Qtilities from Other Developers | The Assembly Programming Master Book

QUMPPE.EXE

This program was briefly mentioned in Chapter 1. In many respects, it is similar to the QUMPBIN.EXE utility; however, it has limited functionality in comparison to it.

NEW.EXE

This program is widely known among programmers in the hacker world. Its name is an abreviation of the phrase "hacker's view." The main tasks carried out by this program are viewing and editing executable modules. There are three possible modes of work in this program: binary, text, and assembly. There are tons of good disassembling programs; however, the programs similar to this one are few.

The interface of this program makes you recall the interfaces found in FAR Manager or Norton Commander (see Fig. 22.1). All commands are issued by functional keys (including combinations with the <Alt> and <Ctrl> keys). For example, by pressing <F4> , you can choose the mode of displaying the file: text, assembly, or binary. By pressing <F3> , you switch to the editing mode (provided that you are viewing the file in binary or assembly modes). If you switch to the assembly view and press <F2> after <F3> , you'll be able to edit machine commands in symbolic form. I will not describe the commands of this program in detail because they are simple and obvious, and the list of available commands can be obtained by pressing <F1> . Therefore, I'll demonstrate a practical example of using this program. For clarity, I will use a simple console application.

Figure 22.1: HIEW.EXE program at work

Listing 22.2 presents a simple console application that outputs a text string to the console.

Listing 22.2: A simple console application

 .586P ; Flat memory model .MODEL FLAT,  stdcall ; Constants STD_OUTPUT_HANDLE     equ -11 INVALID_HANDLE_VALUE  equ -1 ; Prototypes of external procedures EXTERN  GetStdHandle@4:NEAR EXTERN  WriteConsoleA@20:NEAR EXTERN  ExitProcess@4:NEAR ; INCLUDELIB directives for the linker includelib c:\masm32\lib\user32.lib includelib c:\masm32\lib\kernel32.lib ;----------------------------------------------- ; Data segment _DATA SEGMENT       BUF   DB  "Output string",  0       LENS  DWORD ? ; Number of characters for output       HANDL DWORD ? _DATA ENDS ; Code segment _TEXT SEGMENT START: ; Get the HANDLE output handle         PUSH  STD_OUTPUT_HANDLE         CALL  GetStdHandle@4         CMP   EAX,  INVALID_HANDLE_VALUE         JNE   _EX         MOV   HANDL,  EAX ; String output         PUSH  0         PUSH  OFFSET LENS         PUSH  17         PUSH  OFFSET BUF         PUSH  HANDL         CALL  WriteConsoleA@20 _EX:         PUSH  0         CALL  ExitProcess@4 _TEXT ENDS END START

The program in Listing 22.2 is easy. Now imagine that in the course of debugging, you accidentally changed a single command: you inserted JNE instead of JE . As a result, the program ceased to operate after translation. Is it possible to correct it without using the Assembly code? Of course, this is possible. To achieve this goal, it is necessary to disassemble the program, locate the error, and then use the HIEW.EXE program. It is possible to use only the HIEW program because it disassembles correctly. However, to illustrate the approach, I will carry out the task in two stages.

Disassemble the module using the DUMPBIN.EXE program. The disassembled code of this program is presented in Listing 22.3.

Listing 22.3: Disassembled code of the program in Listing 22.2

 Dump of  file  cons1.exe File Type: EXECUTABLE  IMAGE 00401000: 6AF5           PUSH    0F5h 00401002: E82B000000     CALL    00401032 00401007: 83F8FF         CMP     EAX,  0FFh 0040100A: 751E           JNE     0040102A 0040100C: A316304000     MOV     [00403016], EAX 00401011: 6A00           PUSH    0 00401013: 6812304000     PUSH    403012h 00401018: 6A11           PUSH    11h 0040101A: 6800304000     PUSH    403000h 0040101F: FF3516304000   PUSH    DWORD PTR  DS:[00403016h] 00401025: E80E000000      CALL    00401038 0040102A: 6A00           PUSH    0 0040102C: E80D000000     CALL    0040103E 00401031: CC             INT     3 00401032: FF2508204000   JMP     DWORD PTR  DS:[00402008h] 00401038: FF2500204000   JMP     DWORD PTR  DS:[00402000h] 0040103E: FF2504204000   JMP     DWORD PTR  DS:[00402004h]

By the disassembled code, it is easy to locate the error. By the way, the CMP EAX, 0FFh command must naturally be interpreted-as CMP EAX, 0FFFFFFFFh . Memorize the required code, 83F8FF , and start HIEW.EXE, then press <F7> to search for the required combination. After that, press <F3> ; then press <F2> and replace JNE with JE . Having completed this, press <F9> to save the change. As a result, you'll correct the program without needing to recompile and rebuild it.

DEWIN.EXE

This program operates in the command-line mode; however, it has several advantages in comparison to DUMPBIN.EXE. Its main advantage is the recognition of high-level languages. In addition, it provides the possibility of writing scripts using the built-in macro language.

IDA Pro

This is one of the most powerful disassemblers. Its functional capabilities are so rich that most programmers consider it a universal and almighty tool. When working with the text of the program being disassembled, it is possible to rename labels and procedures and to provide custom comments so that the disassembled text finally becomes easily readable and understandable. The corrected program text is saved in a special database and is recovered at the next startup. The main window of the IDA Pro disassembler is shown in Fig. 22.2. This illustration shows the disassembled code of the EDIT.EXE program (see Listing 3.2 in Chapter 3). By the way, notice the offset WNDPROC reference. The WNDPROC name was assigned in the course of analyzing the code of this program.

Figure 22.2: Program disassembling using the IDA Pro disassembler

Now, consider some features of this disassembler:

It can rename procedures and labels in a program. Naturally, in the course of disassembling, IDA Pro gives internal names to all procedures and labels. You can replace them with custom names to make the program text more understandable. All changes introduced into the text will be stored in special database and can be recovered after restart.
It recognizes library and application program interface functions (see Fig. 22.2). The disassembler not only recognizes these functions but also comments their parameters.
Using the context menu or double-clicking the mouse on the JMP or CALL commands, it is possible to jump to the specified location within a program and continue to execute the jumps any number of times. To return any number of steps back, use the arrow button on the toolbar.
Using key combinations such as <Shift>+<Insert>, the <Insert> key, and commands from the Edit menu, it is possible to insert a comment in any location within a program. Like custom label names, comments are saved in the program database. However, the most advantageous feature is that it is possible to insert the address of a specific program line or label name into the text of the comment. If you double-click that address or label, you'll automatically jump to the required location.
This disassembler can expand and collapse procedures. By pressing the < ˆ > key on the numeric keypad, it is possible to collapse the procedure. Pressing the <+> key expands the collapsed procedure. Presenting procedures in collapsed form allows you to represent the program code in more compact and readable form.
IDA Pro correctly recognizes both code and data. Fig. 22.3 shows the disassembled part of the EDIT.EXE program containing data.

Figure 22.3: Program fragment containing data disassembled using IDA Pro

IDA Pro also allows you to create and execute batch files. The language of IDA Pro batch files is close to the C programming language. Because of the limited volume of this book, I will not cover this language in detail. Nevertheless, I will provide an example batch file demonstrating this capability of IDA Pro.

Listing 22.4: An IDA Pro batch file

 // // This example shows how to get a list of functions. // #include <idc.idc> static main() { auto ea, x; for (ea = NextFunction(0); ea != BADADDR; ea = NextFunction(ea)) {  Message("Function at %08lX:%s", ea, GetFunctionName(ea));  x = GetFunctionFlags(ea);  if (x & FUNG_NORET)  Message(" Noret");  if (x & FUNC_FAR)  Message(" Far");  Message("\n"); }  ea = ChooseFunction("Please  choose  a function");  Message("The user chose  function at %08lX\n", ea) ; }

The file presented in Listing 22.4 requires some comments. As can be easily guessed, loop organization and conditional constructs have exactly the same syntax as in the C language. The main point here is that you should grasp the sense of the library functions used. As can be easily seen, the Message function outputs the string to the message window located below the main window. The ChooseFunction function opens the window that also can be opened by choosing the Jump to Function command from the Jump menu (the GetFunctionFlags function returns information about the specified function). Finally, the NextFunction function jumps to the next function and returns its address. The argument of the NextFunction function is the address of the previous function, from which the jump to the next function is carried out. I hope that you will study the IDA Pro language on your own, using the online help system. Theoretically, using this language, it is possible to write a program of any level of sophistication that would analyze the disassembled code.

IDA Pro disassembles modules of various formatsOBJ, EXE, DLL, VXD, ZIP, NLM, etc.

IDA Pro functionality can be considerably extended by using various plug-in modules. Plug-ins are written in C++ language and have the structure of typical portable executable modules. Usually, plug-ins are invoked by using hotkeys or by choosing the Edit Plugins menu commands. Plug-ins must be located in a special plug-ins directory with the configuration file that specifies these modules.

Another advantage of this disassembler is that it creates an Assembly file that makes it possible to work in the text mode.