ddisasm
NASHTA fails disassembly
nashta.zip

Please provide as much of the following information as possible:
- I have deleted the ddisasm VM that I used to disassemble it, and so I lost the version.
- How can we reproduce? Please paste the command line used to invoke ddisasm and any other relevant information.
I had to patch the disassembled asm to remove section permissions in order to avoid a compiler error. I also changed the INCLUDELIB keyword arguments. Then, on this file, I did:
PS C:\msys64\home\vboxuser\tmp> \masm32\bin\ml.exe /c /coff /nologo .\29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a.asm
Assembling: .\29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a.asm
PS C:\msys64\home\vboxuser\tmp> .\Golink\GoLink.exe .\29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a.obj -Fo out /entry:_EntryPoint /console C:\Windows\system32\kernel32.dll C:\Windows\system32\user32.dll C:\Windows\system32\shell32.dll C:\Windows\system32\gdi32.dll C:\Windows\system32\advapi32.dll C:\Windows\system32\oleaut32.dll C:\Windows\system32\advapi32.dll C:\Windows\System32\KernelBase.dll /mix
GoLink.Exe Version 1.0.4.4 Copyright Jeremy Gordon 2002-2023 [email protected]
Error!
The following symbols were not defined in the object file or files:-
FreeLibrary_disambig_0_1
FreeLibrary_disambig_0_1
GetCommandLineA_disambig_0_1
GetCommandLineA_disambig_0_1
LocalAlloc_disambig_0_1
LocalAlloc_disambig_0_1
RegCloseKey_disambig_0_1
RegCloseKey_disambig_0_1
RegOpenKeyExA_disambig_0_1
RegOpenKeyExA_disambig_0_1
WriteFile_disambig_0_1
WriteFile_disambig_0_1
ImageBase
Output file not made
- What went wrong: I cannot recompile the new disassembled file due to the previous error.
I have not attached the nashta malware, in order to avoid infecting people by accident. I left the hash in the name instead. Could you ask me in person for it, in order to disassemble it, if you do not find it, please?
I think I see what might be happening here.
For some reason there are 2 copies of those symbols, e.g. RegOpenKeyExA. To avoid ambiguity, gtirb-pprinter renames the symbols by adding a suffix _disambig_0_1, but if those symbols are external, they should not be renamed.
This should be fixed in the pprinter.
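The renaming described in the reply above can be checked for in a generated .asm listing before anyone tries to assemble it. The following Python script is an added example, not code from ddisasm, gtirb-pprinter or any participant in this thread; the `<name>_disambig_<n>_<m>` suffix and the `EXTERN name:TYPE` declaration form are taken from the thread, and the embedded MASM fragment is constructed for illustration rather than real tool output. It reports every renamed symbol whose base name is an EXTERN import (the names GoLink listed as undefined) while leaving renamed local symbols alone.

```python
import re
import sys

# Constructed MASM fragment modelled on the symptom in this thread; it is not
# real ddisasm/gtirb-pprinter output. RegOpenKeyExA is an import (EXTERN), but
# the call site refers to a renamed copy that no import library will provide.
SAMPLE_ASM = """\
; constructed sample, not real ddisasm output
.686p
.model flat
INCLUDELIB kernel32.lib
INCLUDELIB advapi32.lib
EXTERN RegOpenKeyExA:PROC
EXTERN WriteFile:PROC
EXTERN ___ImageBase:BYTE
.code
_EntryPoint PROC
    call RegOpenKeyExA_disambig_0_1   ; renamed reference to an import: will not link
    call WriteFile                    ; plain import reference: fine
    push OFFSET ___ImageBase          ; left EXTERN on purpose, the linker defines it
    call local_helper_disambig_0_1    ; renamed local symbol: harmless, defined below
    ret
_EntryPoint ENDP
local_helper_disambig_0_1 PROC
    ret
local_helper_disambig_0_1 ENDP
END
"""

# "<base>_disambig_<n>_<m>" is the suffix pattern described in the thread.
DISAMBIG_RE = re.compile(r"^(?P<base>[A-Za-z_$?@][\w$?@]*)_disambig_\d+_\d+$")
# "EXTERN name:TYPE" (MASM also accepts EXTRN) declares a symbol the linker must resolve.
EXTERN_RE = re.compile(r"^\s*EXTE?RN\s+(?P<name>[^\s:]+)\s*:", re.IGNORECASE)
SYMBOL_RE = re.compile(r"[A-Za-z_$?@][\w$?@]*")


def strip_comment(line):
    """Drop a trailing MASM ';' comment so names in comments are not counted."""
    return line.split(";", 1)[0]


def externs(asm_text):
    """Set of names declared EXTERN/EXTRN in the listing."""
    found = set()
    for line in asm_text.splitlines():
        m = EXTERN_RE.match(strip_comment(line))
        if m:
            found.add(m.group("name"))
    return found


def renamed_references(asm_text):
    """Map every '<base>_disambig_n_m' name that appears in code to its line numbers."""
    refs = {}
    for lineno, line in enumerate(asm_text.splitlines(), start=1):
        for token in SYMBOL_RE.findall(strip_comment(line)):
            if DISAMBIG_RE.match(token):
                refs.setdefault(token, []).append(lineno)
    return refs


def find_renamed_externs(asm_text):
    """Return (renamed_name, base_name, [line numbers]) for each renamed symbol
    whose base is an EXTERN import, or which was itself declared EXTERN under
    the renamed name. Renamed symbols defined locally are not reported."""
    ext = externs(asm_text)
    hits = []
    for name, lines in sorted(renamed_references(asm_text).items()):
        base = DISAMBIG_RE.match(name).group("base")
        if base in ext or name in ext:
            hits.append((name, base, lines))
    return hits


def report(asm_text):
    """Human-readable summary of the renamed import references found."""
    hits = find_renamed_externs(asm_text)
    if not hits:
        return "no renamed references to EXTERN symbols"
    return "\n".join(
        f"{name} (line {', '.join(map(str, lines))}) should be {base}"
        for name, base, lines in hits
    )


if __name__ == "__main__":
    # Pass the path of a generated .asm file, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_ASM
    print(report(text))
```

Run it against the .asm that gtirb-pprinter produced; an empty report means the listing has no renamed import references, so a linker failure on those names would have to come from somewhere else (for example a missing import library).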
I got the assembly with a command similar to ddisasm --asm out.sam in.exe.
Are you sure the bug is in gtirb-pprinter and not from ddisasm? Ddisasm could rely on gtirb-pprinter after all.
Will somebody fix it or should I open a PR please?
On the same binary I also have ImageBase not defined in the object file.
I would like to edit EXTERN ___ImageBase:BYTE because it is the only place where ImageBase appears in the text file.
@aeflores If you think this is not related to ddisasm / gtirb dev, could you send me an email please?
Ddisasm uses gtirb-pprinter as a library to generate assembly, so yeah this is a pprinter issue. I can look into it.
Regarding ImageBase, I think we define this as an external symbol so it can be defined by the linker when reassembling.
Should I set ImageBase from a compile command option like /imageBase, remove the variable, or something else in order to fix it, please?
If I set /base 50000, then could I remove the linked variable, please?
/base 50000 still leaves the symbol ImageBase undefined.
The commit https://github.com/GrammaTech/ddisasm/commit/f6bea62e47a8f97fdef4a318ab5b1e5e2a35ec46 fixed the undefined externs (imports).
I checked that the resulting assembly successfully reassembles; the ___ImageBase symbol is not a problem. You might want to run ddisasm with the --generate-import-libs option to generate .def and .lib files of the dependencies, or reassemble with gtirb-pprinter's --binary option.
Great! I will test this week.
I am confused. Could you provide the full command, please?
It has been a while, but the following should work:
ddisasm 29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a --ir nashta.gtirb
gtirb-pprinter nashta.gtirb -b nashta.rewritten
Should it work with the --asm option as well, please?