2.2. The W32Dasm Debugger and Disassembler


2.2. The W32Dasm Debugger and Disassembler

The Windows Disassembler (W32Dasm) program is a symbiosis of a powerful debugger and a disassembler. Versions 8.93 and 10 of this program, which are the most widely used nowadays, can work not only with PE modules but also with DOS, NE, and LE modules. In this section, this program will be covered in detail.

2.2.1. Getting Started

Program Appearance and Settings

The main window of the W32Dasm program is shown in Fig. 2.7. The main menu is supplemented by the toolbar, elements of which are activated depending on the situation.

image from book
Figure 2.7: The main window of the W32Dasm program

As already mentioned, this program is a combination of a debugger and a disassembler. This is reflected by the presence of the two menu items: Disassembler and Debug. Accordingly, there are individual settings both for the disassembler and for the debugger. For the disassembler, there are only three options related to the analysis of the cross-references in conditional jumps, unconditional jumps, and procedure calls. By default, all three options are set. It is undesirable to disable these options because this reduces the information content of the disassembled code. Principally, disabling these options might be necessary if you are going to disassemble a large program, because this would slightly speed up the process of program code analysis.

Debugger options are more numerous; however, all of them are self-evident. The W32Dasm Debugger Options window is shown in Fig. 2.8. As you can see, all debugger options relate to the specific features of loading processes, threads, and DLLs.

image from book
Figure 2.8: The W32Dasm Debugger Options window

To start working with the chosen executable module, it is necessary to choose the required file by selecting the Disassembler | Open File... menu options. After that, the program will carry out analysis of that module and produce the disassembled text, along with detailed information about the sections existing in the module. [2] W32Dasm correctly recognizes API functions and supplies them with informative comments (Fig. 2.9).

image from book
Figure 2.9: A fragment of the disassembled text

Having completed the work with the module, it is possible to create a working project using the Disassembler | Save Disassembler... menu commands. By default, the project will be saved in the wpjfiles subdirectory of the W32Dasm working directory. Every project includes two files: the file with the .alf file name extension, containing the disassembled text, and another file with the .wpj file name extension, which represents the project as such. If you want to start another working session, you can open the saved project using the Project | Open... menu commands.

2.2.2. Working with the Disassembled Code

Navigating the Disassembled Code

When navigating the disassembled code, the current line is highlighted in a different color. In addition, jumps and procedure calls are highlighted specially. Navigation over the disassembled code is also simplified by the Goto menu item. The available options are as follows:

  • Goto Code Start — This means go to the start of the listing.

  • Goto Program Entry Point — This is the most important menu item, allowing you to go to the program entry point.

  • Goto Page — This menu item allows you to go to the page with the specified number. By default, each page contains 50 lines of code.

  • Goto Code Location — This means jump to the specified address. If the address is missing, then the range and proximity to other addresses are taken into account.

The Search menu command is another method of navigating the disassembled text. This command doesn't differ from similar commands found in other programs.

If the current line contains a jump or procedure call, you can jump to the appropriate address by clicking the respective toolbar button. You can continue navigating in this way until you detect the required program fragment. The most advantageous point here is that it is also possible to move in the inverse direction. All required toolbar buttons will be automatically highlighted.

Furthermore, those addresses, to which the jump is carried out, contain lists of source addresses, from which the jumps were carried out. If you highlight the line, in which the address is located, and double-click it with the right mouse button, you'll go to the required line of code.

Displaying Data

There are several methods of working with the data.

First, there is the HexData | Hex Display of Data... menu item, which you can use to view the contents of data segments in hex or string representations. In addition, the program code can be viewed in hex format. For this purpose, use HexData | Hex Display of Code... menu command sequence.

Second, there is the Refs | String Data References menu item. This is a powerful and useful tool. When you choose this menu item, the list of code lines, to which there are references from the program text, will appear. This list includes everything the disassembler could detect when analyzing the program. By selecting the required line, you can double-click it and jump to the required program location. If this line is referenced from several locations, you can continue double-clicking to visit all required locations. Fig. 2.10 displays the window containing references to string data types.

image from book
Figure 2.10: The window displaying references to strings

As you can see from Fig 2.10, it is possible to copy either selected string or all strings into the clipboard.

Outputting Imported and Exported Functions

The list of imported functions and modules is located in the beginning of the disassembled text (Fig. 2.11). In addition, the list of imported functions can be obtained by choosing the Functions | Imports menu options. If you select a specific function from the list and double-click it, you'll obtain all program locations, from which that function is called.

image from book
Figure 2.11: A fragment of the list of imported modules and functions

To obtain the list of exported functions, choose the Functions | Exports menu commands.

Displaying Resources

Resources (or, to be precise, two main resources — menu and dialog) are also described in the beginning of the disassembled text. It is possible to work with the list of resources in special windows that can be opened by choosing the Refs | Menu References and Refs | Dialog references options from the menu. String resources can be viewed in the previously-mentioned window for viewing string references (see Fig. 2.10). Unfortunately, this version of the program doesn't recognize other types of resources.

Text Operations

Strings of the disassembled text can be copied to the clipboard or printed. To select the string, move the cursor to its leftmost position and click the left mouse button. To select a group of code lines, use the <Shift> key as well. To copy or print the selected fragment, click a special toolbar button, which is highlighted when the fragment is copied to the clipboard or sent to the printer.

2.2.3. Debugging Programs

In this section, I briefly cover the functional possibilities of application debugging using the W32Dasm debugger.

Loading a Program for Debugging

There are two methods of loading a module for debugging. To load a module that has already been disassembled, choose the Debug | Load Process menu commands. The Debug | Attach to an Active Process menu options allow you to attach and debug the process loaded into the memory. When the debugger loads, two windows appear on the screen. The first one is the information window (Fig. 2.12).

image from book
Figure 2.12: The information window of the debugger

The second window is the control window (Fig. 2.13).

image from book
Figure 2.13: The control window of the debugger

The information window contains several list windows, including the contents of the central processing unit (CPU) registers, processor flag values, breakpoints, the contents of segment registers, base addresses, and two data displays. Later in this chapter, I will explain the functions of the buttons located in this window.

Now, consider the control window. The Run button starts the program loaded into the debugger, and the Pause button pauses its execution. The Terminate button stops the program's execution and removes it from the debugger. The Step Into and Step Over buttons are intended for step-by-step execution of the program being debugged. The first button executes all instructions sequentially, and the second button executes instructions by stepping over the code of procedures and repeating chains of commands. In addition, there are AutoStep Into and AutoStep Over buttons for automatic step-by-step execution of the debugged program. With an API function, even the use of the Step Into button will not result in step-by-step execution of the function code because this code is not available to user programs. A convenient feature is that in the course of step-by-step execution, the cursor moves synchronously not only in the debugger but also in the disassembler window.

Note that if you are attaching to the process loaded into the memory, then this process will be unloaded from the memory when exiting the debugger, which might result in incorrect operation of the operating system.

Working with Dynamic Link Libraries

To debug a DLL, you can proceed as follows: Load the program that accesses the required DLL into the debugger. Then, view the list of used DLLs. To work with a particular DLL, you might be required to start the program and execute one of its functions. After you double-click the required library, you'll see its disassembled code in the disassembler window and will be able to work with the library code.

Setting Breakpoints

You can set breakpoints in the disassembled listing. To achieve this, go to the required line of code and press <F2> or press <Ctrl> and click the left mouse button. The breakpoint will immediately appear in the information window and in the control window; the marked command will have the BP* prefix. The existing breakpoint can be deleted in the same way it was set. It is also possible to deactivate the existing breakpoint. To achieve this, go to the information window and open the list of existing breakpoints. Choose the required address and right-click it with the mouse. The asterisk near the breakpoint will disappear, and the line of code in the disassembler window will change from yellow to green.

To quickly jump to the required breakpoint, choose it from the list in the information window and double-click it with the mouse. Finally, it is possible to set breakpoints to specific events, such as loading and unloading a DLL or creating and deleting a thread. These goals are achieved by setting an appropriate flag in the information window.

Modifying Code, Data, and Registers

The debugger allows you to modify the code that you loaded previously. To do so, click the Patch Code button in the control window (Fig. 2.14). It is important to note that only the code loaded into the debugger is modified, not the disassembled text. Having found the required location in the code being debugged, you can modify this code and immediately test the result of modification by running the program. If your modification was correct, you can proceed with modifying the module.

image from book
Figure 2.14: The window for modifying the code being debugged

To modify the registers and memory cells of an executable process, there is a special button — the Modify Data button in the information window. The window opened with this button is shown in Fig. 2.15. At first glance, it might seem that this window is cluttered with elements; however, after you carefully study this window, you'll discover that there isn't anything redundant there. The top part of the window displays the current values of the main processor flags, which you can change. To modify the content of a register or memory cell, first set the modifier value using Enter Value. Then choose the required register and click the button next to it.

image from book
Figure 2.15: The window for modifying the contents of registers and memory cells

To restore the previous value, click the R button to the right of the register field. To change the content of the memory cell, first write the cell address to the Mem Lock field and then use the Mem button above it. Other operations that can be carried out in this window are self-evident.

Outputting Information about an Application Programming Interface

The debugger allows you to output additional information about executed API functions. To use this functionality, go to the control window and set the following flags: Enable Documented API Detail and Stop Auto On API. Then, press <F5> to start program execution. Every time the program encounters an API function, it will stop and the screen will display information about the specific function.

Searching for the Required Locations in a Program

Quite often, it is necessary to find a location within the disassembled code that corresponds to a specific location within the executable program. The most efficient way of achieving this goal is as follows: Load the required module into the debugger. Start it for execution, step to the required position, and click the Terminate button. As a result, the highlighted string in the disassembled code will be at the required position. Bear in mind that some programs introduce modifications that remain in force. For instance, the hotkeys can be classified as such modifications.

The use of W32Dasm will be covered in more detail later in this book.

[2]Although W32Dasm is capable of working with modules of different types, only PE modules will be covered here.




Disassembling Code. IDA Pro and SoftICE
Disassembling Code: IDA Pro and SoftICE
ISBN: 1931769516
EAN: 2147483647
Year: 2006
Pages: 63
Authors: Vlad Pirogov

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net