home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Programming Win32 Under the API
/
ProgrammingWin32UnderTheApiPatVillani.iso
/
pedasm.zip
/
readme.txt
< prev
next >
Wrap
Text File
|
1998-10-23
|
6KB
|
205 lines
---------------------------------*-text-*---------------------------------
PEDasm -- win32 executable file disassember ver 0.31 october 1998
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
Copyright (C) 1997 - 1998 Nicolas Witczak <witczak@geocities.com>
Home page : http://www.geocities.com/SiliconValley/Lab/6307
--------------------------------------------------------------------------
remarks concerning the source code
==================================
Don't mail me in order to ask the following kind of questions :
- how do I recompile the sources ?
- I can't compile, my xxxcc generate xxx errors ?
- Where can I find the headers xxx ? Didn't you forget .h extensions ?
- I recompiled the sources and the generated bin hangs ?
...
overview
========
PEDasm is a Win32 command line tool wich disassemble binary files targeted
for win32 X86 plateforms. It produces on output an asm source file that can
in several case be successefully recompiled with an masm compatible assembler .
This executable may be downloaded and used freeely.
list of files from this archive
===============================
* CPP source files
+ DasmBase.cpp .h , DasmCode.cpp .h , DasmData.cpp .h
core disassembly code
+ symbol.cpp .h :
symbols type ( var function ... ) categorization
+ DasmCte.h : x86 machine code and assembly related constants
+ ExeRep.cpp .h :
ms PE file exe and dll loader specific code .
+ globals.cpp globals.h :
generic helpers
+ config.h :
plateform and compiler specific stuff
+ main.cpp :
entry point, cmd line analysis
* build file
+ Makefile : generic standard make file
* binary file :
+ PEDasm.exe : win32 executable
* text file
+ readme.txt
+ licence.txt
Command line options and output format
======================================
Given an executable inputFile.exe it produces the following files
- inputFile.asm : disassembled file
- (opt) inputFile.def : if inputFile.exe export section is not empty
this file gathers exported symbols
- various xxx.def files : one for each imported dll used by inputFile.exe
Command line options are :
-h : echos help message
-o name : override default asm output with name
-r : feed each assembly line with raw hexa content within a comment
-l : add to each assembly line its virtual address
-p integerVal : override number of pass ( default 3 )
increasing this number may help distinguish code from data when both are deeply mixed
-s : specify additional synchro point config file
file must have the following form :
[# comment]
adress data | funct | ptr [symbolName]
ex:
# override default PEDasm beheavior to consider 0x0040a478 address as data
# and name it progConstant
0x0040a478 Data progConstant
-b [+|-]bank_name : use instruction set bank_name . Not using an instruction bank prevent from
recognizing some kind of instructions. Accessible banks are : user , system , fpu , mmx
Usage -b [+]bank_name : force use of bank_name instruction set
Usage -b -bank_name : prevent use of bank_name instruction set
default -b +userX86 +fpuX86
rq : using minimal banks can help detect garbage code !
new in ver 0.31
===============
- removed some oddity in code
- moved plateform and compiler specific code to a single file "config.h"
NOTE : at this time Giuseppe Guerrini is working on a port of PEDasm for Linux
here is his mail adresse : <giusguerrini@racine.ra.it>
new in ver 0.3
==============
- added assembly instruction banks choice
- now distributed as a GNU software
new in ver 0.2
==============
- improved speed
- bug correction : better output and robustness
- explicit support for dll input
- added command line options
- user overrides file for code data mixing interpretation
example of use
===============
One must have an masm compatible assembler and a resource extractor
Provided environment variables and path are set following sequence
disassembles and reproduces calc.exe :
pedasm calc.exe -s calcConf.txt
lib -machine:I386 /out:kernel32.lib /def:kernel32.def
lib -machine:I386 /out:user32.lib /def:user32.def
lib -machine:I386 /out:shell32.lib /def:shell32.def
lib -machine:I386 /out:gdi32.lib /def:gdi32.def
ml /c /coff calc.asm
link -entry:main -out:calcdasm.exe calc.res -subsystem:windows -machine:I386 \
calc.obj kernel32.lib user32.lib shell32.lib gdi32.lib
remarks
=======
- asm generated source contains line that produces error at compilation
some examples encountered while testing :
call 0x00405c21
: pedasm missed that address -> try increase -p switch
mov al , byte ptr Unknown3800dc
: pedasm marked this symbol as Unknown because it was outside the legal adress space
of the exe while present in .reloc section
call Data4174a0
: address 0x004174a0 was wrongly interpreted as data
-> try config file with "0x004174a0 Funct" line
add byte ptr gs:[eax] , al
: obviously garbage code, only selector pointed by fs may be used
for structured exception handling and thread structures
-> try a conf file line with a "data" keyword
- text segment begin with many line like the following :
extern _imp__RegQueryValueExA : dword
RegQueryValueExA equ _imp__RegQueryValueExA
dword 0BFEC15C4h
: import dll data are usually placed in idata section but can be placed anywhere
