Search function during disassembly

I am working through a tutorial in which the author uses DUMPBIN for the exports and OllyDbg for getting the assembly code of the exported function. How would I find the function code in a complete disassembler, given that the RVAs in the export table do not match the actual addresses when disassembling?


A RVA is a roaming virtual address. To find the real address in the process space, you need to know the base address where the module was loaded in the process. Add this base address to the RVA and you have a real address. I have not used OllyDbg, but I would be amazed if it did not provide a base address for the modules loaded into the process to which it is attached. If for some reason it does not provide this information, you can get it using procexp.exe from the Sysinternals tools.


A good indicator for a function, at least for programs written in high-level languages, is the code that sets up the stack frame.

If you know the compiler that was used to generate the code in question, you should know what to look for.

Example:

    $ cat main.c
    int main(int argc, char **argv)
    {
        return 1;
    }
    $ gcc -m32 -S main.c
    $ cat main.s
            .file   "main.c"
            .text
    .globl main
            .type   main, @function
    main:
            leal    4(%esp), %ecx
            andl    $-16, %esp
            pushl   -4(%ecx)
            pushl   %ebp
            movl    %esp, %ebp
            pushl   %ecx
            movl    $1, %eax
            popl    %ecx
            popl    %ebp
            leal    -4(%ecx), %esp
            ret
            .size   main, .-main
            .ident  "GCC: (Debian 4.3.3-4) 4.3.3"
            .section        .note.GNU-stack,"",@progbits

In my example, the instruction movl %esp, %ebp is the last instruction of this setup code.

The commercial IDA Pro disassembler, of which a free-as-in-beer version is available for download, does this function search pretty well automatically.

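As an added example (not code from the question or either answer), the two answers' points combined in Python: converting export-table RVAs to load addresses and file offsets with a constructed section table and image base, and scanning a constructed .text blob for the push ebp / mov ebp, esp prologue that the second answer describes. The section layout, image base and code bytes are all made up for illustration.

```python
import re
from typing import List, NamedTuple, Optional

class Section(NamedTuple):
    name: str
    virtual_address: int   # RVA at which the section is mapped in memory
    virtual_size: int      # size of the mapped section
    raw_pointer: int       # offset of the section's data in the file
    raw_size: int          # size of the data present in the file

# Constructed section table and image base (not from a real binary).
SECTIONS = [
    Section(".text",  0x1000, 0x0800, 0x0400, 0x0800),
    Section(".rdata", 0x2000, 0x0200, 0x0C00, 0x0200),
]
IMAGE_BASE = 0x00400000

def rva_to_va(rva: int, base: int = IMAGE_BASE) -> int:
    """An RVA is relative to where the module was loaded: VA = base + RVA."""
    return base + rva

def rva_to_file_offset(rva: int, sections: List[Section]) -> Optional[int]:
    """Map an RVA to the raw file offset a disassembler working on the file shows.
    Returns None if the RVA lies outside every section or in zero-filled space
    that exists in memory but not in the file."""
    for s in sections:
        delta = rva - s.virtual_address
        if 0 <= delta < s.virtual_size:
            return s.raw_pointer + delta if delta < s.raw_size else None
    return None

def file_offset_to_rva(offset: int, sections: List[Section]) -> Optional[int]:
    """Inverse mapping: raw file offset back to the RVA used by the export table."""
    for s in sections:
        delta = offset - s.raw_pointer
        if 0 <= delta < s.raw_size:
            return s.virtual_address + delta
    return None

# Classic 32-bit prologue: push ebp (55) followed by mov ebp, esp (8B EC or 89 E5).
PROLOGUE = re.compile(rb"\x55(?:\x8b\xec|\x89\xe5)")

def find_prologues(code: bytes, section: Section) -> List[int]:
    """Return RVAs of candidate function starts found in a section's raw bytes."""
    return [section.virtual_address + m.start() for m in PROLOGUE.finditer(code)]

# Constructed .text contents: two tiny functions separated by int3 padding.
TEXT_BYTES = (
    b"\x55\x8b\xec\xb8\x01\x00\x00\x00\x5d\xc3"   # push ebp; mov ebp,esp; mov eax,1; pop ebp; ret
    + b"\xcc" * 6                                 # int3 padding
    + b"\x55\x89\xe5\x31\xc0\x5d\xc3"             # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
)
```

Running find_prologues on TEXT_BYTES with the .text section yields RVAs 0x1000 and 0x1010, which rva_to_va maps to 0x401000 and 0x401010 and rva_to_file_offset maps to file offsets 0x400 and 0x410.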
