DISASSEMBLER W32Dasm (english)


Post by RAD on Fri Sep 01, 2006 3:51 am

1 - WHAT IS A DISASSEMBLER?

A disassembler is used to see what is inside a program (EXE, DLL). When you disassemble one, you get a listing translated into assembler code.

When a programmer writes a program, he uses instructions specific to his language (C++, Visual Basic). He saves his source code in a file and then compiles it. The compiler turns the language-specific source code into assembler, which can only be read by the same environment it was compiled for. If the program was compiled under Windows, it will only run under Windows.

So when you have an EXE on your disk, it is in assembler? If you open it with a hex editor, you will not see assembler instructions but the hexadecimal values of the instructions (e.g. NOP is 90h).

To see these assembler instructions you therefore need a disassembler, and that is what W32Dasm is for. (There is also IDA, the best when it comes to disassembly, but it is much harder to use.)

The advantage of W32Dasm is that it also has a debugging function (it lets you execute the assembler instructions step by step), which can spare us the use of SoftICE (the undisputed master of debugging).



2 - PRESENTATION: MENUS


A - DISASSEMBLER:

Open File to Disassemble:
Opens the file to disassemble.

Disassembler Options tab: Enable JUMP CONDITIONAL, JUMP UNCONDITIONAL + CALL (X reference) [default options].
These choices determine whether or not to display, above each routine, the CALLs and JUMPs that lead to it.

In this example, you can see that the address 00401A00 can be reached by a JUMP from the addresses 004019B3, 004019CC and 004019EC: "Referenced by a (U)nconditional... Jump...".
Likewise for 00401A03, with the CALL from address 004020A7: "Referenced by a Call...".
This is very important (to follow, in the disassembled listing, the flow of the program or the possible paths it could take).
Note:
If you only see unreadable characters, you need to adjust the "Font".


B - PROJECT:

Open Project File:
Opens a previously saved project file. Project files are saved automatically when you save the disassembled file. They are useful for debugging.
C - DEBUG:

Load Process:
Loads the executable into memory.

(For information: non-executables, such as DLL files, can be debugged.)

Attach to an Active Process:
This function lets you debug a program that is already running (sometimes very useful).

Note that it can only be a 32-bit program.

Toggle BreakPoint:
Only effective once the program is loaded in memory (Load Process).

Sets a breakpoint on the selected line of code (sky-blue line). A yellow dot appears when the breakpoint is active and a dark-blue one when it is disabled. The F2 key sets the breakpoint.

Run Process:
Runs the process if it has already been loaded in memory. The process runs until it hits a breakpoint, until you pause it, or until you switch to single-stepping.

Pause Process:
Stops (suspends) the running process.

Goto Current EIP:
Goes straight to the address the process is currently pointing to, and thus to its current instruction.

Single Step Thru:
Line-by-line tracing without entering subroutines (CALLs).

Single Step Into:
Line-by-line tracing, entering subroutines (CALLs).

Single Auto Step Thru:
Automatic tracing without entering subroutines (CALLs).

Single Auto Step Into:
Automatic tracing, entering subroutines (CALLs).

Terminate Process:
Ends the process being debugged.

Debugger Options:
Do not enable (for now) "Debug only this process" and "Display program generated exceptions".


D - SEARCH:

Find Text:
Useful for searching for a string of characters of any kind. (F3 to find the next occurrence)

E - GOTO:

Goto Code Start: go to the first line of the disassembled code (Ctrl S).
Goto Program Entry Point: go to the first line where the program starts (F10).
Goto Page: go to the desired page (all the indications are at the bottom of the window as you move around the program) (F11). A function that is rarely used!
Goto Code Location: go to the desired memory address (in 32-bit: Code offset address) (in 16-bit: Code segment + Code offset) (Shift F12).


F - EXECUTE TEXT:

When studying a program in the disassembled listing, when you are on a CALL or a JUMP (highlighted in green/yellow): to simulate a CALL or a JUMP, just position yourself on the instruction and press RIGHT ARROW, and you go automatically to the indicated address (there are also the Jump To and Call buttons). To simulate the RET, use LEFT ARROW.
G - FUNCTIONS:

- The imports are the functions or procedures belonging to the currently disassembled file that can be called by an external program or module. They are mainly the Windows APIs (shown in blue in the listing): very useful, and you can also set BPX on them. View them for each program: they can be very useful if you want to debug with SoftICE.
- The exports are exactly the opposite: they are the functions or procedures belonging to other files (DLL, VXD or DRV...) that are currently called by the disassembled file. Here you have all the files to which the program sends (exports) information.



H - HEX DATA:

The representation of the program in hexadecimal.
I - REFS:

- Menu references: display of the program's menus.
- Dialog references: display of the program's dialogs.

String Data references: display of the strings that comment on the program's operation. These are markers placed by the program's author to find his way around, and they are quite useful to us. It is with these markers that W32Dasm is brilliant. The principle is to note down all the contents of the dialog boxes during normal use of the program (e.g. "Your evaluation period has expired; please register." etc.) and then to find, among these "String Data...", the same sentences, or at least something close, so as to end up in the routine that creates those dialog boxes.
Double-clicking on any line takes you directly to the corresponding line in the listing (check whether there are several). Note that some of these menus may be absent depending on the type of program.



3 - USE:

Opening the file to work on:

A session always begins with a disassembly, immediately followed by saving the text and creating a project file, which spares us any later loss of time, because the disassembly step can sometimes take a few minutes. After that, the previously saved project is simply reloaded (the default file names are perfectly fine).



A - THE DISASSEMBLY

Open "Disassembler" > "Open File To Disassemble", select your program...
Double-click it or click "Open".
The disassembly process starts.
If you see, at the bottom, the disassembly proceeding line by line, it is probably a 16-bit program: W32Dasm will only be able to disassemble it, not debug it.
If, on the other hand, you see the procedure going "Pre processing. Processing Call. Processing Jmp. Disassemble.", it is a 32-bit program and debugging is possible (depending on the size of the program it can take a while: sometimes 15 min., but that is rare).

The program listing appears.
Next, it should be saved: Save Disassembly Text File and Create Project File.
A file of the disassembled program with the extension ALF is created in a directory named Wpjfiles, which you can read with any text editor, along with a project file with the extension WPJ which you will need to launch the debugger (also in the Wpjfiles directory).
Already, with the "String Data Ref.", you can try to locate some important routines according to the goal you are after.
After clicking the "Stn Ref" button, you can double-click on a string and find the code that references it (at least in most cases). Do not forget to double-click several times, because the same string may be referenced from other places.
Open "Goto" > "Goto Program Entry Point": you are on the first line of the program.
As you move around, you can at any time double-click on a line of code, which brings up a blue line with, at the bottom of the window, the offset of the code in the disassembled file (very useful for patching later).

You can see that the offset given by W32Dasm is 00002F65h.
The small h (for hex) next to the offset is of no use to you; ignore it.
And all the zeros before the first digit, you can ignore them too.
So you end up with an offset of 2F65.



At this point you can, if you are an assembler "pro" or have a lot of patience, trace the program by hand (with the keyboard's up and down arrow keys): the "Dead Listing" method. Fortunately there is the debugger.
The generated text cannot be edited directly in W32Dasm. The copy/paste function is not directly accessible either.
To copy part of the text, click in the left margin of the first line, then SHIFT-click in the left margin of the last line, so that a series of red dots appears in front of the selected lines. Then click the "copy" icon or press CTRL-C. This selection can also be printed (print icon).

B - THE DEBUGGING

If you want to debug a disassembled program that you have already saved:
Open "Project" > "Open Project File": you should see "yourprogram.wpj".
Double-click it.
Open "Debug" > "Load Process".
W32Dasm may ask you to enter a command line (useful for passing parameters). If you have no parameters to pass (most cases), simply click Load (or untick the "enable command line" option in the Debugger Options menu).
Two additional windows open: the trace window and the window that displays the "information, data, parameters, etc." that pass through the processor's registers.

a) The trace window.

AutoStep Into (F5): automatic tracing, entering CALLs.
AutoStep Over (F6): automatic tracing, not entering CALLs.
Step Into (F7): line-by-line tracing, entering CALLs.
Step Over (F8): line-by-line tracing, not entering CALLs.
Pause: stops the tracing (useful for stopping AutoStep...).
The "API" button in the control window brings up the "API details" window (with the parameters passed and so on) when you are on a call and have not ticked the "enable undoc api" and/or "enable local func details" box(es).
So, when you are on the call, tick the appropriate box and click "API".
You will notice that when you trace line by line (or in auto), the lines you pass through turn red in the listing, which can be very useful to you.
When single-stepping, you can see all the parameters passed to a subroutine by ticking the "enable undoc api details" and "enable local functions details" boxes on the control panel.
This feature is very important and, apart from its practicality, far surpasses SoftICE in user-friendliness. So, when you arrive on a call, a window opens showing the parameters passed.
You can also read the return parameters directly by clicking "API Get Result", which executes the call (step over).

Run (F9): normal launch of the program (still under W32Dasm's control). The modifications you have made will be taken into account, as will the BPXs (but not actually in the program file).
Goto Address: go directly to a desired address.
Breakpoints (BPX) are set with the F2 key (a small yellow square appears to the left of the line concerned in the listing, and a star in the trace window).
To set a breakpoint, you can also look up (the "Imp Fn" icon) the calls to a desired function (for example MessageBoxA...) and set a breakpoint (ctrl-click in the left margin) on all these calls.
Patch Code: opens a window to modify an instruction temporarily.
To modify the software, do "Patch Code" on the control panel.
The window that lets you enter the assembler code of your modification then appears; then just do "Apply Patch" to see your program modified (control panel). Of course, in the main window containing the initial disassembly, the modification does not appear, because that text is frozen.
So the patch acts on the software running in memory.

On exiting W32Dasm or the debugger mode ("Terminate" on the control panel), the patch is lost.



b) Modifying an instruction in the "PATCH CODE" window

EIP: the address where you are and its instruction.
Note, by looking at the trace window, the address of the next instruction.
Enter New Instruction Below: type your new instruction and press Enter.
An error message is displayed if the new code is not valid.
Your new instruction appears in the large window below, titled Code Patch Listing (in ASM and hex).
The next address (and instruction) then appears in EIP. Important: there is a good chance that the new instruction you entered does not have the same size in memory as the one you replaced. If it is smaller, you absolutely must compensate with NOPs in order to land on the same next instruction. Do not enter an instruction of larger size. If the size is the same: OK.
Note the hex code (it will be useful for the real modification in a hex editor).
Continue your modifications if you have other lines to modify. They are added one after another in the large window.
Clear Patch: erases all your modifications (back to the initial state).
Remove Last Line: erases the last line entered.
Apply Patch: applies your modifications (with confirmation).
Close: closes the window (with confirmation).
(END OF THE PATCH.)

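The size rule above (same size as the replaced instruction, pad with NOP = 90h if shorter, never larger) as a check you can run before touching bytes in a hex editor. This is an added example, not code from the original post or from W32Dasm; the instruction bytes and the file image it works on are constructed for illustration, and the offset 2F65h is the one quoted earlier in the post.

```python
# Added example (not part of the original post): the Patch Code window's
# size rule as a pre-check.  All byte values here are constructed.
NOP = 0x90  # NOP is 90h, as the post says


def patch_fits(original: bytes, replacement: bytes) -> bool:
    """True when the replacement is no larger than the instruction it replaces."""
    return len(replacement) <= len(original)


def build_patch(original: bytes, replacement: bytes) -> bytes:
    """Return the replacement padded with NOPs to the size of the original.

    A larger replacement is refused: it would overwrite the start of the
    following instruction, which is exactly what the post warns against.
    """
    if not patch_fits(original, replacement):
        raise ValueError(
            f"replacement is {len(replacement)} bytes, original only "
            f"{len(original)}: a larger instruction does not fit")
    return replacement + bytes([NOP]) * (len(original) - len(replacement))


def apply_patch(image: bytes, offset: int, original: bytes, replacement: bytes) -> bytes:
    """Write the padded patch at offset, but only if the bytes already there
    are exactly the original (guards against a mistyped offset)."""
    patch = build_patch(original, replacement)
    found = image[offset:offset + len(original)]
    if found != original:
        raise ValueError(
            f"bytes at {offset:#x} are {found.hex()}, expected {original.hex()}")
    return image[:offset] + patch + image[offset + len(patch):]


def parse_w32dasm_offset(text: str) -> int:
    """Turn W32Dasm's '00002F65h' into the integer file offset 0x2F65."""
    return int(text.rstrip("hH"), 16)


def example() -> str:
    """Constructed walk-through: a 6-byte instruction at offset 2F65h is
    replaced by a 5-byte one, so one NOP is appended.  Returns the hex of
    the six patched bytes."""
    offset = parse_w32dasm_offset("00002F65h")
    original = bytes.fromhex("aabbccddeeff")   # constructed 6-byte instruction
    replacement = bytes.fromhex("1122334455")  # constructed 5-byte instruction
    image = bytearray(0x3000)                  # constructed file image
    image[offset:offset + len(original)] = original
    patched = apply_patch(bytes(image), offset, original, replacement)
    assert len(patched) == len(image)          # size of the file never changes
    return patched[offset:offset + len(original)].hex()


if __name__ == "__main__":
    print(example())
```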
Terminate: stops the debugger (becomes "Close" once the program has stopped).
I remind you that at this point you will lose your patch.


c) The window containing the registers.

In the center you see everything that "passes" through the processor's registers, "Source for Data Disp 1" (EAX, EBX, ECX, EDX, ESI, EDI, EBP and EIP, the latter being the memory address where you are), as in the box at the top left. You will see them change as the tracing progresses.
So look at them at the important moments of the tracing, in particular at the time of a comparison.
- A calculator for hex/dec conversions is useful (one is included as a utility in Hworks32).

You also have the "Oper" button (almost at the bottom left) which, when active, shows you the contents of the operands: important, for example, to know whether the conditional jumps will be taken or not.
The two lines at the bottom show you the state of the process (in the illustrated case, "Nonfatal Access Violation" = crash...).
The "Bpts" box shows you the BPXs you have set. "Clear" removes them.
In the status window you see the list of breakpoint addresses with a "*" indicating that the breakpoint is active. You can disable one by right-clicking on it, and the "*" disappears. You can also erase all the breakpoints with "Clear", enable them all with "AA" or disable them all with "DA". The "Copy" button copies all the breakpoints to the clipboard (the reverse would have been surprising...).
Below, "Active DLLs": the DLLs active while the program runs.
Note also that you can examine the contents of two memory locations (UA1 and UA2).
Disp 2 is used to display the contents of the contents. That is, if EAX=400000, with Disp 1 you can look at what memory area 400000 contains by selecting EAX, and if 400000 itself contains an address, e.g. 420000, then Disp 2 will display the contents of 420000 (if "Disp 1 = source of Disp 2" is selected). Sometimes useful for seeing the contents of pointers to indexes, or the reverse.
By selecting "Oper" as the source of Disp 2, you see the values of the different operands pointed to by EIP (very useful).

Under Disp 2 you notice two copyable lines (Copy): the first contains the step-by-step progress of your "cracking session" and the second the software's activity (process creation, DLL loading...). (NB: by doing "Copy" on these lines you copy the whole contents of the session, not just one line.)

To modify a flag or a memory location, use the "Modify Data" button on the status panel.
The corresponding window appears with, at the top, all the flags, modifiable by a simple click, and in the center the list of the different registers (EIP included) as well as a memory location.
To modify a register or a memory location, the procedure is the same:

- choose the format (dword, word or byte)

- type the value (there is a bug in version 8.93 that only lets you type 7 characters)

- apply the value by clicking on the selected register (if you make a mistake, you return to the initial position by clicking "R").

The address of the memory location to modify is at the bottom of the window.
Do not forget, on leaving, to click "Modify" to apply the modification.
To return to the starting point, use the "Goto Current EIP" button of the status window.
With version 8.93 there is another bug: after modifying a register or a flag, you cannot resume in single-step mode (F7). W32Dasm executes F9 (Run).
It is also possible that your version of W32Dasm cannot read the String Data of VB programs; in that case, get a patch on the Net that makes it possible!






Reminder: here is a short reminder of the registers and flags, which will be very useful to you in interpreting W32Dasm's windows.

Flags:

- O D I T S Z A P C -

OF: Overflow = makes it possible to detect and correct certain errors produced by arithmetic instructions. Very useful for avoiding crashes. If OF=1, we are dealing with an overflow.

DF: Direction = this flag indicates how to move the pointers (references) during string instructions (either positively or negatively).

IF: Interrupt = removes from the processor the ability to handle interrupts.

If IF=0, the processor does not respond to them, and if IF=1 it is the opposite.

TF: Trap = step-by-step execution.

SF: Sign = simply, its value goes to 1 if we have a signed result (negative or positive).

ZF: Zero = this is the Zero Flag, which is set to one when a result equals 0. Often used for various operations, it is useful for avoiding problems with divisions (I remind you that dividing by zero is impossible).

AF: Auxiliary carry = AF is the auxiliary carry, which resembles CF.

PF: Parity = the value of this flag is 1 if the number of bits of an operand (parameter of an instruction) is even.

CF: Carry = in arithmetic operations, it happens that the result of the operation is coded on a greater number of bits. The excess bit is placed in CF.

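How a comparison sets the flags listed above, and how that decides whether a conditional jump is taken (the question the "Oper" button answers in the registers window). This is an added example, not code from the original post: it emulates a 32-bit CMP (a subtraction whose result is discarded) and the flag tests behind the common Jcc mnemonics; the sample operand values are constructed.

```python
# Added example (not part of the original post): 32-bit CMP flag emulation
# and the flag tests used by the conditional jumps.  Operand values are
# constructed for illustration.
MASK32 = 0xFFFFFFFF


def parity_even(value: int) -> bool:
    """PF looks only at the low byte: set when it has an even number of 1 bits."""
    return bin(value & 0xFF).count("1") % 2 == 0


def cmp32(dst: int, src: int) -> dict:
    """Emulate CMP dst, src (computes dst - src, keeps only the flags)."""
    dst &= MASK32
    src &= MASK32
    result = (dst - src) & MASK32
    sign_dst, sign_src, sign_res = dst >> 31, src >> 31, result >> 31
    return {
        "CF": dst < src,                        # unsigned borrow out of bit 31
        "ZF": result == 0,                      # operands were equal
        "SF": sign_res == 1,                    # result negative as signed
        "AF": (dst & 0xF) < (src & 0xF),        # borrow out of the low nibble
        "PF": parity_even(result),
        # signed overflow: operands of different sign and result sign != dst sign
        "OF": sign_dst != sign_src and sign_res != sign_dst,
    }


# Flag conditions for the usual conditional jumps after CMP dst, src.
JUMPS = {
    "JZ/JE":   lambda f: f["ZF"],                       # dst == src
    "JNZ/JNE": lambda f: not f["ZF"],                   # dst != src
    "JB/JC":   lambda f: f["CF"],                       # dst <  src (unsigned)
    "JAE/JNC": lambda f: not f["CF"],                   # dst >= src (unsigned)
    "JA":      lambda f: not f["CF"] and not f["ZF"],   # dst >  src (unsigned)
    "JBE":     lambda f: f["CF"] or f["ZF"],            # dst <= src (unsigned)
    "JL":      lambda f: f["SF"] != f["OF"],            # dst <  src (signed)
    "JGE":     lambda f: f["SF"] == f["OF"],            # dst >= src (signed)
    "JLE":     lambda f: f["ZF"] or f["SF"] != f["OF"], # dst <= src (signed)
    "JG":      lambda f: not f["ZF"] and f["SF"] == f["OF"],  # dst > src (signed)
}


def taken(mnemonic: str, flags: dict) -> bool:
    """Would this conditional jump be taken with the given flags?"""
    return JUMPS[mnemonic](flags)


def taken_jumps(dst: int, src: int) -> list:
    """All jumps that would be taken right after CMP dst, src."""
    flags = cmp32(dst, src)
    return [m for m, cond in JUMPS.items() if cond(flags)]


if __name__ == "__main__":
    # 80000000h is the most negative signed dword but a large unsigned one:
    # JL is taken (signed view) while JB is not (unsigned view).
    print(taken_jumps(0x80000000, 1))
```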

Segment registers:

CS: Code Segment = this register indicates the address of the start of a program's or a subroutine's instructions.

DS: Data Segment = this register contains the address of the start of your program's data. If your program uses several data segments, this value will have to be modified during its execution.

ES: Extra Segment = this register is used by default by certain block-copy instructions. Apart from these instructions, the programmer is free to use it as he sees fit.

SS: Stack Segment = it points to an area called the stack.

FS: additional segment
GS: additional segment = these two registers have a role very similar to that of the ES segment.

General registers:

EIP: Instruction Pointer: associated with the segment register CS (CS:IP) to indicate the next instruction to execute. This register can never be modified directly; it is modified indirectly by jump instructions, subroutines and interrupts.

EAX: Accumulator = used in arithmetic operations.

EBX: Base = used in different ways depending on the addressing modes, but usually used in arithmetic operations.

ECX: Counter = used in loops (LOOP).

EDX: Data = used in arithmetic operations.

ESI: Source Index = used in operations on character strings; it is associated with the segment register DS.

EDI: Destination Index = used in operations on character strings; it is normally associated with the segment register DS; in the case of string handling, it is associated with ES.

ESP: Stack Pointer = associated with the segment register SS (SS:SP) to indicate the last element of the stack.

EBP: Base Pointer = associated with the segment register SS (SS:BP) to access data on the stack during subroutine calls (CALL).




RAD. Now it's your turn to play :twisted: :twisted: 8)

