We can also see that Ida has correctly identified the data inside the instructions at address 0x00411A10 and it automatically placed the comments around it to make it stand out as a non-used instruction, which is correct since it’s a data instruction and shouldn’t be executed. We can see the disassembled piece of code on the picture below:Ĭool, we can see that Ida was quite successful at the disassembly and it also preserved the actual label names that we’re using for jumping around the executable. Let’s take a look at how successful Ida is at disassembling the above code. This proves that Olly can correctly disassemble the executable and execute all the instructions the way they should be executed. If we then press the step into button (F7 in Olly), the execution will of course jump to the 0x00411A11 instruction right after the “DB 0F” instruction, which will never be executed. If we place a breakpoint on the “jmp short 00411A11” instruction and run the program, the program execution will hit that breakpoint and pause the execution. Then there is one byte of data that Olly has correctly assigned the “DB 0F” instruction. First, there is the jmp short 00411A11 call that corresponds to our “jmp B” instruction in C++ source code. We can see that Olly has properly disassembled the executable. Let’s first load the compiled executable in Olly disassembler, which produces the result that can be seen on the picture below: What’s important is how different disassemblers disassemble the executable. I won’t describe this here in detail, because it’s really not important for the purpose of this exercise. This is because we’re pushing something onto the stack (the “push eax” instruction), so when the function returns, the EIP and ESP cannot be properly restored, since we’re now trying to load a different value in the ESP register when returning (because of an additional push instruction). If we compile and run the program, a notification dialog such as the one seen on the picture below, will be displayed: Let’s take a look at the following example, which is written in C++ in Visual Studio: The most common linear sweep disassemblers are objdump, WinDbg and SoftICE. This makes the algorithm very simple, but also susceptible to any mistakes intentionally left in the code to derail the linear sweep algorithm from its path. It starts with the first byte in the code section and proceeds by decoding each byte, including any intermediate data byte, as code, until an illegal instruction is encountered. text sections of the executable and disassembling everything sequentially. When using the linear sweep algorithm, we’re going through the.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |