You Tell Me

Started by Robert Collins, February 08, 2005, 10:04:36 PM

Robert Collins

In the \masm32\bin\ directory is a program called 'dumppe.exe'. Since it is in that directory one would assume that it is OK to use it. It will produce an assembly dump of whatever PE you are dumping. If I take that dump and use it to learn how something is done then that is exactly what I will do. I will use any means that I can to learn things I need to learn or want to learn. I will strip a TV, automobile, VCR, PC or a program down piece by piece, bit by bit, if that is what it takes to learn how and what makes it tick. If this is a problem at this forum then I will honor that and not post anything about how I learned something but just post what I learned if the occasion arises.

pbrennick

Robert,
As soon as you officially said you would be decompiling someone else's dll, you crossed the line.  If you choose to do this thing, that is your business.  Just do not talk about it in this forum because whether you believe it or not, it is breaking the law.

Paul

PS:  Robert, no more talk, I will delete this thread if you do.  I chose to allow you to say your piece, now it is done.

Bieb

Well, if he reused the code, then obviously it would be illegal, but if all he does is analyze a program and its output to determine how it does what it does, how could it be illegal?

hutch--

Let me address what the issues are here. Clive Turvey's DumpPE has been included in MASM32 since it was started years ago and it is a useful tool for both PE headers and simple disassembly. It is like any other tool, it can be both used and abused and the rough distinctions are as follows.

Having a look at the guts of a system DLL or similar is not a problem as it has informational uses that do not involve any form of cracking or its euphemism reverse engineering. It is common to check them out to see what function calls another. WinExec() for example calls CreateProcess() and there are many others. Then there is testing of other EXE and DLL files to make sure they don't contain any malicious content which is a reasonable security issue to deal with.

The line gets drawn on what the intent is when looking at the content of a file. If it is done for protection system workarounds or alternatively is done to steal someone else's code design, it becomes an illegal action that we will not allow to be posted in this forum.

DumpPE was included in MASM32 with Clive's permission but it authorises no-one to do anything that is illegal, it's a useful fully legal tool for normal low level programming tasks and it is supplied for that reason, not for any other reason and its inclusion does not entail the right to violate someone else's property.

I primarily use it to disassemble my own code to see what a macro or internal pseudo high level construct looks like which is one of its many valid uses.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

Robert Collins

Quote from: hutch-- on February 08, 2005, 11:46:56 PM
The line gets drawn on what the intent is.......

The magic word here is 'intent'. It's not so much 'what' you are doing but what your intentions are. It is not illegal to stand on your head in a public mall but if you are doing that in order to look up girls' skirts then you are violating the law.

pbrennick

Robert,
You stated your 'intent' twice.  This is not a discussion.  I will not allow someone to try to justify an illegal action.  Just because Hutch decided to defend the use of dumppe does not mean he is condoning your actions.

Paul

P1

Robert,

Please describe fully what you are trying to do with your winsock replacement.  I am sure you understand that there are a variety of do's and don't's in replacing / extending / subclassing system files.

M$ has several white papers out on its winsock implementation.  A little googling would have gotten you more material than you thought was available without the RE.

Once we understand the scope, goals and purpose, we can help you.

Regards,  P1  :8)

PS:  I was out to FutureEdge, what is your role there?  And is it related to this?

Robert Collins

I am trying to rebuild company DLLs because they are old but still in use and the company no longer has the source code. Hence, my topic.
The winsock dll is nothing I really care about but I used it as an example of what I want to do (here is where I think things started to go sour) and I am very familiar with the winsock dll that it would be a good testing point other than the simple DLL I wrote.

Futureedge is a private web site that I use for Internet testing when I am doing my own thing. There I mostly use Java applets and Perl. But I write my user application that may be in VB or assembly or C.

A lot of the questions I ask here are work related, like this topic, and some are for my free time projects at home.

hutch--

Robert,

Thanks, that's all we needed to know, your company OWNS the code and the resulting binary from it so you have the legal right to do whatever the owner requires with those binaries. Just as a hint in the future, we must be careful with these types of topics so if you are doing stuff like this and you own the code, let us know as it makes our admin tasks simpler and easier to manage.

Bieb

All this seems very intriguing.  Could someone tell me how exactly you use this program?  I'd like to take a look at just how MASM is compiling my high level constructs.

Robert Collins

Quote from: Bieb on February 09, 2005, 02:00:49 AM
All this seems very intriguing.  Could someone tell me how exactly you use this program?  I'd like to take a look at just how MASM is compiling my high level constructs.

I'm not sure what program you are referring to unless it is DUMPPE.EXE. If this be the case then I do not know all the ins and outs of that program other than I know it produces a machine language coded (or assembly if that is what it is called) output. I am just thinking how would I go about using this output, be it from DUMPPE.EXE or some other similar program, to figure out how to rebuild some old DLLs that I no longer have access to their source codes. As far as using DUMPPE.EXE I am definitely not the one to demonstrate its usage. All I know is that if I load a .DLL or a .EXE it will dump it out showing you the assembly op-codes that make up the inner workings and also dump out other important pieces of the binary file.

hutch--

Bieb,

You can either use the disassembly option on the tools menu in QE or run DumpPE from the command line.


dumppe -disasm yourfile.ext > output.txt


Just a hint to make the code you want to look at easier to find, I use 3 nops to locate the code as it's very rare to have this done by either an assembler or compiler.


nop
nop
nop

.if this == that
  do_this
.endif


Dump the results to a file, open the file and search for NOP.

The code following it is the pseudo HLL code that you want to have a look at.

DumpPE is designed for dumping code and it does not handle embedded data properly. If you need to do this, you will need a debugger or a more sophisticated disassembler.

The option on the MASM32 menu does exactly this, it dumps the EXE or DLL to a file then displays the file in another instance of QE.
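The three-NOP marker tip above, as an added example that is not part of the original thread or of MASM32: a Python script that scans a disassembly listing for a run of three NOPs and returns the instructions that follow it, ignoring isolated NOPs. The listing layout (address, bytes, mnemonic) and the sample are constructed; DumpPE's real output format may differ, so adjust `LINE_RE` to the file you dumped.

```python
import re

# Constructed sample in a generic "address  bytes  mnemonic operands" layout.
# This is NOT DumpPE's exact output format (assumption for illustration).
SAMPLE_LISTING = """\
00401000  55              push    ebp
00401001  8BEC            mov     ebp,esp
00401003  90              nop
00401004  8B4508          mov     eax,[ebp+8]
00401007  90              nop
00401008  90              nop
00401009  90              nop
0040100A  3B450C          cmp     eax,[ebp+0Ch]
0040100D  7505            jnz     00401014
0040100F  E80C000000      call    00401020
00401014  C9              leave
00401015  C20800          ret     8
"""

# Hypothetical line pattern matching the constructed layout above.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\S+)\s*(.*)$")

def parse(listing):
    """Yield (address, mnemonic, operands) for each instruction line."""
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1).upper(), m.group(3).lower(), m.group(4).strip()

def find_marked_blocks(listing, marker_len=3, max_insns=20):
    """Return the instructions following each run of >= marker_len NOPs.

    A block ends at a return, at the next NOP, or after max_insns lines.
    """
    insns = list(parse(listing))
    blocks, run = [], 0
    for i, (_, mnem, _) in enumerate(insns):
        if mnem == "nop":
            run += 1
            continue
        if run >= marker_len:
            block = []
            for insn in insns[i:i + max_insns]:
                if insn[1] == "nop":
                    break
                block.append(insn)
                if insn[1] in ("ret", "retn"):
                    break
            blocks.append(block)
        run = 0
    return blocks

if __name__ == "__main__":
    for block in find_marked_blocks(SAMPLE_LISTING):
        for addr, mnem, ops in block:
            print(addr, mnem, ops)
```
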

P1

If you're writing your own code and want to look at how it was assembled: with MASM, I use a debug build batch file option (included) to generate a listing and a debug file which is real easy to debug in Visual Studio.

Just edit your Menus in QEditor to add it as an option.

Regards,  P1  :8)

[attachment deleted by admin]

Scorpie

If you want to see how your constructs are compiled or want to debug your own program I'd advise using Ollydbg (only works on 32bit executables), it's freeware and it's a debugger, you can follow the code as it runs, watch registers, datasection etc. It's a very nice application to debug your own apps (link is easy to find on google).

Scorpie