How to split disassembled code into functions?

I have an application that creates dumps of the .text segment of win32 processes. It then divides the code into basic blocks. A basic block is a set of instructions that are always executed one after another (jumps are always the last instructions of such basic blocks). Here is an example:

Basic block 1
    mov ecx, dword ptr [ecx]
    test ecx, ecx
    je 00401013h

Basic block 2
    mov eax, dword ptr [ecx]
    call dword ptr [eax+08h]

Basic block 3
    test eax, eax
    je 0040100Ah

Basic block 4
    mov edx, dword ptr [eax]
    push 00000001h
    mov ecx, eax
    call dword ptr [edx]

Basic block 5
    ret 000008h

Now I would like to group such basic blocks into functions, i.e. to say which basic blocks form a function. Which algorithm should I use? I must bear in mind that there can be many ret instructions within one function. How do I detect fastcall functions?

+5
3 answers

The simplest algorithm for grouping blocks into functions:

  • , call some_address
  • ret, , else
  • , ( , ), ret. , , ,

:

  • , , . call [some_address] call some_address
  • .
  • , , jump some_address call some_address, ret
  • call some_address push some_address + ret OR push some_address + jmp some_other_address
  • (, , )

, , :

push ebp
mov ebp, esp

, , (.. esp ebp , ).

(, MSVC++) int 3, .

, , , (, ). MSVC++ , :

  • _function - cdecl
  • _function@number - stdcall
  • @function@number - fastcall

, , , , .

+6

enter , .

push ebp
mov  ebp, esp
sub  esp, (bytes for "local" stack space)

( leave) ret:

mov esp, ebp
pop ebp

.

thiscall, fastcall .. call, / .

+3
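The grouping rules from the first answer (every direct call target starts a function; follow jumps and fall-through until ret; a jmp to another function's start is a tail call and is not followed) together with the push ebp / mov ebp, esp prologue that both answers use as a function-start marker, as an added Python example. It is not code from the thread or from the asker's tool. It assumes the disassembly is a text listing like the one in the question, one instruction per line with its address in front, and that known roots (the entry point, exports) are passed in; the listing below, its addresses and the function names are constructed for the example, not taken from a real binary.

```python
import re

# Constructed sample (not from any real binary), modelled on the question's
# blocks: "ADDR mnemonic operands" per line, fall-through is the next line.
LISTING = """\
00401000 push ebp
00401001 mov ebp, esp
00401003 mov ecx, dword ptr [ebp+08h]
00401006 test ecx, ecx
00401008 je 00401014h
0040100A call 00401020h
0040100F call 00401040h
00401014 pop ebp
00401015 ret
00401016 int 3
00401020 push ebp
00401021 mov ebp, esp
00401023 mov eax, dword ptr [ebp+08h]
00401026 test eax, eax
00401028 jne 00401030h
0040102A xor eax, eax
0040102C pop ebp
0040102D ret
00401030 pop ebp
00401031 jmp 00401040h
00401040 mov eax, dword ptr [ecx]
00401042 ret
"""

JCC = {"je", "jne", "jz", "jnz", "ja", "jae", "jb", "jbe", "jg", "jge",
       "jl", "jle", "js", "jns", "jo", "jno", "jc", "jnc"}

def parse_listing(text):
    insns = []
    for line in filter(str.strip, text.splitlines()):
        addr, _, rest = line.strip().partition(" ")
        mnem, _, ops = rest.strip().partition(" ")
        insns.append((int(addr, 16), mnem.lower(), ops.strip().lower()))
    return insns

def direct_target(mnem, ops):
    """Immediate target of a jump/call, else None (indirect, or not a branch)."""
    m = re.fullmatch(r"([0-9a-f]+)h?", ops) if mnem in JCC | {"jmp", "call"} else None
    return int(m.group(1), 16) if m else None

def split_blocks(insns):
    """Basic blocks {start: [insn, ...]} by the question's rule: a block ends at
    a jump, call, ret or int 3 padding, and a new one starts at every target."""
    leaders = {insns[0][0]}
    for i, (_, mnem, ops) in enumerate(insns):
        t = direct_target(mnem, ops)
        if t is not None:
            leaders.add(t)
        ends = mnem in JCC or mnem in ("jmp", "call", "ret") or (mnem, ops) == ("int", "3")
        if ends and i + 1 < len(insns):
            leaders.add(insns[i + 1][0])
    blocks, cur = {}, None
    for insn in insns:
        if insn[0] in leaders:
            cur, blocks[insn[0]] = insn[0], []
        blocks[cur].append(insn)
    return blocks

def successors(block, fallthrough, entries):
    """Intra-procedural edges only: a call continues at its fall-through, ret and
    padding end the path, and a jmp to another function's entry is a tail call."""
    _, mnem, ops = block[-1]
    t = direct_target(mnem, ops)
    if mnem == "ret" or (mnem, ops) == ("int", "3"):
        return []
    if mnem == "jmp":
        return [] if t is None or t in entries else [t]
    succ = [] if fallthrough is None else [fallthrough]
    return succ + ([t] if mnem in JCC and t is not None else [])

def group_functions(insns, roots):
    """-> ({entry: sorted block starts}, [block starts owned by no function]).
    Entries: the given roots, every direct call target, and every block that
    opens with the frame-pointer prologue. A block reachable from two entries
    is credited to the lower one; a real tool should report it as shared."""
    blocks = split_blocks(insns)
    starts = sorted(blocks)
    after = dict(zip(starts, starts[1:] + [None]))
    entries = set(roots)
    for start, block in blocks.items():
        if [(m, o) for _, m, o in block[:2]] == [("push", "ebp"), ("mov", "ebp, esp")]:
            entries.add(start)
        t = direct_target(*block[-1][1:])
        if block[-1][1] == "call" and t is not None:
            entries.add(t)
    owner = {}
    for entry in sorted(e for e in entries if e in blocks):
        work = [entry]
        while work:
            b = work.pop()
            if b in owner or b not in blocks:
                continue
            owner[b] = entry
            work.extend(successors(blocks[b], after[b], entries))
    functions = {e: sorted(b for b, o in owner.items() if o == e)
                 for e in sorted(set(owner.values()))}
    return functions, [b for b in starts if b not in owner]
```

Running `group_functions(parse_listing(LISTING), [0x401000])` yields three functions (00401000 with four blocks, 00401020 with three, 00401040 with one) and one block owned by nobody, the int 3 at 00401016. Listing the unowned blocks rather than discarding them is deliberate: that is where the heuristics are most likely to have missed an entry, for example a function reached only through `call dword ptr [eax+08h]`, which has no direct call site and is found only if it starts with a recognisable prologue or is supplied as a root.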

, windasm ollydbg. call ret . , . call dword ptr [edx] edx , , , , .

To recognize fastcall functions, you need to look at how parameters are passed. Fastcall will pass the first two pointer-size parameters in the edx and ecx registers, whereas stdcall will push them onto the stack. See this article for an explanation.

+1
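The register-use test from the last answer (fastcall passes its first two arguments in ecx and edx, stdcall and cdecl put them on the stack), combined with the ret N and name-decoration hints from the first answer, as an added Python example that is not from the thread. It assumes 32-bit x86 code using the Microsoft conventions, tracks register use only in the function's entry basic block, and treats every call as clobbering eax, ecx and edx; the sample functions and their names are constructed for the example, and the mnemonic subset handled is only what those samples need.

```python
import re

# Constructed sample functions (not taken from any real binary), one list of
# "mnemonic operands" lines per function, in address order.
SAMPLES = {
    "fastcall_add": ["mov eax, dword ptr [ecx]", "add eax, edx", "ret"],
    "stdcall_add": ["push ebp", "mov ebp, esp", "mov eax, dword ptr [ebp+08h]",
                    "add eax, dword ptr [ebp+0Ch]", "pop ebp", "ret 0008h"],
    "cdecl_first": ["mov eax, dword ptr [esp+04h]", "ret"],
    "thiscall_get": ["mov eax, dword ptr [ecx+04h]", "mov edx, dword ptr [esp+04h]",
                     "add eax, edx", "ret 0004h"],
    # ecx is zeroed before it is read, so it is not an incoming argument
    "xor_idiom": ["xor ecx, ecx", "mov eax, ecx", "ret"],
    # edx is read only after a call, which may have clobbered it
    "after_call": ["mov eax, dword ptr [esp+04h]", "push eax", "call 00401000h",
                   "add esp, 00000004h", "mov eax, edx", "ret"],
}

REG = re.compile(r"\b(e?[abcd]x|[abcd][lh]|e?[sd]i|e?[bs]p)\b")
CANON = {**{p + s: "e" + p + "x" for p in "abcd" for s in "lhx"},
         "si": "esi", "di": "edi", "bp": "ebp", "sp": "esp"}
ARG_REGS = {"ecx", "edx"}             # fastcall/thiscall register arguments
CALLER_SAVED = {"eax", "ecx", "edx"}  # treated as clobbered by every call

def regs_in(text):
    return {CANON.get(r, r) for r in REG.findall(text)}

def reads_writes(mnem, ops):
    """(reads, writes) register sets for a small x86 subset; an unknown
    mnemonic is treated as read-only, which can only over-report inputs."""
    parts = [p.strip() for p in ops.split(",")] if ops else [""]
    dst, src = parts[0], (parts[1] if len(parts) > 1 else "")
    dst_is_reg = REG.fullmatch(dst) is not None
    if mnem in ("mov", "lea", "movzx", "movsx"):
        reads = regs_in(src) | (set() if dst_is_reg else regs_in(dst))
        return reads, (regs_in(dst) if dst_is_reg else set())
    if mnem == "xor" and dst_is_reg and dst == src:        # zeroing idiom
        return set(), regs_in(dst)
    if mnem in ("add", "sub", "and", "or", "xor", "inc", "dec", "neg", "not"):
        return regs_in(ops), (regs_in(dst) if dst_is_reg else set())
    if mnem == "pop":
        return set(), regs_in(dst)
    if mnem == "call":
        return regs_in(ops), set(CALLER_SAVED)
    return regs_in(ops), set()                             # push, cmp, test, ...

def analyze(lines):
    """Infer the calling convention of one function from the third answer's
    test: an argument register read before any write to it in the entry basic
    block is an incoming argument; a ret N anywhere means callee cleanup."""
    inputs, written, entry_block, ret_imm, stack_args = set(), set(), True, 0, False
    for line in lines:
        mnem, _, ops = line.strip().lower().partition(" ")
        ops = ops.strip()
        # [esp+4] / [ebp+8] is the first stack argument (assumes the usual
        # push ebp / mov ebp, esp frame when ebp is used)
        m = re.search(r"\[(esp|ebp)\+([0-9a-f]+)h?\]", ops)
        if m and int(m.group(2), 16) >= (4 if m.group(1) == "esp" else 8):
            stack_args = True
        if mnem == "ret":
            m = re.fullmatch(r"([0-9a-f]+)h?", ops)
            ret_imm = max(ret_imm, int(m.group(1), 16) if m else 0)
            entry_block = False
        elif mnem.startswith("j"):
            entry_block = False       # stop register tracking at the first branch
        elif entry_block:
            reads, writes = reads_writes(mnem, ops)
            inputs |= (reads & ARG_REGS) - written
            written |= writes
    if "ecx" in inputs and "edx" in inputs:
        conv = "fastcall"
    elif "ecx" in inputs:
        conv = "thiscall or fastcall with one register argument"
    elif ret_imm:
        conv = "stdcall"
    elif stack_args:
        conv = "cdecl"
    else:
        conv = "cdecl or stdcall (no stack arguments)"
    return {"inputs": sorted(inputs), "ret_imm": ret_imm,
            "stack_args": stack_args, "convention": conv}

def convention_from_decorated(name):
    """MSVC C name decoration, as the first answer lists it: _f -> cdecl,
    _f@N -> stdcall, @f@N -> fastcall (N = bytes of stack arguments)."""
    if re.fullmatch(r"@\w+@\d+", name):
        return "fastcall"
    if re.fullmatch(r"_\w+@\d+", name):
        return "stdcall"
    if re.fullmatch(r"_[A-Za-z_]\w*", name):
        return "cdecl"
    return "unknown"

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:13s} {analyze(body)}")
```

Two of the samples show why the naive "does the function touch ecx or edx" check is not enough: `xor ecx, ecx` writes ecx before reading it, so ecx is not an input, and a read of edx after a `call` says nothing about the caller because the callee may have clobbered it. The result is still a heuristic: a method that never uses its this pointer looks like stdcall, and thiscall cannot be told from a one-argument fastcall from the code alone. When symbols are available, `convention_from_decorated` on the decorated name is the reliable answer and the register analysis is only a fallback.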
