flat assembler
Message board for the users of flat assembler.
Windows > Vc++ exe -> ida -> fasm
KevinN 27 Feb 2013, 20:46
Anybody familiar with taking an exe around the size of 2MB or so and disassembling then reformatting so it can be reassembled? Any thoughts?
f0dder 02 Mar 2013, 10:16
KevinN wrote: Anybody familiar with taking an exe around the size of 2MB or so and disassembling then reformatting so it can be reassembled? Any thoughts?
Only do it if you're really serious about it - something like that is a big task. It can be done, but it's no trivial task.
_________________
- carpe noctem
f0dder 03 Mar 2013, 11:58
Well, IDA does a better job than "dumb" disassemblers, but still - it's not "click and play", especially once you start changing things. Be prepared to do a fair amount of manual work. Btw, in case you didn't find it yourself, also see this with regards to the Syndicate Wars project.
In case your goals are a bit less ambitious, perhaps you don't need to do a re-assemblable listing? If you're fixing bugs you can probably get away with patch-injection.
ACP 03 Mar 2013, 20:27
Depends on what your objective is. First of all, if you mean disassembly of a 2mb binary and understanding every single instruction (unless it's 2mb of NOPs), it is in most cases an impossible task (unless you have 5 years like the guys from the SWARS project). This is one reason why Hex-Rays offers the Decompiler package. If you just want to locate an interesting part, analyze it and later change it, IDA could be your best friend, but only to some extent.
First of all, IDA does not support FASM as an ASM listing output. Probably the closest you can get is TASM Ideal Mode, since FASM has been loosely structured around Ideal mode syntax. Obviously a better choice would be to select MASM as the target assembler. While IDA has a "Patch" option, it patches the database and not the disassembled file on disk. You can obviously use the debugger to patch the process in memory while running, but you still need to dump the process memory. The IDA option "Generate EXE file" does not work for most file formats. There were some publicly available IDC scripts that tried to achieve similar functionality for the PE format. The simplest approach is to actually find the interesting code fragment with IDA and patch it (IDA provides a limited assembler for some architectures, and x86 is on that list) in the database. Next, create a DIF file and use some kind of patcher. As for the disassembly process, IDA does in most cases a good job of discovering VC functions and structures; however, as pointed out already, you will still need to do some manual work. Tell us more about the binary, since VC++ can generate a few different types. Also, in the case of C++, the ECX register for example is used as the "this" pointer. OOP and pure C EXEs are quite different internally. Also there are differences between Debug and Release type binaries. When recompiling be sure to keep sections aligned properly. PE generally requires 512 byte alignment if memory serves me well.
f0dder 04 Mar 2013, 18:43
ACP wrote: When recompiling be sure to keep sections aligned properly. PE generally requires 512 byte alignment if memory serves me well.
PE doesn't, but various versions of Windows have various alignment requirements - 512- and 4096-byte should work everywhere; 4k could theoretically have an advantage wrt. demand-paging (dunno if there's any real-life effect today, but there was something about win98... there used to be a /opt:nowin98 linker option to go from 4k -> 512-byte alignment). For a 2meg exe, I'd probably stick to 4k anyway, since the amount of bytes you're wasting is inconsequential. And who has a cluster size smaller than 4k anyway?
_________________
- carpe noctem
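Since the alignment rules are easy to get wrong when a listing is reassembled and relinked, here is an added checker (not from this thread) that reads SectionAlignment and FileAlignment from the PE optional header and checks the PE/COFF rules against the section table: FileAlignment a power of two between 512 and 64K, SectionAlignment not smaller than FileAlignment, each section's VirtualAddress a multiple of SectionAlignment and its PointerToRawData a multiple of FileAlignment. The build_pe helper constructs a header-only PE32 stub purely to exercise the checker.

```python
import struct

def pe_alignment_report(data):
    """Read SectionAlignment/FileAlignment and the section table of a PE image and
    return them with a list of PE/COFF alignment rules the file violates."""
    issues = []
    if data[:2] != b"MZ":
        return {"issues": ["missing MZ signature"]}
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return {"issues": ["missing PE signature"]}
    coff = pe + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # optional header
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    # FileAlignment must be a power of two in [512, 64K]; SectionAlignment must not be smaller.
    if not (512 <= file_align <= 0x10000 and file_align & (file_align - 1) == 0):
        issues.append(f"FileAlignment {file_align:#x} is not a power of two in [0x200, 0x10000]")
    if sect_align < file_align:
        issues.append(f"SectionAlignment {sect_align:#x} is smaller than FileAlignment {file_align:#x}")
    for i in range(nsect):                                # 40-byte section headers
        s = opt + opt_size + 40 * i
        name = data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, s + 12)
        if sect_align and va % sect_align:
            issues.append(f"{name}: VirtualAddress {va:#x} is not a multiple of SectionAlignment")
        if file_align and raw_size and raw_ptr % file_align:
            issues.append(f"{name}: PointerToRawData {raw_ptr:#x} is not a multiple of FileAlignment")
    return {"section_alignment": sect_align, "file_alignment": file_align, "issues": issues}

def build_pe(sect_align, file_align):
    """Constructed minimal PE32 header with one .text section at file offset 0x200
    (headers only, not a loadable program) for exercising the checker."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    text = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text

if __name__ == "__main__":
    for sa, fa in ((0x1000, 0x200), (0x200, 0x1000)):
        print(hex(sa), hex(fa), pe_alignment_report(build_pe(sa, fa))["issues"])
```

Run it on a real file with pe_alignment_report(open(path, "rb").read()); an empty "issues" list means the header values agree with each other, not that the image is otherwise valid.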
KevinN 05 Mar 2013, 18:39
It's the client from http://freeinfantry.org/ infantry.exe 1.73 MB (1,814,528 bytes). One of the guys involved with the project is trying to get soccer going in one of the zones and needs a better understanding of packets/data concerning the ball. I thought it would be nice to just reformat the IDA disassembly for fasm/masm or whatever.. annotate it, etc.
f0dder 05 Mar 2013, 19:22
Well, if that's your goal, you're in for a lot of work
So, has the source code been lost? Or owned and not-likely-to-be-released by a commercial entity? Or something else? Before considering undertaking such a massive job, you really should consider whether anybody might object to it, and if it could get you in legal trouble (and even with no legal trouble, it'd suck spending several months on something you'll later have to pull off the intarwebz).
KevinN 05 Mar 2013, 22:10
I think Sony owns the rights now. Not sure of the legalities.. fair points.
Found this: http://forum.nasm.us/index.php?topic=1224.0
KevinN 05 Mar 2013, 22:56
Time to break out Borg. Let's see what it can do with a hello world..
ACP 05 Mar 2013, 23:56
KevinN wrote: Time to break out Borg. Let's see what it can do with a hello world..
Trust me - IDA is probably the only reasonable way of disassembling such a PE file and meeting your targets. You will need debugging capabilities, as it will probably be a lot easier to just put breakpoints on certain events and proceed from there with the analysis.
f0dder 06 Mar 2013, 22:44
ACP wrote:
Definitely! - unless you're a masochist and/or want to write tools of your own. Staring at dead listings is the way madness lies.
_________________
- carpe noctem
KevinN 07 Mar 2013, 02:18
Yes, madness.. I agree
KevinN 13 Mar 2013, 01:27
Just found out IDA has a TASM option for target assembler
|
ACP 13 Mar 2013, 13:04
KevinN wrote: Just found out IDA has a TASM option for target assembler
It supports other assemblers, including MASM, as well, but FASM is not on the supported assembler list. However, just producing a listing in the correct format doesn't really mean that:
1) the assembler will assemble the file
2) the assembler will assemble the file correctly
3) the linker will link the file(s) correctly
4) the resulting executable will work
IDA will only insert some simple directives like "assume" into the listing - forget about more advanced constructions, and you might still need to do some work to figure out the correct switches for the assembler and linker in more complex cases.
Copyright © 1999-2025, Tomasz Grysztar.