DISPSRCH.TXT, 1994-03-28
DISPSIG and SRCHSIG
===================
1 What are DispSig and SrchSig?
2 How do I use DispSig?
3 How do I use SrchSig?
4 What can I do with the binary pattern file from DispSig?
5 How can I create a binary pattern file for SrchSig?
1 What are DispSig and SrchSig?
-------------------------------
SrchSig is a program to display the name of a function, given a
signature (pattern).
DispSig is a program to display a signature, given a function name.
DispSig also writes the signature to a binary file, so you can
disassemble it, or feed it to SrchSig to see whether some other signature
file contains the same pattern.
2 How do I use DispSig?
-----------------------
Just type
DispSig <SignatureFileName> <FunctionName> <BinaryFileName>
For example:
dispsig dccb2s.sig strcmp strcmp.bin
Function index 58
55 8B EC 56 57 8C D8 8E C0 FC 33 C0 8B D8 8B 7E 06 8B F7 32 C0 B9 F4
This tells us that the function was the 59th function in the
signature file (index 58, counting from zero) and that the signature
above hashes to 58 (decimal). We can see that it is a standard C
function, since it starts with "55 8B EC", which is the standard C
function prologue.
The rest of it is a bit hard to follow, but fortunately we have also
written the pattern to a binary file, strcmp.bin. See section 4 on
how to disassemble this pattern.
If I type
dispsig dcct4p.sig writeln wl.bin
I get
Function writeln not found!
In fact, there is no one function that performs the writeln function;
there are functions like WriteString, WriteInt, CrLf (Carriage
return, linefeed), and so on. DispSig is case insensitive, so:
dispsig dcct4p.sig writestring wl.bin
produces
Function WriteString index 53
55 8B EC C4 7E 0C E8 F4 F4 75 25 C5 76 08 8B 4E 06 FC AC F4 F4 2B C8
3 How do I use SrchSig?
-----------------------
Just type
srchsig <SignatureFileName> <BinaryFileName>
where BinaryFileName contains a pattern. See section 5 for how to
create one of these. For now, we can use the pattern file from the
first example:
srchsig dccb2s.sig strcmp.bin
Pattern:
55 8B EC 56 57 8C D8 8E C0 FC 33 C0 8B D8 8B 7E 06 8B F7 32 C0 B9 F4
Pattern hashed to 58 (0x3A), symbol strcmp
Pattern matched
Note that the pattern reported above need not be exactly the same as
the one we provided in <BinaryFileName>. The pattern displayed is the
wildcarded and chopped version of the pattern provided; it will have
F4s (wildcards) and possibly zeroes at the end; see the file
makedstp.txt for a simple explanation of wildcarding and chopping.
If we take the WriteString pattern from section 2 (saved here as
ws.bin) and type
srchsig dccb2s.sig ws.bin
we get
Pattern:
55 8B EC C4 7E 0C E8 F4 F4 75 25 C5 76 08 8B 4E 06 FC AC F4 F4 2B C8
Pattern hashed to 0 (0x0), symbol _IOERROR
Pattern mismatch: found following pattern
55 8B EC 56 8B 76 04 0B F6 7C 14 83 FE 58 76 03 BE F4 F4 89 36 F4 F4
300
The pattern often hashes to zero when the pattern is unknown, due to
the sparse nature of the tables used in the hash function. The first
pattern in dccb2s.sig happens to be _IOERROR, and its pattern is
completely different, apart from the first three bytes. The "300" at
the end is actually a running count of signatures searched linearly,
in case there is a problem with the hash function.
4 What can I do with the binary pattern file from DispSig?
----------------------------------------------------------
You can feed it into SrchSig; this might make sense if you wanted to
know if, e.g. the signature for printf was the same for version 2 as
it is for version 3. In this case, you would use DispSig on the
version 2 signature file, and SrchSig on the version 3 file.
You can also disassemble it, using debug (it comes with MS-DOS). For
example
debug strcmp.bin
-u100 l 17
1754:0100 55 PUSH BP
1754:0101 8BEC MOV BP,SP
1754:0103 56 PUSH SI
1754:0104 57 PUSH DI
1754:0105 8CD8 MOV AX,DS
1754:0107 8EC0 MOV ES,AX
1754:0109 FC CLD
1754:010A 33C0 XOR AX,AX
1754:010C 8BD8 MOV BX,AX
1754:010E 8B7E06 MOV DI,[BP+06]
1754:0111 8BF7 MOV SI,DI
1754:0113 32C0 XOR AL,AL
1754:0115 B9F42B MOV CX,2BF4
-q
Note that the "2B" at the end is actually past the end of the
signature (signatures are 23 bytes (17 in hex) long, so only
addresses 100-116 are valid). Remember that most 16-bit operands will
be "wildcarded" (shown as F4), so don't believe the resulting
addresses and immediate values.
5 How can I create a binary pattern file for SrchSig?
-----------------------------------------------------
Again, you can use debug. Suppose you have found an interesting piece
of code at address 05BE (this example comes from a hello world
program):
-u 5be
15FF:05BE 55 PUSH BP
15FF:05BF 8BEC MOV BP,SP
15FF:05C1 83EC08 SUB SP,+08
15FF:05C4 57 PUSH DI
15FF:05C5 56 PUSH SI
15FF:05C6 BE1E01 MOV SI,011E
15FF:05C9 8D4606 LEA AX,[BP+06]
15FF:05CC 8946FC MOV [BP-04],AX
15FF:05CF 56 PUSH SI
15FF:05D0 E8E901 CALL 07BC
15FF:05D3 83C402 ADD SP,+02
15FF:05D6 8BF8 MOV DI,AX
15FF:05D8 8D4606 LEA AX,[BP+06]
15FF:05DB 50 PUSH AX
15FF:05DC FF7604 PUSH [BP+04]
-mcs:5be l 17 cs:100
-u100 l 17
15FF:0100 55 PUSH BP
15FF:0101 8BEC MOV BP,SP
15FF:0103 83EC08 SUB SP,+08
15FF:0106 57 PUSH DI
15FF:0107 56 PUSH SI
15FF:0108 BE1E01 MOV SI,011E
15FF:010B 8D4606 LEA AX,[BP+06]
15FF:010E 8946FC MOV [BP-04],AX
15FF:0111 56 PUSH SI
15FF:0112 E8E901 CALL 02FE
15FF:0115 83C41F ADD SP,+1F
-nfoo.bin
-rcx
CX 268A
:17
-w
Writing 0017 bytes
-q
c>dir foo.bin
foo.bin 23 3-25-94 12:04
c>
The binary file has to be exactly 23 bytes long; that's why we
changed cx to the value 17 (hex 17 = decimal 23). If you are studying
a large file (> 64K) remember to set bx to 0 as well. The m (block
move) command moves the code of interest to cs:100, which is where
debug will write the file from. The "rcx" changes the length of the
save, and the "nfoo.bin" sets the name of the file to be saved. Now
we can feed this into srchsig:
srchsig dccb2s.sig foo.bin
Pattern:
55 8B EC 83 EC 08 57 56 BE F4 F4 8D 46 06 89 46 FC 56 E8 F4 F4 83 C4
Pattern hashed to 278 (0x116), symbol sleep
Pattern mismatch: found following pattern
55 8B EC 83 EC 04 56 57 8D 46 FC 50 E8 F4 F4 59 80 7E FE 5A 76 05 BF
300
Hmmm. Not a Borland C version 2 small model signature. Perhaps it's a
Microsoft C version 5 signature; running srchsig with that signature
file instead gives:
Pattern:
55 8B EC 83 EC 08 57 56 BE F4 F4 8D 46 06 89 46 FC 56 E8 F4 F4 83 C4
Pattern hashed to 31 (0x1F), symbol printf
Pattern matched
Yes, it was good old printf. Of course, there is no need for you to
guess: DCC will figure out the vendor, version number, and model for you.
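The two steps above (cutting an exact 23-byte pattern out of a program, as the debug m/rcx/w sequence in section 5 does, and comparing it against stored signatures with F4 wildcards and chopped trailing zeroes, as SrchSig does in section 3) can be shown together in a small Python script. This is an added example, not DCC's own code: the signature table is constructed from the three patterns printed on this page, the "hello world" image is constructed from the debug dump at 05BE, and lookup is a plain linear scan rather than DCC's hash function, which this file does not describe.

```python
"""Wildcard-aware signature matching (added example, not DCC's code)."""
SIG_LEN = 23        # every DCC signature is exactly 23 (0x17) bytes
WILDCARD = 0xF4     # byte DCC stores where a 16-bit operand was wildcarded


def parse_hex(s: str) -> bytes:
    return bytes(int(b, 16) for b in s.split())


# Constructed table: (name, wildcarded pattern) copied from the text above.
SIGS = [
    ("_IOERROR", parse_hex("55 8B EC 56 8B 76 04 0B F6 7C 14 83 FE 58 76 03 BE F4 F4 89 36 F4 F4")),
    ("sleep",    parse_hex("55 8B EC 83 EC 04 56 57 8D 46 FC 50 E8 F4 F4 59 80 7E FE 5A 76 05 BF")),
    ("printf",   parse_hex("55 8B EC 83 EC 08 57 56 BE F4 F4 8D 46 06 89 46 FC 56 E8 F4 F4 83 C4")),
]


def matches(sig: bytes, candidate: bytes) -> bool:
    """True if candidate agrees with sig at every non-wildcard byte.
    Trailing zeroes in sig are the 'chopped' tail and are not compared."""
    if len(sig) != SIG_LEN or len(candidate) != SIG_LEN:
        return False
    sig = sig.rstrip(b"\x00")
    return all(s == WILDCARD or s == c for s, c in zip(sig, candidate))


def extract_pattern(code: bytes, offset: int) -> bytes:
    """Equivalent of debug's 'm cs:OFF l 17 cs:100' followed by 'w':
    exactly 23 bytes, zero-padded if the image ends early."""
    chunk = code[offset:offset + SIG_LEN]
    return chunk + b"\x00" * (SIG_LEN - len(chunk))


def search(candidate: bytes):
    """Linear scan like srchsig's fallback; returns (name, count examined)."""
    for n, (name, sig) in enumerate(SIGS, 1):
        if matches(sig, candidate):
            return name, n
    return None, len(SIGS)


# Constructed image: filler so the raw bytes of the 05BE dump sit at 0x5BE.
HELLO = b"\x90" * 0x5BE + parse_hex(
    "55 8B EC 83 EC 08 57 56 BE 1E 01 8D 46 06 89 46 FC 56 E8 E9 01 83 C4 02 8B F8")

if __name__ == "__main__":
    pat = extract_pattern(HELLO, 0x5BE)
    with open("foo.bin", "wb") as f:     # same 23-byte file debug wrote
        f.write(pat)
    print(search(pat))
```

Note that the raw bytes still carry the operands 1E 01 and E9 01 where the stored printf signature has F4 F4; the match succeeds only because those positions are wildcards.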