News:

MASM32 SDK Description, downloads and other helpful links
MASM32.com New Forum Link
masmforum WebSite

Trouble understanding Linker

Started by turnbui, April 30, 2006, 02:02:58 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

turnbui

April 30, 2006, 02:02:58 PM
hi folks,
I'm hoping someone can help me to understand what is going on here.
Using W32DASM to look at the Wininet.dll [it gets disassembled] the actual  call sys_func is shown in-line of the code:-

* reference to KERNEL32.lstrlenA, Ord:03B3h

    call dword ptr [771B1260]

After i build  this DLL a disassem then shows lots of jmp sys_func at beginning of the code section and not in-line
as with the original DLL? Even though the actual op-code is the same.

Has this something to do with mreging sections?

As ever any help / info will be much appreciated

Thanks
Ian t

sluggy

#1
May 01, 2006, 02:31:32 AM
Quote from: turnbui on April 30, 2006, 02:02:58 PM
After i buildĀ  this DLL a disassem then shows lots of jmp sys_func at beginning of the code section and not in-line
as with the original DLL? Even though the actual op-code is the same.
1: we do not support or condone the reverse engineering of any third party dlls - even if it is just for education. Virtually all EULA's prohibit it, and while it may be legal in some countries this forum is hosted in the US where it is illegal.

2: You are comparing apples and oranges. You are comparing the output of a linker with the output of a disassembler. Both dlls are the same - the jmps at the start are the function import table, which all relocatable modules have. All calls to a specific external dll function are routed through this table, so when a module is relocated in memory then only one place in any referencing module has to be fixed up to point to the new location.

turnbui

#2
May 01, 2006, 09:05:52 AM
First I should thank you for bringing the reverse engineering point to my attention. I certainly had not even thought that this should be a problem. [Otherwise I'd have disguised its name].

I do thank you for the information though. Therefore it must be the debuggers method of gleaning the info.
Perhaps this is due to the fact that the original DLL was written in C/C++ and the resultant reversal was then assembled with MASM - confusing W32DASM. Apples vs oranges.

And yes, this exercise is just for my purposes.

P1

#3
May 01, 2006, 01:47:49 PM
Quote from: turnbui on May 01, 2006, 09:05:52 AM[Otherwise I'd have disguised its name]
Deception is neither welcomed or accepted here.  Professionals need never to practise Deception.

Regards,  P1  :8)
Print
Go Up Pages1
User actions