I have been flying in the dark with 64 bit so I went for a hunt for a 64 bit disassembler to slightly illuminate what was going on.
Toy is PEBROWSE64 and it appears to work OK. Wasted the time and 850 meg download to get the Microsoft symbols but found it wanted a URL path set in an environment variable.
This is the link.
http://www.smidgeonsoft.prohosting.com/pebrowse-pro-interactive-debugger.html
Copy the results to clipboard then paste into your editor.
Results look like this after pasting into a text editor.
Disassembly for .text (0x00000001`40001000)
;********************************************************************************
; Starting RVA: 00000000`00001000
; Section: .text + 0x00000000
0x00000001`40001000: 4883EC28 sub rsp,0x28
0x00000001`40001004: 488B0D36200000 mov rcx,qword ptr [0x0000000140003041] ; (.data + 0x41)
0x00000001`4000100B: 488B1537200000 mov rdx,qword ptr [0x0000000140003049] ; (.data + 0x49)
0x00000001`40001012: 49C7C01B000000 mov r8,0x1B
0x00000001`40001019: E831000000 call 0x000000014000104F ; (.text + 0x4F)
0x00000001`4000101E: 33C9 xor ecx,ecx
0x00000001`40001020: 4533C9 xor r9d,r9d
0x00000001`40001023: 488B151F200000 mov rdx,qword ptr [0x0000000140003049] ; (.data + 0x49)
0x00000001`4000102A: 4C8D05CF1F0000 lea r8,[0x0000000140003000] ; 'Byte Copy'
; WINUSERAPI int WINAPI MessageBoxA( HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);
0x00000001`40001031: FF15D90F0000 call qword ptr [user32.dll!MessageBoxA] ; (0x00000001`40002010)
0x00000001`40001037: 33C9 xor ecx,ecx
; WINBASEAPI DECLSPEC_NORETURN VOID WINAPI ExitProcess( UINT uExitCode );
0x00000001`40001039: FF15C10F0000 call qword ptr [kernel32.dll!ExitProcess] ; (0x00000001`40002000)
0x00000001`4000103F: 56 push rsi
0x00000001`40001040: 57 push rdi
0x00000001`40001041: 488BF1 mov rsi,rcx
0x00000001`40001044: 488BFA mov rdi,rdx
0x00000001`40001047: 498BC8 mov rcx,r8
0x00000001`4000104A: F3A4 rep movs byte ptr [rdi],byte ptr [rsi]
0x00000001`4000104C: 5F pop rdi
0x00000001`4000104D: 5E pop rsi
0x00000001`4000104E: C3 ret
0x00000001`4000104F: 56 push rsi
0x00000001`40001050: 57 push rdi
0x00000001`40001051: FC cld
0x00000001`40001052: 488BF1 mov rsi,rcx
0x00000001`40001055: 488BFA mov rdi,rdx
0x00000001`40001058: 498BC8 mov rcx,r8
0x00000001`4000105B: 48C1E903 shr rcx,0x3
0x00000001`4000105F: F348A5 movs qword ptr [rdi],qword ptr [rsi]
0x00000001`40001062: 498BC8 mov rcx,r8
0x00000001`40001065: 4883E107 and rcx,0x7
0x00000001`40001069: F3A4 rep movs byte ptr [rdi],byte ptr [rsi]
0x00000001`4000106B: 5F pop rdi
0x00000001`4000106C: 5E pop rsi
0x00000001`4000106D: C3 ret
> it wanted a URL path set in an environment variable.
Quote_NT_SYMBOL_PATH=srv*c:\asm\symbols*http://msdl.microsoft.com/download/symbols
This saves a local (updated if needed) copy of the .pdb in c:\asm\symbols e.g.
QuoteC:\asm\symbols\kernel32.pdb\4D16E830321944FF892574FCDF5606DF1\kernel32.pdb
Any debugger should look for _NT_SYMBOL_PATH
There is x64dbg (https://sourceforge.net/projects/x64dbg/), too, but it fails for me with exception c0000007 (STATUS_PAGEFILE_QUOTA??) :(
See also http://reverseengineering.stackexchange.com/questions/1817/is-there-any-disassembler-to-rival-ida-pro for a list including Hopper, Immunity, x64_dbg, VisualDux, ...
JJ,
You may need to get the Win7 version. I had it working for 32 bit code on my Win7 64 box. The biggest problem for me in getting a disassembler was to get one that was not full of a mountain of other stuff that I am not interested in. All I want is the mnemonic disassembly, not a mountain of other crap.
Hutch,
Problem with exception c..7b solved, it needed the Visual C++ Redistributable Packages for Visual Studio 2013 (https://www.microsoft.com/en-us/download/details.aspx?id=40784) (I wonder when people will learn to check the availability of xyz, and give a meaningful feedback if not).
Now it works. The interface looks suspiciously like OllyDbg, and the F7...F9 keys do what you expect them to do.
Slow like hell on startup, the x64dbg GUI is built on the crappy QT "framework", meaning to say Hello World, you need a 10MB exe.
deleted
Quote from: nidud on June 26, 2016, 07:31:49 PM
http://www.agner.org/optimize/ (http://www.agner.org/optimize/)
Nice link :t.
http://www.agner.org/optimize/blog/read.php?i=417
QuoteFor many years, we have seen a symbiosis between the hardware industry and the software industry, where the software industry has produced ever-more advanced and demanding software that prompts consumers to buy the ever-more powerful hardware. As the rate of growth in hardware technology is slowing down, and consumers turn to small portable devices where battery life is more important than number-crunching power, the software industry now has to change its course. The software industry has to cut down on the resource-hungry development tools and multilayer software and develop less feature-bloated products that take longer time to develop, but use fewer hardware resources and run faster
http://www.arkdasm.com/
sinsi,
Have you used arkdasm ?
Simple question really,would a 64 bit disassembler also be used to disassemble a 32 bit file ?,or maybe a 16 bit. Perhaps it would be very specialized in only handling 64 bit code.?
Just wondering.
Pelles IDE is also a GUI alternative to disassemble 64-bit executables.
Quote from: anunitu on June 27, 2016, 04:06:14 AMwould a 64 bit disassembler also be used to disassemble a 32 bit file ?
The ones I've seen so far were all "specialised" 8)
@Erol: Can you use it to debug a Masm exe?
Till now I haven't seen better debugger than MS WinDbg if you want to debug an executive file.
For long time already I use Vsual studio to build and debug my projects.
The advantage of using Visual Studio is that you can mix C and assembler files to create .exe files and debug in both source level and disassembly. You can use ml.exe or ml64.exe or HJWasm 32 or 64.
Here is an example of VS debug built with HJWasm x64:
WinMain proc FRAME uses rbx ymm6 ymm7 hInst:HINSTANCE, hPrevInst:HINSTANCE, CmdLine:LPSTR, CmdShow:UINT
00007FF70D6F1109 C5 FD 7F BC 24 A0 01 00 00 vmovdqa ymmword ptr [rsp+1A0h],ymm7
LOCAL baba:YMMWORD
LOCAL deda:YMMWORD
LOCAL wc:WNDCLASSEXA
LOCAL msg:MSG
LOCAL var:QWORD
LOCAL hwnd:HWND
;--- init the "shadow variable". Alternatively, one may set bit 0
;--- of OPTION WIN64, then this is done automatically.
lea rax,__ImageBase
00007FF70D6F1112 48 8D 05 E7 EE FF FF lea rax,[7FF70D6F0000h]
;lea r10,testloc
;lea r11,test1
;lea rax,testloc1
;lea r8,testloc2
;vmovdqa testloc1,ymm1
lea rax,deda
00007FF70D6F1119 48 8D 84 24 C0 00 00 00 lea rax,[deda]
vmovdqa deda,ymm2
00007FF70D6F1121 C5 FD 7F 94 24 C0 00 00 00 vmovdqa ymmword ptr [deda],ymm2
mov hInst, rcx
00007FF70D6F112A 48 89 8C 24 E0 01 00 00 mov qword ptr [hInst],rcx
mov wc.cbSize, SIZEOF WNDCLASSEXA
00007FF70D6F1132 C7 84 24 E0 00 00 00 50 00 00 00 mov dword ptr [wc],50h
mov wc.style, CS_HREDRAW or CS_VREDRAW
00007FF70D6F113D C7 84 24 E4 00 00 00 03 00 00 00 mov dword ptr [rsp+0E4h],3
lea rax, [WndProc]
00007FF70D6F1148 48 8D 05 CA FE FF FF lea rax,[WndProc (07FF70D6F1019h)]
mov wc.lpfnWndProc, rax
00007FF70D6F114F 48 89 84 24 E8 00 00 00 mov qword ptr [rsp+0E8h],rax
mov wc.cbClsExtra, 0
00007FF70D6F1157 C7 84 24 F0 00 00 00 00 00 00 00 mov dword ptr [rsp+0F0h],0
mov wc.cbWndExtra, 0
00007FF70D6F1162 C7 84 24 F4 00 00 00 00 00 00 00 mov dword ptr [rsp+0F4h],0
mov wc.hInstance, rcx
00007FF70D6F116D 48 89 8C 24 F8 00 00 00 mov qword ptr [rsp+0F8h],rcx
mov wc.hbrBackground, COLOR_WINDOW+1
00007FF70D6F1175 48 C7 84 24 10 01 00 00 06 00 00 00 mov qword ptr [rsp+110h],6
mov wc.lpszMenuName, NULL
00007FF70D6F1181 48 C7 84 24 18 01 00 00 00 00 00 00 mov qword ptr [rsp+118h],0
lea rax, [ClassName]
00007FF70D6F118D 48 8D 05 6C 3E 00 00 lea rax,[ClassName (07FF70D6F5000h)]
mov wc.lpszClassName, rax
00007FF70D6F1194 48 89 84 24 20 01 00 00 mov qword ptr [rsp+120h],rax
invoke LoadIconA, NULL, IDI_APPLICATION
00007FF70D6F119C 33 C9 xor ecx,ecx
00007FF70D6F119E 48 C7 C2 00 7F 00 00 mov rdx,7F00h
00007FF70D6F11A5 FF 15 05 5F 00 00 call qword ptr [__imp_LoadIconA (07FF70D6F70B0h)]
mov wc.hIcon, rax
00007FF70D6F11AB 48 89 84 24 00 01 00 00 mov qword ptr [rsp+100h],rax
mov wc.hIconSm, rax
00007FF70D6F11B3 48 89 84 24 28 01 00 00 mov qword ptr [rsp+128h],rax
invoke LoadCursor, NULL, IDC_ARROW
00007FF70D6F11BB 33 C9 xor ecx,ecx
00007FF70D6F11BD 48 C7 C2 00 7F 00 00 mov rdx,7F00h
00007FF70D6F11C4 FF 15 DE 5E 00 00 call qword ptr [__imp_LoadCursorA (07FF70D6F70A8h)]
mov wc.hCursor,rax
00007FF70D6F11CA 48 89 84 24 08 01 00 00 mov qword ptr [rsp+108h],rax
invoke RegisterClassEx, addr wc
00007FF70D6F11D2 48 8D 8C 24 E0 00 00 00 lea rcx,[wc]
00007FF70D6F11DA FF 15 A8 5E 00 00 call qword ptr [__imp_RegisterClassExA (07FF70D6F7088h)]
invoke CreateWindowEx, NULL, ADDR ClassName, ADDR AppName,\
WS_OVERLAPPEDWINDOW, CW_USEDEFAULT,\
CW_USEDEFAULT, CW_USEDEFAULT,CW_USEDEFAULT, NULL, NULL,\
hInst, NULL
00007FF70D6F11E0 33 C9 xor ecx,ecx
00007FF70D6F11E2 48 8D 15 17 3E 00 00 lea rdx,[ClassName (07FF70D6F5000h)]
00007FF70D6F11E9 4C 8D 05 1F 3E 00 00 lea r8,[AppName (07FF70D6F500Fh)]
00007FF70D6F11F0 41 B9 00 00 CF 00 mov r9d,0CF0000h
00007FF70D6F11F6 C7 44 24 20 00 00 00 80 mov dword ptr [rsp+20h],80000000h
00007FF70D6F11FE C7 44 24 28 00 00 00 80 mov dword ptr [rsp+28h],80000000h
00007FF70D6F1206 C7 44 24 30 00 00 00 80 mov dword ptr [rsp+30h],80000000h
00007FF70D6F120E C7 44 24 38 00 00 00 80 mov dword ptr [rsp+38h],80000000h
00007FF70D6F1216 48 C7 44 24 40 00 00 00 00 mov qword ptr [rsp+40h],0
00007FF70D6F121F 48 C7 44 24 48 00 00 00 00 mov qword ptr [rsp+48h],0
00007FF70D6F1228 48 8B 84 24 E0 01 00 00 mov rax,qword ptr [hInst]
00007FF70D6F1230 48 89 44 24 50 mov qword ptr [rsp+50h],rax
00007FF70D6F1235 48 C7 44 24 58 00 00 00 00 mov qword ptr [rsp+58h],0
00007FF70D6F123E FF 15 4C 5E 00 00 call qword ptr [__imp_CreateWindowExA (07FF70D6F7090h)]
mov hwnd,rax
00007FF70D6F1244 48 89 84 24 68 01 00 00 mov qword ptr [hwnd],rax
invoke ShowWindow, hwnd, SW_SHOWNORMAL
00007FF70D6F124C 48 8B 8C 24 68 01 00 00 mov rcx,qword ptr [hwnd]
00007FF70D6F1254 BA 01 00 00 00 mov edx,1
00007FF70D6F1259 FF 15 39 5E 00 00 call qword ptr [__imp_ShowWindow (07FF70D6F7098h)]
invoke UpdateWindow, hwnd
00007FF70D6F125F 48 8B 8C 24 68 01 00 00 mov rcx,qword ptr [hwnd]
00007FF70D6F1267 FF 15 33 5E 00 00 call qword ptr [__imp_UpdateWindow (07FF70D6F70A0h)]
.for(::)
invoke GetMessage, ADDR msg, NULL, 0, 0
00007FF70D6F126D 48 8D 8C 24 30 01 00 00 lea rcx,[msg]
00007FF70D6F1275 33 D2 xor edx,edx
00007FF70D6F1277 45 33 C0 xor r8d,r8d
00007FF70D6F127A 45 33 C9 xor r9d,r9d
00007FF70D6F127D FF 15 DD 5D 00 00 call qword ptr [__imp_GetMessageA (07FF70D6F7060h)]
.break .if (!eax)
00007FF70D6F1283 85 C0 test eax,eax
00007FF70D6F1285 74 20 je WinMain+1B4h (07FF70D6F12A7h)
invoke TranslateMessage, ADDR msg
00007FF70D6F1287 48 8D 8C 24 30 01 00 00 lea rcx,[msg]
00007FF70D6F128F FF 15 D3 5D 00 00 call qword ptr [__imp_TranslateMessage (07FF70D6F7068h)]
invoke DispatchMessage, ADDR msg
00007FF70D6F1295 48 8D 8C 24 30 01 00 00 lea rcx,[msg]
00007FF70D6F129D FF 15 CD 5D 00 00 call qword ptr [__imp_DispatchMessageA (07FF70D6F7070h)]
xor eax,eax
00007FF70D6F12A3 33 C0 xor eax,eax
.endfor
00007FF70D6F12A5 EB C6 jmp WinMain+17Ah (07FF70D6F126Dh)
mov rax, msg.wParam
00007FF70D6F12A7 48 8B 84 24 40 01 00 00 mov rax,qword ptr [rsp+140h]
ret
00007FF70D6F12AF C5 FD 6F B4 24 80 01 00 00 vmovdqa ymm6,ymmword ptr [rsp+180h]
00007FF70D6F12B8 C5 FD 6F BC 24 A0 01 00 00 vmovdqa ymm7,ymmword ptr [rsp+1A0h]
00007FF70D6F12C1 48 81 C4 D0 01 00 00 add rsp,1D0h
00007FF70D6F12C8 5B pop rbx
00007FF70D6F12C9 C3 ret
WinMain endp
Hi Jochen,
PEBrowse Professional Interactive can be used to debug Masm executables but I would prefer Ollydbg.
Windbg understand 'invoke' while debugging.
ml64 removed 'invoke' but that continue being a reserved word.
I can't test now, but I remember this. If you create a invoke macro windbg will understand that. You should I think compile with debug informations.
Update on X64Dbg: If you insert an int 3 to force a break at interesting points of your code, the debugger won't allow you to continue with F7/F8/F9. The solution is to press Ctrl F8.
I was chatting to mrexodia on the gitter channel they have (https://gitter.im/x64dbg/x64dbg), and mentioned this to him - he did state that this was by design - and referenced issue #211 (https://github.com/x64dbg/x64dbg/issues/211) - he did mention emails, so i presume you already spoke to him about it anyhow.
Worth mentioning the full source debugging in x64dbg and in the most recent additions the ability to toggle breakpoints from the source view (feature request by myself), and you can use F10 and F11 to step source lines, which is pretty cool.
(https://s20.postimg.org/tvuab5zkp/x64dbg_source_view_debugging.png) (https://postimg.org/image/tvuab5zkp/)
I took sinsi's suggestion with ArkDasm and have been very pleased with the results. Clean dis-assembly, differentiates each procedure clearly and will single step through the exe with F10.
Quote from: hutch-- on July 12, 2016, 12:35:24 PM
I took sinsi's suggestion with ArkDasm and have been very pleased with the results. Clean dis-assembly, differentiates each procedure clearly and will single step through the exe with F10.
I also tried ArkDasm. Its pretty cool especially renaming functions and adding multiline comments and the possibility to create memory snapshot.
Some debugging Windows are a bit hidden and need to be enabled when debugging starts e.g. Debugging menu -> Windows -> General registers or View -> Hex View (for memory view)
Have fdbg too by feryno, I'm using it on linux but have used it on windows side too years ago. Have source code using Flat Assembler.
http://fdbg.x86asm.net/