Find a function by it signature in Windows DLL

最后都变了- 提交于 2020-01-20 08:15:26
问题 Have found a function address in a DLL. Have no source code for this DLL, not mine. This DLL is not really changed frequently, but when changed, it is a problem for me to find it by disassembling. Saw some notes in web about making it signature and then find it by this saved signature. Can you, please, give some ideas or working example on how to implement this? 回答1: You can achieve this by code signature scanning, which is something I have done in the past. The concept mainly works by

%al register in C code

守給你的承諾、 提交于 2020-01-17 04:54:05
问题 testb $1, %al je .L3 leal 1(%eax,%eax,2), %eax jmp .L4 I am given the above assembly code and asked to translate it to c code. I know what almost all of it is doing, I just don't know how to to do C code for the %al register. Here Is the rest of the assembly code if it helps prob2: pushl %ebp movl %esp, %ebp movl 8(%ebp), %eax cmpl $1, %eax je .L1 .L6: testb $1, %al je .L3 leal 1(%eax,%eax,2), %eax jmp .L4 .L3: shrl %eax .L4: cmpl $1, %eax jne .L6 .L1: popl %ebp ret 回答1: Doesn't matter here.

Is it safe to replace “strings” inside .class file? Or it is better to recompile?

点点圈 提交于 2020-01-14 13:33:08
问题 The main question is: is it safe to change some 'string" information inside *.class file (java compiled classes). What I'm doing is: using regexp I'm trying to find all IP address stings inside some compiled project" find . -type f | xargs grep -E "[0-9]{3}\.[0-9]{3}\.1\.[0-9]{0,3}" This command telling me that some binary files are matching my regexp. And it is pointing that this binary files are .jar and .class . When I open those .class files using vi I can see a lot of strange characters

Using objdump for ARM architecture: Disassembling to ARM

有些话、适合烂在心里 提交于 2020-01-12 04:54:27
问题 I have an object file and am trying to disassemble it. When I use: objdump -d example.o I get an assembly in code in the file format of elf64-x86-64 . I am trying to disassemble this into ARM, how do I go about doing this? 回答1: If you want to do disassemble of ARM code, you'd better have an ARM tool chain, this is what I got: http://bb.osmocom.org/trac/wiki/toolchain After you have this, you can use arm-elf-objdump instead of objdump. The command I used is arm-elf-objdump -D -b binary -marm

Why can assembly instructions contain multiplications in the “lea” instruction?

会有一股神秘感。 提交于 2020-01-12 04:53:09
问题 I am working on a very low level part of the application in which performance is critical. While investigating the generated assembly, I noticed the following instruction: lea eax,[edx*8+8] I am used to seeing additions when using memory references (e.g. [edx+4]), but this is the first time I see a multiplication. Does this mean that the x86 processor can perform simple multiplications in the lea instruction? Does this multiplication have an impact on the number of cycles needed to execute

Compilers: Understanding assembly code generated from small programs

不羁的心 提交于 2020-01-12 01:46:09
问题 I'm self-studying how compilers works. I'm learning by reading the disassembly of GCC generated code from small 64-bit Linux programs. I wrote this C program: #include <stdio.h> int main() { for(int i=0;i<10;i++){ int k=0; } } After using objdump I get: 00000000004004d6 <main>: 4004d6: 55 push rbp 4004d7: 48 89 e5 mov rbp,rsp 4004da: c7 45 f8 00 00 00 00 mov DWORD PTR [rbp-0x8],0x0 4004e1: eb 0b jmp 4004ee <main+0x18> 4004e3: c7 45 fc 00 00 00 00 mov DWORD PTR [rbp-0x4],0x0 4004ea: 83 45 f8

What do angled brackets mean when used in member name in C#?

南笙酒味 提交于 2020-01-05 15:15:32
问题 I was browsing through sources of PresentationCore.dll using DotPeek when I found this: // Type: MS.Internal.TtfDelta.CMAP_HEADER // Assembly: PresentationCore, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35 // Assembly location: D:\Windows\Microsoft.NET\assembly\GAC_64\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll using System.Runtime.CompilerServices; using System.Runtime.InteropServices; namespace MS.Internal.TtfDelta { [NativeCppClass]

Reading disassembled code

故事扮演 提交于 2020-01-04 09:26:09
问题 I wrote simple Hello word program with masm32. But then when I try to disassemble it with IDA and I am getting much bigger output (I won't write it there because it would take to much space). And I don't get it why it's different. How to run the disasembled code? 回答1: This is normal. Compilation is a "lossy" process, which means that if you compile code and then decompile it, you're not guaranteed to get exactly the same thing out that you originally put in. The same thing applies to assembly

x86 asm disassembler library

不想你离开。 提交于 2020-01-01 06:52:47
问题 Are there any libraries, callable from .NET, where I can pass in binary data and have it disassembled to x86 assembly code? 回答1: If you don't mind binding to an unmanaged dll using P/Invoke, have a look at beaengine, its the best disassembler library your likely to find. 回答2: libdisasm The libdisasm library provides basic disassembly of Intel x86 instructions from a binary stream. The intent is to provide an easy to use disassembler which can be called from any application; the disassembly

Why does a class definition always produce the same bytecode?

*爱你&永不变心* 提交于 2020-01-01 02:04:06
问题 Say I do: #!/usr/bin/env python # encoding: utf-8 class A(object): pass Now I disassemble it: python -m dis test0.py 4 0 LOAD_CONST 0 ('A') 3 LOAD_NAME 0 (object) 6 BUILD_TUPLE 1 9 LOAD_CONST 1 (<code object A at 0x1004ebb30, file "test0.py", line 4>) 12 MAKE_FUNCTION 0 15 CALL_FUNCTION 0 18 BUILD_CLASS 19 STORE_NAME 1 (A) 22 LOAD_CONST 2 (None) 25 RETURN_VALUE Now I add some statements in the class definition: #!/usr/bin/env python # encoding: utf-8 class A(object): print 'hello' 1+1 pass