Mail Archives: djgpp/1999/08/04/00:10:47

Date: Tue, 3 Aug 1999 19:07:18 +0200
From: Hans-Bernhard Broeker <broeker AT physik DOT rwth-aachen DOT de>
Message-Id: <199908031707.TAA09967@acp3bf.physik.rwth-aachen.de>
To: Martin AT Software DOT dk (Martin Nielsen)
Cc: djgpp AT delorie DOT com
Subject: Re: Making assembler-code from binary (exe)
Newsgroups: comp.os.msdos.djgpp
Organization: RWTH Aachen, III. physikalisches Institut B
X-Newsreader: TIN [version 1.2 PL2]
Reply-To: djgpp AT delorie DOT com

In article <37A70EBA DOT 3B29BA7B AT Software DOT dk> you wrote:

> Is it possible in DJGPP, to make an assembler-file (with
> asm-instructions and data) from an exe-file? I mean going from
> "aprog.exe" to "aprog.s".  Is it in the debugger (gdb), or somewhere
> else, I should do this?

The first question I'd like to ask you: why on earth do you think you
need such a thing? If you want to see the assembly your own code got
compiled into, use 'objdump -dlS' on your compiled .o files. Don't
expect to get compilable output though: it'll be enough to see what
gcc made of your C code, and that's about it.

In the general case (esp. if there's no debug info with the program,
nor knowledge what compiler generated the program), this is provably
impossible (equivalent to Turing's 'halting problem').  So much for the
theoretical point of view.

That being said: for many special cases, such tools can be
made. They're called 'disassemblers', or sometimes 'Sourcers'. Without
human intervention, it's extremely hard for an automatic procedure to
distinguish code from data, which is the first and most important
difficulty in this discipline.

AFAIK, there is nothing peculiar to DJGPP that would make this task
either harder or easier than it usually is.

For straightforward code, it's rather simple to trace execution flow
starting with the entry point, in order to find all executable code,
and classify the remains as 'data'. But as soon as things like
jump-tables ('computed goto'), or self-modifying code comes into play,
it becomes practically impossible for the computer to do this, without
help from an experienced asm programmer.

I've never seen any such tool, yet, that can automatically produce
meaningful, or at least directly compilable assembly source code that
will reproduce the original .exe. The best one I've seen so far is
'IDA', the Interactive DisAssembler. It outputs almost-compilable
Intel-format assembly, after you've helped it to tell code from data.

I've used IDA with remarkable success to decipher the working of some
viruses. Those were cases where people got the 'Not COFF -- check for
viruses' message from the DJGPP stub loader, but claimed they knew for
sure they didn't have any infections. I was able to prove them wrong,
every single time, and then I used IDA to analyse the samples I had
made them send me. In two cases, the virus was brand-new, and mine was
the first (probably only) report of that virus to the antivirus
community.

--
Hans-Bernhard Broeker (broeker AT physik DOT rwth-aachen DOT de)
Even if all the snow were burnt, ashes would remain.
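The code/data problem Broeker describes (trace execution flow from the entry point, mark everything reachable as code, call the rest data, and watch the scheme break down at an indirect jump through a table) is easy to demonstrate in miniature. The following is an added example, not code from the post or from DJGPP, and it runs over a constructed toy instruction set rather than real x86: the opcode table, the sample image and the `hints` parameter (which stands in for the analyst telling the tool where the jump-table targets are) are all assumptions made for the illustration.

```python
"""Recursive-traversal code/data classification on a constructed toy ISA."""
from collections import deque

# Constructed toy ISA (hypothetical, not any real CPU): opcode -> (mnemonic, length).
# Branch operands are one signed byte relative to the *next* instruction.
ISA = {
    0x00: ("nop", 1),
    0x01: ("jmp", 2),    # unconditional: only the target is a successor
    0x02: ("jz", 2),     # conditional: target and fall-through are successors
    0x03: ("call", 2),   # target, plus fall-through once the callee returns
    0x04: ("ret", 1),    # no static successors
    0x05: ("jmpi", 1),   # indirect jump (through a register/table): target unknown
    0x06: ("mov", 2),    # plain instruction with an 8-bit immediate
    0xFF: ("hlt", 1),
}

# Constructed sample image with a jump table at 0x0B whose entries (0x14, 0x18)
# point at two case handlers that flow tracing alone can never reach.
SAMPLE_IMAGE = bytes([
    0x06, 0x2A,        # 0x00 mov 0x2a
    0x02, 0x02,        # 0x02 jz  -> 0x06
    0x01, 0x04,        # 0x04 jmp -> 0x0A
    0x03, 0x08,        # 0x06 call -> 0x10
    0x01, 0x00,        # 0x08 jmp -> 0x0A
    0x05,              # 0x0A jmpi  (dispatch through the table below)
    0x14, 0x18,        # 0x0B jump table: handler addresses
    0x00, 0x00, 0x00,  # 0x0D padding, never executed
    0x06, 0x01,        # 0x10 mov 1   (helper called from 0x06)
    0x04,              # 0x12 ret
    0x00,              # 0x13 padding
    0x06, 0x02,        # 0x14 mov 2   (case handler A)
    0xFF,              # 0x16 hlt
    0x00,              # 0x17 padding
    0x06, 0x03,        # 0x18 mov 3   (case handler B)
    0xFF,              # 0x1A hlt
])


def rel8(b):
    """Interpret one operand byte as a signed 8-bit displacement."""
    return b - 256 if b > 127 else b


def trace_code(image, entry, hints=()):
    """Follow control flow from `entry` (and any analyst-supplied `hints`).

    Returns (code_bytes, insns, unresolved): the set of byte offsets proven to
    be code, a map of instruction start -> (mnemonic, length), and the offsets
    of indirect jumps whose targets the tracer could not determine.
    """
    code, insns, unresolved, seen = set(), {}, [], set()
    work = deque([entry, *hints])
    while work:
        pc = work.popleft()
        if pc in seen or not 0 <= pc < len(image):
            continue
        seen.add(pc)
        op = image[pc]
        if op not in ISA or pc + ISA[op][1] > len(image):
            continue  # undecodable byte: this path is abandoned, bytes stay 'data'
        name, length = ISA[op]
        insns[pc] = (name, length)
        code.update(range(pc, pc + length))
        nxt = pc + length
        if name in ("jmp", "jz", "call"):
            work.append(nxt + rel8(image[pc + 1]))
        if name == "jmpi":
            unresolved.append(pc)  # the one place the automatic pass gives up
        if name not in ("jmp", "ret", "hlt", "jmpi"):
            work.append(nxt)  # fall-through edge
    return code, insns, unresolved


def classify(image, entry, hints=()):
    """Produce a linear listing tagging every offset as 'code' or 'data'."""
    _, insns, unresolved = trace_code(image, entry, hints)
    listing, pc = [], 0
    while pc < len(image):
        if pc in insns:
            name, length = insns[pc]
            listing.append((pc, "code", name))
            pc += length
        else:
            listing.append((pc, "data", f"db 0x{image[pc]:02x}"))
            pc += 1
    return listing, unresolved


if __name__ == "__main__":
    for hints in ((), (0x14, 0x18)):
        listing, unresolved = classify(SAMPLE_IMAGE, 0, hints)
        print(f"--- hints={list(map(hex, hints))} unresolved={list(map(hex, unresolved))}")
        for pc, kind, text in listing:
            print(f"{pc:04x}  {kind:4}  {text}")
```

Without hints the tracer reaches the dispatcher at 0x0A, records it as an unresolved indirect jump, and the two case handlers at 0x14 and 0x18 are reported as data alongside the genuine table and padding bytes; seeding the worklist with the table's targets is exactly the "help from an experienced asm programmer" step, after which only the table and padding remain classified as data.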
