Now I realise that this thread could be seen as being helpful to cracking, a subject not allowed on this forum for reasons with which I am in complete agreement.

However, if you were to read too much into it, a simple question such as "How do I turn on my computer?" could be helpful to a cracker, since that is the first thing he/she would need to do if the computer were turned off.

So at that I'll ask my question. Do any of you out there know of any disassemblers which will effectively convert an exe to an asm file (I know it probably won't recompile, but that's ok)? I assure you I want this only for my own programs. Can anyone help?
Posted on 2001-07-27 14:00:50 by Eóin
I think most will tell you that the best one out there is IDA.
Posted on 2001-07-27 14:11:15 by Hiroshimator
I agree, IDA or maybe W32Dasm (less efficient but easier to use).

(s)
Posted on 2001-07-27 14:21:11 by (scalp)
IDA is awesome, and produces almost compilable source. It's programmable, too.
Posted on 2001-07-27 14:36:46 by bitRAKE
Thanks for the speedy replies, I'll definitely look into IDA, and win32Dasm doesn't sound too bad either.
Posted on 2001-07-27 14:50:14 by Eóin
On that note, I would like to add something I thought was quite surprising...

The other day, I was frustrated with floating point numbers and precisions, so I decided to write a very small C++ program using Borland's TC. It was one line long... multiply 2 floats and store it into a third... that's it!!

I then used DASM to decompile the exe generated so I could see just how the compilers generate such code... To my surprise the code was f'n huge!! So huge I couldn't easily follow just where my little one line of thought existed in... to me this is quite bizarre, since I didn't include any headers...

I will admit I'm with Zadkiel, and very new to DASM, but I certainly didn't expect so much "bloat" from TC...

NaN
Posted on 2001-07-28 10:00:13 by NaN
NaN, you have to remember that the library startup code will be
included unless you turn it off yourself - which is more work than it
sounds. Also, it probably has calls to various floating-point helper
functions.

You need to find your main() proc. In a stupid disassembler, this might
not be too easy. But any disassembler supporting debug information
will make it a breeze. IDA makes ANYTHING a breeze :P
Posted on 2001-07-28 12:26:01 by f0dder
Howdy NaN et al..
This is a little trick to find your code inside the sea that represents a 'dead-listing' (disassembly)..

Just add something like this in your src code before your floating point routine:

_asm{
nop
nop
nop
nop
nop
}

Then when you disasm (using IDA of course :) your own proggy, search for the NOPs (or for a 0x90 string (0x90 = NOP)) and you'll locate your own routine :).

There are many many more tricks that are popping now, if you need a hand debugging your proggy just ask.

Bye!

Latigo
Posted on 2001-07-28 15:07:37 by latigo
Your idea is fine latigo (I used to do that when I had sucky tools),
but using NOP is a bad idea - VC (with some "smart relink" options, I think)
places a LARGE amount of NOP padding in your code... using more
obscure instructions, like HLT is smarter. Or even a

db "jeg savner min blå cykel"

(I think the inline assembler supports that). Well, time to get back
to my drinking session, nite all :)
Posted on 2001-07-28 15:13:28 by f0dder
nan,

The way you used is not good for seeing what C code looks like in asm. Use the -S switch of the compiler. This will give a list file that's easy to follow, with your C source lines inserted as comments between the asm.

ancev
Posted on 2001-07-28 15:39:27 by ancev
Thanx all for the advice...

I will look into them all... Including IDA..

Ancev, thanx for the suggestion, in the short term I think this will be best.. but in the long run, I do want to know how to tear into a program I made to see just how it was placed together... This is why I got SoftIce going.. but I'm still a bit green at using it.. I know for now how to alter registers and exit on unwanted faults.. but I'm barely ready to debug my sources with it..

Altho I want to.. because it looks far more powerful than my traditional DPrintValH messages to give me 'insight'... These take many compiles to zero in on the problem, and I know tracing would be much easier... :)

Actually, quick question to whoever would know... SoftIce will kick in if I made a page fault unexpectedly.. This is the only way I know of using SoftIce... But how would I get into my program WHILE it's running (presumably properly), to see how registers are holding up etc. etc.? Is there a hot key or something?

Thanx again
NaN
Posted on 2001-07-28 18:02:52 by NaN
You can certainly set-up a hotkey to activate softice. It's been a while, but I think it defaults to Alt-D or Ctl-D? Not certain. :tongue:
Posted on 2001-07-28 18:23:40 by bitRAKE
CTRL-D :tongue:
Posted on 2001-07-28 18:28:13 by Hiroshimator
Too bad ctrl+d is also used for "logout" / "exit" shortcut on unices :(.

NaN, you can also use "bpx" to break on an address - or API calls.
VERY VERY VERY useful feature. Read the docs (if you got it warezzzzed,
there are docs available...).
Bpx is a VERY nice thing. If you're on 9x/me (same thing...) you can
also use BPR to break on a *range* of memory (!!!). Softice is a very
nice and useful tool, whether you're cracking (boooore), or reversing
(more fun), or debugging (great fun, grate labour). Do the right thing :)
Posted on 2001-07-28 18:36:07 by f0dder

CTRL-D :tongue:


Hiro's right, the (default) hot-key to let Soft-Ice pop up is ctrl-d. But this way you will probably end up debugging kernel32.dll or something, not your own app :-). AFAIK the best way to debug your win32asm programs with Softice is as follows:

You start your program with the Softice Symbol Loader. Soft-Ice will pop up upon entry point. Now you can set breakpoints (like bpx getwindowtexta, or bpx 00401234 etc...) and exit Softice. Now, every time your program calls this function/executes that line of code, Softice will pop up and you can trace from there on, or do whatever you want... In order to break on the most common APIs, you must uncomment some exports in your softice.dat. Search the web for 'configuring soft ice' or 'softice tut' etc... and you'll find heaps of info on this (most probably on cracking-oriented sites...). And of course, have a look at the manual :-).

HTH
Posted on 2001-07-28 18:40:25 by Unregistered
I use the following a lot in my programs:

void myfpuroutines(void);   /* the FPU code you want to trace through */

int main(void)
{
    asm {
        int 3               /* planted breakpoint: SoftIce pops up here once 'bpint 3' is set */
    }
    myfpuroutines();        /* trace onward from here */
    return 0;
}

Once your source is compiled, enter softice (ctrl+d) and type the following:

bpint 3

This means: Break when you find an 'int 3' instruction. Thus softice will pop up when it finds the int 3 in your proggy. From then on trace your way to happiness :)

Byeeee


Latigo
Posted on 2001-07-28 18:47:52 by latigo
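An added example (my own code, not posted by anyone in this thread) of the "plant a marker, then search the dead listing for it" trick that latigo and f0dder describe above, and of latigo's int 3 variant: a small C scanner that searches a byte image for a marker sequence and counts how many times it occurs. The IMAGE array is a constructed stand-in for compiler output (a few bytes of startup-like code, alignment NOP padding, the planted markers, then an fld/fmul/fstp sequence standing in for NaN's one-line float multiply); it is not real Borland or VC output. Running it shows f0dder's point in numbers: the first five-NOP run found sits in the compiler's padding, not at the planted marker, while the HLT run and the INT 3 byte each match exactly once.

```c
/* Added example: locate a planted marker inside a disassembled image.
 * Uses only the C standard library. IMAGE is constructed for the demo,
 * not bytes taken from a real TC or VC build. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Marker byte sequences discussed in the thread: NOP = 0x90, HLT = 0xF4, INT 3 = 0xCC */
static const uint8_t NOP_RUN[5] = { 0x90, 0x90, 0x90, 0x90, 0x90 };
static const uint8_t HLT_RUN[3] = { 0xF4, 0xF4, 0xF4 };
static const uint8_t INT3[1]    = { 0xCC };

/* Constructed image: fake startup code with alignment NOP padding,
 * then the planted markers, then the float multiply. Offsets in comments. */
static const uint8_t IMAGE[] = {
    0x55, 0x8B, 0xEC,                               /*  0: push ebp / mov ebp,esp */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, /*  3: eight bytes of compiler NOP padding */
    0xE8, 0x00, 0x00, 0x00, 0x00,                   /* 11: call rel32 (target irrelevant here) */
    0xCC,                                           /* 16: planted INT 3 (latigo's bpint 3 trick) */
    0xF4, 0xF4, 0xF4,                               /* 17: planted HLT run (f0dder's suggestion) */
    0x90, 0x90, 0x90, 0x90, 0x90,                   /* 20: planted five-NOP run (latigo's trick) */
    0xD9, 0x45, 0x08,                               /* 25: fld  dword ptr [ebp+8]    ; the one-line */
    0xD8, 0x4D, 0x0C,                               /* 28: fmul dword ptr [ebp+0Ch]  ; float multiply */
    0xD9, 0x5D, 0x10,                               /* 31: fstp dword ptr [ebp+10h] */
    0xC3                                            /* 34: ret */
};

/* Offset of the first occurrence of pat in buf, or -1 if absent. */
static long find_marker(const uint8_t *buf, size_t len,
                        const uint8_t *pat, size_t plen)
{
    if (plen == 0 || plen > len)
        return -1;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return (long)i;
    return -1;
}

/* Number of non-overlapping occurrences of pat in buf. A marker that
 * occurs more than once is ambiguous: you cannot tell which hit is yours. */
static size_t count_marker(const uint8_t *buf, size_t len,
                           const uint8_t *pat, size_t plen)
{
    size_t n = 0;
    if (plen == 0 || plen > len)
        return 0;
    for (size_t i = 0; i + plen <= len; ) {
        if (memcmp(buf + i, pat, plen) == 0) {
            n++;
            i += plen;
        } else {
            i++;
        }
    }
    return n;
}

static void report(const char *name, const uint8_t *pat, size_t plen)
{
    long off = find_marker(IMAGE, sizeof IMAGE, pat, plen);
    size_t hits = count_marker(IMAGE, sizeof IMAGE, pat, plen);
    if (hits == 1)
        printf("%-5s unique hit at offset %ld; your routine starts right after it\n", name, off);
    else
        printf("%-5s %zu hits, first at offset %ld; ambiguous as a marker\n", name, hits, off);
}

int main(void)
{
    report("NOP",  NOP_RUN, sizeof NOP_RUN);  /* 2 hits: the padding matches first */
    report("HLT",  HLT_RUN, sizeof HLT_RUN);  /* unique, offset 17 */
    report("INT3", INT3,    sizeof INT3);     /* unique, offset 16 */
    return 0;
}
```

To use it on a real build, read the code section of your own exe into a buffer and pass that instead of IMAGE; a `db` string marker like f0dder's works the same way, with the string's bytes as the pattern. The count is what tells you whether your marker is safe to rely on: anything the compiler itself emits as padding (NOPs above all) will show up more than once.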
I use a little trick similar to Latigo's, but I use the never-used API AnyPopup (betcha didn't think that one even existed;)

I just stick an Invoke AnyPopup line wherever I want to start tracing my code and keep the 'BPX AnyPopup' breakpoint active in SoftIce while I'm debugging. Nothing else on your system is likely to use it, so it breaks only when your code is run.

To be honest, I don't think I *could* write in assembly without having used SoftIce to understand how it really works. Problems with code not working right, or crashes because of stack corruption, the only way I can figure them out is careful tracing in SoftIce.

Nan, to get rid of the unwanted page faults, add 'faults off' to the INIT line in winice.dat. Something like:
INIT="X;lines 74;width 90;faults off;code on;wc 40;wd 12;ww 4;watch *es:di;"

Cheers,
Kayaker
Posted on 2001-07-29 01:31:24 by Kayaker
Thanx for the kick in the right direction all... And just to let it be known.. there are enough 'hackers' out there as is, they don't need my help, so I don't have plans to join the "dark side" of softice...

I'm trying it out (based on a suggestion from a very old post) and it shows a lot of promise.. but cryptic at the same time :)

Thanx again..

NaN
Posted on 2001-07-31 20:28:47 by NaN
Just a comment:

To break at interrupt 3 one must first set it in SoftIce or in winice.dat.

Use the I3HERE command to specify that any interrupt 3 instruction pops up SoftICE. This feature is useful for stopping your program in a specific location.

To use this feature, set I3HERE on, and place an INT 3 instruction into your code immediately before the location where you want to stop. When the INT 3 occurs, it brings up the SoftICE screen. At this point, the current EIP is the instruction after the INT 3 instruction.
Posted on 2001-08-01 06:03:00 by forge
Does any of you know of good documentation on IDA? I mean, just a kind of introduction to how to use it. Wouldn't be bad if it were a cr**king tutorial. Of course, not because of cracking, but for how to use IDA.

[-alloces-]
Posted on 2001-08-01 07:34:34 by NOP-erator