dumpbin /disasm output
PaulH
look at using the dumpbin tool.
The /IMPORTS line shows that it imports 2 dlls and what functions it
imports from them:
Section contains the following imports:
COREDLL.dll
13000 Import Address Table
12050 Import Name Table
0 time date stamp
0 Index of first forwarder reference
Ordinal 496 LocalFree
Ordinal 858 MessageBoxW
Ordinal 56 wsprintfW
Ordinal 516 GetLastError
Ordinal 1068 strlen
Ordinal 87 __C_specific_handler
Ordinal 1645 _XcptFilter
Ordinal 36 LocalFree
WS2.dll
13024 Import Address Table
12074 Import Name Table
0 time date stamp
0 Index of first forwarder reference
40 inet_addr
4A sendto
2D closesocket
2C bind
3C htonl
3D htons
4E socket
22 WSAStartup
4D shutdown
6 WSACleanup
4C setsockopt
But, the /DISASM command never shows these commands used:
00011050: EB0000E5 bl 000113EC
00011054: E3500000 cmp r0, #0
00011058: 0A00000C beq 00011090
0001105C: EB0000BE bl 0001135C
00011060: E59F12C8 ldr r1, [pc, #0x2C8]
00011064: E1A02000 mov r2, r0
00011068: E28D0058 add r0, sp, #0x58
0001106C: EB0000B7 bl 00011350
00011070: E59F2290 ldr r2, [pc, #0x290]
00011074: E3A03000 mov r3, #0
00011078: E28D1058 add r1, sp, #0x58
0001107C: E3A00000 mov r0, #0
00011080: EB0000AF bl 00011344
00011084: E3A00000 mov r0, #0
00011088: E28DDE2B add sp, sp, #0x2B, 28
0001108C: E8BD83F0 ldmia sp!, {r4 - r9, pc}
00011090: E3A02000 mov r2, #0
00011094: E3A01002 mov r1, #2
00011098: E3A00002 mov r0, #2
0001109C: EB0000CF bl 000113E0
How do I relate the assembly output of the /DISASM command to the
function calls imported from the two DLL imports?
Thanks,
PaulH
Tim Roberts
>
>I have a small (4.5KB) Windows Mobile 5 executable that I'm taking a
>look at using the dumpbin tool.
>The /IMPORTS line shows that it imports 2 dlls and what functions it
>imports from them:
>But, the /DISASM command never shows these commands used:
>
> 00011050: EB0000E5 bl 000113EC
> 00011054: E3500000 cmp r0, #0
> 00011058: 0A00000C beq 00011090
> 0001105C: EB0000BE bl 0001135C
> 00011060: E59F12C8 ldr r1, [pc, #0x2C8]
> 00011064: E1A02000 mov r2, r0
> 00011068: E28D0058 add r0, sp, #0x58
> 0001106C: EB0000B7 bl 00011350
> 00011070: E59F2290 ldr r2, [pc, #0x290]
> 00011074: E3A03000 mov r3, #0
> 00011078: E28D1058 add r1, sp, #0x58
> 0001107C: E3A00000 mov r0, #0
> 00011080: EB0000AF bl 00011344
> 00011084: E3A00000 mov r0, #0
> 00011088: E28DDE2B add sp, sp, #0x2B, 28
> 0001108C: E8BD83F0 ldmia sp!, {r4 - r9, pc}
> 00011090: E3A02000 mov r2, #0
> 00011094: E3A01002 mov r1, #2
> 00011098: E3A00002 mov r0, #2
> 0001109C: EB0000CF bl 000113E0
>
>How do I relate the assembly output of the /DISASM command to the
>function calls imported from the two DLL imports?
You can't. Remember that the disassembly doesn't know function names. All
it has is an address. The import table in the executable not only includes
the NAME of the import, but the location of the instruction that needs to
be patched. If you use DUMPBIN /ALL /DISASM, you can get more details
about the import table, including where the call is.
In the ARM9 instruction set, "bl" is the subroutine call instruction. You
can't tell from the disassembly which of these are calling internal
functions and which are calling external, but cross-referencing with the
import table dump should give you the answer.
--
Tim Roberts, ti...@probo.com
Providenza & Boekelheide, Inc.
h...@40th.com
>You can't. Remember that the disassembly doesn't know function names.
Sure it does. Here's some, cut up only a little:
Microsoft (R) COFF/PE Dumper Version 8.00.50727.762.8675309
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file phantasm2_wm6_d.exe
File Type: EXECUTABLE IMAGE
?xFilter@@YAXPAU_EXCEPTION_POINTERS@@@Z:
00011000: E1A0C00D mov r12, sp
00011004: E92D0001 stmdb sp!, {r0}
00011008: E92D5000 stmdb sp!, {r12, lr}
0001100C: E24DD008 sub sp, sp, #8
00011010: E59D3010 ldr r3, [sp, #0x10]
00011014: E5933000 ldr r3, [r3]
00011018: E58D3000 str r3, [sp]
0001101C: E59D3010 ldr r3, [sp, #0x10]
:
?DumpAbout_DBC@@YAXPAX@Z:
00011098: E1A0C00D mov r12, sp
0001109C: E92D0001 stmdb sp!, {r0}
000110A0: E92D5000 stmdb sp!, {r12, lr}
000110A4: E24DD010 sub sp, sp, #0x10
000110A8: EB03042A bl GetTickCount
000110AC: E58D000C str r0, [sp, #0xC]
000110B0: E59D300C ldr r3, [sp, #0xC]
:
?DoDatabaseTask@@YAII@Z:
00011174: E1A0C00D mov r12, sp
00011178: E92D0001 stmdb sp!, {r0}
0001117C: E92D5000 stmdb sp!, {r12, lr}
00011180: E24DDE4D sub sp, sp, #0x4D, 28
:
000111C4: EB030403 bl PostMessageW
000111C8: E3A03000 mov r3, #0
:
000113AC: E3530000 cmp r3, #0
000113B0: 1A000009 bne 000113DC
000113B4: E3A00002 mov r0, #2
000113B8: EB01C8C5 bl |?gt40_Shutdown@@YAII@Z|
--
40th Floor - Software @ http://40th.com/
iplay.40th.com - Advanced PPC audio player
phantasm.40th.com - The final destination
PaulH
Exactly... So, looking at the import table dump (top of my post) and
the addresses referenced by the bl functions. How do I associate the
two?
Thanks,
PaulH
PaulH
Did you do dumpbin on a debug build of your program? Does it do that
on the release build?
Thanks,
PaulH
PaulH
> If you doubt that (why not see if you can get
> this far yourself?), compile with /Fa and
> enjoy the full deal with comments and all.
> Unless you only have the exe. Is that your
> real problem, you only have the exe?
>
> --
> 40th Floor - Software @ http://40th.com/
> iplay.40th.com - Advanced PPC audio player
> phantasm.40th.com - The final destination
Stupid question, you're right. I answered it myself just after typing
that.
Yes, that's my problem. The guy who wrote the program is long gone and
all I have is the EXE.
Tim Roberts
>
>Exactly... So, looking at the import table dump (top of my post) and
>the addresses referenced by the bl functions. How do I associate the
>two?
The top of your post is NOT the import table. It's just the list of
imports. You'd have to look at the details of the import section to find
out which import is linked to which instruction(s).