The MASM Forum

64 bit assembler => 64 bit assembler. Conceptual Issues => Topic started by: hutch-- on December 11, 2014, 12:04:52 AM

Title: PODUMP formatter for 64 bit.
Post by: hutch-- on December 11, 2014, 12:04:52 AM
I have yet to find a decent disassembler for Win64 and needed to be able to have a look at the mnemonic code produced by a couple of different 64 bit assemblers, POASM and JWASM. I have put together a tool that accepts a PODUMP dump of a 64 bit object module that converts it from a very rudimentary form to something like human readable assembler.

The reason for disassembling the object module rather than the executable is the object module has a lot more useful information in it including procedure names and variable names. The PHUN part was resolving the procedure call addresses and the jumps to label address resolution then locating the hex numbers that don't have a trailing "h" and converting them to unsigned decimal numbers, both in and outside of complex addressing mode.

The attached zip file has the tool and 2 dumps from PODUMP, one of a very simple dump of a POASM obj, the other from a JWASM obj. Either use the command line or just drop either dump file onto the tool. If you install it  on the same drive as MASM32, QE will display the results which are saved to a file first. If you place on a different drive you can view the output file.

NOTE : You run PODUMP with the following command line or in a batch file.

yourpath\podump.exe /disasm:NOCODEBYTES test.obj > dump.txt

The JWASM formatted dump looks like this.

    Dump of Win64_3.obj
    File type: OBJ
    Can't synchronize source and assembly code

fn_WinMainCRTStartup:
    sub rsp, 40
    mov ecx, 0
    call GetModuleHandleA
    mov qword ptr [hInstance], rax
    call GetCommandLineA
    mov qword ptr [CommandLine], rax
    mov rcx, qword ptr [hInstance]
    mov rdx, 0
    mov r8, qword ptr [CommandLine]
    mov r9d, 10
    call fn_WinMain
    mov ecx, eax
    call ExitProcess

fn_WinMain:
    push rbp
    mov rbp, rsp
    sub rsp, 240
    mov qword ptr [rbp+16], rcx
    mov qword ptr [rbp+24], rdx
    mov qword ptr [rbp+32], r8
    mov dword ptr [rbp+40], r9d
    mov dword ptr [rbp-80], 50
    mov dword ptr [rbp-76], 3
    lea rax, [WndProc]
    mov qword ptr [rbp-72], rax
    mov dword ptr [rbp-64], 0
    mov dword ptr [rbp-60], 0
    mov qword ptr [rbp-56], rcx
    mov qword ptr [rbp-32], 6
    mov qword ptr [rbp-24], 0
    lea rax, [ClassName]
    mov qword ptr [rbp-16], rax
    mov ecx, 0
    mov edx, 32512
    call LoadIconA
    mov qword ptr [rbp-48], rax
    mov qword ptr [rbp-8], rax
    mov ecx, 0
    mov edx, 32512
    call LoadCursorA
    mov qword ptr [rbp-40], rax
    lea rcx, [rbp-80]
    call RegisterClassExA
    mov ecx, 0
    lea rdx, [ClassName]
    lea r8, [AppName]
    mov r9d, 13565952
    mov dword ptr [rsp+32], 80000000
    mov dword ptr [rsp+40], 80000000
    mov dword ptr [rsp+48], 80000000
    mov dword ptr [rsp+56], 80000000
    mov qword ptr [rsp+64], 0
    mov qword ptr [rsp+72], 0
    mov rax, qword ptr [rbp+16]
    mov qword ptr [rsp+80], rax
    mov qword ptr [rsp+88], 0
    call CreateWindowExA
    mov qword ptr [rbp-136], rax
    mov rcx, qword ptr [rbp-136]
    mov edx, 1
    call ShowWindow
    mov rcx, qword ptr [rbp-136]
    call UpdateWindow
  lbl_1:
    lea rcx, [rbp-128]
    mov rdx, 0
    mov r8, 0
    mov r9, 0
    call GetMessageA
    and rax, rax
    je lbl_0
    lea rcx, [rbp-128]
    call TranslateMessage
    lea rcx, [rbp-128]
    call DispatchMessageA
    jmp lbl_1
  lbl_0:
    mov rax, qword ptr [rbp-112]
    add rsp, 240
    pop rbp
    ret

fn_WndProc:
    sub rsp, 40
    cmp edx, 2
    jne lbl_2
    mov ecx, 0
    call PostQuitMessage
    xor rax, rax
    jmp lbl_3
  lbl_2:
    call DefWindowProcA
  lbl_3:
    add rsp, 40
    ret

    SUMMARY
    10 .bss
    20 .data
    4A .drectve
    24 .pdata
    1CC .text
    1C .xdata

Title: Re: PODUMP formatter for 64 bit.
Post by: anunitu on December 11, 2014, 02:00:37 AM
Seems you are putting a lot of time and effort into the 64 bit side...I was wondering how a dual chip 64 bit system shakes out as far as speed or ability to compute large data.
Title: Re: PODUMP formatter for 64 bit.
Post by: anunitu on December 11, 2014, 02:07:58 AM
Did manage to find this about dual core and multi core,but it is a bit deep for my level of understanding,but interesting non the less.

http://www.webopedia.com/DidYouKnow/Hardware_Software/dual_core.asp
Title: Re: PODUMP formatter for 64 bit.
Post by: hutch-- on December 11, 2014, 02:56:31 AM
Intel are the folks who publish the info you need, a read around their site would probably answer your question but generally a quad core processor with hyperthreading will give you 8 effective cores for 8 threads so there is not as much need for multi processor machines as there once was.
Title: Re: PODUMP formatter for 64 bit.
Post by: Gunther on December 11, 2014, 03:03:59 AM
Quote from: hutch-- on December 11, 2014, 02:56:31 AM
Intel are the folks who publish the info you need, a read around their site would probably answer your question but generally a quad core processor with hyperthreading will give you 8 effective cores for 8 threads so there is not as much need for multi processor machines as there once was.

That's the point. They're using only Dual Core or Quad Core machines at CERN (PC farm). It's enough calculation power (20 000 Cores).

Gunther
Title: Re: PODUMP formatter for 64 bit.
Post by: anunitu on December 11, 2014, 03:43:54 AM
I checked(took a bit to find the proper system thing) but found I have a quad core,so I think I will need to dig into the ins and outs of 64 bit with a quad core.  My Daughter bought the system for me,so was not aware of all its specs.(One bitch,they do not include a lot of paperwork with a new system anymore,would have loved to pore over the manual in hard copy form)
Title: Re: PODUMP formatter for 64 bit.
Post by: hutch-- on December 11, 2014, 05:11:25 PM
The toy you need is called CPU-Z. My guess she bought you an i5 Intel quad but download this toy and run it and you will be a wiser man. Once you identify the motherboard you go to their site and download the manual for it and you should end up with an almost unlimited supply of near useless information.  :P