Operating system calls (like DLLs in MS-Windows, or syscalls in Unices) may be reconstructed, as their names appear in a separate segment or are known beforehand. Especially small constants may have more than one possible name. They may still be present in generated object files, for use by tools like debuggers and relocating linkers, but the direct connection is lost and re-establishing that connection requires more than a mere disassembler. User defined textual identifiers, such as variable names, label names, and macros are removed by the assembly process. In practice a combination of interactive and automatic analysis and perseverance can handle all but programs specifically designed to thwart reverse engineering, like using encryption and decrypting code just prior to use, and moving code around in memory. Reverse engineering is full of such theoretical limitations, although by Rice's theorem all interesting questions about program properties are undecidable (so compilers and many other tools that deal with programs in any form run into such limits as well). As a consequence, it is not possible to write a disassembler that will correctly separate code and data for all possible input programs. The general problem of separating code from data in arbitrary executable programs is equivalent to the halting problem. Scripting your own "crawler" in this way is more efficient for large programs interactive disassembling may be impractical to the point of being unfeasible. ciasdis) will allow you to specify rules about whether to disassemble as data or code and invent label names, based on the content of the object under scrutiny. Disassemblers often will provide the instruction AND the corresponding hex data on the same line, shifting the burden for decisions about the nature of the code to the user. Many interactive disassemblers will give the user the option to render segments of code as either code or data, but non-interactive disassemblers will make the separation automatically. Since data and instructions are all stored in an executable as binary data, the obvious question arises: how can a disassembler tell code from data? Is any given byte a variable, or part of an instruction? Some Disassemblers like otool ([OS X) are distro-specific. Many of the Unix disassemblers, especially the open source ones, have been ported to other platforms, like Windows (mostly using MinGW or Cygwin). Each disassembler will have different features, so it is up to you as the reader to determine which tools you prefer to use. Notice that there are professional disassemblers (which cost money for a license) and there are freeware/shareware disassemblers. ![]() ![]() Here we are going to list some commonly available disassembler tools. We will typically not use HLA syntax for code examples, but that may change in the future. Examples in this book will use Intel and AT&T syntax interchangeably. Many disassemblers have the option to output assembly language instructions in Intel, AT&T, or (occasionally) HLA syntax.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |