From: Bill Cunningham on 3 Mar 2010 14:09

How did a file that is so small such as this source be assembled and linked. Then disassembled into this huge file?

    section .text
    global _start               ;must be declared for linker (ld)

    _start:                     ;tell linker entry point

        mov edx,len             ;message length
        mov ecx,msg             ;message to write
        mov ebx,1               ;file descriptor (stdout)
        mov eax,4               ;system call number (sys_write)
        int 0x80                ;call kernel

        mov eax,1               ;system call number (sys_exit)
        int 0x80                ;call kernel

    section .data

    msg db 'Hello, world!',0xa  ;our dear string
    len equ $ - msg             ;length of our dear string

Simple and then I got this:

    00000000  7365  jnc 0x67
    00000002  637469  arpl [si+0x69],si
    00000005  6F  outsw
    00000006  6E  outsb
    00000007  2E7465  cs jz 0x6f
    0000000A  7874  js 0x80
    0000000C  200D  and [di],cl
    0000000E  20676C  and [bx+0x6c],ah
    00000011  6F  outsw
    00000012  62616C  bound sp,[bx+di+0x6c]
    00000015  205F73  and [bx+0x73],bl
    00000018  7461  jz 0x7b
    0000001A  7274  jc 0x90
    0000001C  3B0A  cmp cx,[bp+si]
    0000001E  6D  insw
    0000001F  7573  jnz 0x94
    00000021  7420  jz 0x43
    00000023  626520  bound sp,[di+0x20]
    00000026  6465636C61  arpl [gs:si+0x61],bp
    0000002B  7265  jc 0x92
    0000002D  6420666F  and [fs:bp+0x6f],ah
    00000031  7220  jc 0x53
    00000033  6C  insb
    00000034  696E6B6572  imul bp,[bp+0x6b],word 0x7265
    00000039  286C64  sub [si+0x64],ch
    0000003C  290A  sub [bp+si],cx
    0000003E  2020  and [bx+si],ah
    00000040  2020  and [bx+si],ah
    00000042  0D0D5F  or ax,0x5f0d
    00000045  7374  jnc 0xbb
    00000047  61  popaw
    00000048  7274  jc 0xbe
    0000004A  3A3B  cmp bh,[bp+di]
    0000004C  0A7465  or dh,[si+0x65]
    0000004F  6C  insb
    00000050  6C  insb
    00000051  206C69  and [si+0x69],ch
    00000054  6E  outsb
    00000055  6B657220  imul sp,[di+0x72],byte +0x20
    00000059  656E  gs outsb
    0000005B  7472  jz 0xcf
    0000005D  7920  jns 0x7f
    0000005F  706F  jo 0xd0
    00000061  696E74200D  imul bp,[bp+0x74],word 0xd20
    00000066  200D  and [di],cl
    00000068  6D  insw
    00000069  6F  outsw
    0000006A  7620  jna 0x8c
    0000006C  6564782C  fs js 0x9c
    00000070  206C65  and [si+0x65],ch
    00000073  6E  outsb
    00000074  3B0A  cmp cx,[bp+si]
    00000076  6D  insw
    00000077  657373  gs jnc 0xed
    0000007A  61  popaw
    0000007B  6765206C656E  and [dword gs:ebp+0x6e],ch
    00000081  677468  jz 0xec
    00000084  200D  and [di],cl
    00000086  206D6F  and [di+0x6f],ch
    00000089  7620  jna 0xab
    0000008B  6563782C  arpl [gs:bx+si+0x2c],di
    0000008F  206D73  and [di+0x73],ch
    00000092  673B0A  cmp cx,[edx]
    00000095  6D  insw
    00000096  657373  gs jnc 0x10c
    00000099  61  popaw
    0000009A  676520746F20  and [dword gs:edi+ebp*2+0x20],dh
    000000A0  7772  ja 0x114
    000000A2  697465200D  imul si,[si+0x65],word 0xd20
    000000A7  206D6F  and [di+0x6f],ch
    000000AA  7620  jna 0xcc
    000000AC  6562782C  bound di,[gs:bx+si+0x2c]
    000000B0  2031  and [bx+di],dh
    000000B2  3B0A  cmp cx,[bp+si]
    000000B4  66696C6520646573  imul ebp,[si+0x65],dword 0x73656420
    000000BC  637269  arpl [bp+si+0x69],si
    000000BF  7074  jo 0x135
    000000C1  6F  outsw
    000000C2  7228  jc 0xec
    000000C4  7374  jnc 0x13a
    000000C6  646F  fs outsw
    000000C8  7574  jnz 0x13e
    000000CA  2920  sub [bx+si],sp
    000000CC  0D206D  or ax,0x6d20
    000000CF  6F  outsw
    000000D0  7620  jna 0xf2
    000000D2  6561  gs popaw
    000000D4  782C  js 0x102
    000000D6  2034  and [si],dh
    000000D8  3B0A  cmp cx,[bp+si]
    000000DA  7379  jnc 0x155
    000000DC  7374  jnc 0x152
    000000DE  656D  gs insw
    000000E0  206361  and [bp+di+0x61],ah
    000000E3  6C  insb
    000000E4  6C  insb
    000000E5  206E75  and [bp+0x75],ch
    000000E8  6D  insw
    000000E9  626572  bound sp,[di+0x72]
    000000EC  287379  sub [bp+di+0x79],dh
    000000EF  735F  jnc 0x150
    000000F1  7772  ja 0x165
    000000F3  6974652920  imul si,[si+0x65],word 0x2029
    000000F8  0D2069  or ax,0x6920
    000000FB  6E  outsb
    000000FC  7420  jz 0x11e
    000000FE  307838  xor [bx+si+0x38],bh
    00000101  303B  xor [bp+di],bh
    00000103  0A6361  or ah,[bp+di+0x61]
    00000106  6C  insb
    00000107  6C  insb
    00000108  206B65  and [bp+di+0x65],ch
    0000010B  726E  jc 0x17b
    0000010D  656C  gs insb
    0000010F  200D  and [di],cl
    00000111  200D  and [di],cl
    00000113  206D6F  and [di+0x6f],ch
    00000116  7620  jna 0x138
    00000118  6561  gs popaw
    0000011A  782C  js 0x148
    0000011C  2031  and [bx+di],dh
    0000011E  3B0A  cmp cx,[bp+si]
    00000120  7379  jnc 0x19b
    00000122  7374  jnc 0x198
    00000124  656D  gs insw
    00000126  206361  and [bp+di+0x61],ah
    00000129  6C  insb
    0000012A  6C  insb
    0000012B  206E75  and [bp+0x75],ch
    0000012E  6D  insw
    0000012F  626572  bound sp,[di+0x72]
    00000132  287379  sub [bp+di+0x79],dh
    00000135  735F  jnc 0x196
    00000137  657869  gs js 0x1a3
    0000013A  7429  jz 0x165
    0000013C  200D  and [di],cl
    0000013E  20696E  and [bx+di+0x6e],ch
    00000141  7420  jz 0x163
    00000143  307838  xor [bx+si+0x38],bh
    00000146  303B  xor [bp+di],bh
    00000148  0A6361  or ah,[bp+di+0x61]
    0000014B  6C  insb
    0000014C  6C  insb
    0000014D  206B65  and [bp+di+0x65],ch
    00000150  726E  jc 0x1c0
    00000152  656C  gs insb
    00000154  200D  and [di],cl
    00000156  200D  and [di],cl
    00000158  207365  and [bp+di+0x65],dh
    0000015B  637469  arpl [si+0x69],si
    0000015E  6F  outsw
    0000015F  6E  outsb
    00000160  2E6461  fs popaw
    00000163  7461  jz 0x1c6
    00000165  200D  and [di],cl
    00000167  200D  and [di],cl
    00000169  206D73  and [di+0x73],ch
    0000016C  6720646220  and [dword edx+0x20],ah
    00000171  27  daa
    00000172  48  dec ax
    00000173  656C  gs insb
    00000175  6C  insb
    00000176  6F  outsw
    00000177  2C20  sub al,0x20
    00000179  776F  ja 0x1ea
    0000017B  726C  jc 0x1e9
    0000017D  642127  and [fs:bx],sp
    00000180  2C20  sub al,0x20
    00000182  307861  xor [bx+si+0x61],bh
    00000185  3B0A  cmp cx,[bp+si]
    00000187  6F  outsw
    00000188  7572  jnz 0x1fc
    0000018A  206465  and [si+0x65],ah
    0000018D  61  popaw
    0000018E  7220  jc 0x1b0
    00000190  7374  jnc 0x206
    00000192  7269  jc 0x1fd
    00000194  6E  outsb
    00000195  67200D206C656E  and [dword 0x6e656c20],cl
    0000019C  206571  and [di+0x71],ah
    0000019F  7520  jnz 0x1c1
    000001A1  2420  and al,0x20
    000001A3  2D206D  sub ax,0x6d20
    000001A6  7367  jnc 0x20f
    000001A8  3B0A  cmp cx,[bp+si]
    000001AA  6C  insb
    000001AB  656E  gs outsb
    000001AD  677468  jz 0x218
    000001B0  206F66  and [bx+0x66],ch
    000001B3  206F75  and [bx+0x75],ch
    000001B6  7220  jc 0x1d8
    000001B8  646561  gs popaw
    000001BB  7220  jc 0x1dd
    000001BD  7374  jnc 0x233
    000001BF  7269  jc 0x22a
    000001C1  6E  outsb
    000001C2  67  a32
    000001C3  200D  and [di],cl
    000001C5  200D  and [di],cl
    000001C7  0A  db 0x0a

The above numbers 0A 200D 67 and so on, are they the binary?

Bill
From: Coos Haak on 3 Mar 2010 14:41

On Wed, 3 Mar 2010 14:09:37 -0500 Bill Cunningham wrote:

> How did a file that is so small such as this source be assembled and
> linked. Then disassembled into this huge file?
>
>     section .text
>     global _start               ;must be declared for linker (ld)
>
>     _start:                     ;tell linker entry point
>
>         mov edx,len             ;message length
>         mov ecx,msg             ;message to write
>         mov ebx,1               ;file descriptor (stdout)
>         mov eax,4               ;system call number (sys_write)
>         int 0x80                ;call kernel
>
>         mov eax,1               ;system call number (sys_exit)
>         int 0x80                ;call kernel
>
>     section .data
>
>     msg db 'Hello, world!',0xa  ;our dear string
>     len equ $ - msg             ;length of our dear string
>
> Simple and then I got this:
>
>     00000000  7365  jnc 0x67
>     00000002  637469  arpl [si+0x69],si
>     00000005  6F  outsw
>     00000006  6E  outsb
>     [rest of the disassembly listing snipped; it ends with:]
>     000001C5  200D  and [di],cl
>     000001C7  0A  db 0x0a
>
> The above numbers 0A 200D 67 and so on, are they the binary?
>
> Bill

FCOL, this is the disassembly of the source file, not the object file. What you see is just the ASCII representation of it. Only 0x1c8 (456 decimal) bytes of the text you (or someone) typed in.

-- 
Coos
From: Bill Cunningham on 3 Mar 2010 15:46

"Coos Haak" <chforth(a)hccnet.nl> wrote in message news:11383wlhg4u8$.14l3goznz04kj.dlg(a)40tude.net...

> FCOL, this is the disassembly of the source file, not the object file.
> What you see is just the ASCII representation of it. Only 0x1c8 (456
> decimal) bytes of the text you (or someone) typed in.

So can you not disassemble source code? I'm new to this assembly stuff. My C isn't that great either. Should I be disassembling object or binaries only? I thought it was a disassembly of the binary.

Bill
From: rossum on 3 Mar 2010 16:21

On Wed, 3 Mar 2010 15:46:06 -0500, "Bill Cunningham" <nospam(a)nspam.invalid> wrote:

> "Coos Haak" <chforth(a)hccnet.nl> wrote in message
> news:11383wlhg4u8$.14l3goznz04kj.dlg(a)40tude.net...
>
>> FCOL, this is the disassembly of the source file, not the object file.
>> What you see is just the ASCII representation of it. Only 0x1c8 (456
>> decimal) bytes of the text you (or someone) typed in.
>
> So can you not disassemble source code? I'm new to this assembly stuff.
> My C isn't that great either. Should I be disassembling object or binaries
> only? I thought it was a disassembly of the binary.
>
> Bill

You can pass a source file to a disassembler but you won't get anything useful out of it. You should disassemble the binary file, that will show you what instructions your computer is actually running.

Many compilers will add in a lot of standard library stuff so do not be surprised if a simple "Hello World" program produces a large executable. You may want to investigate ways of excluding libraries, look at the instructions/flags for your compiler.

rossum
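The point made in the two replies above (the listing is the ASCII of the source file, and only a binary gives a meaningful disassembly) can be checked mechanically. The following is an added example, not code from the thread or from any poster. It parses the ndisasm-style "OFFSET HEXBYTES MNEMONIC" listing from the first post, rebuilds the raw bytes from the hex column (refusing the listing if the offsets are not contiguous), and scores how much of the input is printable text. A file that scores near 100% printable is text, and "disassembling" it produces exactly the kind of arpl/outsw/bound noise shown above. The sample listing is the first fourteen lines of the post; note that the decoded bytes show the file's whitespace as it actually was, which differs slightly from the source as it appears in the post. The machine-code sample is a hand-assembled 32-bit encoding of the same program with a placeholder address for `msg`; the function names `listing_to_bytes`, `printable_ratio` and `classify` are this example's own.

```python
"""Is this file text or code?  Triage before handing it to a disassembler.

Added example, not from the thread.  Sample inputs are constructed:
LISTING is copied from the first post's disassembly output, CODE is a
hand-assembled encoding of the posted program (msg address is a placeholder).
"""
import re
import string

# First fourteen lines of the listing in the post (offset, hex bytes, mnemonic).
LISTING = """\
00000000 7365 jnc 0x67
00000002 637469 arpl [si+0x69],si
00000005 6F outsw
00000006 6E outsb
00000007 2E7465 cs jz 0x6f
0000000A 7874 js 0x80
0000000C 200D and [di],cl
0000000E 20676C and [bx+0x6c],ah
00000011 6F outsw
00000012 62616C bound sp,[bx+di+0x6c]
00000015 205F73 and [bx+0x73],bl
00000018 7461 jz 0x7b
0000001A 7274 jc 0x90
0000001C 3B0A cmp cx,[bp+si]
"""

# 32-bit encoding of the posted program.  0x080490A0 for msg is a placeholder
# (the real address is whatever ld assigns to .data).
CODE = bytes.fromhex(
    "BA 0E 00 00 00 "   # mov edx, 14          ; len
    "B9 A0 90 04 08 "   # mov ecx, 0x080490A0  ; msg (placeholder address)
    "BB 01 00 00 00 "   # mov ebx, 1           ; stdout
    "B8 04 00 00 00 "   # mov eax, 4           ; sys_write
    "CD 80 "            # int 0x80
    "B8 01 00 00 00 "   # mov eax, 1           ; sys_exit
    "CD 80 "            # int 0x80
)

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(.*)$")


def listing_to_bytes(listing: str) -> bytes:
    """Rebuild the raw input bytes from an ndisasm-style listing.

    Each line must begin at the offset where the previous one ended.  A gap or
    overlap means the listing was edited or mis-parsed, and silently returning
    misaligned bytes would make every later conclusion wrong, so refuse.
    """
    out = bytearray()
    for lineno, line in enumerate(listing.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a listing line: {line!r}")
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(
                f"line {lineno}: offset {offset:#x} but {len(out):#x} bytes decoded so far"
            )
        out += bytes.fromhex(m.group(2))
    return bytes(out)


# Printable ASCII plus the usual whitespace (space, tab, CR, LF, VT, FF).
TEXT_BYTES = frozenset(string.printable.encode("ascii"))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    return sum(b in TEXT_BYTES for b in data) / len(data)


def classify(data: bytes, threshold: float = 0.95) -> str:
    """Crude triage: source text is almost entirely printable; machine code and
    executable headers are not.  If this says 'text', a disassembly of the file
    is just the ASCII of that text, not a program."""
    return "text" if printable_ratio(data) >= threshold else "binary"


if __name__ == "__main__":
    raw = listing_to_bytes(LISTING)
    print(repr(raw.decode("ascii")))          # the first 30 bytes of the .asm file
    print(len(raw), classify(raw))            # 30 text
    print(len(CODE), classify(CODE))          # 29 binary
```

On a Linux box the same question is answered by `file hello.asm` versus `file hello` (the first reports ASCII text, the second an ELF executable); for an ELF, point the disassembler at the object or the executable, not the `.asm`.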
From: Bill Cunningham on 3 Mar 2010 17:14
"rossum" <rossum48(a)coldmail.com> wrote in message news:8jjto5dbec2nb37l71eaevjsgi5eeol0dc(a)4ax.com...

> You can pass a source file to a disassembler but you won't get
> anything useful out of it. You should disassemble the binary file,
> that will show you what instructions your computer is actually
> running.
>
> Many compilers will add in a lot of standard library stuff so do not
> be surprised if a simple "Hello World" program produces a large
> executable. You may want to investigate ways of excluding libraries,
> look at the instructions/flags for your compiler.

I tried to disassemble an AVI file the other day and my Linux told me the file was too large. The disassembly that was being created, that is. Would using the split program to split up something between 700M and 1.2G allow me to successfully disassemble an AVI? This is what I'd like to find out from the AVI's chunk size and so on, and maybe change that in the binary. That would take reverse engineering.

Bill