|
VB Decompiler Hosted by TheAutomaters.com
|
Author |
Message |
Dr Memory Expert
Joined: 16 Aug 2004 Posts: 147 Location: Surrey, UK
|
Posted: Wed Sep 15, 2004 2:25 pm
Post subject: Auto Code/Data Sensing in Borg Disassembler
|
|
My msvbvm60 listing was produced by the BORG freeeware disassembler. Here's a short section showing the tail of one sub, and the header of the next:
Code: | 1000:6605881e 1bc0 sbb eax, eax
1000:66058820 2575010a80 and eax, 800a0175h
1000:66058825 c20800 ret 08h
1000:66058828 83 db 83h
1000:66058829 6c db 6ch ;'l'
1000:6605882a 24 db 24h ;'$'
1000:6605882b 04 db 04h
1000:6605882c 04 db 04h
1000:6605882d 55 push ebp
1000:6605882e 8bec mov ebp, esp
1000:66058830 8b450c mov eax, (ebp+0ch)
|
But that 5-byte "data" block is really an instruction. If I embed it in a little test ASM routine, build a DLL and use BORG to dump that, it shows correctly:
Code: | 1000:10001015 55 push ebp
1000:10001016 8bec mov ebp, esp
1000:10001018 836c240404 sub dword ptr (esp+04h), 04h
1000:1000101d 5d pop ebp
1000:1000101e c3 ret
|
It seems to regard the same 5 bytes as data in one case, code in the other. But how can it do that? I thought only complete segments could be marked that way, not individual bits like that!
If you have an msvbvm60 listing of any sort, what does it show? _________________ [size=75:2sg2dqh1]At first, I was irridescent. Then, I became transparent. Finally, I was absent ...
Last edited by Dr Memory on Wed Sep 15, 2004 7:17 pm; edited 2 times in total
|
|
Back to top |
|
|
|
MrUnleaded Site Admin
Joined: 21 Sep 2002 Posts: 385 Location: California
|
Posted: Wed Sep 15, 2004 3:21 pm
Post subject:
|
|
That is an interesting thing.
Have you ever used Hiew? it is a quick-dissasembler..../hex editor/ascii editor....
its my favorite for these purposes. _________________ -MrU
Last edited by MrUnleaded on Wed Sep 15, 2004 4:13 pm; edited 1 time in total
|
|
Back to top |
|
|
|
Dr Memory Expert
Joined: 16 Aug 2004 Posts: 147 Location: Surrey, UK
|
Posted: Wed Sep 15, 2004 4:05 pm
Post subject:
|
|
I think the other post was deleted - it's apparently unwise to wrap code tags around ASM code wih square brackets, the BB software gets a fault trying to process it ... couldn't edit it for same reason...
I've got 3 disassemblers already, I can make another listing it just takes a while to do msvbvm60 and wondered if anybody could tell me....
The fact that it surprises you too is enough for me to do that now, though - maybe it's a glitch in BORG but it's weird because it's so systematic - not random ....
I'll try W32dasm and see how it goes ....
Cheers! _________________ [size=75:2sg2dqh1]At first, I was irridescent. Then, I became transparent. Finally, I was absent ...
|
|
Back to top |
|
|
|
MrUnleaded Site Admin
Joined: 21 Sep 2002 Posts: 385 Location: California
|
Posted: Wed Sep 15, 2004 4:12 pm
Post subject:
|
|
have you tried with the other versions of msvbvm60? there are about 4. _________________ -MrU
|
|
Back to top |
|
|
|
Dr Memory Expert
Joined: 16 Aug 2004 Posts: 147 Location: Surrey, UK
|
Posted: Wed Sep 15, 2004 4:41 pm
Post subject:
|
|
Yes, I've got an XP listing somewhere, I was using 2000 in that example..
W32dasm was a dead-end, it makes a dog's breakfast of the whole thing ... Borg is still my only successful disassembler for this ... that HIEW is it a disassembler or just an editor? _________________ [size=75:2sg2dqh1]At first, I was irridescent. Then, I became transparent. Finally, I was absent ...
|
|
Back to top |
|
|
|
MrUnleaded Site Admin
Joined: 21 Sep 2002 Posts: 385 Location: California
|
Posted: Wed Sep 15, 2004 4:52 pm
Post subject:
|
|
both. its a "quick" disassembler....ie i dont think it does any in depth processing...if it does it is extremely fast at it _________________ -MrU
|
|
Back to top |
|
|
|
Dr Memory Expert
Joined: 16 Aug 2004 Posts: 147 Location: Surrey, UK
|
Posted: Wed Sep 15, 2004 5:47 pm
Post subject:
|
|
That's W32dasm's problem - fast but non-specific, not suitable for Win32 system dll's .....
I'll see if I can find a BORG bulletin board, try and answer the qn that way .... it's bugging me because I can just see enough to know that I want that area listed properly, I think I know what's in there!
I can always adapt my own quick-disassemble API function to do it ... now I've thought about it that's not going to be hard ...
So it's not crucial.... there just remains that question, is this an artifact of BORG, or is it a memory management feature I was not aware of ....
Remember that BORG correctly reported the same code in my DLL....
... and penny is spinning, spinning, falling now ... ker-PLUNK
OK, how about this theory? BORG thinks it is doing me a favour maybe... between the RET and the next PUSH EBP/MOV ESP, EBP pair, maybe it's saying "well that must be just DATA then, so I'll not translate it!"
That would explain everything .... _________________ [size=75:2sg2dqh1]At first, I was irridescent. Then, I became transparent. Finally, I was absent ...
|
|
Back to top |
|
|
|
Dr Memory Expert
Joined: 16 Aug 2004 Posts: 147 Location: Surrey, UK
|
Posted: Wed Sep 15, 2004 5:55 pm
Post subject:
|
|
Code: | * I MUST LOOK AT THE MENU OPTIONS MORE OFTEN * I
MUST LOOK AT THE MENU OPTIONS MORE OFTEN ** I M
UST LOOK AT THE MENU OPTIONS MORE OFTEN ** I MU
ST LOOK AT THE MENU OPTIONS MORE OFTEN ** I MUS
T LOOK AT THE MENU OPTIONS MORE OFTEN ** I MUST
LOOK AT THE MENU OPTIONS MORE OFTEN * |
At least I've found Borg's "Advanced options" menu now!
It's exactly that, and it's the default option ...
mea culpa! _________________ [size=75:2sg2dqh1]At first, I was irridescent. Then, I became transparent. Finally, I was absent ...
|
|
Back to top |
|
|
|
MrUnleaded Site Admin
Joined: 21 Sep 2002 Posts: 385 Location: California
|
Posted: Wed Sep 15, 2004 6:07 pm
Post subject:
|
|
Is BORG freeware? where could it be found? _________________ -MrU
|
|
Back to top |
|
|
|
Dr Memory Expert
Joined: 16 Aug 2004 Posts: 147 Location: Surrey, UK
|
Posted: Wed Sep 15, 2004 7:00 pm
Post subject:
|
|
Indeed it is, and very impressive! Even with my ignorance of the options it has given me excellent full listings of MSVBVM60, KERNEL32, USER32, VBA6, etc..
I'll find the link I used and post it...
It'll do VBM60 in about 10 minutes on a P3 - a reassuringly lengthy process, it is performing good cross-referencing work, is aware of win32 dbginfo where available, etc... _________________ [size=75:2sg2dqh1]At first, I was irridescent. Then, I became transparent. Finally, I was absent ...
|
|
Back to top |
|
|
|
Dr Memory Expert
Joined: 16 Aug 2004 Posts: 147 Location: Surrey, UK
|
Posted: Wed Sep 15, 2004 7:10 pm
Post subject: Summary: Borg is Beautiful
|
|
Download site for Borg 2.37 Disassembler...
One of the best freeware programs I've seen ..
http://www.softpedia.com/public/cat/5/1/5-1-1.shtml
To wrap this up, and to clear BORG entirely from any blame, I was ignorant of its CODE/DATA sensing options.
Some compilers do insert chunks of data between procs, even though it's nominally in a "code section" - there is no such thing to a Win32 linker, of course, it's merely a convention to call one data section ".code"
So, you may or may not want to have those possibly lengthy and mostly zero - chunks interpreted as code....
There are options for aggressive (parse everything) or passive mode ... passive mode uses PUSH EBP/RET (and other similar options) instructions to turn code interpretation off and on
And my confusion was caused by a combination of having code that looked like a data insert between procs plus the fact that passive mode is on by default ...
Hats off to Borg!
I'll be back with an interesting location in MSVBVM60 to look at ... _________________ [size=75:2sg2dqh1]At first, I was irridescent. Then, I became transparent. Finally, I was absent ...
|
|
Back to top |
|
|
|
Dr Memory Expert
Joined: 16 Aug 2004 Posts: 147 Location: Surrey, UK
|
Posted: Wed Sep 15, 2004 7:35 pm
Post subject:
|
|
When you open a new DLL file with it, you get a "File Open Options" dialog.
Press the "Code Options" button for the code/data sensing options dialog.
Check "aggressive" to force code-interpretation
I'm just re-running MSVBVM60 on another box, the same Pentium 3 (733Mhz), it should result in a reduced listing (currently 780K lines), we'll see ...
If 780K seems excessive to some, that's because it doesn't do linear strings (or I haven't found the option, who knows??)
I run the listing through a VB proggie that collapses the strings nicely, saving myself $75 (I almost bought a disassembler just to do that!)
And I have some more specific cross-referencing to add, in any case (maybe, one day, a "who-calls-who" cross-referencing tree might result) _________________ [size=75:2sg2dqh1]At first, I was irridescent. Then, I became transparent. Finally, I was absent ...
|
|
Back to top |
|
|
|
Dr Memory Expert
Joined: 16 Aug 2004 Posts: 147 Location: Surrey, UK
|
Posted: Wed Sep 15, 2004 8:55 pm
Post subject:
|
|
That's better! Down to under 500K lines, and the original section, shown in the first post, now looks like this
Code: | 1000:6605881e 1bc0 sbb eax, eax
1000:66058820 2575010a80 and eax, 800a0175h
1000:66058825 c20800 ret 08h
1000:66058828 836c240404 sub dword ptr [esp+04h], 04h
1000:6605882d 55 push ebp
1000:6605882e 8bec mov ebp, esp |
Now isn't that a very interesting instruction?
[font=Courier New]836c240404 sub dword ptr [esp+04h], 04h[/font]
not on its own, it only becomes interesting when in a position like that ... _________________ [size=75:2sg2dqh1]At first, I was irridescent. Then, I became transparent. Finally, I was absent ...
|
|
Back to top |
|
|
|
|
|
|
You can post new topics in this forum You can reply to topics in this forum You can edit your posts in this forum You can delete your posts in this forum You can vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|