"Smart disassemblers"

Arta · March 31, 2006, 08:30 AM

This topic is intended only for people who have experience using disassemblers/debuggers.

What do you wish your decompiler could do that it doesn't? Do you often find yourself doing any kind of analysis that is routine, and that could perhaps be automated? What kind of information about disassembled code might you find useful that your disassembler doesn't currently provide?

What's your 'wish list' for a disassembler?

Don't feel the need to limit your answers to computationally feasible things. Do limit them, however, to the plausible

rabbit · March 31, 2006, 08:44 AM

Are you asking for ideas or something?

Anyway, I wish for a compiler that can unpack packed executables for me, so that I don't need to go and do it myself.

Arta · March 31, 2006, 08:51 AM

Yes ideas. Ideas, not really features -- ideas for doing anaysis that people usually do.

Darawk · March 31, 2006, 04:52 PM

Hmm...maybe some kind of signature library of some of the more obscure compiler optimizations/features. Especially those that involve doing conditional branching based on floating point comparisons...I *always* have to take like 20 minutes to figure out what is actually going on there. So, it would just basically try to identify these code sequences, and auto-comment them or something.

Better handling of "this" pointers. I've yet to see any disassemblers that can really properly handle OOP. There's still lots of relatively tedious work that could be alleviated in this area.

STL signatures.

I'll add more if I think of anything else...

topaz · March 31, 2006, 07:10 PM

Quote from: rabbit on March 31, 2006, 08:44 AM
Are you asking for ideas or something?

Anyway, I wish for a compiler that can unpack packed executables for me, so that I don't need to go and do it myself.

If your preferred decompiler supports plugins, you could probably automate it if the packer library is open source.

tA-Kane · April 02, 2006, 01:40 AM

I use IDA 4.8. It frequently fucks up the virtual tables so that not only do you not get function pointers, but also not not get function names. Instead, all you get is an array of byte values and locations that reference the vtable, like so:
http://www.n00bstories.com/image.view.php?id=1324193953

To fix, I select the first byte of the vtable, push 'D' twice to change the type to a DWORD, then push 'O' to force the type to an offset (can't just push 'O', otherwise it turns it into a byte-sized offset rather than a DWORD-sized offset... wtf?). Then I push keypad * to create an array. IDA's default is:
http://www.n00bstories.com/image.view.php?id=1310415123

But, I like my vtable listings a certain way, which is 1 item per line and not to use the "dup" construct/operator, like so:
http://www.n00bstories.com/image.view.php?id=1332870012

And the end result:
http://www.n00bstories.com/image.view.php?id=1274159765

I don't know about you, but to me that looks a lot more pleasing to the eye. I looked briefly through IDA's options, but I did not see anything pertaining to setting the default values for the array creation dialog. Nor did I see any options for setting the default way to disassemble vtables. Although, now that I think about it, I suppose this is more of a quirk with IDA rather than some generic feature. It would save a lot of time though, especially when you're looking at projects that have literally thousands of vtables (took me a day and a half just to get them formatted the way I like).

tA-Kane · April 19, 2006, 10:24 AM

Quote from: Arta[vL] on March 31, 2006, 08:30 AMWhat do you wish your decompiler could do that it doesn't?
...
What's your 'wish list' for a disassembler?

Something else that would be very nice would be a group-friendly disassembler. For example, with IDA, it saves everything to a database. But, if you want others to help you dissassemble the same program, they save to their own databases. So you end up either with different incomplete databases, or a single database but waiting on the other people to finish their work (which could take a long time, mind you). It would be nice if there a disassembler that could support, for example, CVS-like features. Although, since CVS is mostly text-based, it would probably be unfeasable for disassembly databases -- as far as I know, IDA's databases are stored in binary, and I've seen databases that are so large, they would not fit on a single CD.