Two Click disassembly/reassembly
in [ASM]
|
Prev: Check out POASM
Next: Bad habits
From: randyhyde@earthlink.net on 20 Jan 2006 13:01 Rene has been making a big deal about how the RosAsm system can disassemble an executable file and then reassemble it with only two clicks. The implication is that the disassembler is completely automatic and produces syntactically correct code that assembles back into the original executable. The impression that this scheme works is *highly* misleading. I'll provide a simple example to demonstrate the misconceptions this claim creates. First, let me point out that "disassembling a file that compiles back to the original executable" is *not* that difficult. After all, we can easily "disassemble" a file into a sequence of DB, DW, and DD statements that, when reassembled, produce the original executable. However, when someone (such as Rene) advertises their disassembler as a tool that can be used to convert library code to source form so those library routines can be included in a RosAsm program, there is an implicit statement that you can *edit* the resulting files (e.g., extract the library routines of interest and possibly modify those routines) and still have working code. I'll demonstrate, quite easily, that the RosAsm disassembler is not capable of this. First, an example program. I do *not* want to choose a binary file that is difficult to disassemble (e.g., contains data in the code path, uses fancy anti-hacking techniques, or anything like that). I want to demonstrate this problem with a *simple* assembly language source file that is written in a very straight-forward manner. Looking in my HLA directory, I came across a simple "99 Bottles of Beer" application that I wrote a few weeks back in request for my input to this HLA app that's been floating around. For those who missed the code, here it is: program bottles; #include( "stdlib.hhf" ) // HLA version of the "99 Bottles of Beer" song // Cross-platform: Linux console or Windows console // Get HLA here: http://webster.cs.ucr.edu/AsmTools/HLA/index.html // // // Macro compile-time function that does a limited "unsigned to English" // conversion: const Tens :string[10] := [ "", // zero "", // one, handled as a special case "Twenty", "Thirty", "Forty", "Fifty", "Sixty", "Seventy", "Eighty", "Ninety" ]; Ones :string[20] := [ "", // zero is not used "One", "Two", "Three", "Four", "Five", "Six", "Seven", "Eight", "Nine", "Ten", "Eleven", "Twelve", "Thirteen", "Fourteen", "Fifteen", "Sixteen", "Seventeen", "Eighteen", "Nineteen" ]; #macro uToEnglish( unsVal, NumberCase ); #if( unsVal >= 20 ) #if( unsVal mod 10 <> 0 ) #if( NumberCase ) Tens[unsVal div 10] + "-" + @lowercase( Ones[unsVal mod 10], 0) #else @lowercase( Tens[unsVal div 10] + "-" + Ones[unsVal mod 10], 0 ) #endif #else #if( NumberCase ) Tens[ unsVal div 10] #else @lowercase( Tens[ unsVal div 10], 0 ) #endif #endif #else #if( NumberCase ) Ones[ unsVal ] #else @lowercase( Ones[ unsVal ], 0) #endif #endif #endmacro static sOrNot :string[100] := [ "s", "", 98 dup ["s"] ]; Numbers :string[100] := [ "No more", #for( i := 1 to 98) uToEnglish( i, true ), #endfor uToEnglish( 99, true ) ]; lcNumbers :string[100] := [ "no more", #for( i := 1 to 98) uToEnglish( i, false ), #endfor uToEnglish( 99, false ) ]; begin bottles; mov( 99, ecx ); repeat stdout.put ( Numbers[ecx*4], " bottle", sOrNot[ecx*4], " of beer on the wall, ", lcNumbers[ecx*4], " bottle", sOrNot[ecx*4], " of beer." nl "Take one down and pass it around, ", lcNumbers[ecx*4-4], " bottle", sOrNot[ecx*4-4], " of beer on the wall" nl nl ); dec( ecx ); until( @z ); stdout.puts( "No more bottles of beer on the wall. No more bottles of beer..." nl ); stdout.puts( "Go to the store and buy some more... 99 bottles of beer for the wall." nl); end bottles; Most of the code is actually a compile-time program that generates strings for the stdout.put routine to emit. The actual code in this program is the few lines above (between the begin and end). For those who don't read HLA code or know what the stdout.put macro emits, here's the MASM code that HLA generates for the above main program body: mov ecx, 99 L1111_false__hla_: L1111_repeat__hla_: push dword ptr [L909_Numbers__hla_+ecx*4+0] ; (type string Numbers) call STDOUT_PUTS ; puts push offset32 L1131_str__hla_ call STDOUT_PUTS ; puts push dword ptr [L808_sOrNot__hla_+ecx*4+0] ; (type string sOrNot) call STDOUT_PUTS ; puts push offset32 L1142_str__hla_ call STDOUT_PUTS ; puts push dword ptr [L1010_lcNumbers__hla_+ecx*4+0] ; (type string lcNumbers) call STDOUT_PUTS ; puts push offset32 L1153_str__hla_ call STDOUT_PUTS ; puts push dword ptr [L808_sOrNot__hla_+ecx*4+0] ; (type string sOrNot) call STDOUT_PUTS ; puts push offset32 L1164_str__hla_ call STDOUT_PUTS ; puts push dword ptr [L1010_lcNumbers__hla_+ecx*4-4] ; (type string lcNumbers) call STDOUT_PUTS ; puts push offset32 L1175_str__hla_ call STDOUT_PUTS ; puts push dword ptr [L808_sOrNot__hla_+ecx*4-4] ; (type string sOrNot) call STDOUT_PUTS ; puts push offset32 L1186_str__hla_ call STDOUT_PUTS ; puts dec ecx L1111_continue__hla_: jnz L1111_repeat__hla_ L1111_exitloop__hla_: push offset32 L1187_str__hla_ call STDOUT_PUTS ; puts push offset32 L1188_str__hla_ call STDOUT_PUTS ; puts This is very straight-forward code. Nothing special that will trip up a disassembler at all. Beyond this code, of course, there is the HLA standard library code that gets linked in (in particular, the STDOUT_PUTS routine which prints a string to the console device). Now I don't recall every line of HLA stdlib code that I've written, but none of it has been written explicitly to confuse a disassembler. Most of it is rather straight-forward stuff that a disassembler ought to be able to breeze through. Okay, we run the RosAsm disassembler on this executable (full listing appears at the end of this post for those who are interested). RosAsm does a reasonable job of disassembling the file. As advertised, one click to disassemble it and one click to reassemble it with no errors. The result even runs correctly. So far, Rene's claims seem true. Here's the disassembled main program corresponding to the code above: mov ecx 063 Code040020B1: L3: push D$ecx*4+Data04005190 call Code04002D20 push Data04001F78 call Code04002D20 push D$ecx*4+Data04005000 call Code04002D20 push Data04001F88 call Code04002D20 push D$ecx*4+Data04005320 call Code04002D20 push Data04001F78 call Code04002D20 push D$ecx*4+Data04005000 call Code04002D20 push Data04001FA8 call Code04002D20 push D$ecx*4+Data0400531C call Code04002D20 push Data04001F78 call Code04002D20 push D$ecx*4+Data04005000-4 call Code04002D20 push Data04001FE0 call Code04002D20 dec ecx | jne Code040020B1 push Data04002004 call Code04002D20 push Data04002050 call Code04002D20 So far, so good. But does RosAsm live up to the hype? Unfortunately, no. Let's make one *trivial* modification to the program and try it again. My trivial modification consists of adding a single NOP to the program: NOP ;Added instruction mov ecx 063 Code040020B1: L3: push D$ecx*4+Data04005190 call Code04002D20 push Data04001F78 call Code04002D20 push D$ecx*4+Data04005000 call Code04002D20 push Data04001F88 call Code04002D20 push D$ecx*4+Data04005320 call Code04002D20 push Data04001F78 call Code04002D20 push D$ecx*4+Data04005000 call Code04002D20 push Data04001FA8 call Code04002D20 push D$ecx*4+Data0400531C call Code04002D20 push Data04001F78 call Code04002D20 push D$ecx*4+Data04005000-4 call Code04002D20 push Data04001FE0 call Code04002D20 dec ecx | jne Code040020B1 push Data04002004 call Code04002D20 push Data04002050 call Code04002D20 Okay, one click later it still recompiles (no surprise, NOP is a syntactically correct RosAsm statement). But when you run the program, it goes wild printing junk. Clearly, there are some pointer or other problems with the disassembled code. That is to say, it was not disassembled properly. The mere fact that an automatic disassembler produces a syntactically correct output file that can be recompiled does *not* mean that the result is *semantically* correct. I want to point out that this problem isn't particular to the RosAsm disassembler. Disassembly is an undecideable problem (in particular, differentiating code and data, as well as different data types is an undecideable problem). The real issue is the hyperbolic claims that RosAsm can disassemble and reassemble a file with only two clicks. While technically, this claim is correct for many files, the claim falls apart when you make the *tiniest* modifications to the file. Cheers, Randy Hyde TITLE Part01 [Data04001000: D$ 01, 01] [Data04001008: B$ "s", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] [Data04001014: D$ 0, 07, 07] [Data04001020: D$ 06D206F4E, 065726F, 03, 03] [Data04001030: D$ 0656E4F, 03, 03] [Data0400103C: D$ 06F7754, 05, 05] [Data04001048: D$ 065726854, 065, 04, 04] [Data04001058: D$ 072756F46, 0, 04, 04] [Data04001068: D$ 065766946, 0, 03, 03] [Data04001078: D$ 0786953, 05, 05] [Data04001084: D$ 065766553, 06E, 05, 05] [Data04001094: D$ 068676945, 074, 04, 04] [Data040010A4: D$ 0656E694E, 0, 03, 03] [Data040010B4: D$ 06E6554, 06, 06] [Data040010C0: D$ 076656C45, 06E65, 06, 06] [Data040010D0: D$ 06C657754, 06576, 08, 08] [Data040010E0: D$ 072696854, 06E656574, 0, 08, 08] [Data040010F4: D$ 072756F46, 06E656574, 0, 07, 07] [Data04001108: D$ 074666946, 06E6565, 07, 07] [Data04001118: D$ 074786953, 06E6565, 09, 09] [Data04001128: D$ 065766553, 06565746E, 06E, 08, 08] [Data0400113C: D$ 068676945, 06E656574, 0, 08, 08] [Data04001150: D$ 0656E694E, 06E656574, 0, 06, 06] [Data04001164: D$ 06E657754, 07974, 0A, B$ " ", 0, 0, 0] [Data04001174: D$ 06E657754, 06F2D7974, 0656E, 0A, B$ " ", 0, 0, 0] [Data04001188: D$ 06E657754, 0742D7974, 06F77, 0C, 0C] [Data0400119C: D$ 06E657754, 0742D7974, 065657268, 0, 0B, 0B] [Data040011B4: D$ 06E657754, 0662D7974, 072756F, 0B, 0B] [Data040011C8: D$ 06E657754, 0662D7974, 0657669, 0A, B$ " ", 0, 0, 0] [Data040011DC: D$ 06E657754, 0732D7974, 07869, 0C, 0C] [Data040011F0: D$ 06E657754, 0732D7974, 06E657665, 0, 0C, 0C] [Data04001208: D$ 06E657754, 0652D7974, 074686769, 0, 0B, 0B] [Data04001220: D$ 06E657754, 06E2D7974, 0656E69, 06, 06] [Data04001234: D$ 072696854, 07974, 0A, B$ " ", 0, 0, 0] [Data04001244: D$ 072696854, 06F2D7974, 0656E, 0A, B$ " ", 0, 0, 0] [Data04001258: D$ 072696854, 0742D7974, 06F77, 0C, 0C] [Data0400126C: D$ 072696854, 0742D7974, 065657268, 0, 0B, 0B] [Data04001284: D$ 072696854, 0662D7974, 072756F, 0B, 0B] [Data04001298: D$ 072696854, 0662D7974, 0657669, 0A, B$ " ", 0, 0, 0] [Data040012AC: D$ 072696854, 0732D7974, 07869, 0C, 0C] [Data040012C0: D$ 072696854, 0732D7974, 06E657665, 0, 0C, 0C] [Data040012D8: D$ 072696854, 0652D7974, 074686769, 0, 0B, 0B] [Data040012F0: D$ 072696854, 06E2D7974, 0656E69, 05, 05] [Data04001304: D$ 074726F46, 079, 09, 09] [Data04001314: D$ 074726F46, 06E6F2D79, 065, 09, 09] [Data04001328: D$ 074726F46, 077742D79, 06F, 0B, 0B] [Data0400133C: D$ 074726F46, 068742D79, 0656572, 0A, B$ " ", 0, 0, 0] [Data04001350: D$ 074726F46, 06F662D79, 07275, 0A, B$ " ", 0, 0, 0] [Data04001364: D$ 074726F46, 069662D79, 06576, 09, 09] [Data04001378: D$ 074726F46, 069732D79, 078, 0B, 0B] [Data0400138C: D$ 074726F46, 065732D79, 06E6576, 0B, 0B] [Data040013A0: D$ 074726F46, 069652D79, 0746867, 0A, B$ " ", 0, 0, 0] [Data040013B4: D$ 074726F46, 0696E2D79, 0656E, 05, 05] [Data040013C8: D$ 074666946, 079, 09, 09] [Data040013D8: D$ 074666946, 06E6F2D79, 065, 09, 09] [Data040013EC: D$ 074666946, 077742D79, 06F, 0B, 0B] [Data04001400: D$ 074666946, 068742D79, 0656572, 0A, B$ " ", 0, 0, 0] [Data04001414: D$ 074666946, 06F662D79, 07275, 0A, B$ " ", 0, 0, 0] [Data04001428: D$ 074666946, 069662D79, 06576, 09, 09] [Data0400143C: D$ 074666946, 069732D79, 078, 0B, 0B] [Data04001450: D$ 074666946, 065732D79, 06E6576, 0B, 0B] [Data04001464: D$ 074666946, 069652D79, 0746867, 0A, B$ " ", 0, 0, 0] [Data04001478: D$ 074666946, 0696E2D79, 0656E, 05, 05] [Data0400148C: D$ 074786953, 079, 09, 09] [Data0400149C: D$ 074786953, 06E6F2D79, 065, 09, 09] [Data040014B0: D$ 074786953, 077742D79, 06F, 0B, 0B] [Data040014C4: D$ 074786953, 068742D79, 0656572, 0A, B$ " ", 0, 0, 0] [Data040014D8: D$ 074786953, 06F662D79, 07275, 0A, B$ " ", 0, 0, 0] [Data040014EC: D$ 074786953, 069662D79, 06576, 09, 09] [Data04001500: D$ 074786953, 069732D79, 078, 0B, 0B] [Data04001514: D$ 074786953, 065732D79, 06E6576, 0B, 0B] [Data04001528: D$ 074786953, 069652D79, 0746867, 0A, B$ " ", 0, 0, 0] [Data0400153C: D$ 074786953, 0696E2D79, 0656E, 07, 07] [Data04001550: D$ 065766553, 079746E, 0B, 0B] [Data04001560: D$ 065766553, 02D79746E, 0656E6F, 0B, 0B] [Data04001574: D$ 065766553, 02D79746E, 06F7774, 0D, B$ " ", 0, 0, 0] [Data04001588: D$ 065766553, 02D79746E, 065726874, 065, 0C, 0C] [Data040015A0: D$ 065766553, 02D79746E, 072756F66, 0, 0C, 0C] [Data040015B8: D$ 065766553, 02D79746E, 065766966, 0, 0B, 0B] [Data040015D0: D$ 065766553, 02D79746E, 0786973, 0D, B$ " ", 0, 0, 0] [Data040015E4: D$ 065766553, 02D79746E, 065766573, 06E, 0D, B$ " ", 0, 0, 0] [Data040015FC: D$ 065766553, 02D79746E, 068676965, 074, 0C, 0C] [Data04001614: D$ 065766553, 02D79746E, 0656E696E, 0, 06, 06] [Data0400162C: D$ 068676945, 07974, 0A, B$ " ", 0, 0, 0] [Data0400163C: D$ 068676945, 06F2D7974, 0656E, 0A, B$ " ", 0, 0, 0] [Data04001650: D$ 068676945, 0742D7974, 06F77, 0C, 0C] [Data04001664: D$ 068676945, 0742D7974, 065657268, 0, 0B, 0B] [Data0400167C: D$ 068676945, 0662D7974, 072756F, 0B, 0B] [Data04001690: D$ 068676945, 0662D7974, 0657669, 0A, B$ " ", 0, 0, 0] [Data040016A4: D$ 068676945, 0732D7974, 07869, 0C, 0C] [Data040016B8: D$ 068676945, 0732D7974, 06E657665, 0, 0C, 0C] [Data040016D0: D$ 068676945, 0652D7974, 074686769, 0, 0B, 0B] [Data040016E8: D$ 068676945, 06E2D7974, 0656E69, 06, 06] [Data040016FC: D$ 0656E694E, 07974, 0A, B$ " ", 0, 0, 0] [Data0400170C: D$ 0656E694E, 06F2D7974, 0656E, 0A, B$ " ", 0, 0, 0] [Data04001720: D$ 0656E694E, 0742D7974, 06F77, 0C, 0C] [Data04001734: D$ 0656E694E, 0742D7974, 065657268, 0, 0B, 0B] [Data0400174C: D$ 0656E694E, 0662D7974, 072756F, 0B, 0B] [Data04001760: D$ 0656E694E, 0662D7974, 0657669, 0A, B$ " ", 0, 0, 0] [Data04001774: D$ 0656E694E, 0732D7974, 07869, 0C, 0C] [Data04001788: D$ 0656E694E, 0732D7974, 06E657665, 0, 0C, 0C] [Data040017A0: D$ 0656E694E, 0652D7974, 074686769, 0, 0B, 0B] [Data040017B8: D$ 0656E694E, 06E2D7974, 0656E69, 07, 07] [Data040017CC: D$ 06D206F6E, 065726F, 03, 03] [Data040017DC: D$ 0656E6F, 03, 03] [Data040017E8: D$ 06F7774, 05, 05] [Data040017F4: D$ 065726874, 065, 04, 04] [Data04001804: D$ 072756F66, 0, 04, 04] [Data04001814: D$ 065766966, 0, 03, 03] [Data04001824: D$ 0786973, 05, 05] [Data04001830: D$ 065766573, 06E, 05, 05] [Data04001840: D$ 068676965, 074, 04, 04] [Data04001850: D$ 0656E696E, 0, 03, 03] [Data04001860: D$ 06E6574, 06, 06] [Data0400186C: D$ 076656C65, 06E65, 06, 06] [Data0400187C: D$ 06C657774, 06576, 08, 08] [Data0400188C: D$ 072696874, 06E656574, 0, 08, 08] [Data040018A0: D$ 072756F66, 06E656574, 0, 07, 07] [Data040018B4: D$ 074666966, 06E6565, 07, 07] [Data040018C4: D$ 074786973, 06E6565, 09, 09] [Data040018D4: D$ 065766573, 06565746E, 06E, 08, 08] [Data040018E8: D$ 068676965, 06E656574, 0, 08, 08] [Data040018FC: D$ 0656E696E, 06E656574, 0, 06, 06] [Data04001910: D$ 06E657774, 07974, 0A, B$ " ", 0, 0, 0] [Data04001920: D$ 06E657774, 06F2D7974, 0656E, 0A, B$ " ", 0, 0, 0] [Data04001934: D$ 06E657774, 0742D7974, 06F77, 0C, 0C] [Data04001948: D$ 06E657774, 0742D7974, 065657268, 0, 0B, 0B] [Data04001960: D$ 06E657774, 0662D7974, 072756F, 0B, 0B] [Data04001974: D$ 06E657774, 0662D7974, 0657669, 0A, B$ " ", 0, 0, 0] [Data04001988: D$ 06E657774, 0732D7974, 07869, 0C, 0C] [Data0400199C: D$ 06E657774, 0732D7974, 06E657665, 0, 0C, 0C] [Data040019B4: D$ 06E657774, 0652D7974, 074686769, 0, 0B, 0B] [Data040019CC: D$ 06E657774, 06E2D7974, 0656E69, 06, 06] [Data040019E0: D$ 072696874, 07974, 0A, B$ " ", 0, 0, 0] [Data040019F0: D$ 072696874, 06F2D7974, 0656E, 0A, B$ " ", 0, 0, 0] [Data04001A04: D$ 072696874, 0742D7974, 06F77, 0C, 0C] [Data04001A18: D$ 072696874, 0742D7974, 065657268, 0, 0B, 0B] [Data04001A30: D$ 072696874, 0662D7974, 072756F, 0B, 0B] [Data04001A44: D$ 072696874, 0662D7974, 0657669, 0A, B$ " ", 0, 0, 0] [Data04001A58: D$ 072696874, 0732D7974, 07869, 0C, 0C] [Data04001A6C: D$ 072696874, 0732D7974, 06E657665, 0, 0C, 0C] [Data04001A84: D$ 072696874, 0652D7974, 074686769, 0, 0B, 0B] [Data04001A9C: D$ 072696874, 06E2D7974, 0656E69, 05, 05] [Data04001AB0: D$ 074726F66, 079, 09, 09] [Data04001AC0: D$ 074726F66, 06E6F2D79, 065, 09, 09] [Data04001AD4: D$ 074726F66, 077742D79, 06F, 0B, 0B] [Data04001AE8: D$ 074726F66, 068742D79, 0656572, 0A, B$ " ", 0, 0, 0] [Data04001AFC: D$ 074726F66, 06F662D79, 07275, 0A, B$ " ", 0, 0, 0] [Data04001B10: D$ 074726F66, 069662D79, 06576, 09, 09] [Data04001B24: D$ 074726F66, 069732D79, 078, 0B, 0B] [Data04001B38: D$ 074726F66, 065732D79, 06E6576, 0B, 0B] [Data04001B4C: D$ 074726F66, 069652D79, 0746867, 0A, B$ " ", 0, 0, 0] [Data04001B60: D$ 074726F66, 0696E2D79, 0656E, 05, 05] [Data04001B74: D$ 074666966, 079, 09, 09] [Data04001B84: D$ 074666966, 06E6F2D79, 065, 09, 09] [Data04001B98: D$ 074666966, 077742D79, 06F, 0B, 0B] [Data04001BAC: D$ 074666966, 068742D79, 0656572, 0A, B$ " ", 0, 0, 0] [Data04001BC0: D$ 074666966, 06F662D79, 07275, 0A, B$ " ", 0, 0, 0] [Data04001BD4: D$ 074666966, 069662D79, 06576, 09, 09] [Data04001BE8: D$ 074666966, 069732D79, 078, 0B, 0B] [Data04001BFC: D$ 074666966, 065732D79, 06E6576, 0B, 0B] [Data04001C10: D$ 074666966, 069652D79, 0746867, 0A, B$ " ", 0, 0, 0] [Data04001C24: D$ 074666966, 0696E2D79, 0656E, 05, 05] [Data04001C38: D$ 074786973, 079, 09, 09] [Data04001C48: D$ 074786973, 06E6F2D79, 065, 09, 09] [Data04001C5C: D$ 074786973, 077742D79, 06F, 0B, 0B] [Data04001C70: D$ 074786973, 068742D79, 0656572, 0A, B$ " ", 0, 0, 0] [Data04001C84: D$ 074786973, 06F662D79, 07275, 0A, B$ " ", 0, 0, 0] [Data04001C98: D$ 074786973, 069662D79, 06576, 09, 09] [Data04001CAC: D$ 074786973, 069732D79, 078, 0B, 0B] [Data04001CC0: D$ 074786973, 065732D79, 06E6576, 0B, 0B] [Data04001CD4: D$ 074786973, 069652D79, 0746867, 0A, B$ " ", 0, 0, 0] [Data04001CE8: D$ 074786973, 0696E2D79, 0656E, 07, 07] [Data04001CFC: D$ 065766573, 079746E, 0B, 0B] [Data04001D0C: D$ 065766573, 02D79746E, 0656E6F, 0B, 0B] [Data04001D20: D$ 065766573, 02D79746E, 06F7774, 0D, B$ " ", 0, 0, 0] [Data04001D34: D$ 065766573, 02D79746E, 065726874, 065, 0C, 0C] [Data04001D4C: D$ 065766573, 02D79746E, 072756F66, 0, 0C, 0C] [Data04001D64: D$ 065766573, 02D79746E, 065766966, 0, 0B, 0B] [Data04001D7C: D$ 065766573, 02D79746E, 0786973, 0D, B$ " ", 0, 0, 0] [Data04001D90: D$ 065766573, 02D79746E, 065766573, 06E, 0D, B$ " ", 0, 0, 0] [Data04001DA8: D$ 065766573, 02D79746E, 068676965, 074, 0C, 0C] [Data04001DC0: D$ 065766573, 02D79746E, 0656E696E, 0, 06, 06] [Data04001DD8: D$ 068676965, 07974, 0A, B$ " ", 0, 0, 0] [Data04001DE8: D$ 068676965, 06F2D7974, 0656E, 0A, B$ " ", 0, 0, 0] [Data04001DFC: D$ 068676965, 0742D7974, 06F77, 0C, 0C] [Data04001E10: D$ 068676965, 0742D7974, 065657268, 0, 0B, 0B] [Data04001E28: D$ 068676965, 0662D7974, 072756F, 0B, 0B] [Data04001E3C: D$ 068676965, 0662D7974, 0657669, 0A, B$ " ", 0, 0, 0] [Data04001E50: D$ 068676965, 0732D7974, 07869, 0C, 0C] [Data04001E64: D$ 068676965, 0732D7974, 06E657665, 0, 0C, 0C] [Data04001E7C: D$ 068676965, 0652D7974, 074686769, 0, 0B, 0B] [Data04001E94: D$ 068676965, 06E2D7974, 0656E69, 06, 06] [Data04001EA8: D$ 0656E696E, 07974, 0A, B$ " ", 0, 0, 0] [Data04001EB8: D$ 0656E696E, 06F2D7974, 0656E, 0A, B$ " ", 0, 0, 0] [Data04001ECC: D$ 0656E696E, 0742D7974, 06F77, 0C, 0C] [Data04001EE0: D$ 0656E696E, 0742D7974, 065657268, 0, 0B, 0B] [Data04001EF8: D$ 0656E696E, 0662D7974, 072756F, 0B, 0B] [Data04001F0C: D$ 0656E696E, 0662D7974, 0657669, 0A, B$ " ", 0, 0, 0] [Data04001F20: D$ 0656E696E, 0732D7974, 07869, 0C, 0C] [Data04001F34: D$ 0656E696E, 0732D7974, 06E657665, 0, 0C, 0C] [Data04001F4C: D$ 0656E696E, 0652D7974, 074686769, 0, 0B, 0B] [Data04001F64: D$ 0656E696E, 06E2D7974, 0656E69, 07, 07] [Data04001F78: D$ 0746F6220, 0656C74, 016, 016] [Data04001F88: D$ 020666F20, 072656562, 0206E6F20, 020656874, 06C6C6177 0202C, 02D, B$ "-", 0, 0, 0] [Data04001FA8: B$ " of beer. Take one down and pass it around, ", 0, 0, 0] [Data04001FD8: D$ 018, 018] [Data04001FE0: B$ " of beer on the wall ", 0, 0, 0, 0 B$ 041, 0] [<Data04001FFE: W$ 0, 041, 0] [Data04002004: B$ "No more bottles of beer on the wall. No more bottles of beer... ", 0, 0, 0] [Data04002048: D$ 047, B$ "G", 0, 0, 0] [Data04002050: B$ "Go to the store and buy some more... 99 bottles of beer for the wall. ", 0] [Data04002160: D$ 0F, 0F] [Data04002168: D$ 020414C48, 065637845, 06F697470, 028206E, 01, 01] [Data04002180: D$ 024, 01, 01] [Data0400218C: D$ 029, 0F, 0F] [Data04002198: D$ 069727453, 04F20676E, 066726576, 0776F6C, 021, B$ "!", 0, 0, 0] [Data040021B0: B$ "Index into string is out of range", 0, 0, 0] [Data040021D4: D$ 012, 012] [Data040021DC: D$ 0756C6156, 0756F2065, 0666F2074, 06E617220, 06567, 011 011] [Data040021F8: D$ 0656C6C49, 0206C6167, 072616863, 065746361, 072, 010, 010] [Data04002214: D$ 0766E6F43, 069737265, 065206E6F, 0726F7272, 0, 013, 013] [Data04002230: D$ 0656C6C49, 0206C6167, 0656C6966, 06E616820, 0656C64, 011 011] [Data0400224C: D$ 0656C6946, 065706F20, 06166206E, 072756C69, 065, 012, 012] [Data04002268: D$ 0656C6946, 06F6C6320, 066206573, 0756C6961, 06572, 010 010] [Data04002284: D$ 0656C6946, 069727720, 065206574, 0726F7272, 0, 0F, 0F] [Data040022A0: D$ 0656C6946, 061657220, 072652064, 0726F72, 0F, 0F] [Data040022B8: D$ 0656C6946, 065657320, 07265206B, 0726F72, 0F, 0F] [Data040022D0: D$ 06B736944, 06C756620, 07265206C, 0726F72, 011, 011] [Data040022E8: D$ 020646E45, 06620666F, 020656C69, 06F727265, 072, 019, 019] [Data04002304: D$ 06F6D654D, 061207972, 0636F6C6C, 06F697461, 06166206E 072756C69, 065, 01F, 01F] [Data04002328: B$ "Error attempting to free memory", 0] [Data04002348: D$ 01D, 01D] [Data04002350: B$ "Heap corruption (during FREE)", 0, 0, 0] [Data04002370: D$ 01E, 01E] [Data04002378: B$ "Attempt to FREE a NULL pointer", 0] [<Data04002397: B$ 0, 021, 0, 0, 0, 021, 0, 0, 0] [Data040023A0: B$ "Pointer is not valid heap pointer", 0, 0, 0] [Data040023C4: D$ 026, B$ "&", 0, 0, 0] [Data040023CC: B$ "Attempted to free an unallocated block", 0] [<Data040023F3: B$ 0, 025, 0, 0, 0, 025, 0, 0, 0] [Data040023FC: B$ "Attempt to dereference a NULL pointer", 0, 0, 0] [Data04002424: D$ 01D, 01D] [Data0400242C: B$ "Cannot free specified storage", 0, 0, 0] [Data0400244C: D$ 026, B$ "&", 0, 0, 0] [Data04002454: B$ "Field width specification is too large", 0] [<Data0400247B: B$ 0, 020, 0, 0, 0, 020, 0, 0, 0] [Data04002484: B$ "Too many command line parameters", 0, 0, 0] [<Data040024A7: B$ , 0, 015, 0, 0, 0, 015, 0, 0, 0] [Data040024B0: D$ 061727241, 068732079, 020657061, 06C6F6976, 06F697461 06E, 016, 016] [Data040024D0: D$ 061727241, 06F622079, 073646E75, 06F697620, 06974616C 06E6F, 0C, 0C] [Data040024F0: D$ 061766E49, 02064696C, 065746164, 0, 013, 013] [Data04002508: D$ 061766E49, 02064696C, 065746164, 0726F6620, 074616D, 022 B$ , 022, 0, 0, 0] [Data04002524: B$ "Time overflow (value out of range)", 0] [<Data04002547: B$ 0, 025, 0, 0, 0, 025, 0, 0, 0] [Data04002550: B$ "Attempted to execute abstract routine", 0, 0, 0] [Data04002578: D$ 012, 012] [Data04002580: D$ 065737341, 06F697472, 06146206E, 064656C69, 0203A, 017 017] [Data0400259C: D$ 06F6D654D, 041207972, 073656363, 069562073, 074616C6F 06E6F69, 016, 016] [Data040025BC: D$ 061657242, 0696F706B, 06520746E, 0756F636E, 07265746E 06465, 015, 015] [Data040025DC: D$ 0676E6953, 07320656C, 020706574, 065637865, 06F697470 06E, 02E, B$ ".", 0, 0, 0] [Data040025FC: B$ "Attempted to execute a priviledged instruction", 0] [<Data0400262B: B$ 0, 02B, 0, 0, 0, 02B, 0, 0, 0] [Data04002634: B$ "Attempted to execute an illegal instruction", 0, "!", 0, 0] [<Data04002663: B$ , 0, "!", 0, 0, 0] [Data04002668: B$ "BOUND instuction bounds violation", 0, 0, 0] [Data0400268C: D$ 017, 017] [Data04002694: D$ 065746E49, 020726567, 07265766F, 0776F6C66, 06E692820 0296F74, 0E, 0E] [Data040026B4: D$ 069766944, 06E6F6973, 072726520, 0726F, 02B, B$ "+", 0, 0, 0] [Data040026CC: B$ "Denormalized floating point value exception", 0] [Data040026F8: D$ 01F, 01F] [Data04002700: B$ "Floating point division by zero", 0, "'", 0, 0] [<Data04002723: B$ , 0, "'", 0, 0, 0] [Data04002728: B$ "Inexact floating point result exception", 0, " ", 0, 0] [<Data04002753: B$ , 0, " ", 0, 0, 0] [Data04002758: B$ "Invalid floating point operation", 0, 0, 0] [<Data0400277B: B$ , 0, 017, 0, 0, 0, 017, 0, 0, 0] [Data04002784: D$ 0616F6C46, 0676E6974, 0696F7020, 06F20746E, 066726576 0776F6C, 013, 013] [Data040027A4: D$ 020555046, 063617473, 07865206B, 074706563, 06E6F69, 018 018] [Data040027C0: D$ 0616F6C46, 0676E6974, 0696F7020, 07520746E, 07265646E 0776F6C66, 0, 016, 016] [Data040027E4: D$ 061766E49, 02064696C, 0646E6977, 02073776F, 0646E6168 0656C, 0E, 0E] [Data04002804: D$ 063617453, 0766F206B, 06C667265, 0776F, 013, 013] [Data0400281C: D$ 0746E6F43, 02D6C6F72, 078652043, 074706563, 06E6F69, 018 018] [Data04002838: B$ "Unknown (user) exception"] [Data04002850: D$ 0] [Data04002854: D$ Code04002975, Code04002980, Code0400298B, Code04002996 Code040029A1, Code040029AC, Code040029B7, Code040029C2 Code040029CD, Code040029D8, Code040029E3, Code040029EE Code040029F9, Code04002A04, Code04002A0F, Code04002A1A Code04002A25, Code04002A3B, Code04002A51, Code04002A30 Code04002A46, Code04002A5C, Code04002A67, Code04002A72 Code04002A7D, Code04002A88, Code04002A93, Code04002A9E Code04002AB4, Code04002AA9, Code04002AD7] [Data04005000: D$ Data04001008, Data04001014, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008 Data04001008, Data04001008, Data04001008, Data04001008] [Data04005190: D$ Data04001020, Data04001030, Data0400103C, Data04001048 Data04001058, Data04001068, Data04001078, Data04001084 Data04001094, Data040010A4, Data040010B4, Data040010C0 Data040010D0, Data040010E0, Data040010F4, Data04001108 Data04001118, Data04001128, Data0400113C, Data04001150 Data04001164, Data04001174, Data04001188, Data0400119C Data040011B4, Data040011C8, Data040011DC, Data040011F0 Data04001208, Data04001220, Data04001234, Data04001244 Data04001258, Data0400126C, Data04001284, Data04001298 Data040012AC, Data040012C0, Data040012D8, Data040012F0 Data04001304, Data04001314, Data04001328, Data0400133C Data04001350, Data04001364, Data04001378, Data0400138C Data040013A0, Data040013B4, Data040013C8, Data040013D8 Data040013EC, Data04001400, Data04001414, Data04001428 Data0400143C, Data04001450, Data04001464, Data04001478 Data0400148C, Data0400149C, Data040014B0, Data040014C4 Data040014D8, Data040014EC, Data04001500, Data04001514 Data04001528, Data0400153C, Data04001550, Data04001560 Data04001574, Data04001588, Data040015A0, Data040015B8 Data040015D0, Data040015E4, Data040015FC, Data04001614 Data0400162C, Data0400163C, Data04001650, Data04001664 Data0400167C, Data04001690, Data040016A4, Data040016B8 Data040016D0, Data040016E8, Data040016FC, Data0400170C Data04001720, Data04001734, Data0400174C, Data04001760 Data04001774, Data04001788, Data040017A0] [Data0400531C: D$ Data040017B8] [Data04005320: D$ Data040017CC, Data040017DC, Data040017E8, Data040017F4 Data04001804, Data04001814, Data04001824, Data04001830 Data04001840, Data04001850, Data04001860, Data0400186C Data0400187C, Data0400188C, Data040018A0, Data040018B4 Data040018C4, Data040018D4, Data040018E8, Data040018FC Data04001910, Data04001920, Data04001934, Data04001948 Data04001960, Data04001974, Data04001988, Data0400199C Data040019B4, Data040019CC, Data040019E0, Data040019F0 Data04001A04, Data04001A18, Data04001A30, Data04001A44 Data04001A58, Data04001A6C, Data04001A84, Data04001A9C Data04001AB0, Data04001AC0, Data04001AD4, Data04001AE8 Data04001AFC, Data04001B10, Data04001B24, Data04001B38 Data04001B4C, Data04001B60, Data04001B74, Data04001B84 Data04001B98, Data04001BAC, Data04001BC0, Data04001BD4 Data04001BE8, Data04001BFC, Data04001C10, Data04001C24 Data04001C38, Data04001C48, Data04001C5C, Data04001C70 Data04001C84, Data04001C98, Data04001CAC, Data04001CC0 Data04001CD4, Data04001CE8, Data04001CFC, Data04001D0C Data04001D20, Data04001D34, Data04001D4C, Data04001D64 Data04001D7C, Data04001D90, Data04001DA8, Data04001DC0 Data04001DD8, Data04001DE8, Data04001DFC, Data04001E10 Data04001E28, Data04001E3C, Data04001E50, Data04001E64 Data04001E7C, Data04001E94, Data04001EA8, Data04001EB8 Data04001ECC, Data04001EE0, Data04001EF8, Data04001F0C Data04001F20, Data04001F34, Data04001F4C, Data04001F64] [Data040054B0: D$ Data040054C4] [Data040054B4: D$ 0 #02] [Data040054BC: D$ 0 #02] [Data040054C4: D$ Code04002150] [Data040054C8: D$ 0 #02] [Data040054D0: D$ 0 #04] [Data040054E0: D$ 01] [Data040054E4: D$ 0 #03] [Data040054F0: B$ 01, 0, 0, 0] [Data040054F4: D$ 0 #03] [Virtual04005500: D$ ? #040] Code04002098: I8: jmp Code04002C50 Code0400209D: J3: jmp Code040028D0 Main: Code040020A2: J8: call Code04002CF0 push 00 mov ebp esp push ebp mov ecx 063 NOP Code040020B1: L3: push D$ecx*4+Data04005190 call Code04002D20 push Data04001F78 call Code04002D20 push D$ecx*4+Data04005000 call Code04002D20 push Data04001F88 call Code04002D20 push D$ecx*4+Data04005320 call Code04002D20 push Data04001F78 call Code04002D20 push D$ecx*4+Data04005000 call Code04002D20 push Data04001FA8 call Code04002D20 push D$ecx*4+Data0400531C call Code04002D20 push Data04001F78 call Code04002D20 push D$ecx*4+Data04005000-4 call Code04002D20 push Data04001FE0 call Code04002D20 dec ecx | jne Code040020B1 push Data04002004 call Code04002D20 push Data04002050 call Code04002D20 Code04002150: L2: push 00 call 'KERNEL32.ExitProcess' Code04002158: M0: int 3 Code04002159: M1: int 3 Code0400215A: M2: int 3 Code0400215B: M3: int 3 Code0400215C: M4: int 3 Code0400215D: M5: int 3 Code0400215E: M6: int 3 Code0400215F: M7: int 3 Code040028D0: L2: call Code040028DD push 00 call 'KERNEL32.ExitProcess' Code040028DD: M5: push ebp mov ebp esp sub esp 0158 and esp 0-04 mov ecx eax lea ebx D$ebp-058 mov D$ebx 040 mov D$ebx+04 0 add ebx 08 mov D$ebp-04 ebx lea ebx D$ebp+0FFFFFEA8 mov D$ebx 0F0 mov D$ebx+04 0 add ebx 08 mov D$ebp-08 ebx push Data04002168 push D$ebp-04 call Code04002DB0 cmp ecx 0FFFF | jbe H5> ; Code0400294B push Data04002180 push D$ebp-04 call Code04002D60 push ecx push 08 push 030 push D$ebp-08 call Code04002E20 jmp I8> ; Code04002958 Code0400294B: H5: push ecx push 00 push 020 push D$ebp-08 call Code04002E00 Code04002958: I8: push D$ebp-08 push D$ebp-04 call Code04002D60 push Data0400218C push D$ebp-04 call Code04002D60 jmp Code04002C1D Code04002975: L7: lea eax D$Data04002198 jmp Code04002C36 Code04002980: M8: lea eax D$Data040021B0 jmp Code04002C36 Code0400298B: N9: lea eax D$Data040021DC jmp Code04002C36 Code04002996: P0: lea eax D$Data040021F8 jmp Code04002C36 Code040029A1: A1: lea eax D$Data04002214 jmp Code04002C36 Code040029AC: B2: lea eax D$Data04002230 jmp Code04002C36 Code040029B7: C3: lea eax D$Data0400224C jmp Code04002C36 Code040029C2: D4: lea eax D$Data04002268 jmp Code04002C36 Code040029CD: E5: lea eax D$Data04002284 jmp Code04002C36 Code040029D8: F6: lea eax D$Data040022A0 jmp Code04002C36 Code040029E3: G7: lea eax D$Data040022B8 jmp Code04002C36 Code040029EE: H8: lea eax D$Data040022D0 jmp Code04002C36 Code040029F9: I9: lea eax D$Data040022E8 jmp Code04002C36 Code04002A04: K0: lea eax D$Data04002304 jmp Code04002C36 Code04002A0F: L1: lea eax D$Data04002328 jmp Code04002C36 Code04002A1A: M2: lea eax D$Data04002350 jmp Code04002C36 Code04002A25: N3: lea eax D$Data04002378 jmp Code04002C36 Code04002A30: O4: lea eax D$Data040023A0 jmp Code04002C36 Code04002A3B: P5: lea eax D$Data040023CC jmp Code04002C36 Code04002A46: A6: lea eax D$Data040023FC jmp Code04002C36 Code04002A51: B7: lea eax D$Data0400242C jmp Code04002C36 Code04002A5C: C8: lea eax D$Data04002454 jmp Code04002C36 Code04002A67: D9: lea eax D$Data04002484 jmp Code04002C36 Code04002A72: F0: lea eax D$Data040024B0 jmp Code04002C36 Code04002A7D: G1: lea eax D$Data040024D0 jmp Code04002C36 Code04002A88: H2: lea eax D$Data040024F0 jmp Code04002C36 Code04002A93: I3: lea eax D$Data04002508 jmp Code04002C36 Code04002A9E: J4: lea eax D$Data04002524 jmp Code04002C36 Code04002AA9: K5: lea eax D$Data04002550 jmp Code04002C36 Code04002AB4: L6: push Data04002580 push D$ebp-08 call Code04002DB0 push D$Data040054D0 push D$ebp-08 call Code04002D60 mov eax D$ebp-08 jmp Code04002C36 Code04002AD7: P1: cmp ecx 0C0000005 | jne B0> ; Code04002AEA lea eax D$Data0400259C jmp Code04002C1B Code04002AEA: B0: cmp ecx 080000003 | jne C9> ; Code04002AFD lea eax D$Data040025BC jmp Code04002C1B Code04002AFD: C9: cmp ecx 080000004 | jne E8> ; Code04002B10 lea eax D$Data040025DC jmp Code04002C1B Code04002B10: E8: cmp ecx 0C0000096 | jne G7> ; Code04002B23 lea eax D$Data040025FC jmp Code04002C1B Code04002B23: G7: cmp ecx 0C000001D | jne I6> ; Code04002B36 lea eax D$Data04002634 jmp Code04002C1B Code04002B36: I6: cmp ecx 0C000008C | jne K5> ; Code04002B49 lea eax D$Data04002668 jmp Code04002C1B Code04002B49: K5: cmp ecx 0C0000095 | jne M4> ; Code04002B5C lea eax D$Data04002694 jmp Code04002C1B Code04002B5C: M4: cmp ecx 0C0000094 | jne O3> ; Code04002B6F lea eax D$Data040026B4 jmp Code04002C1B Code04002B6F: O3: cmp ecx 0C000008D | jne A2> ; Code04002B82 lea eax D$Data040026CC jmp Code04002C1B Code04002B82: A2: cmp ecx 0C000008E | jne C1> ; Code04002B95 lea eax D$Data04002700 jmp Code04002C1B Code04002B95: C1: cmp ecx 0C000008F | jne D7> ; Code04002BA5 lea eax D$Data04002728 jmp P5> ; Code04002C1B Code04002BA5: D7: cmp ecx 0C0000090 | jne F3> ; Code04002BB5 lea eax D$Data04002758 jmp P5> ; Code04002C1B Code04002BB5: F3: cmp ecx 0C0000091 | jne G9> ; Code04002BC5 lea eax D$Data04002784 jmp P5> ; Code04002C1B Code04002BC5: G9: cmp ecx 0C0000092 | jne I5> ; Code04002BD5 lea eax D$Data040027A4 jmp P5> ; Code04002C1B Code04002BD5: I5: cmp ecx 0C0000093 | jne K1> ; Code04002BE5 lea eax D$Data040027C0 jmp P5> ; Code04002C1B Code04002BE5: K1: cmp ecx 0C0000008 | jne L7> ; Code04002BF5 lea eax D$Data040027E4 jmp P5> ; Code04002C1B Code04002BF5: L7: cmp ecx 0C00000FD | jne N3> ; Code04002C05 lea eax D$Data04002804 jmp P5> ; Code04002C1B Code04002C05: N3: cmp ecx 0C000013A | jne O9> ; Code04002C15 lea eax D$Data0400281C jmp P5> ; Code04002C1B Code04002C15: O9: lea eax D$Data04002838 Code04002C1B: P5: jmp C2> ; Code04002C36 Code04002C1D: P7: cmp ecx 01 | jb Code04002AD7 cmp ecx 01E | ja Code04002AD7 jmp D$ecx*4+Data04002850 Code04002C36: C2: push 040030 push D$ebp-04 push eax push 00 call 'USER32.MessageBoxA' mov esp ebp pop ebp ret Code04002C4B: E3: int 3 Code04002C4C: E4: int 3 Code04002C4D: E5: int 3 Code04002C4E: E6: int 3 Code04002C4F: E7: int 3 Code04002C50: E8: mov edx D$esp+04 mov esi D$esp+08 mov ecx D$esp+0C mov edi D$esp+010 mov eax D$edx cmp eax 080000003 | je P0> ; Code04002CB6 cmp eax 080000004 | je P0> ; Code04002CB6 cmp eax 0C0000001 | je P0> ; Code04002CB6 cmp eax 0C0000005 | je P0> ; Code04002CB6 cmp eax 0C0000006 | je P0> ; Code04002CB6 cmp eax 0C0000008 | je P0> ; Code04002CB6 cmp eax 0C0000017 | je P0> ; Code04002CB6 cmp eax 0C000001D | je P0> ; Code04002CB6 cmp eax 0C00000FD | je P0> ; Code04002CB6 cmp eax 0C000013A | je P0> ; Code04002CB6 cmp eax 0C000008C | jb C4> ; Code04002CD8 cmp eax 0C0000096 | ja C4> ; Code04002CD8 Code04002CB6: P0: mov ebx D$fs:00 jmp A1> ; Code04002CC1 Code04002CBF: P9: mov ebx D$ebx Code04002CC1: A1: cmp D$ebx+04 Code04002098 | jne P9< ; Code04002CBF mov esp ebx pop D$fs:00 add esp 08 pop ebp ret Code04002CD8: C4: add esp 04 mov eax 01 ret Code04002CE1: D3: int 3 Code04002CE2: D4: int 3 Code04002CE3: D5: int 3 Code04002CE4: D6: int 3 Code04002CE5: D7: int 3 Code04002CE6: D8: int 3 Code04002CE7: D9: int 3 Code04002CE8: E0: int 3 Code04002CE9: E1: int 3 Code04002CEA: E2: int 3 Code04002CEB: E3: int 3 Code04002CEC: E4: int 3 Code04002CED: E5: int 3 Code04002CEE: E6: int 3 Code04002CEF: E7: int 3 Code04002CF0: E8: pop eax push Code0400209D push ebp push Data040054B0 push Code04002098 push D$fs:00 mov D$fs:00 esp mov D$Data040054BC esp jmp eax Code04002D17: I7: int 3 Code04002D18: I8: int 3 Code04002D19: I9: int 3 Code04002D1A: J0: int 3 Code04002D1B: J1: int 3 Code04002D1C: J2: int 3 Code04002D1D: J3: int 3 Code04002D1E: J4: int 3 Code04002D1F: J5: int 3 Code04002D20: J6: push ebp mov ebp esp sub esp 04 and esp 0-04 pushad pushf cld cmp B$Data040054E4 0 | jne N7> ; Code04002D49 push 0-0B call 'KERNEL32.GetStdHandle' mov D$Data040054E0 eax mov B$Data040054E4 01 Code04002D49: N7: push D$Data040054E0 push D$ebp+08 call Code04002EE0 popf popad mov esp ebp pop ebp ret 04 Code04002D5F: P9: Align 04 Code04002D60: A0: push ebp mov ebp esp pushf cld push eax push ecx push esi push edi mov esi D$ebp+0C mov edi D$ebp+08 cmp edi 00 | je C5> ; Code04002D79 cmp esi 00 | jne D5> ; Code04002D83 Code04002D79: C5: mov eax 015 jmp Code04002F20 Code04002D83: D5: mov ecx D$edi-04 mov eax ecx add ecx D$esi-04 cmp ecx D$edi-08 | jle F8> ; Code04002D9A mov eax 01 jmp Code04002F20 Code04002D9A: F8: mov D$edi-04 ecx mov ecx D$esi-04 inc ecx add edi eax rep movsb pop edi pop esi pop ecx pop eax popf mov esp ebp pop ebp ret 08 Code04002DB0: I0: push ebp mov ebp esp pushf cld push ecx push esi push edi mov edi D$ebp+08 mov esi D$ebp+0C test edi edi | je K2> ; Code04002DC6 test esi esi | jne L2> ; Code04002DD0 Code04002DC6: K2: mov eax 015 jmp Code04002F20 Code04002DD0: L2: mov ecx D$esi-04 cmp ecx D$edi-08 | jle N0> ; Code04002DE2 mov eax 01 jmp Code04002F20 Code04002DE2: N0: mov D$edi-04 ecx add ecx 04 shr ecx 02 rep movsd pop edi pop esi pop ecx popf mov eax D$ebp+08 mov esp ebp pop ebp ret 08 Code04002DFA: P4: int 3 Code04002DFB: P5: int 3 Code04002DFC: P6: int 3 Code04002DFD: P7: int 3 Code04002DFE: P8: int 3 Code04002DFF: P9: int 3 Code04002E00: A0: push ebp mov ebp esp push 00 push D$ebp+014 push D$ebp+010 push D$ebp+0C push D$ebp+08 call Code04002F50 mov esp ebp pop ebp ret 010 Code04002E1C: C8: int 3 Code04002E1D: C9: int 3 Code04002E1E: D0: int 3 Code04002E1F: D1: int 3 Code04002E20: D2: push ebp mov ebp esp push eax push edx push esi mov esi D$ebp+08 test esi esi | jne F5> ; Code04002E37 mov eax 015 jmp Code04002F20 Code04002E37: F5: mov eax D$ebp+014 call Code04003020 cmp B$Data040054F0 0 | je H8> ; Code04002E4E cmp eax 04 | jbe H8> ; Code04002E4E inc eax Code04002E4E: H8: cmp eax D$ebp+010 | jae I6> ; Code04002E56 mov eax D$ebp+010 Code04002E56: I6: cmp eax D$esi-08 | jle K1> ; Code04002E65 mov eax 01 jmp Code04002F20 Code04002E65: K1: mov D$esi-04 eax mov esi D$ebp+08 add esi eax mov B$esi 0 dec esi xor edx edx Code04002E73: L5: mov al B$ebp+014 and al 0F or al 030 cmp al 039 | jbe M8> ; Code04002E80 add al 07 Code04002E80: M8: mov B$esi al dec esi inc dl shr D$ebp+014 04 | je P7> ; Code04002E9D cmp B$Data040054F0 0 | je P7> ; Code04002E9D cmp dl 04 | jne P7> ; Code04002E9D mov B$esi 05F dec esi Code04002E9D: P7: cmp D$ebp+014 00 | jne L5< ; Code04002E73 jmp D8> ; Code04002EC6 Code04002EA5: A5: cmp B$Data040054F0 0 | je D0> ; Code04002EBE cmp dl 04 | jne D0> ; Code04002EBE cmp B$ebp+0C 030 | jne D0> ; Code04002EBE mov B$esi 05F jmp D5> ; Code04002EC3 Code04002EBE: D0: mov al B$ebp+0C mov B$esi al Code04002EC3: D5: dec esi inc dl Code04002EC6: D8: cmp esi D$ebp+08 | jae A5< ; Code04002EA5 pop esi pop edx pop eax mov esp ebp pop ebp ret 010 Code04002ED4: F2: int 3 Code04002ED5: F3: int 3 Code04002ED6: F4: int 3 Code04002ED7: F5: int 3 Code04002ED8: F6: int 3 Code04002ED9: F7: int 3 Code04002EDA: F8: int 3 Code04002EDB: F9: int 3 Code04002EDC: G0: int 3 Code04002EDD: G1: int 3 Code04002EDE: G2: int 3 Code04002EDF: G3: int 3 Code04002EE0: G4: push ebp mov ebp esp sub esp 04 pushad pushf cld mov esi D$ebp+08 push 00 push ebp add D$esp 0-04 push D$esi-04 push esi push D$ebp+0C call 'KERNEL32.WriteFile' test eax eax | jne L0> ; Code04002F0E mov eax 09 jmp Code04002F20 Code04002F0E: L0: popf popad mov esp ebp pop ebp ret 08 Code04002F16: L8: int 3 Code04002F17: L9: int 3 Code04002F18: M0: int 3 Code04002F19: M1: int 3 Code04002F1A: M2: int 3 Code04002F1B: M3: int 3 Code04002F1C: M4: int 3 Code04002F1D: M5: int 3 Code04002F1E: M6: int 3 Code04002F1F: M7: int 3 Code04002F20: M8: mov ebp D$fs:00 Code04002F27: N5: cmp D$ebp+04 Code04002098 | je O9> ; Code04002F35 mov ebp D$ebp jmp N5< ; Code04002F27 Code04002F35: O9: mov esp ebp pop D$fs:00 add esp 08 pop ebp ret Code04002F43: A3: int 3 Code04002F44: A4: int 3 Code04002F45: A5: int 3 Code04002F46: A6: int 3 Code04002F47: A7: int 3 Code04002F48: A8: int 3 Code04002F49: A9: int 3 Code04002F4A: B0: int 3 Code04002F4B: B1: int 3 Code04002F4C: B2: int 3 Code04002F4D: B3: int 3 Code04002F4E: B4: int 3 Code04002F4F: B5: int 3 Code04002F50: B6: push ebp mov ebp esp sub esp 020 pushad pushf cld lea edi D$ebp-020 push D$ebp+018 push D$ebp+014 call Code0400305F lea edx D$ebp-020 neg edx add edx edi mov ecx D$ebp+010 cmp ecx 00 | jge F6> ; Code04002F78 neg ecx Code04002F78: F6: mov eax edx cmp edx ecx | jae G4> ; Code04002F80 mov eax ecx Code04002F80: G4: mov edi D$ebp+08 cmp eax D$edi-08 | jb I2> ; Code04002F92 mov eax 01 jmp Code04002F20 Code04002F92: I2: mov D$edi-04 eax cmp D$ebp+010 00 | jl K4> ; Code04002FA8 cmp edx ecx | jae K4> ; Code04002FA8 mov al B$ebp+0C push ecx sub ecx edx rep stosb pop ecx Code04002FA8: K4: xchg ecx edx push ecx lea esi D$ebp-020 rep movsb pop ecx cmp D$ebp+010 00 | jge N4> ; Code04002FC6 xchg edx ecx cmp edx ecx | jae N4> ; Code04002FC6 mov al B$ebp+0C push ecx sub ecx edx rep stosb pop ecx Code04002FC6: N4: mov al 0 stosb popf popad mov esp ebp pop ebp ret 014 Code04002FD1: O5: int 3 Code04002FD2: O6: int 3 Code04002FD3: O7: int 3 Code04002FD4: O8: int 3 Code04002FD5: O9: int 3 Code04002FD6: P0: int 3 Code04002FD7: P1: int 3 Code04002FD8: P2: int 3 Code04002FD9: P3: int 3 Code04002FDA: P4: int 3 Code04002FDB: P5: int 3 Code04002FDC: P6: int 3 Code04002FDD: P7: int 3 Code04002FDE: P8: int 3 Code04002FDF: P9: int 3 Code04002FE0: A0: push ebp mov ebp esp push eax mov al B$ebp+08 mov B$Data040054F0 al pop eax mov esp ebp pop ebp ret 04 Code04002FF3: B9: movzx eax B$Data040054F0 ret Code04002FFB: C7: push ebp push D$ebp-04 lea ebp D$esp+04 push ebp and esp 0-04 cmp B$Data040054F0 0 | je F2> ; Code04003014 mov B$edi 05F inc edi Code04003014: F2: mov esp ebp pop ebp ret Code04003018: F6: int 3 Code04003019: F7: int 3 Code0400301A: F8: int 3 Code0400301B: F9: int 3 Code0400301C: G0: int 3 Code0400301D: G1: int 3 Code0400301E: G2: int 3 Code0400301F: G3: int 3 Code04003020: G4: test eax eax | je H4> ; Code0400302A bsr eax eax shr eax 02 Code0400302A: H4: inc eax ret Code0400302C: H6: int 3 Code0400302D: H7: int 3 Code0400302E: H8: int 3 Code0400302F: H9: int 3 Code04003030: I0: push eax mov eax edx xor edx edx mov ebx 0A div ebx mov ecx eax pop eax div ebx xchg edx ecx ret Code04003044: K0: test edx edx | jne K8> ; Code0400304C test eax eax | je M6> ; Code0400305E Code0400304C: K8: call Code04003030 push ecx call Code04003044 pop ecx or cl 030 mov B$edi cl inc edi Code0400305E: M6: ret Code0400305F: M7: push ebp mov ebp esp push eax push ebx push ecx push edx mov eax D$ebp+08 mov edx D$ebp+0C test eax eax | jne O8> ; Code04003074 test edx edx | je P5> ; Code0400307B Code04003074: O8: call Code04003044 jmp P9> ; Code0400307F Code0400307B: P5: mov B$edi 030 inc edi Code0400307F: P9: pop edx pop ecx pop ebx pop eax mov esp ebp pop ebp ret 08
From: Dragontamer on 20 Jan 2006 18:20 randyhyde(a)earthlink.net wrote: [snip everything] Well, I see what happens here, but do you think things like that will happen too often? It seems like a simple flaw of a disassembler to me; even what I would consider a perfect disassembler would fail in that regards. Although I do see the problem here: It is that the jumps are hardcoded. A simple solution (that may have already been done by Rene... I don't use RosAsm) would just be to add 1 to every jump. Does RosAsm add to the (absolute) jumps as it gets copy/pasted into the code? If it doesn't; then RosAsm is in a world of hurt; but I'm giving Rene the benifit of the doubt here... It is a simple solution to this trivial problem. As for if RosAsm doesn't; then what if two libraries have the same section of code for its subroutines? What if library 1 uses address 0x40000000 and library 2 uses that same address for its subroutine? Again, I'll give RosAsm the benifit of the doubt, but I'd still like a solid answer from Rene or Wannabie. --Dragontamer
From: hutch-- on 20 Jan 2006 18:51 I wonder why the RosAsm disassembler cannot disassembler / reassemble the tiny compressed editor I write called TheGun. The kids were able to do this on IRC 6 and 7 years ago because they knew how to grab a loaded file image using a couple of simple API calls yet RosAsm still cannot so something that simple. Start file. Read its loaded image. Perform the normal PE fixups. Write it back to disk !!!! Then !!!! disassemble it. This is being touted as the IDA Pro Slayer so it will need to improve some thousands of percent to get there. Regards, hutch at movsd dot com
From: Frank Kotler on 21 Jan 2006 02:56 randyhyde(a)earthlink.net wrote: > program bottles; .... Has anyone built this in Linux? I had in mind to run the Linux version of this through Jeff Owens' "asmsrc", just to see what it would do. A "comparison" of RosAsm with asmsrc is "apples and oranges" - that isn't what I had in mind... Just curious... But I didn't get that far... Here's my "error log": HLA (High Level Assembler) Parser Released to the public domain by Randall Hyde. Version Version 1.79 build 10132 (prototype) -t active File: rhbottle.hla Output Path: "" Compiling "rhbottle.hla" to "rhbottle.asm" Error in file "rhbottle.hla" at line 61 [errid:6641/hlaparse.bsn]: Macro called in file "rhbottle.hla" at line 115 Index size must be an unsigned value greater than or equal to zero. Near: << ] >> Error in file "rhbottle.hla" at line 61 [errid:6641/hlaparse.bsn]: Macro called in file "rhbottle.hla" at line 115 Index size must be an unsigned value greater than or equal to zero. Near: << ] >> Error in file "rhbottle.hla" at line 61 [errid:6641/hlaparse.bsn]: Macro called in file "rhbottle.hla" at line 115 Index size must be an unsigned value greater than or equal to zero. Near: << ] >> .... most of 27k snipped - it ends like this... note the second one! .... Error in file "rhbottle.hla" at line 65 [errid:6641/hlaparse.bsn]: Macro called in file "rhbottle.hla" at line 126 Index size must be an unsigned value greater than or equal to zero. Near: << ] >> Error in file "rhboHLA (High Level Assembler) Released to the public domain by Randall Hyde. Version Version 1.79 build 10132 (prototype) ELF output Using GAS assembler GAS output -test active HLA Lib Path: /usr/hla/hlalib/hlalib.a HLA include path: /usr/hla/include/ HLA temp path: Files: 1: rhbottle.hla Compiling 'rhbottle.hla' to 'rhbottle.asm' using command line [hlaparse -v -sg -test "rhbottle.hla"] And there it ends. Like Bernd's RedBlackTree, this is leaving me with zero-length (.asm and .inc) files. The "index size" message is familiar from that problem, too. If you'll recall, I finally *did* get RedBlackTreeTest working, by deleting a couple of innocuous lines in "macros.hhf", ignoring a bunch of error messages from hla, and running as and ld "by hand". I may not go to the bother of trying to get it to work in this case. I like Nathan's version, and my slight "tweak" of it, better anyway. I may tweak it one more time, to "XCIX Bottles"... maybe run Jeff's asmsrc on that... or not... I may be screwing something up here, but I suspect there's something "funny" going on with hla's macro-processing in Linux. If anyone else is getting these to work, it's "just me"... Best, Frank
From: Dragontamer on 21 Jan 2006 08:53
Betov wrote: > [And L0<< // L0>>, if the jumps are long, to give > control to the programmer on the local jumps sizes, > which is one another write-time security] Hmm, so does >> force a long jump and does > force a short jump? If that is the case... maybe there is some kind of overflow error. Probably not, another trivial error for a disassembler :-/ --Dragontamer |