flat assembler
Message board for the users of flat assembler.
Mat Qua sar 20 Jun 2025, 08:21
Further discussion from https://board.flatassembler.net/topic.php?p=244745#244745, here is the new topic for it.

Core i7 wrote: ..yes, in WinDBG you only need to open *.exe files

Win10 22H2, WinDbg 10.0.22621.3233 X86. The "!lmi kernel32" displays successfully. And I got these folders in C:\Symbols:

Code:
 Volume in drive C has no label.
 Volume Serial Number is C2E5-895D

 Directory of C:\Symbols

20/06/2025  03:12 PM    <DIR>          .
20/06/2025  03:12 PM    <DIR>          ..
20/06/2025  03:12 PM    <DIR>          msvcp_win.pdb
20/06/2025  03:09 PM                 0 pingme.txt
20/06/2025  03:12 PM    <DIR>          ucrtbase.pdb
20/06/2025  03:12 PM    <DIR>          wgdi32.pdb
20/06/2025  03:12 PM    <DIR>          wgdi32full.pdb
20/06/2025  03:12 PM    <DIR>          wkernel32.pdb
20/06/2025  03:12 PM    <DIR>          wkernelbase.pdb
20/06/2025  03:09 PM    <DIR>          wntdll.pdb
20/06/2025  03:12 PM    <DIR>          wuser32.pdb
20/06/2025  03:12 PM    <DIR>          wwin32u.pdb

But "uf GetTickCount" still doesn't work. Same error.
Core i7 20 Jun 2025, 08:46
No, you don't need to repeat it - this is only for the first time.
Well, there seem to be symbols for the standard DLLs User32/Kernel32. Maybe you're entering the name incorrectly?

Code:
0:000> g                         ;<---- Run debug
0:000> bp @$exentry              ;<---- Set BP on EntryPoint
0:000:x86> g                     ;<---- Run debug
Breakpoint 0 hit
image00000000_00400000+0x5000:
00405000 ff1564714000    call    dword ptr [image00000000_00400000+0x7164 (00407164)] ds:002b:00407164={shell32!IsUserAnAdmin (75ae445d)}
0:000:x86> x kernel32!*GetTickCount*   ;<----- Find API in library
769a111c kernel32!GetTickCountStub = <no type information>
769a0c40 kernel32!_imp__GetTickCount = <no type information>
769bd72f kernel32!GetTickCount64Stub = <no type information>
769a0c00 kernel32!_imp__GetTickCount64 = <no type information>
769bd736 kernel32!GetTickCount64 = <no type information>
769a1123 kernel32!GetTickCount = <no type information>
0:000:x86> uf GetTickCount64     ;<----- Unassemble
KERNELBASE!GetTickCount64:
750f906d eb02            jmp     KERNELBASE!GetTickCount64+0x4 (750f9071)
KERNELBASE!GetTickCount64+0x2:
750f906f f390            pause
KERNELBASE!GetTickCount64+0x4:
750f9071 8b0d2403fe7f    mov     ecx,dword ptr [SharedUserData+0x324 (7ffe0324)]
750f9077 8b152003fe7f    mov     edx,dword ptr [SharedUserData+0x320 (7ffe0320)]
750f907d a12803fe7f      mov     eax,dword ptr [SharedUserData+0x328 (7ffe0328)]
750f9082 3bc8            cmp     ecx,eax
750f9084 75e9            jne     KERNELBASE!GetTickCount64+0x2 (750f906f)
KERNELBASE!GetTickCount64+0x19:
750f9086 a10400fe7f      mov     eax,dword ptr [SharedUserData+0x4 (7ffe0004)]
750f908b f7e2            mul     eax,edx
750f908d 0facd018        shrd    eax,edx,18h
750f9091 56              push    esi
750f9092 57              push    edi
750f9093 c1ea18          shr     edx,18h
750f9096 8bf0            mov     esi,eax
750f9098 a10400fe7f      mov     eax,dword ptr [SharedUserData+0x4 (7ffe0004)]
750f909d 8bfa            mov     edi,edx
750f909f f7e1            mul     eax,ecx
750f90a1 6a00            push    0
750f90a3 6800010000      push    100h
750f90a8 52              push    edx
750f90a9 50              push    eax
750f90aa e80be50200      call    KERNELBASE!_allmul (751275ba)
750f90af 03f0            add     esi,eax
750f90b1 13fa            adc     edi,edx
750f90b3 8bd7            mov     edx,edi
750f90b5 5f              pop     edi
750f90b6 8bc6            mov     eax,esi
750f90b8 5e              pop     esi
750f90b9 c3              ret
Mat Qua sar 20 Jun 2025, 09:02
Thanks for helping me so far, I almost gave up.
I got "No runnable debuggees error in 'g'" even if I set the breakpoint to the entry point or 0x401000 (in i.exe). The "x" command seems to work, but "uf" doesn't work.
Mat Qua sar 20 Jun 2025, 09:12
Actually I used your "bp @$exentry" too, with the same result: "g" can run for the first time only.

Code:
0:000> g
ModLoad: 75790000 757b5000   C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 747d0000 74844000   C:\Windows\SysWOW64\uxtheme.dll
ModLoad: 75820000 758df000   C:\Windows\SysWOW64\msvcrt.dll
ModLoad: 75b80000 75e00000   C:\Windows\SysWOW64\combase.dll
ModLoad: 76310000 763cc000   C:\Windows\SysWOW64\RPCRT4.dll
ModLoad: 76700000 767d4000   C:\Windows\SysWOW64\MSCTF.dll
ModLoad: 765d0000 76666000   C:\Windows\SysWOW64\OLEAUT32.dll
ModLoad: 75e00000 75e77000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 76270000 76289000   C:\Windows\SysWOW64\bcrypt.dll
ModLoad: 74850000 7485f000   C:\Windows\SysWOW64\kernel.appcore.dll
ModLoad: 75a20000 75a7f000   C:\Windows\SysWOW64\bcryptPrimitives.dll
ModLoad: 743c0000 74479000   C:\Windows\SysWOW64\textinputframework.dll
ModLoad: 74140000 743bf000   C:\Windows\SysWOW64\CoreUIComponents.dll
ModLoad: 74070000 74099000   C:\Windows\SysWOW64\ntmarta.dll
ModLoad: 76670000 766f7000   C:\Windows\SysWOW64\SHCORE.dll
ModLoad: 76290000 7630d000   C:\Windows\SysWOW64\advapi32.dll
ModLoad: 740a0000 7413b000   C:\Windows\SysWOW64\CoreMessaging.dll
ModLoad: 761f0000 76253000   C:\Windows\SysWOW64\WS2_32.dll
ModLoad: 73f90000 7406d000   C:\Windows\SysWOW64\wintypes.dll
ModLoad: 74480000 74515000   C:\Windows\SysWOW64\TextShaping.dll
ModLoad: 760e0000 761c3000   C:\Windows\SysWOW64\ole32.dll
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=77665b40
eip=775b34ac esp=000dfe7c ebp=000dff54 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!NtTerminateProcess+0xc:
775b34ac c20800          ret     8
0:000> g
        ^ No runnable debuggees error in 'g'
0:000> g
        ^ No runnable debuggees error in 'g'
0:000> bp @$exentry
0:000> g
        ^ No runnable debuggees error in 'g'
Mat Qua sar 20 Jun 2025, 09:20
But this works:
Code:
0:000> uf GetTickCount64Kernel32
KERNEL32!GetTickCount64Kernel32:
75aacc60 8bff            mov     edi,edi
75aacc62 55              push    ebp
75aacc63 8bec            mov     ebp,esp
75aacc65 51              push    ecx
75aacc66 53              push    ebx
75aacc67 56              push    esi
75aacc68 57              push    edi
75aacc69 8b3d0400fe7f    mov     edi,dword ptr [SharedUserData+0x4 (7ffe0004)]
75aacc6f ba2403fe7f      mov     edx,offset SharedUserData+0x324 (7ffe0324)
75aacc74 897dfc          mov     dword ptr [ebp-4],edi
75aacc77 be2003fe7f      mov     esi,offset SharedUserData!SystemCallStub+0x20 (7ffe0320)
75aacc7c bf2803fe7f      mov     edi,offset SharedUserData+0x328 (7ffe0328)
KERNEL32!GetTickCount64Kernel32+0x21:
75aacc81 8b02            mov     eax,dword ptr [edx]
75aacc83 8b1e            mov     ebx,dword ptr [esi]
75aacc85 8b0f            mov     ecx,dword ptr [edi]
75aacc87 3bc1            cmp     eax,ecx
75aacc89 7525            jne     KERNEL32!GetTickCount64Kernel32+0x50 (75aaccb0)  Branch
KERNEL32!GetTickCount64Kernel32+0x2b:
75aacc8b f765fc          mul     eax,dword ptr [ebp-4]
75aacc8e 5f              pop     edi
75aacc8f 8bc8            mov     ecx,eax
75aacc91 8bf2            mov     esi,edx
75aacc93 8bc3            mov     eax,ebx
75aacc95 f765fc          mul     eax,dword ptr [ebp-4]
75aacc98 0fa4ce08        shld    esi,ecx,8
75aacc9c 0facd018        shrd    eax,edx,18h
75aacca0 c1e108          shl     ecx,8
75aacca3 c1ea18          shr     edx,18h
75aacca6 03c1            add     eax,ecx
75aacca8 13d6            adc     edx,esi
75aaccaa 5e              pop     esi
75aaccab 5b              pop     ebx
75aaccac 8be5            mov     esp,ebp
75aaccae 5d              pop     ebp
75aaccaf c3              ret
KERNEL32!GetTickCount64Kernel32+0x50:
75aaccb0 f390            pause
75aaccb2 ebcd            jmp     KERNEL32!GetTickCount64Kernel32+0x21 (75aacc81)  Branch

Strange, it is a different name.
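As an added example (not code from this thread or from Windows), here is a C reconstruction of what both listings compute, Core i7's KERNELBASE!GetTickCount64 and the KERNEL32!GetTickCount64Kernel32 listing just above: a consistent read of the KSYSTEM_TIME at SharedUserData+0x320 (retried while the two high words differ, which is the cmp/jne/pause loop), then the fixed-point multiply by the value at SharedUserData+0x4 that the shrd/shr by 18h and the multiply by 100h implement. The field names, the retry bound, the 15.625 ms multiplier value and the sample tick counts are assumptions or constructed; only the offsets and the arithmetic come from the listings.

```c
#include <stdint.h>
#include <stdio.h>

/* KSYSTEM_TIME as laid out at SharedUserData+0x320 in the listings (assumed names). */
typedef struct {
    uint32_t LowPart;   /* +0x320, read into edx */
    int32_t  High1Time; /* +0x324, read into ecx */
    int32_t  High2Time; /* +0x328, read into eax; equals High1Time when stable */
} KSYSTEM_TIME;
typedef struct { uint64_t ticks; unsigned retries; } TickSnapshot;

/* Consistent 64-bit read, retrying like the cmp/jne/pause loop at
 * GetTickCount64+0x2. The retry bound is a constructed safety limit. */
static TickSnapshot read_tick_count(const volatile KSYSTEM_TIME *t)
{
    TickSnapshot s = { 0, 0 };
    for (;;) {
        int32_t hi1 = t->High1Time;  /* ecx */
        uint32_t lo = t->LowPart;    /* edx */
        int32_t hi2 = t->High2Time;  /* eax */
        if (hi1 == hi2 || s.retries == 1000) {
            s.ticks = ((uint64_t)(uint32_t)hi1 << 32) | lo;
            return s;
        }
        s.retries++;
    }
}

/* The arithmetic from the listing: the dword at SharedUserData+0x4 is
 * milliseconds-per-tick in 8.24 fixed point, hence the shift by 18h:
 *   ms = (mult*low) >> 24  +  (mult*high) << 8   (shrd/shr, then _allmul by 100h).
 * GetTickCount itself is just the low 32 bits of this value. */
static uint64_t tick_count_64(uint64_t ticks, uint32_t mult)
{
    uint64_t lo = (uint64_t)(uint32_t)ticks * mult;
    uint64_t hi = (uint64_t)(uint32_t)(ticks >> 32) * mult;
    return (lo >> 24) + (hi << 8);
}

int main(void)
{
    /* Constructed: multiplier for a 15.625 ms interval (15.625 * 2^24 = 0FA00000h)
     * and a snapshot of 64 ticks, which should give 1000 ms. */
    KSYSTEM_TIME t = { 64, 0, 0 };
    TickSnapshot s = read_tick_count(&t);
    printf("ticks=%llu retries=%u ms=%llu\n", (unsigned long long)s.ticks,
           s.retries, (unsigned long long)tick_count_64(s.ticks, 0x0FA00000u));
    return 0;
}
```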
Core i7 20 Jun 2025, 09:23
Try this guide, and see whether there are errors or not.
https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg
Mat Qua sar 20 Jun 2025, 09:33
Core i7 wrote: try this guide, will there be errors or not.

Thanks once again for your help so far, I think I will just stop here. The "uf" is working for "ReadFile" and "GetStdHandle", just that for GetTickCount, I must enter "uf /i GetTickCount64Kernel32". Only one Google search result was returned for "GetTickCount64Kernel32", I mean the whole Internet doesn't document this anywhere.
revolution 20 Jun 2025, 09:37
The public API name is GetTickCount. All the other names are internal functions. Those names can/will/do change for different versions of Windows. Don't rely on them. Using non-public APIs is fraught with problems.
Mat Qua sar 20 Jun 2025, 09:41
Thank you @Core i7, now I can unassemble Win32 API functions by first using "x" to examine the symbols.
Nice to read Win32 API function code....
Mat Qua sar 20 Jun 2025, 09:42
revolution wrote: The public API name is GetTickCount. All the other names are internal functions. Those names can/will/do change for different versions of Windows. Don't rely on them. Using non-public APIs is fraught with problems.

Thanks for your reminder, @revolution... I still wonder why there is no "GetTickCount" in my WinDbg session when examining symbols ("x" command).
Mat Qua sar 20 Jun 2025, 10:12
Good news! Now works, in both x86 and x64.
Core i7 20 Jun 2025, 10:15
For "uf" there are 2 useful switches: /i (instruction count) and /c (calls only).
The latter helps to determine the nesting of calls, for example:

Code:
0:000:x86> uf /i /c CreateFileA
KERNELBASE!CreateFileA (7510c90b), 30 instructions   ;<---------
  KERNELBASE!CreateFileA+0xe (7510c919): call to KERNELBASE!Basep8BitStringToDynamicUnicodeString (75127cbf)
  KERNELBASE!CreateFileA+0x32 (7510c93d): call to KERNELBASE!CreateFileW (7510c470)
  KERNELBASE!CreateFileA+0x3d (7510c948): call to ntdll32!RtlFreeAnsiString (76ebe266)
Mat Qua sar 20 Jun 2025, 10:17
Noted with thanks.
Mat Qua sar 20 Jun 2025, 10:23
Let me summarize how to unassemble a Win32 API function.
(Build symbols first, as suggested by @Core i7, then the below follows....)

1) Open an executable
2) Run "g"
3) Type "x kernel32!" (or "x user32!")
4) Type "uf XXXXXX", with XXXXXX being the kernel32 API function you want
a 21 Jun 2025, 08:20
Mat, how many accounts do you have?
• https://board.flatassembler.net/search.php?search_author=Mat_Quasar
• https://board.flatassembler.net/search.php?search_author=Mat-Quasar
• https://board.flatassembler.net/search.php?search_author=Mat+Quasar
• https://board.flatassembler.net/search.php?search_author=Mat+Qua+sar
• https://board.flatassembler.net/search.php?search_author=Mat%20Quasar
• https://board.flatassembler.net/search.php?search_author=MatQuasar2
• https://board.flatassembler.net/search.php?search_author=MatQuasar3
• https://board.flatassembler.net/search.php?search_author=Quasar
Mat Qua sar 21 Jun 2025, 09:34
a wrote: Mat, how many accounts do you have?

That's terrific (except the last one, Quasar is not me). This is because, as some have said, I have account-deletion OCD, a sort of mental hygiene. I am sorry if that disrupts the forum's operation and leaves a lasting impression on members' mental notes. This also happens in at least two other forums I joined. But there is more than just Mat*Quasar*: when I first joined, I used FlierMate, and there are many variations in user name surrounding F?ier*Mate* too.
a 21 Jun 2025, 16:18
Apparently those 2 pages show the same user:
https://board.flatassembler.net/search.php?search_author=Mat%20Quasar
https://board.flatassembler.net/search.php?search_author=Mat+Quasar

And Mat_Quasar doesn't exist, it just shows those 2 different users:
- Mat+Quasar
- Mat-Quasar
https://board.flatassembler.net/search.php?search_author=Mat_Quasar
a 21 Jun 2025, 16:18
Here is the complete list:
• https://board.flatassembler.net/search.php?search_author=MatQuasar
• https://board.flatassembler.net/search.php?search_author=MatQuasar2
• https://board.flatassembler.net/search.php?search_author=MatQuasar3
• https://board.flatassembler.net/search.php?search_author=Mat+Quasar
• https://board.flatassembler.net/search.php?search_author=Mat-Quasar
• https://board.flatassembler.net/search.php?search_author=Mat+Qua+sar
• https://board.flatassembler.net/search.php?search_author=FlierMate1
• https://board.flatassembler.net/search.php?search_author=FlierMate2
• https://board.flatassembler.net/search.php?search_author=FlierMate7
• https://board.flatassembler.net/search.php?search_author=FlierMate11
• https://board.flatassembler.net/search.php?search_author=FlierMateI
• https://board.flatassembler.net/search.php?search_author=flier+mate
• https://board.flatassembler.net/search.php?search_author=Flier-Mate
• https://board.flatassembler.net/search.php?search_author=FlierMate
• https://board.flatassembler.net/search.php?search_author=FIierMate

I have successfully wasted my time.

If you got any more usernames, tell me, I collect those.

Will exchange this one with anyone for a legendary:
https://board.flatassembler.net/search.php?search_author=FlierMate11

This one is a rare edition:
https://board.flatassembler.net/search.php?search_author=FIierMate
I will sell it for 50$
a 22 Jun 2025, 12:43
Mat Qua sar wrote:
Also, I made a browser bookmark that logs you in automatically, you just click on it.

2. Paste this text into the URL field:

Code:
javascript:A=document.querySelectorAll("[name=username],[name=password],[name=login]");A[0].value="PUT_USERNAME_HERE";A[1].value="PUT_PASSWORD_HERE";A[2].click()

4. Replace the text "PUT_PASSWORD_HERE" with the password
5. Save
6. Click the bookmark to run the script

I use it all the time. If anyone wants me to create a Chrome / Firefox extension where you have to press a key instead, then ask me (it won't have any spyware).
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.