposed to be used on the file that contains the extracted executable data. The .data and .idata sections are not that hard to read as they are.
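The section-naming mix-up described above (and the loader behaviour from the earlier post) is easier to see with an extractor that classifies sections by their Characteristics flags instead of by name. This is an added example written for this thread, not code from MusicalMike's extract.exe or translate.exe; the two-section image it parses is constructed inline, and the `<exe>.<section>.bin` output naming is an assumption.

```python
import struct

# Section Characteristics flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def pe_sections(image: bytes):
    """Return (name, virtual_address, raw_bytes, kind) per section. 'kind' comes
    from the Characteristics flags, so a section named 'code' (as the GoAsm-built
    file in this thread appears to use) is classified like one named '.text'."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, opt_size = struct.unpack_from("<2xH12xH2x", image, coff)
    sections = []
    for i in range(nsections):
        off = coff + 20 + opt_size + 40 * i   # section table follows the optional header
        name, _, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        if chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            kind = "code"    # the only kind a translate step should be fed
        elif chars & IMAGE_SCN_CNT_INITIALIZED_DATA:
            kind = "data"    # .data/.idata/.rsrc: the loader copies these into memory as-is
        else:
            kind = "other"
        sections.append((name, va, image[raw_ptr:raw_ptr + raw_size], kind))
    return sections

def extract_files(image: bytes, base: str) -> dict:
    """Mimic the extract step: one '<base>.<section>.bin' per section (naming assumed)."""
    return {f"{base}.{name}.bin": raw for name, _, raw, _ in pe_sections(image)}

def build_sample_image() -> bytes:
    """Constructed two-section PE image for the demonstration; not a real program."""
    code = bytes.fromhex("FF2590304000C3")   # JMP DWORD PTR DS:[00403090]; RET
    data = b"SimpleWinClass\0"
    code_ptr = 0x40 + 4 + 20 + 2 * 40       # DOS header, PE sig, COFF header, 2 section headers
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, no optional header
    sec = lambda n, va, blob, ptr, ch: struct.pack("<8sIIIIIIHHI", n, len(blob), va, len(blob), ptr, 0, 0, 0, 0, ch)
    return (dos + b"PE\0\0" + coff
            + sec(b"code", 0x1000, code, code_ptr, 0x60000020)               # CODE | EXECUTE | READ
            + sec(b"data", 0x2000, data, code_ptr + len(code), 0xC0000040)   # INITIALIZED_DATA | READ | WRITE
            + code + data)
```

Feeding `extract_files(open("01.exe", "rb").read(), "01.exe")` a real executable gives one entry per section regardless of what the assembler called it.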

LL

Hi again,

Ok ! Yes the *.exedata.bin can be looked at with a simple Notepad. However, the beginning of the *.exe.idata.bin can't be understood with Notepad. However, after a bit, I find the text for all of my calls. But again, I'm looking at a bin file via Notepad. At this point in time, I have no other ways to see what a bin file has to offer.   :red I'm still very green behind the ears when it comes to programming in general. I may even have reached my limits to what I can offer: try, look, compare and share. But like you said, this is a Beta version and your first attempt at sharing it with others for some feedback.  It will come !  :U

LL

MusicalMike

As far as I know, besides the library file references that appear at the end of the .idata section, other disassemblers also will not decipher the binary code at the beginning of the file. It's just a symbol table. You really don't need to know what it says. Incidentally, I am only 17 years old and have only been programming in assembly language for a few months. Moreover, I've only known C++ (the programming language in which the app is written) for a little over a year. The moral of the story, you have only reached your limits if you think you have. The quality of the information you have given me indicates that you are a very intelligent person with lots of promise in the programming world. As I said, I would be happy to give you a copy of the source code for your study.

Ps. Please stop using GoAsm, Masm32 is loads better and is more suitable for win32 programming.

LL

Hi MusicalMike,

I've tried your program with another one which wasn't assembled with Goasm and Golink. 4 files were created: 02.exe.txt.bin; 02.exe.rsrc.bin; 02.exe.idata.bin and 02.exe.data.bin. However, "translate 02.exe.txt.bin" gave me an empty "output.asm" file. The "02.exe.data.bin" looks OK, the "02.exe.idata.bin" is similar to the other one that I sent you and the "02.exe.rsrc.bin" is filled with a variety of different symbols which is not readable text.

Ps. Same result as above with my third attempt with a different program not assembled with Goasm and Golink. So, in conclusion, I had better findings with my first disassembly of 01.exe (for which I used Goasm and Golink). I will consider Masm32, and yes I'm a smart dude.  :bg  I also was many years ago only 17, and I remember when my brain cells were able to retain better info back then.  :lol  :lol

LL

LL

Hi again,

Found what I was doing wrong: was "translate 02.exe.text.bin" and not "translate 02.exe.txt.bin". That is why I was getting an empty "output.asm".  :eek  Again, now seems to work quite Ok!   :U

LL

MusicalMike

rsrc is a compiled resource file. I have not figured out yet how to disassemble these as different resource compilers use different syntaxes and there is no agreed upon standard.

LL

Hi MusicalMike,

Just to let you know, I tried your disassembler on a program that was created with "RosAsm" and I got the same result as if I had used "Goasm/Golink". There was one line of code missing at the end (had 004011C7 lines instead of 004011C8). However, don't know much about "RosAsm".  Good work so far for your "Beta" version!

LL

MusicalMike

Yes I know, it's a bug in the software. I am still trying to figure out why this happens, and will fix it ASAP. In the meantime, I am still willing to send you the source code if you want it.