Date: Tue, 3 Aug 1999 19:07:18 +0200
From: Hans-Bernhard Broeker
Message-Id: <199908031707.TAA09967@acp3bf.physik.rwth-aachen.de>
To: Martin AT Software DOT dk (Martin Nielsen)
Cc: djgpp AT delorie DOT com
Subject: Re: Making assembler-code from binary (exe)
Newsgroups: comp.os.msdos.djgpp
Organization: RWTH Aachen, III. physikalisches Institut B
X-Newsreader: TIN [version 1.2 PL2]
Reply-To: djgpp AT delorie DOT com

In article <37A70EBA DOT 3B29BA7B AT Software DOT dk> you wrote:
> Is it possible in DJGPP, to make an assembler-file (with
> asm-instructions and data) from an exe-file? I mean going from
> "aprog.exe" to "aprog.s". Is it in the debugger (gdb), or somewhere
> else, I should do this?

The first question I'd like to ask you: why on earth do you think you
need such a thing? If you want to see the assembly your own code got
compiled into, use 'objdump -dlS' on your compiled .o files. Don't
expect to get compilable output though: it'll be enough to see what gcc
made of your C code, and that's about it.

In the general case (esp. if there's no debug info with the program,
nor knowledge what compiler generated the program), this is provably
impossible (equivalent to Turing's 'halting problem'). So much for the
theoretical point of view.

That being said: for many special cases, such tools can be made.
They're called 'disassemblers', or sometimes 'Sourcers'. Without human
intervention, it's extremely hard for an automatic procedure to
distinguish code from data, which is the first and most important
difficulty in this discipline. AFAIK, there is nothing peculiar to
DJGPP that would make this task either harder or easier than it usually
is. For straightforward code, it's rather simple to trace execution
flow starting with the entry point, in order to find all executable
code, and classify the remains as 'data'. But as soon as things like
jump-tables ('computed goto'), or self-modifying code come into play,
it becomes practically impossible for the computer to do this, without
help from an experienced asm programmer.

I've never seen any such tool, yet, that can automatically produce
meaningful, or at least directly compilable assembly source code that
will reproduce the original .exe. The best one I've seen so far is
'IDA', the Interactive DisAssembler. It outputs almost-compilable
Intel-format assembly, after you've helped it to tell code from data.

I've used IDA with remarkable success to decipher the working of some
viruses. Those were cases where people got the 'Not COFF -- check for
viruses' message from the DJGPP stub loader, but claimed they knew for
sure they didn't have any infections. I was able to prove them wrong,
every single time, and then I used IDA to analyse the samples I had
made them send me. In two cases, the virus was brand-new, and mine was
the first (probably only) report of that virus to the antivirus
community.

-- 
Hans-Bernhard Broeker (broeker AT physik DOT rwth-aachen DOT de)
Even if all the snow were burnt, ashes would remain.
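The "trace execution flow from the entry point, call the rest data" procedure the reply describes, and the way a jump table defeats it, as an added example that is not part of the post and not code from DJGPP, objdump or IDA. The instruction set, its encoding and the sample image are all invented for this example; the only real-world point it carries over is that a computed jump's target is not visible to a static tracer.

```python
# Toy recursive-traversal disassembler for an INVENTED instruction set (not
# x86, not anything DJGPP emits); it exists only to show how entry-point
# tracing classifies bytes and where a computed jump makes it stop.
# Encoding: opcode byte, then one operand byte where noted.
#   0x00 NOP        1 byte
#   0x01 JMP  rel8  2 bytes, target = next_pc + signed rel8, no fall-through
#   0x02 JZ   rel8  2 bytes, may jump or fall through
#   0x03 RET        1 byte,  flow ends
#   0x04 JMPT idx   2 bytes, computed jump through a run-time table: the
#                   tracer cannot know the target, so it stops here
#   0x05 CALL rel8  2 bytes, target is code and so is the fall-through
LENGTH = {0x00: 1, 0x01: 2, 0x02: 2, 0x03: 1, 0x04: 2, 0x05: 2}

def trace(image: bytes, entry: int):
    """Follow control flow from entry; return (code_offsets, unresolved_jumps)."""
    code, unresolved, work = set(), [], [entry]
    while work:
        pc = work.pop()
        while 0 <= pc < len(image) and pc not in code:
            op = image[pc]
            size = LENGTH.get(op)
            if size is None or pc + size > len(image):
                break  # undefined opcode or truncated instruction: stop this path
            code.update(range(pc, pc + size))
            nxt = pc + size
            if op in (0x01, 0x02, 0x05):
                rel = image[pc + 1]
                work.append(nxt + (rel - 256 if rel > 127 else rel))  # resolvable
            elif op == 0x04:
                unresolved.append(pc)  # target lives in data the CPU reads later
            if op in (0x01, 0x03, 0x04):
                break  # no fall-through after JMP, RET or a computed jump
            pc = nxt
    return code, unresolved

def classify(image: bytes, entry: int):
    """Label every byte 'code' or 'data' the way a naive tracer would."""
    code, unresolved = trace(image, entry)
    return ["code" if i in code else "data" for i in range(len(image))], unresolved

# Constructed sample image. Offsets 9-10 are real code reachable only through
# the computed jump at offset 5, so the tracer wrongly files them as data.
SAMPLE_IMAGE = bytes([
    0x02, 0x02, 0x01, 0x04, 0x00,  # 0: jz +2 -> 4;  2: jmp +4 -> 8;  4: nop
    0x04, 0x00, 0xFF, 0x03,        # 5: jmpt (computed);  7: data byte;  8: ret
    0x00, 0x03])                   # 9: nop;  10: ret  (hidden behind the jmpt)

if __name__ == "__main__":
    labels, unresolved = classify(SAMPLE_IMAGE, 0)
    for off, lab in enumerate(labels):
        print(f"{off:04x}: {SAMPLE_IMAGE[off]:02x}  {lab}")
    print("unresolved computed jumps at:", unresolved)
```

The listing marks offsets 9 and 10 as data even though they are instructions; resolving the table at offset 5 is exactly the human intervention the post says a tool like IDA asks for.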