assemble/disassemble

Started by minor28, June 14, 2017, 05:24:54 PM


minor28

When I wrote the Disassembler.exe program, I used one of the earlier versions to disassemble. Now I have disassembled the latest version and discovered that after the jump table there were two additional functions that I have not written. No calls from my code to these functions. Furthermore, ImageBase, which is set to 400000h in the header, is changed to another location.

Can anyone explain this to me?


011C580A: FF 25 20 60 1C 01 jmp dword ptr ds:[011C6020h]
011C5810: FF 25 18 60 1C 01 jmp dword ptr ds:[011C6018h]
011C5816: FF 25 08 60 1C 01 jmp dword ptr ds:[011C6008h]
011C581C: FF 25 0C 60 1C 01 jmp dword ptr ds:[011C600Ch]
011C5822: CC int 3
011C5823: CC int 3
011C5824: 55 push ebp
011C5825: 8B EC mov ebp,esp
011C5827: 60 pushad
011C5828: 8B 55 0C mov edx,dword ptr [ebp+0Ch]
011C582B: 8B 75 08 mov esi,dword ptr [ebp+8]
011C582E: 33 C0 xor eax,eax
011C5830: 33 C9 xor ecx,ecx
011C5832: 88 42 08 mov byte ptr [edx+8],al
011C5835: B1 07 mov cl,7
011C5837: 8B C6 mov eax,esi
011C5839: 24 0F and al,0Fh
011C583B: 3C 0A cmp al,0Ah
011C583D: 1C 69 sbb al,69h
011C583F: 2F das
011C5840: 88 04 11 mov byte ptr [ecx+edx],al
011C5843: C1 EE 04 shr esi,4
011C5846: 49 dec ecx
011C5847: 79 EE jns 011C5837
011C5849: 61 popa
011C584A: C9 leave
011C584B: C2 08 00 retn 8
011C584E: 55 push ebp
011C584F: 8B EC mov ebp,esp
011C5851: 83 C4 FC add esp,0FFFFFFFCh
011C5854: 60 pushad
011C5855: 6A 00 push 0
011C5857: 68 24 76 1C 01 push 11C7624h
011C585C: E8 97 00 00 00 call 011C58F8
011C5861: 0B C0 or eax,eax
011C5863: 75 18 jnz 011C587D
011C5865: 6A 01 push 1
011C5867: 68 32 76 1C 01 push 11C7632h
011C586C: E8 81 00 00 00 call 011C58F2
011C5871: 6A 00 push 0
011C5873: 68 24 76 1C 01 push 11C7624h
011C5878: E8 7B 00 00 00 call 011C58F8
011C587D: 0B C0 or eax,eax
011C587F: 74 6C jz 011C58ED
011C5881: 6A 01 push 1
011C5883: 6A 00 push 0
011C5885: 68 36 04 00 00 push 436h
011C588A: 50 push eax
011C588B: E8 26 FF FF FF call 011C57B6
011C5890: 89 45 FC mov dword ptr [ebp-4],eax
011C5893: 6A FF push 0FFFFFFFFh
011C5895: 6A FF push 0FFFFFFFFh
011C5897: 68 B1 00 00 00 push 0B1h
011C589C: FF 75 FC push dword ptr [ebp-4]
011C589F: E8 12 FF FF FF call 011C57B6
011C58A4: 6A 00 push 0
011C58A6: 6A 00 push 0
011C58A8: 6A 0E push 0Eh
011C58AA: FF 75 FC push dword ptr [ebp-4]
011C58AD: E8 04 FF FF FF call 011C57B6
011C58B2: 0B C0 or eax,eax
011C58B4: 74 14 jz 011C58CA
011C58B6: 68 47 76 1C 01 push 11C7647h
011C58BB: 6A 00 push 0
011C58BD: 68 C2 00 00 00 push 0C2h
011C58C2: FF 75 FC push dword ptr [ebp-4]
011C58C5: E8 EC FE FF FF call 011C57B6
011C58CA: FF 75 08 push dword ptr [ebp+8]
011C58CD: 6A 00 push 0
011C58CF: 68 C2 00 00 00 push 0C2h
011C58D4: FF 75 FC push dword ptr [ebp-4]
011C58D7: E8 DA FE FF FF call 011C57B6
011C58DC: 6A 00 push 0
011C58DE: 6A 00 push 0
011C58E0: 68 B7 00 00 00 push 0B7h
011C58E5: FF 75 FC push dword ptr [ebp-4]
011C58E8: E8 C9 FE FF FF call 011C57B6
011C58ED: 61 popa
011C58EE: C9 leave
011C58EF: C2 04 00 retn 4
011C58F2: FF 25 8C 60 1C 01 jmp dword ptr ds:[011C608Ch]
011C58F8: FF 25 1C 61 1C 01 jmp dword ptr ds:[011C611Ch]
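The check the post describes (two functions after the import jump table that nothing in the program calls) can be automated over a listing in exactly the format shown above. The script below is an added example, not code from the thread or from Disassembler.exe; it assumes the listing format "address: bytes mnemonic operands", detects function starts with a simple prologue heuristic (push ebp; mov ebp,esp), treats "jmp dword ptr [...]" entries as the linker's import thunks, and reports every detected function that has no direct call or jump to it, plus where each direct call goes. The embedded sample is a constructed excerpt of the listing in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the listing posted above (import thunks,
# the prologues/epilogues of the two unexplained functions and a few calls).
SAMPLE_LISTING = """
011C580A: FF 25 20 60 1C 01 jmp dword ptr ds:[011C6020h]
011C5810: FF 25 18 60 1C 01 jmp dword ptr ds:[011C6018h]
011C5822: CC int 3
011C5823: CC int 3
011C5824: 55 push ebp
011C5825: 8B EC mov ebp,esp
011C5827: 60 pushad
011C5847: 79 EE jns 011C5837
011C5849: 61 popa
011C584A: C9 leave
011C584B: C2 08 00 retn 8
011C584E: 55 push ebp
011C584F: 8B EC mov ebp,esp
011C585C: E8 97 00 00 00 call 011C58F8
011C588B: E8 26 FF FF FF call 011C57B6
011C58ED: 61 popa
011C58EE: C9 leave
011C58EF: C2 04 00 retn 4
011C58F2: FF 25 8C 60 1C 01 jmp dword ptr ds:[011C608Ch]
011C58F8: FF 25 1C 61 1C 01 jmp dword ptr ds:[011C611Ch]
"""

# One listing line: 8-digit address, colon, uppercase hex bytes, lowercase mnemonic, operands.
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8}):\s+(?P<bytes>(?:[0-9A-F]{2}\s)+)(?P<mn>[a-z]+)(?:\s+(?P<ops>\S.*))?$"
)
ABS_TARGET_RE = re.compile(r"[0-9A-F]{8}")


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operands: str


def parse_listing(text: str) -> list:
    """Turn listing lines into Insn records; lines that do not match are ignored."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append(Insn(int(m["addr"], 16), m["mn"], m["ops"] or ""))
    return insns


def function_starts(insns: list) -> list:
    """Heuristic: a function begins at 'push ebp' immediately followed by 'mov ebp,esp'."""
    starts = []
    for cur, nxt in zip(insns, insns[1:]):
        if (cur.mnemonic, cur.operands) == ("push", "ebp") and \
                nxt.mnemonic == "mov" and nxt.operands.replace(" ", "") == "ebp,esp":
            starts.append(cur.addr)
    return starts


def import_thunks(insns: list) -> set:
    """'jmp dword ptr [...]' entries are the import jump table the linker emits."""
    return {i.addr for i in insns if i.mnemonic == "jmp" and i.operands.startswith("dword ptr")}


def direct_branch_targets(insns: list) -> dict:
    """Map every absolute call/jump target to the addresses that reference it."""
    refs = {}
    for i in insns:
        if (i.mnemonic == "call" or i.mnemonic.startswith("j")) and ABS_TARGET_RE.fullmatch(i.operands):
            refs.setdefault(int(i.operands, 16), []).append(i.addr)
    return refs


def unreferenced_functions(text: str) -> list:
    """Functions (by prologue) that no call or jump in the listing points at."""
    insns = parse_listing(text)
    refs = direct_branch_targets(insns)
    return [f for f in function_starts(insns) if f not in refs]


def classify_calls(text: str) -> list:
    """Tag each direct call as going to an import thunk, to code in the listing, or outside it."""
    insns = parse_listing(text)
    thunks = import_thunks(insns)
    known = {i.addr for i in insns}
    result = []
    for i in insns:
        if i.mnemonic == "call" and ABS_TARGET_RE.fullmatch(i.operands):
            target = int(i.operands, 16)
            kind = "import thunk" if target in thunks else "local" if target in known else "outside listing"
            result.append((i.addr, target, kind))
    return result


if __name__ == "__main__":
    for f in unreferenced_functions(SAMPLE_LISTING):
        print(f"function at {f:08X} has no direct caller in the listing")
    for src, dst, kind in classify_calls(SAMPLE_LISTING):
        print(f"{src:08X} -> {dst:08X}: {kind}")
```

On the excerpt both functions (011C5824 and 011C584E) come out as unreferenced, and the call at 011C585C resolves to the thunk at 011C58F8, which is the pattern a linked-in library routine calling an imported API leaves behind. A function that is never called directly may still be reached through a pointer or from code outside the listing, so the result is a lead to follow, not proof on its own.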




jj2007

Could be injected; this code is not present in your latest exe. Can you post the version where you found this, please?

minor28


jj2007

Mystery solved: push offset 00237644               ; |ClassName = "RadASM30Class"

minor28

I do not understand. Please explain. Why suddenly change from 400000h as ImageBase? Dumpbin.exe uses 400000h and also the additional functions at the end. And what about RadASM30Class?

jj2007

ImageBase depends on linker settings. To discourage virus writers who assume certain fixed addresses, Windows introduced randomly assigned ImageBases years ago.

Re RadASM30Class, apparently you are using RadAsm, and it seems that some extra code is being added by the IDE. Searching through your sources, I only found this, though:

RegisterDecod mov wc.lpszClassName,offset szClassName/invoke RegisterClassEx,addr wc

DlgProc invoke CreateWindowEx,0,offset szClassName,0,/WS_CHILD or WS_VISIBLE or SS_LEFT or SS_WHIT
Disassembler.inc szClassName db "DecodeWindowClass",0


I am not a RadAsm user, so I can't help you here...
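Whether the loader is allowed to move an image away from the ImageBase in its header is decided by two header fields: the DYNAMIC_BASE bit in the optional header's DllCharacteristics (set by the linker's /DYNAMICBASE option) and the RELOCS_STRIPPED bit in the COFF characteristics. An image that shows up at 011C0000 in a debugger while its header says 400000h is, by definition, relocatable. The script below is an added example, not code from this thread; it reads those fields from a PE file and builds a constructed header-only PE32 image so it can be run offline. Field offsets follow the PE format; the verdict strings are my own wording.

```python
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001            # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # optional header DllCharacteristics bit (ASLR)


def build_sample_pe(image_base: int, dynamic_base: bool, relocs_stripped: bool = False) -> bytes:
    """Constructed, header-only PE32 image (no sections) used only for demonstration."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: NT headers follow the DOS header
    characteristics = 0x0102                                   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    if relocs_stripped:
        characteristics |= IMAGE_FILE_RELOCS_STRIPPED
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)  # i386, no sections
    opt = bytearray(224)                                       # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)                # ImageBase
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def read_base_info(data: bytes) -> dict:
    """Extract ImageBase and the two flags that govern relocation from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                         # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                       # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    return {
        "machine": machine,
        "image_base": image_base,
        "dynamic_base": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
    }


def relocation_verdict(info: dict) -> str:
    """Plain-language summary of where the loader may place the image."""
    if info["relocs_stripped"]:
        return "fixed: relocations stripped, the image can only run at its ImageBase"
    if info["dynamic_base"]:
        return "relocatable: DYNAMIC_BASE set, the loader may pick a randomised base"
    return "fixed by preference: loads at ImageBase unless that range is already occupied"


if __name__ == "__main__":
    # Pass real .exe paths on the command line; with none, inspect the constructed samples.
    samples = {path: open(path, "rb").read() for path in sys.argv[1:]} or {
        "classic masm32 build (constructed)": build_sample_pe(0x400000, dynamic_base=False),
        "/DYNAMICBASE build (constructed)": build_sample_pe(0x400000, dynamic_base=True),
    }
    for name, data in samples.items():
        info = read_base_info(data)
        print(f"{name}: ImageBase={info['image_base']:#x}, {relocation_verdict(info)}")
```

Point the script at the old and the new Disassembler.exe to see which flag differs between them; the addresses printed by a debugger or by a disassembler running over the loaded process will only match the header's 400000h when the verdict is one of the "fixed" cases.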

fearless

Looks like an edit or hex control from RadASM? Or a debug output window?

0095581B | 68 44 76 95 00           | push    disassembler.957644                     | LPCTSTR lpClassName = "RadASM30Class"
00955820 | E8 97 00 00 00           | call    <JMP.&FindWindowA>                      | FindWindowA
00955825 | 0B C0                    | or      eax, eax                                |
00955827 | 75 18                    | jne     disassembler.955841                     |
00955829 | 6A 01                    | push    1                                       | int uCmdShow = SW_SHOWNORMAL
0095582B | 68 52 76 95 00           | push    disassembler.957652                     | LPCSTR lpCmdLine = "\\RadASM30\\RadASM.exe"
00955830 | E8 81 00 00 00           | call    <JMP.&WinExec>                          | WinExec
00955835 | 6A 00                    | push    0                                       | LPCTSTR lpWindowName = NULL
00955837 | 68 44 76 95 00           | push    disassembler.957644                     | LPCTSTR lpClassName = "RadASM30Class"
0095583C | E8 7B 00 00 00           | call    <JMP.&FindWindowA>                      | FindWindowA
00955841 | 0B C0                    | or      eax, eax                                |
00955843 | 74 6C                    | je      disassembler.9558B1                     |
00955845 | 6A 01                    | push    1                                       | LONG_PTR lParam = 1
00955847 | 6A 00                    | push    0                                       | UINT_PTR wParam = NULL
00955849 | 68 36 04 00 00           | push    436                                     | UINT Msg = WM_USER+54
0095584E | 50                       | push    eax                                     | HANDLE hWnd
0095584F | E8 20 FF FF FF           | call    <JMP.&SendMessageA>                     | SendMessageA
00955854 | 89 45 FC                 | mov     dword ptr ss:[ebp - 4], eax             |
00955857 | 6A FF                    | push    FFFFFFFF                                | LONG_PTR lParam = -1
00955859 | 6A FF                    | push    FFFFFFFF                                | UINT_PTR wParam = -1
0095585B | 68 B1 00 00 00           | push    B1                                      | UINT Msg = EM_SETSEL
00955860 | FF 75 FC                 | push    dword ptr ss:[ebp - 4]                  | HANDLE hWnd
00955863 | E8 0C FF FF FF           | call    <JMP.&SendMessageA>                     | SendMessageA
00955868 | 6A 00                    | push    0                                       | LONG_PTR lParam = NULL
0095586A | 6A 00                    | push    0                                       | UINT_PTR wParam = NULL
0095586C | 6A 0E                    | push    E                                       | UINT Msg = WM_GETTEXTLENGTH
0095586E | FF 75 FC                 | push    dword ptr ss:[ebp - 4]                  | HANDLE hWnd
00955871 | E8 FE FE FF FF           | call    <JMP.&SendMessageA>                     | SendMessageA
00955876 | 0B C0                    | or      eax, eax                                |
00955878 | 74 14                    | je      disassembler.95588E                     |
0095587A | 68 67 76 95 00           | push    disassembler.957667                     | LONG_PTR lParam = "\r\n"
0095587F | 6A 00                    | push    0                                       | UINT_PTR wParam = NULL
00955881 | 68 C2 00 00 00           | push    C2                                      | UINT Msg = EM_REPLACESEL
00955886 | FF 75 FC                 | push    dword ptr ss:[ebp - 4]                  | HANDLE hWnd
00955889 | E8 E6 FE FF FF           | call    <JMP.&SendMessageA>                     | SendMessageA
0095588E | FF 75 08                 | push    dword ptr ss:[ebp + 8]                  | LONG_PTR lParam
00955891 | 6A 00                    | push    0                                       | UINT_PTR wParam = NULL
00955893 | 68 C2 00 00 00           | push    C2                                      | UINT Msg = EM_REPLACESEL
00955898 | FF 75 FC                 | push    dword ptr ss:[ebp - 4]                  | HANDLE hWnd
0095589B | E8 D4 FE FF FF           | call    <JMP.&SendMessageA>                     | SendMessageA
009558A0 | 6A 00                    | push    0                                       | LONG_PTR lParam = NULL
009558A2 | 6A 00                    | push    0                                       | UINT_PTR wParam = NULL
009558A4 | 68 B7 00 00 00           | push    B7                                      | UINT Msg = EM_SCROLLCARET
009558A9 | FF 75 FC                 | push    dword ptr ss:[ebp - 4]                  | HANDLE hWnd
009558AC | E8 C3 FE FF FF           | call    <JMP.&SendMessageA>                     | SendMessageA

minor28

Yes, I found it. I used debug.inc and debug.lib to print some values. I commented out these files and the additional code disappeared as well as "RadASM30Class" and path to RadAsm.

Mystery solved. Thank you.