
pediff - get all functions from code disassembly

bindiff disassembler functions pediff

17 replies to this topic

#1 diablo2oo2

diablo2oo2

    Postmaster

  • (Full Member)
  • 537 posts
  • Gender:Male
  • Location:between 0 and 1

Posted 07 October 2011 - 11:27 PM

I am currently looking for a method (algorithm) to get all function addresses and their sizes from x86 assembler code.
I am using BeaEngine as the disassembler.

My ideas:

Get the start address of the function:
Analyse the code for "call" commands, then take the function start address from the "call" command.

Get the end address of the function:
A function usually ends with a "ret" command, but it can contain multiple "ret" commands.
So I need to detect if there is a jump over the "ret" command. If there is one, there must be a further "ret" command. If there is no jump over the "ret" command, the function ends here.


The aim is to code a simple bindiff library for assembler code (PE files), which compares the matched functions.

Maybe somebody already has experience with this topic and can push me in the right direction?

Edited by diablo2oo2, 25 October 2011 - 11:07 AM.

http://diablo2oo2.cjb.net
looking for stable webspace(ftp 100MB,php,mysql)

#2 deepzero

deepzero

    Postmaster

  • (Full Member)
  • 729 posts
  • Gender:Male

Posted 08 October 2011 - 08:41 AM

Can't help you there, sorry, but also consider that Delphi likes to compile things like this:


>PUSH 00746996
>RETN														;  RET used as a jump to 00746996
>JMP <System::__linkproc__ HandleFinally(void)>
>JMP SHORT 0074698E
>POP EBP													 ;  kernel32.7C817077
>RETN
 

or even worse:

 
 
|>MOV DWORD PTR FS:[EAX],EDX								  ;  ntdll.KiFastSystemCallRet
|>PUSH 007467AE
|>LEA EAX,DWORD PTR SS:[EBP-10]
|>MOV EDX,DWORD PTR DS:[41B788]							   ;  .0041B78C
|>MOV ECX,4												   ;  unknown_libname_1999
|>CALL 00408E94
\>RETN
>JMP <System::__linkproc__ HandleFinally(void)>
>JMP SHORT 00746793
>MOV ESP,EBP
>POP EBP													 ;  kernel32.7C817077
>RETN

I guess you could scan down from your function start till you hit padding bytes or a typical function prologue... not a good solution, though :(
Maybe you can check the address after a RETN for references from within your function... but again there are cases that won't be caught.
I don't really see a reliable solution here. :(

Edited by deepzero, 08 October 2011 - 08:44 AM.

Scientia potentia est.

#3 Nacho_dj

Nacho_dj

    Addict

  • (Full Member)
  • 488 posts

Posted 08 October 2011 - 11:33 AM

When I saw the title of this thread, I remembered this had been discussed previously at woodmann's forum.
Here is the link of that thread, maybe there is the solution, or at least some clue for your challenge:
http://www.woodmann.com/forum/showthread.php?11888-help-function-size

Good luck with this veeeery hard task!

Cheers

Nacho_dj

#4 diablo2oo2

diablo2oo2

    Postmaster

  • (Full Member)
  • 537 posts
  • Gender:Male
  • Location:between 0 and 1

Posted 08 October 2011 - 05:56 PM

@deepzero:
Delphi could probably cause some problems (see step 3). The problem with Delphi code is that many functions do not have a "call" source.

@nacho_dj:
Naaah, I don't think this task is so very hard. I am making good progress in coding, since I have a huge code library from previous projects.
BeaEngine is a very good and fast disassembler which helps me with this task.

1. Analysing all "CALL" commands is a good start, I think. This will cover most functions.
2. Get the size of all found functions.
3. Analyse the code between the found functions (this will be the hardest part).
4. Get the size of the functions found in step 3.

Your link is interesting, could be helpful. Thank you.
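The CALL-target/RET-walk heuristic from posts #1 and #4, written out as an added Python example (not code from the thread or from pediff). It runs over a constructed list of already-decoded instructions; the tuple layout and every address are assumptions. It also adds the tail-JMP rule for the kernel32.VirtualAlloc case raised at the end of the thread, and, as the Delphi discussion predicts, a function that is never CALLed is not recovered at all.

```python
# Constructed sample of decoded instructions, in the shape a disassembler such as
# BeaEngine hands back: (address, length in bytes, mnemonic, direct target or None).
SAMPLE = [
    (0x401000, 5, "call", 0x401020),  # caller: never CALLed itself, so not recovered
    (0x401005, 5, "call", 0x401040),
    (0x40100A, 5, "call", 0x401060),
    (0x40100F, 1, "ret", None),
    (0x401020, 2, "test", None),      # function A
    (0x401022, 2, "jz", 0x401027),    # jumps over the first RET
    (0x401024, 2, "xor", None),
    (0x401026, 1, "ret", None),       # not the end: 0x401027 is still reachable
    (0x401027, 2, "mov", None),
    (0x401029, 1, "ret", None),       # real end of A
    (0x401040, 3, "xor", None),       # function B
    (0x401043, 1, "ret", None),
    (0x401060, 3, "xor", None),       # function C: forwards to B with a tail JMP
    (0x401063, 5, "jmp", 0x401040),
]

def find_function_starts(code):
    """Step 1: every direct CALL target is taken as a function start."""
    return sorted({t for _, _, mn, t in code if mn == "call" and t is not None})

def function_end(code, start, starts):
    """Step 2: walk forward from `start`; return the exclusive end address or None.
    A RET ends the function unless a jump seen earlier in it lands beyond the RET.
    A JMP out of the function (backwards, or to another start) is a tail call."""
    index = {addr: i for i, (addr, _, _, _) in enumerate(code)}
    i = index.get(start)
    if i is None:
        return None
    farthest = start  # highest forward jump target seen so far inside the function
    while i < len(code):
        addr, length, mn, target = code[i]
        is_jump = mn.startswith("j") and target is not None
        tail = is_jump and mn == "jmp" and (target < start or target in starts)
        if tail and target != start and addr >= farthest:
            return addr + length
        if is_jump and target > farthest:
            farthest = target  # code up to `target` still belongs to this function
        if mn == "ret" and addr >= farthest:
            return addr + length
        i += 1
    return None  # ran off the end of the decoded region

def recover_functions(code):
    """Map each recovered function start to its size in bytes (steps 1 and 2)."""
    starts = frozenset(find_function_starts(code))
    ends = {s: function_end(code, s, starts) for s in starts}
    return {s: e - s for s, e in sorted(ends.items()) if e is not None}
```

Backward jumps inside a function are ignored on purpose, and the PUSH/RETN-as-jump pattern deepzero shows is still misread as a function end.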

#5 diablo2oo2

diablo2oo2

    Postmaster

  • (Full Member)
  • 537 posts
  • Gender:Male
  • Location:between 0 and 1

Posted 10 October 2011 - 08:39 PM

What's the idea behind this?

I recently read about how Google Chrome makes updates: http://www.chromium....dates-courgette

So I decided to code something similar. The aim is to code a "diff" tool which can compare PE files. Because many other "diff" tools like "bsdiff" do not know about the PE format, the patch size is too big. I do not know how Google's patch tool "courgette" works in detail, but I have some good ideas of my own to make this work.

My diff tool (let's call it "pediff") will compare all procedures in assembler code. For this step all functions of the old and new file must be matched.
I read about some methods the zynamics bindiff tool uses to match all functions ( http://www.zynamics....tml#description )
but one method is not mentioned there, and I think it's a very strong way to match functions: the Levenshtein algo. So I will do some experiments with matching functions by the Levenshtein distance.

pediff could also be used just for quick analysis between two versions of a PE file. It will list all procedures where changes have been made, for example....

Edited by diablo2oo2, 10 October 2011 - 09:09 PM.

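The Levenshtein matching step described in this post, as an added Python example that is not the thread's or pediff's code. Functions are reduced to their mnemonic sequences (addresses and immediates shift between builds, so raw bytes would not match); the sample functions, addresses and the 0.6 threshold are constructed assumptions.

```python
from itertools import product

def levenshtein(a, b):
    """Edit distance between two mnemonic sequences (classic two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    """1.0 for identical sequences, 0.0 for nothing in common."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest

def match_functions(old, new, threshold=0.6):
    """Greedy one-to-one matching: best-scoring pairs first, each function used once.
    Returns {old_addr: (new_addr, similarity)}; pairs below `threshold` stay unmatched."""
    pairs = sorted(((similarity(old[o], new[n]), o, n) for o, n in product(old, new)),
                   key=lambda p: (-p[0], p[1], p[2]))
    matched, used_new = {}, set()
    for score, o, n in pairs:
        if score < threshold:
            break
        if o not in matched and n not in used_new:
            matched[o] = (n, score)
            used_new.add(n)
    return matched

def changed_functions(old, new, threshold=0.6):
    """Old-file addresses whose matched counterpart is not mnemonic-for-mnemonic identical."""
    matches = match_functions(old, new, threshold)
    return sorted(o for o, (_, score) in matches.items() if score < 1.0)

# Constructed sample: three functions of an old build and their counterparts in a new
# build, where one function gained a bounds check and the others only moved.
OLD = {
    0x401000: ["push", "mov", "sub", "call", "mov", "pop", "ret"],
    0x401020: ["xor", "inc", "cmp", "jne", "ret"],
    0x401040: ["push", "call", "pop", "ret"],
}
NEW = {
    0x401000: ["push", "mov", "sub", "call", "mov", "pop", "ret"],
    0x401030: ["xor", "cmp", "jae", "inc", "cmp", "jne", "ret"],  # extra bounds check
    0x401050: ["push", "call", "pop", "ret"],
}
```

Two functions with identical mnemonic sequences (e.g. several tiny wrappers) tie at 1.0 and are then matched in address order, which is where a real tool would fall back on bindiff-style call-graph signatures.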

#6 diablo2oo2

diablo2oo2

    Postmaster

  • (Full Member)
  • 537 posts
  • Gender:Male
  • Location:between 0 and 1

Posted 12 October 2011 - 12:29 AM

Here is a screenshot of first tests with my pediff engine.

In the example i compare the "dup2.exe" of version 2.23 and 2.24.

pediff analyses the assembler code for all functions and shows what has been changed between the two versions.


#7 mudlord

mudlord

    Addict

  • (Full Member)
  • 382 posts
  • Gender:Male

Posted 12 October 2011 - 09:24 AM

Ah, so delta patching in dup2.
Super nice idea! :D

#8 diablo2oo2

diablo2oo2

    Postmaster

  • (Full Member)
  • 537 posts
  • Gender:Male
  • Location:between 0 and 1

Posted 12 October 2011 - 04:18 PM

I am not 100% sure now if it would make sense to implement this feature in dUP. If I can generate smaller patch files than with bsdiff, I could imagine implementing the pediff feature (aka delta patching for PE files).
It's still an experiment, and I am not finished with coding yet, so I can't compare results with other delta patching tools.

Edited by diablo2oo2, 12 October 2011 - 04:19 PM.


#9 diablo2oo2

diablo2oo2

    Postmaster

  • (Full Member)
  • 537 posts
  • Gender:Male
  • Location:between 0 and 1

Posted 17 October 2011 - 07:15 PM

Here is a little update:

So far you can just compare two PE files for changes between 2 versions.

Download:
http://diablo2oo2.di.funpic.de/downloads/pediff.rar

Edited by diablo2oo2, 17 October 2011 - 09:13 PM.


#10 diablo2oo2

diablo2oo2

    Postmaster

  • (Full Member)
  • 537 posts
  • Gender:Male
  • Location:between 0 and 1

Posted 25 October 2011 - 11:08 AM

Made a few changes and coded a little GUI.

Download:
http://diablo2oo2.di.funpic.de/downloads/pediff.rar


#11 diablo2oo2

diablo2oo2

    Postmaster

  • (Full Member)
  • 537 posts
  • Gender:Male
  • Location:between 0 and 1

Posted 02 November 2011 - 01:56 AM

I am now coding a GUI for better code analysis.

#12 Loki

Loki

    In the Shadows :)

  • (Team Member+)
  • 3,592 posts
  • Gender:Male
  • Location:Behind you
  • Interests:Stuff. Lots and lots of stuff.

Posted 02 November 2011 - 02:48 PM

Looking nice :)

If there's anyone near when we collide we throw them in the middle... they can pick sides. As the plans turn into compromise, the promises all turn to lies, the spite builds up and it can't get through, passive me agressive you. I know i nag, i moan i know... but with a plan like this it's way too slow. In the time it took to get this there i could have made this work, but all i had was the hope that pieces would take shape and we could watch them all fall into place.

#13 deepzero

deepzero

    Postmaster

  • (Full Member)
  • 729 posts
  • Gender:Male

Posted 02 November 2011 - 03:06 PM

Indeed :)
Which disassembler engine are you using? Olly/Bea?

#14 diablo2oo2

diablo2oo2

    Postmaster

  • (Full Member)
  • 537 posts
  • Gender:Male
  • Location:between 0 and 1

Posted 02 November 2011 - 03:55 PM

deepzero, on 02 November 2011 - 03:06 PM, said:

    Indeed :)
    Which disassembler engine are you using? Olly/Bea?

Bea. It's very fast and has many functions.

Loki, on 02 November 2011 - 02:48 PM, said:

    Looking nice :)

Thank you. It's just the first ugly version, just for testing. Still much work to do.

#15 mudlord

mudlord

    Addict

  • (Full Member)
  • 382 posts
  • Gender:Male

Posted 03 November 2011 - 08:12 AM

Looks awesome! Is there any docs around for BeaEngine? I personally could use it for something I am working on..

#16 diablo2oo2

diablo2oo2

    Postmaster

  • (Full Member)
  • 537 posts
  • Gender:Male
  • Location:between 0 and 1

Posted 03 November 2011 - 01:44 PM

mudlord, on 03 November 2011 - 08:12 AM, said:

    Looks awesome! Is there any docs around for BeaEngine? I personally could use it for something I am working on..

Just check out the website: http://www.beaengine.org/
I got all the info I need from this site.
There are many examples of how to use the disasm function. There is also documentation about the structures.

#17 +erisoft

+erisoft

    Member

  • (Full Member)
  • 43 posts

Posted 03 December 2011 - 08:04 PM

diablo2oo2, I know your project is under beta stage, but it would be interesting digging more into the differences between the functions... Example: 00415445 and 0045825 match but little differences on.... xxx rva xx rva ...... For fast analysis jejeje sorry but my English sucks....

#18 cob_258

cob_258

    Newbie

  • (Junior+)
  • 7 posts
  • Gender:Male

Posted 26 January 2012 - 06:20 PM

You said that this tool recognizes procs by RET, but what about functions ending with a jump? For example, under Win7 kernel32.VirtualAlloc ends with a jmp KERNELBASE.VirtualAlloc.
