Advanced Programming | "Smart disassemblers"

Author	Message	Time
Arta	This topic is intended only for people who have experience using disassemblers/debuggers. What do you wish your decompiler could do that it doesn't? Do you often find yourself doing any kind of analysis that is routine, and that could perhaps be automated? What kind of information about disassembled code might you find useful that your disassembler doesn't currently provide? What's your 'wish list' for a disassembler? Don't feel the need to limit your answers to computationally feasible things. Do limit them, however, to the plausible :)	March 31, 2006, 2:30 PM
rabbit	Are you asking for ideas or something? Anyway, I wish for a compiler that can unpack packed executables for me, so that I don't need to go and do it myself.	March 31, 2006, 2:44 PM
Arta	Yes ideas. Ideas, not really features -- ideas for doing anaysis that people usually do.	March 31, 2006, 2:51 PM
Darawk	Hmm...maybe some kind of signature library of some of the more obscure compiler optimizations/features. Especially those that involve doing conditional branching based on floating point comparisons...I always have to take like 20 minutes to figure out what is actually going on there. So, it would just basically try to identify these code sequences, and auto-comment them or something. Better handling of "this" pointers. I've yet to see any disassemblers that can really properly handle OOP. There's still lots of relatively tedious work that could be alleviated in this area. STL signatures. I'll add more if I think of anything else...	March 31, 2006, 10:52 PM
Topaz	[quote author=rabbit link=topic=14631.msg149479#msg149479 date=1143816294] Are you asking for ideas or something? Anyway, I wish for a compiler that can unpack packed executables for me, so that I don't need to go and do it myself. [/quote] If your preferred decompiler supports plugins, you could probably automate it if the packer library is open source.	April 1, 2006, 1:10 AM
tA-Kane	I use IDA 4.8. It frequently fucks up the virtual tables so that not only do you not get function pointers, but also not not get function names. Instead, all you get is an array of byte values and locations that reference the vtable, like so: http://www.n00bstories.com/image.view.php?id=1324193953 To fix, I select the first byte of the vtable, push 'D' twice to change the type to a DWORD, then push 'O' to force the type to an offset (can't just push 'O', otherwise it turns it into a byte-sized offset rather than a DWORD-sized offset... wtf?). Then I push keypad * to create an array. IDA's default is: http://www.n00bstories.com/image.view.php?id=1310415123 But, I like my vtable listings a certain way, which is 1 item per line and not to use the "dup" construct/operator, like so: http://www.n00bstories.com/image.view.php?id=1332870012 And the end result: http://www.n00bstories.com/image.view.php?id=1274159765 I don't know about you, but to me that looks a lot more pleasing to the eye. I looked briefly through IDA's options, but I did not see anything pertaining to setting the default values for the array creation dialog. Nor did I see any options for setting the default way to disassemble vtables. Although, now that I think about it, I suppose this is more of a quirk with IDA rather than some generic feature. It would save a lot of time though, especially when you're looking at projects that have literally thousands of vtables (took me a day and a half just to get them formatted the way I like).	April 2, 2006, 7:40 AM
tA-Kane	[quote author=Arta[vL] link=topic=14631.msg149478#msg149478 date=1143815400]What do you wish your decompiler could do that it doesn't? ... What's your 'wish list' for a disassembler?[/quote]Something else that would be very nice would be a group-friendly disassembler. For example, with IDA, it saves everything to a database. But, if you want others to help you dissassemble the same program, they save to their own databases. So you end up either with different incomplete databases, or a single database but waiting on the other people to finish their work (which could take a long time, mind you). It would be nice if there a disassembler that could support, for example, CVS-like features. Although, since CVS is mostly text-based, it would probably be unfeasable for disassembly databases -- as far as I know, IDA's databases are stored in binary, and I've seen databases that are so large, they would not fit on a single CD.	April 19, 2006, 3:24 PM

Author

Message

Time

Arta

This topic is intended only for people who have experience using disassemblers/debuggers.

What do you wish your decompiler could do that it doesn't? Do you often find yourself doing any kind of analysis that is routine, and that could perhaps be automated? What kind of information about disassembled code might you find useful that your disassembler doesn't currently provide?

What's your 'wish list' for a disassembler?

Don't feel the need to limit your answers to computationally feasible things. Do limit them, however, to the plausible :)

March 31, 2006, 2:30 PM

rabbit

Are you asking for ideas or something?

Anyway, I wish for a compiler that can unpack packed executables for me, so that I don't need to go and do it myself.

March 31, 2006, 2:44 PM

Arta

Yes ideas. Ideas, not really features -- ideas for doing anaysis that people usually do.

March 31, 2006, 2:51 PM

Darawk

Hmm...maybe some kind of signature library of some of the more obscure compiler optimizations/features. Especially those that involve doing conditional branching based on floating point comparisons...I *always* have to take like 20 minutes to figure out what is actually going on there. So, it would just basically try to identify these code sequences, and auto-comment them or something.

Better handling of "this" pointers. I've yet to see any disassemblers that can really properly handle OOP. There's still lots of relatively tedious work that could be alleviated in this area.

STL signatures.

I'll add more if I think of anything else...

March 31, 2006, 10:52 PM

Topaz

[quote author=rabbit link=topic=14631.msg149479#msg149479 date=1143816294]
Are you asking for ideas or something?

Anyway, I wish for a compiler that can unpack packed executables for me, so that I don't need to go and do it myself.
[/quote]

If your preferred decompiler supports plugins, you could probably automate it if the packer library is open source.

April 1, 2006, 1:10 AM

tA-Kane

I use IDA 4.8. It frequently fucks up the virtual tables so that not only do you not get function pointers, but also not not get function names. Instead, all you get is an array of byte values and locations that reference the vtable, like so:
http://www.n00bstories.com/image.view.php?id=1324193953

To fix, I select the first byte of the vtable, push 'D' twice to change the type to a DWORD, then push 'O' to force the type to an offset (can't just push 'O', otherwise it turns it into a byte-sized offset rather than a DWORD-sized offset... wtf?). Then I push keypad * to create an array. IDA's default is:
http://www.n00bstories.com/image.view.php?id=1310415123

But, I like my vtable listings a certain way, which is 1 item per line and not to use the "dup" construct/operator, like so:
http://www.n00bstories.com/image.view.php?id=1332870012

And the end result:
http://www.n00bstories.com/image.view.php?id=1274159765

I don't know about you, but to me that looks a lot more pleasing to the eye. I looked briefly through IDA's options, but I did not see anything pertaining to setting the default values for the array creation dialog. Nor did I see any options for setting the default way to disassemble vtables. Although, now that I think about it, I suppose this is more of a quirk with IDA rather than some generic feature. It would save a lot of time though, especially when you're looking at projects that have literally thousands of vtables (took me a day and a half just to get them formatted the way I like).

April 2, 2006, 7:40 AM

tA-Kane

[quote author=Arta[vL] link=topic=14631.msg149478#msg149478 date=1143815400]What do you wish your decompiler could do that it doesn't?
...
What's your 'wish list' for a disassembler?[/quote]Something else that would be very nice would be a group-friendly disassembler. For example, with IDA, it saves everything to a database. But, if you want others to help you dissassemble the same program, they save to their own databases. So you end up either with different incomplete databases, or a single database but waiting on the other people to finish their work (which could take a long time, mind you). It would be nice if there a disassembler that could support, for example, CVS-like features. Although, since CVS is mostly text-based, it would probably be unfeasable for disassembly databases -- as far as I know, IDA's databases are stored in binary, and I've seen databases that are so large, they would not fit on a single CD.

April 19, 2006, 3:24 PM

Valhalla Legends Forums Archive | Advanced Programming | "Smart disassemblers"