Jump to content
Welcome, welcome! Come in and register, and have some developer coffee. 👨‍💻 ×

Short Tutorial On How To Disassemble Code Section Of EXE


Recommended Posts

Suppose we have a "Hello World" console app compiled to 33,280 bytes Windows EXE.   How to disassemble its code section quickly and effortlessly?

First of all, we need the following tools (or online services) come handy:

  1. PEDUMP
  2. HEXDUMP
  3. Online Disassembler

 

PEDUMP

Today, we will look at how to find out where the code section starts in an binary executable compiled using Free Pascal Compiler.

So this is the Optional Header of the said executable:

  Magic              : 0x10B [PE32]
  Linker Version     : 3.20
  Size Of Code       : 0x6B50 (27472) bytes.
  Size Of Data       : 0x514 (1300) bytes.
  Size Of Data?      : 0x1B34 (6964) bytes.
  Entrypoint RVA     : 0x1510 (Offset = 0x910)
  Base Of Code       : 0x1000
  Base Of Data       : 0x8000
  Image Base         : 0x400000
  Section Alignment  : 0x1000 (4096) bytes.
  File Alignment     : 0x200 (512) bytes.
  OS Version         : 4.0
  Image Version      : 1.0
  Subsystem Version  : 4.0
  Win32 Ver Value    : 0
  Size Of Image      : 0x10000 (65536) bytes.
  Size Of Headers    : 0x400 (1024) bytes.
  Checksum           : 0x0 (Real = 0x131EC)
  Subsystem          : 3 [Windows Console]
  DLL Flags          : 0x0 

Entrypoint RVA is what we need.  It shows 0x1510 as the memory address, but we just need the 0x910 file offset.

 

HEXDUMP

hexdump.thumb.PNG.95ba85866bdb256a77aed6e9f5ca7abe.PNG

 

We will be copying the hexadecimal values starting from 0x910 file offset until it reaches at 0x952 (after which it is a series of null bytes which cannot be CPU opcodes).

 

Online Disassembler

We will be using two online disassemblers here.

The first one is plain one:

Disassembly:
0:  55                      push   ebp
1:  89 e5                   mov    ebp,esp
3:  c6 05 20 82 40 00 01    mov    BYTE PTR ds:0x408220,0x1
a:  68 d0 b2 40 00          push   0x40b2d0
f:  6a f6                   push   0xfffffff6
11: e8 da fa ff ff          call   0xfffffaf0
16: 50                      push   eax
17: e8 e4 fa ff ff          call   0xfffffb00
1c: b9 00 c0 40 00          mov    ecx,0x40c000
21: ba 04 c0 40 00          mov    edx,0x40c004
26: b8 50 80 40 00          mov    eax,0x408050
2b: e8 30 ff ff ff          call   0xffffff60
30: e8 3b ff ff ff          call   0xffffff70
35: b8 10 80 40 00          mov    eax,0x408010
3a: e8 91 5c 00 00          call   0x5cd0
3f: 89 ec                   mov    esp,ebp
41: 5d                      pop    ebp
42: c3                      ret

 

We would not know what the CALL [memory location] does until we use another better online disassembler:

firstapp.PNG.dc01c44569d0c781dc458e62ecbba4cf.PNG

This is much better, is not it?

GetStdHandle is needed before displaying text screen on console screen.

The real functions to display the actual text string might be CALL func_004014XX.   But I would not go further.

 

Conclusion

This is the first tutorial, rather quick one, how to find the Entrypoint of the code section in PE file (Windows EXE), and then disassemble the opcodes.   Please note that not each and every hexadecimal value is CPU opcode, they can be anything.

Usually a code segment starts with PUSH xxx and ends with POP xxx.  RET means return (just like in HLL) from subroutine to main routine.

Of course it will be easier to use full-featured debugger and disassembler, no need to find out the file offset ourselves.  This tutorial is meant to learn the basics step-by-step manually.

Enjoy this tutorial?  Please feel free to ask something, although I am far from the level of a RE expert. 🤩

 

 

  • Love 2
Link to post
Share on other sites
  • 2 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...