PEDasm details

PEDasm : working details

back

Command line options and output format

Usage : PEdasm inputFile.exe [-r] [-l] [-p passNumber] [-s configFile] [-o outFile.asm ] [ -b [+|-]bank_name ]

Default output contains no address lines nor raw values. These can be added with -l and -r respectively.

ex : no format option

mov dword ptr [ ebp - 80 ] , edi

with -l and -r

mov dword ptr [ ebp - 80 ] , edi ;0x0040101f : 897db0

rq : these option tend to render the source file unclear maybe I will replace ';' in the future by a comment directive at the beginning of each lines.

Constants are expressed in hexadecimal, except for for indexed addressing mode like the previous example. A

.radix 10

directive is added in each generated source file.

Recognized instructions are now organised in instruction banks. At present 4 are usable : user ( used by 99.99% of programs) , system ( privileged instruction set ), fpu (floating point unit) and mmx. Switching off unused instruction bank help disassembler not stumbling over garbage code.

Symbols and relocations

In order to differentiate constants from immediate field symbol relocations are used. .reloc is an optional section in a win32 PE file that permit the loader to choose its base virtual address

When this section is stripped ambiguities will remains in some code portions .

mov eax , 0x00401200 ; maybe an address , maybe a bit field ?

call dword ptr [eax] ; ok it's an address

Without relocations only a high order code analysis may solve this problem.

Each addresses fields are replaced with symbols. Symbols have the following form :

qualifnumericAddress

ex : callback401200 .

Process steps

PEDasm tries to load the input file and map it in memory .

Locate and scan import dll to find function names : useful if functions are imported by ordinal only. Generate def files.

disassembling step 1 to n-1 : Grab data and code symbols. In most cases two passes are necessary to solve tough code/data mixing .

disassembling step n : Disassembly itself.

Code data mixing

During the first steps , jump and call target as well as direct memory access are stored and used later to discriminate code from data . This way most ambiguities are resolved but not all. See example.

Dll imports

Dll import libs provided with C compilers export functions with decorations . Decoration enable the linker to check parameters stack size as well as calling convention . Shortly this was unusable with masm obj files. That is the reason why I added an dllImport.inc and def files output to my disassembler. With these files and a librarian editor one can generate correct untyped import lib.

With ms lib editor, import function are assemble that way :

dllFunct ::

call dword ptr [ _imp__dllFunct ]

...

_imp__dllFunct : dword

but since we want the real function pointer, the dllImport.inc contains two lines

extern _imp__dllFunct : dword

dllFunct equ _imp__dllFunct

So that the assembly call

call dword ptr [ dllFunct ]

Jumps to the correct location.