flat assembler
Message board for the users of flat assembler.

Index > Heap > Best free Win32 Disassembler?

OzzY (Joined: 19 Sep 2003, Posts: 1029, Location: Everywhere)
Hello! While browsing Orkut ( www.orkut.com ) I found that many people are getting infected by a worm that spreads itself by sending links to a website where people download it.
People are actually dumb enough to download it and EXECUTE the .exe.
So I was thinking about analysing it to see why it's so successful at spreading.

I need a good disassembler. Do you know a free one?

Maybe I'll code a little removal tool to send to my friends too.

Thanks
Post 28 Dec 2007, 20:51
edfed (Joined: 20 Feb 2006, Posts: 4237, Location: 2018)
Post 28 Dec 2007, 22:33
vid, "Verbosity in development" (Joined: 05 Sep 2003, Posts: 7105, Location: Slovakia)
Use freeware IDA.
Post 28 Dec 2007, 22:43
LocoDelAssembly, "Your code has a bug" (Joined: 06 May 2005, Posts: 4633, Location: Argentina)
Available here among many other places (except the official site because Ilfak can't afford the bandwidth costs).
Post 28 Dec 2007, 22:53
edfed (Joined: 20 Feb 2006, Posts: 4237, Location: 2018)
IDA is not free; only a free, limited version is offered.

I know that hacking is forbidden by law, but windasm is a very good debugger, and you can download it from this link.
Post 28 Dec 2007, 22:55
LocoDelAssembly, "Your code has a bug" (Joined: 06 May 2005, Posts: 4633, Location: Argentina)
I think that IDA is a lot better than your proposal. It lacks a debugger (this freeware version is neither time-limited nor restricted in ways like not being able to save your work), but since we are talking about a virus it is better not to execute anything.
Post 28 Dec 2007, 23:01
MazeGen (Joined: 06 Oct 2003, Posts: 975, Location: Czechoslovakia)
DataRescue released v4.9 for free a few weeks ago:

http://www.datarescue.com/idabase/idadownfreeware.htm
Post 29 Dec 2007, 00:33
LocoDelAssembly, "Your code has a bug" (Joined: 06 May 2005, Posts: 4633, Location: Argentina)
Awesome MazeGen, thanks for telling us.
Post 29 Dec 2007, 01:35
OzzY (Joined: 19 Sep 2003, Posts: 1029, Location: Everywhere)
Thanks! The Freeware IDA Pro is very good!

But I don't understand this disassembly:
Code:
.text:00401000 ;
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ; |     This file is generated by The Interactive Disassembler (IDA)        |
.text:00401000 ; |     Copyright (c) 2006 by DataRescue sa/nv, <ida@datarescue.com>        |
.text:00401000 ; |                      Licensed to: Freeware version                      |
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ;
.text:00401000 ; File Name   : C:\Documents and Settings\Frederico\Desktop\HELLO.EXE
.text:00401000 ; Format      : Portable executable for 80386 (PE)
.text:00401000 ; Imagebase   : 400000
.text:00401000 ; Section 1. (virtual address 00001000)
.text:00401000 ; Virtual size                  : 00000048 (     72.)
.text:00401000 ; Section size in file          : 00000200 (    512.)
.text:00401000 ; Offset to raw data for section: 00000200
.text:00401000 ; Flags 60000020: Text Executable Readable
.text:00401000 ; Alignment     : default
.text:00401000
.text:00401000                 .686p
.text:00401000                 .mmx
.text:00401000                 .model flat
.text:00401000
.text:00401000 ; ---------------------------------------------------------------------------
.text:00401000
.text:00401000 ; Segment type: Pure code
.text:00401000 ; Segment permissions: Read/Execute
.text:00401000 _text           segment para public 'CODE' use32
.text:00401000                 assume cs:_text
.text:00401000                 ;org 401000h
.text:00401000                 assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
.text:00401000
.text:00401000 ; =============== S U B R O U T I N E =======================================
.text:00401000
.text:00401000
.text:00401000                 public start
.text:00401000 start           proc near
.text:00401000                 push    0
.text:00401002                 call    sub_401016
.text:00401007                 push    edi
.text:00401008                 imul    ebp, [esi+33h], 73412032h
.text:0040100F                 jnb     short near ptr word_401076
.text:00401011                 insd
.text:00401012                 bound   ebp, [ecx+edi*2+0]
.text:00401012 start           endp
.text:00401012
.text:00401016
.text:00401016 ; =============== S U B R O U T I N E =======================================
.text:00401016
.text:00401016
.text:00401016 sub_401016      proc near               ; CODE XREF: start+2p
.text:00401016                 call    loc_401038
.text:0040101B                 dec     eax
.text:0040101C                 imul    esp, [ecx], 6D274920h
.text:00401022                 and     [eax+ebp*2+65h], dh
.text:00401026                 and     [ebp+78h], ah
.text:00401029                 popa
.text:0040102A                 insd
.text:0040102B                 jo      short near ptr byte_401099
.text:0040102D                 and     gs:[eax+72h], dh
.text:00401031                 outsd
.text:00401032                 db      67h
.text:00401032                 jb      near ptr 1096h
.text:00401035                 insd
.text:00401036                 and     [eax], eax
.text:00401036 sub_401016      endp
.text:00401036
.text:00401038
.text:00401038 loc_401038:                             ; CODE XREF: sub_401016p
.text:00401038                 push    0
.text:0040103A                 call    ds:MessageBoxA
.text:00401040                 push    0
.text:00401042                 call    ds:ExitProcess
.text:00401042 ; ---------------------------------------------------------------------------
.text:00401048                 dd 0Bh dup(0)
.text:00401074                 db 2 dup(0)
.text:00401076 word_401076     dw 0                    ; CODE XREF: start+Fj
.text:00401078                 dd 8 dup(0)
.text:00401098                 db 0
.text:00401099 byte_401099     db 3 dup(0)             ; CODE XREF: sub_401016+15j
.text:0040109C                 align 200h
.text:0040109C _text           ends
.text:0040109C
.idata:0040205E ;
.idata:0040205E ; Imports from KERNEL32.DLL
.idata:0040205E ;
.idata:0040205E ; Section 2. (virtual address 00002000)
.idata:0040205E ; Virtual size                  : 00000092 (    146.)
.idata:0040205E ; Section size in file          : 00000200 (    512.)
.idata:0040205E ; Offset to raw data for section: 00000400
.idata:0040205E ; Flags C0000040: Data Readable Writable
.idata:0040205E ; Alignment     : default
.idata:0040205E ; ---------------------------------------------------------------------------
.idata:0040205E
.idata:0040205E ; Segment type: Externs
.idata:0040205E ; _idata
.idata:0040205E ; void __stdcall ExitProcess(UINT uExitCode)
.idata:0040205E                 extrn ExitProcess:dword ; DATA XREF: .text:00401042r
.idata:00402062
.idata:00402066
.idata:0040207C ;
.idata:0040207C ; Imports from USER32.DLL
.idata:0040207C ;
.idata:0040207C ; int __stdcall MessageBoxA(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType)
.idata:0040207C                 extrn MessageBoxA:dword ; DATA XREF: .text:0040103Ar
.idata:00402080
.idata:00402080
.idata:00402080
.idata:00402080                 end start

This is the disassembly of the hello example that comes with FASM.
Why doesn't it look like the source code? Am I missing something?
Post 29 Dec 2007, 01:58
edfed (Joined: 20 Feb 2006, Posts: 4237, Location: 2018)
If you try with windasm, you'll see that it's quite different...
I can compile some disassembled code with windasm... after many modifications, of course.
Post 29 Dec 2007, 02:02
LocoDelAssembly, "Your code has a bug" (Joined: 06 May 2005, Posts: 4633, Location: Argentina)
Tried with W32Dasm 8.93, same output...

Ozzy, in the source I see that the strings are passed directly to the invoke macro rather than pointers to them, so the macro writes the strings into the code and calls past the end of them to push their address on the stack.

Here it is after selecting the junk instructions and pressing 'a' on them:
Code:
.text:00401000 ; Segment type: Pure code
.text:00401000 ; Segment permissions: Read/Execute
.text:00401000 _text           segment para public 'CODE' use32
.text:00401000                 assume cs:_text
.text:00401000                 ;org 401000h
.text:00401000                 assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
.text:00401000
.text:00401000 ; =============== S U B R O U T I N E =======================================
.text:00401000
.text:00401000
.text:00401000                 public start
.text:00401000 start           proc near
.text:00401000                 push    0
.text:00401002                 call    sub_401016
.text:00401002 ; ---------------------------------------------------------------------------
.text:00401007 aWin32Assembly  db 'Win32 Assembly',0
.text:00401007 start           endp
.text:00401007
.text:00401016
.text:00401016 ; =============== S U B R O U T I N E =======================================
.text:00401016
.text:00401016
.text:00401016 sub_401016      proc near               ; CODE XREF: start+2p
.text:00401016                 call    loc_401038
.text:00401016 ; ---------------------------------------------------------------------------
.text:0040101B aHiIMTheExample db 'Hi! I',27h,'m the example program!',0
.text:0040101B sub_401016      endp
.text:0040101B
.text:00401038 ; ---------------------------------------------------------------------------
.text:00401038
.text:00401038 loc_401038:                             ; CODE XREF: sub_401016p
.text:00401038                 push    0
.text:0040103A                 call    ds:MessageBoxA
.text:00401040                 push    0
.text:00401042                 call    ds:ExitProcess
.text:00401042 ; ---------------------------------------------------------------------------
.text:00401048                 dd 0Bh dup(0)
.text:00401074                 db 2 dup(0)
.text:00401076                 dw 0
.text:00401078                 dd 8 dup(0)
.text:00401098                 db 0
.text:00401099                 db 3 dup(0)
.text:0040109C                 align 200h
.text:0040109C _text           ends
Post 29 Dec 2007, 02:16
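What the invoke macro did here, shown as an added example that is not from the original post or from FASM: a minimal Python decoder for the handful of encodings in this listing that recognises the "call over a string" pattern (a CALL whose target is exactly one byte past a NUL-terminated printable string, so the pushed return address is the string's address) and treats the string as data instead of instructions. The bytes are reconstructed from IDA's addresses and mnemonics on the page; the listing shows no opcode bytes, so the encodings are an assumption, although their total of 72 bytes does match the section's stated virtual size 00000048.

```python
# Bytes of .text in FASM's HELLO.EXE, reconstructed from the addresses and mnemonics in the
# listing above (constructed input; the listing shows no opcode bytes, so the encodings are
# an assumption, but the total of 72 bytes matches the section's virtual size 00000048).
HELLO_TEXT_BASE = 0x401000
HELLO_TEXT = (
    b"\x6a\x00"                          # 00401000  push 0
    b"\xe8\x0f\x00\x00\x00"              # 00401002  call 00401016 -> lands right after the caption
    b"Win32 Assembly\x00"                # 00401007  caption string (15 bytes incl. NUL)
    b"\xe8\x1d\x00\x00\x00"              # 00401016  call 00401038 -> lands right after the text
    b"Hi! I'm the example program!\x00"  # 0040101B  text string (29 bytes incl. NUL)
    b"\x6a\x00"                          # 00401038  push 0
    b"\xff\x15\x7c\x20\x40\x00"          # 0040103A  call ds:[0040207C]  (MessageBoxA)
    b"\x6a\x00"                          # 00401040  push 0
    b"\xff\x15\x5e\x20\x40\x00"          # 00401042  call ds:[0040205E]  (ExitProcess)
)

def rel32_target(code, ip):
    """Target of an E8 rel32 CALL at ip, as an offset into code."""
    return ip + 5 + int.from_bytes(code[ip + 1:ip + 5], "little", signed=True)

def string_after_call(code, ip):
    """If the CALL at ip jumps exactly past a NUL-terminated printable string that
    starts at the return address, return (string, target); otherwise None.
    Such a CALL is really 'push address-of-string'; the string bytes are not code."""
    next_ip = ip + 5
    target = rel32_target(code, ip)
    nul = code.find(b"\x00", next_ip)
    if target <= next_ip or nul == -1 or nul + 1 != target:
        return None
    s = code[next_ip:nul]
    if not s or any(not 0x20 <= b < 0x7F for b in s):
        return None
    return s.decode("ascii"), target

def disassemble(code, base):
    """Minimal linear sweep for the few encodings in this listing (push imm8, call rel32,
    call [mem32]); returns [(address, text)]. Not a general x86 decoder."""
    out, ip = [], 0
    while ip < len(code):
        addr, op = base + ip, code[ip]
        if op == 0x6A:
            out.append((addr, f"push {code[ip + 1]}"))
            ip += 2
        elif op == 0xE8:
            hit = string_after_call(code, ip)
            if hit:
                s, target = hit
                out.append((addr, f'push offset {base + ip + 5:08X}h ; "{s}" (call-over-string)'))
                ip = target            # skip the string: it is data, not instructions
            else:
                out.append((addr, f"call {base + rel32_target(code, ip):08X}h"))
                ip += 5
        elif op == 0xFF and ip + 1 < len(code) and code[ip + 1] == 0x15:
            ptr = int.from_bytes(code[ip + 2:ip + 6], "little")
            out.append((addr, f"call dword ptr ds:[{ptr:08X}h]"))
            ip += 6
        else:
            out.append((addr, f"db {op:#04x}"))   # unknown opcode: emit one byte and keep going
            ip += 1
    return out

if __name__ == "__main__":
    for addr, text in disassemble(HELLO_TEXT, HELLO_TEXT_BASE):
        print(f"{addr:08X}  {text}")
```

Run as-is it prints seven lines, the same shape as the cleaned-up IDA listing above: two `push 0`, the two string pushes at 00401007 and 0040101B, and the two `call ds:[...]` imports. The heuristic deliberately refuses a CALL whose target is its own next instruction (the common get-EIP trick) or one that is not immediately followed by a printable string, so it will not silently swallow real code.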
OzzY (Joined: 19 Sep 2003, Posts: 1029, Location: Everywhere)
Ahh... I didn't know invoke used call to push the string address on the stack.
Nice! I'm starting to understand IDA!
Post 29 Dec 2007, 02:23
OzzY (Joined: 19 Sep 2003, Posts: 1029, Location: Everywhere)
If I want to write a patch to change one instruction, how do I get its address?
Post 29 Dec 2007, 02:27
edfed (Joined: 20 Feb 2006, Posts: 4237, Location: 2018)
Simple:
offset in segment
segment base
give, at the end, the real offset in the file...
Post 29 Dec 2007, 03:00
LocoDelAssembly, "Your code has a bug" (Joined: 06 May 2005, Posts: 4633, Location: Argentina)
Translated: file_offset = virtual_offset - Imagebase - section_virtual_address + offset_to_raw_data_for_section

Or simplified for this case: file_offset = virtual_offset - ORG + offset_to_raw_data_for_section
Post 29 Dec 2007, 03:43
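Applying that formula by hand is error-prone once a binary has more than two sections, and it silently gives a bogus offset for addresses that exist in memory but not in the file. Here is an added example (not from the original post) that reads the section table from the PE headers and maps a virtual address to a file offset, returning None when no file bytes back that address. The PE image is constructed inline from the section numbers in IDA's header comments above (.text at RVA 1000h, raw 200h; .idata at RVA 2000h, raw 400h; image base 400000h) plus a hypothetical zero-size .bss section to show the failure case; the header-building helper exists only to make the example self-contained.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

def build_minimal_pe(image_base, sections, file_size):
    """Constructed test input: a PE32 header with just the fields parse_sections() needs."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))             # e_lfanew: "PE\0\0" follows the DOS header
    opt = bytearray(224)                                     # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                    # magic: PE32
    struct.pack_into("<I", opt, 28, image_base)              # ImageBase (offset 28 in PE32)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                    vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        for name, va, vsize, raw_ptr, raw_size, flags in sections)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(file_size, b"\0")

def parse_sections(data):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...]) from a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: ImageBase is a DWORD at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:      # PE32+: ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii"), va, vsize, raw_ptr, raw_size))
        off += 40
    return image_base, sections

def va_to_file_offset(va, image_base, sections):
    """file_offset = va - image_base - section_va + raw_ptr, or None if no file bytes back va."""
    rva = va - image_base
    for _name, sva, vsize, raw_ptr, raw_size in sections:
        # a section covers max(vsize, raw_size) bytes of address space (before alignment)
        if sva <= rva < sva + max(vsize, raw_size):
            delta = rva - sva
            if delta >= raw_size:      # e.g. .bss, or the zero-filled tail past SizeOfRawData
                return None
            return raw_ptr + delta
    return None                        # PE headers, or a gap between sections

def patch_at_va(data, va, new_bytes):
    """Overwrite the file bytes the loader would map at va; raises if they do not exist."""
    image_base, sections = parse_sections(data)
    off = va_to_file_offset(va, image_base, sections)
    if off is None or off + len(new_bytes) > len(data):
        raise ValueError(f"VA {va:#010x} is not backed by file data")
    out = bytearray(data)
    out[off:off + len(new_bytes)] = new_bytes
    return bytes(out)

# Section numbers from IDA's header comments above; .bss is a hypothetical addition.
HELLO_SECTIONS = [
    (".text",  0x1000, 0x48,  0x200, 0x200, 0x60000020),
    (".idata", 0x2000, 0x92,  0x400, 0x200, 0xC0000040),
    (".bss",   0x3000, 0x100, 0x0,   0x0,   0xC0000080),
]
HELLO_PE = build_minimal_pe(0x400000, HELLO_SECTIONS, 0x600)
```

With the numbers from the listing, the `push 0` at .text:00401040 lives at file offset 240h and the MessageBoxA import slot at .idata:0040207C at 47Ch, while 00400000 (the headers) and anything in the .bss section map to None rather than to a wrong offset. Keep the replacement the same length as the instruction it overwrites; a longer encoding would clobber the next instruction.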
Ehtyar (Joined: 26 Sep 2006, Posts: 51)
PVDasm is relatively basic when compared to IDA or Olly's analysis engine, but it will do the job. Probably the best hobbyist disassembler I've seen so far.

Ehtyar.
Post 29 Dec 2007, 15:03
OzzY (Joined: 19 Sep 2003, Posts: 1029, Location: Everywhere)
I've found a very good open source disassembler in early stages: http://programmerstools.org/node/688#comment

Looks really good! Outputs NASM compilable source.
Post 21 Jan 2008, 05:37
OzzY (Joined: 19 Sep 2003, Posts: 1029, Location: Everywhere)
Here is an online disassembler: http://pvdasm.reverse-engineering.net/PVPHP.php

Very cool for when you're at school or work computer.
Post 19 Feb 2008, 04:20
dap (Joined: 01 Dec 2007, Posts: 61, Location: Belgium)
I use DumpPE, but it's a simple command-line tool, not as useful as IDA for reverse engineering.
Post 19 Feb 2008, 09:39

Copyright © 1999-2020, Tomasz Grysztar.