Examples of disassembly programs under Windows

Source: Internet
Author: User
Tags: command line, function prototype, ord

Once a program written for Windows has been assembled and linked, it can be examined with a debugger (much as Debug was used under DOS) and its disassembly can be compared with the source, which makes it easy to see how each assembler instruction is translated into "machine instructions". For Windows programs there are many such tools: SoftICE, TRW, W32Dasm, IDA, Hiew, and so on. This article uses W32Dasm.

;===============================================================
; Example: take the command-line arguments and display them in a message box
; File name: 6.asm

.386
.model flat, stdcall
option casemap:none

include windows.inc         ; constants and structure definitions

include kernel32.inc        ; function prototype declarations
include user32.inc

includelib kernel32.lib     ; import libraries used by the linker
includelib user32.lib

.data
szCaption db "Command line arguments", 0

.code
start:
    invoke GetCommandLine                                   ; eax = pointer to the command line
    invoke MessageBox, NULL, eax, addr szCaption, MB_OK     ; show it; eax is the lpText argument
    invoke ExitProcess, NULL
end start
---------------------------------------------------------
API function used:
LPTSTR GetCommandLine(VOID)
This function has no parameters.
The return value is a pointer to the command-line string of the current process. The MASM32 include files map the generic name GetCommandLine to the ANSI export GetCommandLineA, which is why the disassembly below shows GetCommandLineA (and MessageBoxA) in the import table.
---------------------------------------------------------
Compile and link:

---------------------------------------------------------

The following uses W32Dasm to disassemble 6.exe.

Start W32Dasm, choose Disassembler / Open File to Disassemble from the menu, and in the dialog box that appears select the program to disassemble, here 6.exe, and open it.

If this is the first time the tool is used, the display may look garbled; choosing Disassembler / Font... / Select Font and picking a suitable font fixes it. Then choose Disassembler / Font... / Save Default Font so that the display is correct the next time the program is started. The result of disassembling 6.exe is as follows:

Disassembly of File: 6.exe
Code Offset = 00000400, Code Size = 00000200
Data Offset = 00000800, Data Size = 00000200

Number of Objects = 0003 (dec), Imagebase = 00400000h

   Object01: .text    RVA: 00001000 Offset: 00000400 Size: 00000200 Flags: 60000020
   Object02: .rdata   RVA: 00002000 Offset: 00000600 Size: 00000200 Flags: 40000040
   Object03: .data    RVA: 00003000 Offset: 00000800 Size: 00000200 Flags: C0000040

The three objects are the PE sections. RVA is the address relative to the image base once loaded (so .text starts at 00401000), Offset is where the section's bytes lie in the file, and Flags are the section characteristics: 60000020 is code, executable and readable; 40000040 is initialized data, read-only (the import tables live in .rdata); C0000040 is initialized data, readable and writable (the caption string in .data).

+++++++++++++++++++ MENU Information ++++++++++++++++++

There are no Menu resources in this application

+++++++++++++++++ DIALOG Information ++++++++++++++++++

There are no Dialog resources in this application

+++++++++++++++++++ IMPORTED FUNCTIONS ++++++++++++++++++
Number of Imported Modules = 2 (decimal)          ; this program uses two import libraries

   Import Module 001: KERNEL32.dll
   Import Module 002: USER32.dll

+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++

   Import Module 001: KERNEL32.dll                 ; the following two functions are used from this library

   Addr:00002072 hint(00B6) Name: GetCommandLineA
   Addr:00002064 hint(0075) Name: ExitProcess

   Import Module 002: USER32.dll

   Addr:00002092 hint(01BB) Name: MessageBoxA

+++++++++++++++++++ EXPORTED FUNCTIONS ++++++++++++++++++
Number of Exported Functions = 0000 (decimal)

+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
Start of Code in Object .text **************
Program Entry Point = 00401000 (6.exe File Offset:00000400)

* Reference To: KERNEL32.GetCommandLineA, Ord:00B6h
|
Program Entry Point ********                               ; procedure entry point
:00401000 E81D000000              call 00401022            ; fetch the command line
:00401005 6A00                    push 00000000            ; uType = MB_OK
:00401007 680E304000              push 0040300E            ; lpCaption = addr szCaption
:0040100C 50                      push eax                 ; lpText = pointer returned above
:0040100D 6A00                    push 00000000            ; hWnd = NULL

* Reference To: USER32.MessageBoxA, Ord:01BBh
|
:0040100F E814000000              call 00401028            ; display the message box
:00401014 6A00                    push 00000000            ; uExitCode = 0

* Reference To: KERNEL32.ExitProcess, Ord:0075h
|
:00401016 E801000000              call 0040101C            ; end the program
:0040101B CC                      int 03

* Referenced by a CALL at Address:
|:00401016
|

* Reference To: KERNEL32.ExitProcess, Ord:0075h
|
:0040101C FF2504204000            jmp dword ptr [00402004] ; jump to ExitProcess through its IAT slot

* Referenced by a CALL at Address:
|:00401000
|

* Reference To: KERNEL32.GetCommandLineA, Ord:00B6h
|
:00401022 FF2500204000            jmp dword ptr [00402000] ; jump to GetCommandLineA through its IAT slot

* Reference To: USER32.MessageBoxA, Ord:01BBh
|
:00401028 FF250C204000            jmp dword ptr [0040200C] ; jump to MessageBoxA through its IAT slot

-----------------------------------------------------------------------
Question: why is invoke GetCommandLine not translated directly into call dword ptr [00402000] at compile time, but into the following form instead?
:00401000 E81D000000              call 00401022            ; fetch the command line
. .
. .
. .
:00401022 FF2500204000            jmp dword ptr [00402000] ; jump to GetCommandLineA

Note: the loader does have a fixup job when it loads the program: the address of a function in a dynamic-link library is only known at load time and must be written into the program before the call can work. That address is written into the import address table (IAT), and the slot at 00402000 is one such entry. Notice, though, that both forms reach the function through that single slot: neither the call to the thunk nor a direct call dword ptr [00402000] needs a per-call-site fixup, so the loader writes one dword in either case. The reason the extra jump exists is how the import library is built. invoke GetCommandLine assembles to call _GetCommandLineA@0, and kernel32.lib resolves that symbol to a six-byte stub, jmp dword ptr [__imp__GetCommandLineA@0], which the linker copies into .text once and shares between all call sites; a direct call through the IAT would require the call site to name the __imp__ symbol itself, which the assembler's prototypes do not do. The relocation argument applies to a different case: if the program called the function by its absolute address and did so 100 times, the loader would have to patch 100 places, whereas with the IAT it patches one slot and never touches the code, which is also why the .text section can stay read-only.
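To make the two points above concrete, the address translation in the section table and the call -> thunk -> IAT chain that the question is about, here is an added example (not code from the original article): it transcribes the section table, the .text bytes and the three IAT slots from the W32Dasm listing, decodes the instructions, resolves each call site to the import it ends up in, maps virtual addresses back to file offsets, and simulates what the loader writes. The export addresses in the usage section are invented for the simulation.

```python
"""Follow the call -> jmp thunk -> IAT slot chain in the W32Dasm listing of 6.exe.

Added example. Section table, code bytes and IAT slot names are transcribed from
the listing above; the export addresses used in the demo are made up.
"""
import struct

IMAGE_BASE = 0x00400000

# Section table as printed by W32Dasm: name -> (RVA, raw file offset, raw size).
SECTIONS = {
    ".text":  (0x1000, 0x400, 0x200),
    ".rdata": (0x2000, 0x600, 0x200),
    ".data":  (0x3000, 0x800, 0x200),
}

# IAT slots dereferenced by the jmp thunks, and the import each one is bound to.
IAT_NAMES = {
    0x00402000: "KERNEL32.GetCommandLineA",
    0x00402004: "KERNEL32.ExitProcess",
    0x0040200C: "USER32.MessageBoxA",
}

# Machine code of .text starting at 00401000, byte for byte as in the listing.
CODE_VA = 0x00401000
CODE = bytes.fromhex(
    "e81d000000"    # 00401000 call 00401022
    "6a00"          # 00401005 push 0
    "680e304000"    # 00401007 push 0040300E
    "50"            # 0040100C push eax
    "6a00"          # 0040100D push 0
    "e814000000"    # 0040100F call 00401028
    "6a00"          # 00401014 push 0
    "e801000000"    # 00401016 call 0040101C
    "cc"            # 0040101B int 3
    "ff2504204000"  # 0040101C jmp dword ptr [00402004]
    "ff2500204000"  # 00401022 jmp dword ptr [00402000]
    "ff250c204000"  # 00401028 jmp dword ptr [0040200C]
)


def va_to_file_offset(va):
    """Map a virtual address to (section name, file offset) using the section table."""
    rva = va - IMAGE_BASE
    for name, (sec_rva, raw_off, raw_size) in SECTIONS.items():
        if sec_rva <= rva < sec_rva + raw_size:
            return name, raw_off + (rva - sec_rva)
    raise ValueError(f"VA {va:#010x} lies outside every section")


def decode_at(va):
    """Decode the instruction at va: (mnemonic, operand, length).

    Only encodings that occur in 6.exe are handled. E8 rel32 is a relative call,
    so its target needs no fixup; FF 25 abs32 jumps through an absolute slot,
    and that slot is the only thing the loader has to write.
    """
    off = va - CODE_VA
    op = CODE[off]
    if op == 0xE8:
        return "call", va + 5 + struct.unpack_from("<i", CODE, off + 1)[0], 5
    if op == 0xFF and CODE[off + 1] == 0x25:
        return "jmp_ind", struct.unpack_from("<I", CODE, off + 2)[0], 6
    if op == 0x6A:
        return "push_imm8", CODE[off + 1], 2
    if op == 0x68:
        return "push_imm32", struct.unpack_from("<I", CODE, off + 1)[0], 5
    if op == 0x50:
        return "push_eax", None, 1
    if op == 0xCC:
        return "int3", None, 1
    raise ValueError(f"unhandled opcode {op:#04x} at {va:#010x}")


def resolve_call(va):
    """Return (thunk address, IAT slot, import name) for the call at va."""
    kind, thunk, _ = decode_at(va)
    if kind != "call":
        raise ValueError(f"no call at {va:#010x}")
    kind, slot, _ = decode_at(thunk)
    if kind != "jmp_ind":
        return thunk, None, None      # a direct call inside the program itself
    return thunk, slot, IAT_NAMES[slot]


def walk_calls():
    """Linear sweep over .text: every call site with the import it reaches."""
    va, calls = CODE_VA, []
    while va < CODE_VA + len(CODE):
        kind, _, size = decode_at(va)
        if kind == "call":
            calls.append((va, resolve_call(va)[2]))
        va += size
    return calls


def bind_iat(exports):
    """Simulate the loader: one dword per IAT slot, no matter how many call sites."""
    return {slot: exports[name] for slot, name in IAT_NAMES.items()}


if __name__ == "__main__":
    iat = bind_iat({"KERNEL32.GetCommandLineA": 0x7C812C8D,   # invented addresses
                    "KERNEL32.ExitProcess": 0x7C81CAA2,
                    "USER32.MessageBoxA": 0x7E4507EA})
    for site, name in walk_calls():
        thunk, slot, _ = resolve_call(site)
        sec, foff = va_to_file_offset(site)
        print(f"{site:#010x} ({sec} file offset {foff:#x}) -> thunk {thunk:#010x}"
              f" -> [{slot:#010x}] = {iat[slot]:#010x} {name}")
    print(f"loader wrote {len(iat)} IAT slots for {len(walk_calls())} call sites")
```

Running it prints one line per call site showing the thunk it jumps through, the IAT slot the thunk dereferences and the address the simulated loader placed there; with three call sites and three imports the loader writes exactly three dwords, and adding more calls to the same functions would not change that count, which is the point of the answer above.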

Choose Debug / Load Process, enter the command-line arguments (or leave the field empty) in the window that appears, and confirm; the debugging window then opens and the program can be stepped through, much as with Debug under DOS.
