To pub.comp.asm@ofb.net

How does one "decode" a line like Call NNNN:NNNN (x86), the output of a disassembler on a DOS .exe?
-- Seth Hettich at 07-19 18:37:55

"Decode"?
-- Dan Egnor at 07-19 18:38:20

It should mean call to CS NNNN, offset NNNN. ... What else can you get out of it?

I'd like to know the offset, relative to the start of the file, where that goes.
-- Seth Hettich at 07-19 18:39:05

Well, that depends on relocation and stuff.
-- Dan Egnor at 07-19 18:39:41

Well, you need to understand the .exe format and where DOS will stick it in memory...
-- Aaron Denney at 07-19 18:39:45

so I'll need to understand: http://www.delorie.com/djgpp/doc/exe/
-- Seth Hettich at 07-19 18:40:51

A debugger or disassembler should tell you what you need to know without you having to figure out EXE files.
-- Dan Egnor at 07-19 18:41:10

the one that came with nasm didn't
-- Seth Hettich at 07-19 18:41:42

What does it tell you?
-- Dan Egnor at 07-19 18:41:56

I just get the call with 2 hex values
-- Seth Hettich at 07-19 18:43:08

[q] relocation table and the program load module follow the header; relocation entries are 32-bit values representing the offset into the load module needing patched
-- Seth Hettich at 07-19 18:44:50

hmm, that's no help
-- Seth Hettich at 07-19 18:45:41

so the header lists the segment addresses that need fixing; it adds some # (the same for all) to each of them, right?
-- Seth Hettich at 07-19 18:59:15

ah! it adds 10 + where DOS loaded it
-- Seth Hettich at 07-19 19:26:00

000087E2 C3          ret
000087E3 A08417      mov al,[0x1784]
000087E6 803E9C0D00  cmp byte [0xd9c],0x0
000087EB 751E        jnz 0x880b
000087ED 240F        and al,0xf
000087EF 8A1E8417    mov bl,[0x1784]
000087F3 80E310      and bl,0x10
000087F6 B103        mov cl,0x3
000087F8 D2E3        shl bl,cl
000087FA 0AC3        or al,bl
000087FC 8A1E8017    mov bl,[0x1780]
00008800 B104        mov cl,0x4
00008802 D2E3        shl bl,cl
00008804 80E370      and bl,0x70
00008807 0AC3        or al,bl
00008809 EB0E        jmp short 0x8819
0000880B 803EC50D02  cmp byte [0xdc5],0x2
00008810 7507        jnz 0x8819
00008812 FF16DF0D    call near [0xddf]
00008816 A0DB16      mov al,[0x16db]
00008819 A28517      mov [0x1785],al
0000881C C3          ret

how hard is it to believe that offset 87fc is the "start" of a func?
-- Seth Hettich at 07-19 19:43:10

that it's the target of a call
-- Seth Hettich at 07-19 19:43:41

It is not inherently ridiculous.
-- Aaron Denney at 07-19 20:23:33

can anyone make sense of: http://www.gbar.dtu.dk/~c958468/computer/execom.html
I'm looking for how to follow calls to seg:off addrs looking at a simple dump of the exe
-- Seth Hettich at 07-19 20:27:36

so far: the image starts at SizeOfHeader*16; the image is loaded at the start of the mem chunk + 10h
-- Seth Hettich at 07-19 20:29:11

so I need to subtract SizeOfHeader*16 and add 10?
-- Seth Hettich at 07-19 20:30:03

grrr, nothing works. I can't believe this is that hard
-- Seth Hettich at 07-19 22:38:07

No headway, eh?
-- Josh at 07-19 22:48:20

we should find the 2 funcs that are 2C bytes apart. then I can calc the offset
-- Seth Hettich at 07-19 22:56:55

we can also map out the code by what segment it's NOT (if a line has a call like NNNN:AAAA then it's not in seg NNNN)
-- Seth Hettich at 07-19 22:58:47

You're mad. Once we DO figure out how it addresses that call, how are we going to figure out where this particular method is being called FROM?
-- Josh at 07-19 23:00:44

only 156 retf's...
-- Seth Hettich at 07-19 23:02:39

Hey! 0000831D - 000082F1 = 2C
-- Seth Hettich at 07-19 23:27:48

Think you found one, eh?
-- Josh at 07-19 23:29:38

000082F2 55          push bp
000082F3 8BEC        mov bp,sp
000082F5 57          push di
000082F6 C606C61600  mov byte [0x16c6],0x0
000082FB C47E06      les di,[bp+0x6]
000082FE A1A717      mov ax,[0x17a7]
00008301 40          inc ax
00008302 AB          stosw
00008303 C47E0A      les di,[bp+0xa]
00008306 A1A917      mov ax,[0x17a9]
00008309 40          inc ax
0000830A AB          stosw
0000830B C47E0E      les di,[bp+0xe]
0000830E A1AB17      mov ax,[0x17ab]
00008311 40          inc ax
00008312 AB          stosw
00008313 C47E12      les di,[bp+0x12]
00008316 A1AD17      mov ax,[0x17ad]
00008319 40          inc ax
0000831A AB          stosw
0000831B 5F          pop di
0000831C 5D          pop bp
0000831D CB          retf
0000831E 55          push bp
0000831F 8BEC        mov bp,sp
00008321 E8C802      call 0x85ec
00008324 8B4606      mov ax,[bp+0x6]
00008327 0BC0        or ax,ax
00008329 7417        jz 0x8342
0000832B 9C          pushf
0000832C 7902        jns 0x8330
0000832E F7D8        neg ax
00008330 B406        mov ah,0x6
00008332 9D          popf
00008333 7902        jns 0x8337
00008335 B407        mov ah,0x7
00008337 E800FC      call 0x7f3a
0000833A E8A003      call 0x86dd
0000833D E8D302      call 0x8613
00008340 5D          pop bp
00008341 CB          retf
-- Seth Hettich at 07-19 23:29:39

the (only) 2 funcs that start 2C bytes apart
-- Seth Hettich at 07-19 23:30:11

and thus the probable targets of these 2 calls:

00007C23 9AF80AAC05  call 0x5ac:0xaf8
00007C28 837EF800    cmp word [bp-0x8],byte +0x0
00007C2C 7503        jnz 0x7c31
00007C2E E90B00      jmp 0x7c3c
00007C31 B8B500      mov ax,0xb5
00007C34 9A240BAC05  call 0x5ac:0xb24
-- Seth Hettich at 07-19 23:32:20

I would "expect" to see 0x5ac:0xaf8 -> 87C0, but it's at 82f2, so all the far calls should be adjusted by 4ce
-- Seth Hettich at 07-19 23:34:49

And that holds true for the other calls?
-- Josh at 07-19 23:35:25

testing now...
-- Seth Hettich at 07-19 23:35:37

Hey Josh, this category.
-- Dan Egnor at 07-19 23:35:42

*groan* thanks.
-- Josh at 07-19 23:36:40

a bit later...

00007CC5 B80020      mov ax,0x2000
00007CC8 50          push ax
00007CC9 9A6B05A206  call 0x6a2:0x56b

works out to 9289

00009285 BBA010      mov bx,0x10a0
00009288 F606D71610  test byte [0x16d7],0x10
0000928D 7407        jz 0x9296

damn
-- Seth Hettich at 07-19 23:38:01

could be a diff # for each seg? not from what I've been reading
-- Seth Hettich at 07-19 23:39:21

How do you get 9289?
-- Dan Egnor at 07-19 23:40:33

0x6a2 * 16 + 0x56b - 4ce
-- Seth Hettich at 07-19 23:41:12

6A20 + 56B - 4CE = 6ABD
-- Dan Egnor at 07-19 23:41:26

6A20?
-- Seth Hettich at 07-19 23:43:11

*16 == <<4
-- Seth Hettich at 07-19 23:43:42

You're not multiplying by 16 ... hex ... are you?
-- Dan Egnor at 07-19 23:43:46

uh, uh, damn
-- Seth Hettich at 07-19 23:44:28

doesn't matter... there is no 6ABD.
-- Josh at 07-19 23:45:00

Well, rethink your original 4CE calculation too, maybe.
-- Dan Egnor at 07-19 23:46:01

82F2 - 65b8 = 1d3a
-- Seth Hettich at 07-19 23:48:16

hmm, nope
-- Seth Hettich at 07-19 23:52:29

Segments can in fact be individually relocated, I believe.
-- Dan Egnor at 07-19 23:52:46

well, so much for that idea. now I'm totally lost. I thought they would all have the same adjustment made, but it's not working
-- Seth Hettich at 07-19 23:58:36

Find a better disassembler. :)
-- Dan Egnor at 07-19 23:58:46

I've looked at least 12
-- Seth Hettich at 07-19 23:59:04

And that's the best you've come up with? Wow.
-- Dan Egnor at 07-19 23:59:21

some put in labels for you; none deal with the far calls
-- Seth Hettich at 07-19 23:59:52

I give up. 'night
-- Seth Hettich at 07-20 00:08:27