What's wrong with w32Dasm_2002828_pll621
 

WIN2000 with sp3 and use w32Dasm_2002828_pll621.exe
I saved unASM file to disk, when I open it again,some codes were changed:

-------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0079FF1B(C)
|
:0079FF22 8D4C2408 lea ecx, dword ptr [esp+08]
:0079FF26 8BD7 mov edx, edi
:0079FF28 8BC6 mov eax, esi
:0079FF2A E80DF7C6FF call 0040F63C
:0079FF2F FF74240C push [esp+0C]
:0079FF33 FF74240C push [esp+0C]
:0079FF37 8B433C mov eax, dword ptr [ebx+3C]
:0079FF3A 50 push eax
:0079FF3B 8D44241C lea eax, dword ptr [esp+1C]
:0079FF3F 50 push eax
:0079FF40 8B4B38 mov ecx, dword ptr [ebx+38]
:0079FF43 33D2 xor edx, edx
:0079FF45 33C0 xor eax, eax
:0079FF47 E808F7C6FF call 0040F654
:0079FF4C 8D442418 lea eax, dword ptr [esp+18]
:0079FF50 50 push eax

-------------------------------Saved then Opened--------
U)nconditional or (C)onditional Jump at Address:
|:0079FF1B(

|
:0079FF22 8D4C2408 lea ecx
dword ptr [esp+08]
:0079FF26 8BD7
mov edx, edi
:0079FF28 8BC6
mov eax, esi
:0079FF2A E80DF7C6FF
call 0040F63C
:0079FF2F FF74240C
push [esp+0C]
:0079FF33 FF74240C push [es
0C]
:0079FF37 8B433C mov
ax, dword ptr [ebx+3C]
:0079FF3A 50 pus
eax
:0079FF3B 8D44241C lea
ax, dword ptr [esp+1C]
:0079FF3F 50 pus
eax
:0079FF40 8B4B38 mov ecx
dword ptr [ebx+38]
:0079FF43 33D2
xor edx, edx
:0079FF45 33C0
xor eax, eax
:0079FF47 E808F7C6FF call 004
654
:0079FF4C 8D442418 lea

, dword ptr [esp+18]
:0079FF50 50
push eax

w32Dasm is out of date, its development has stopped years ago. If you want propper disassembler use IDA Pro.

Tom

For large file IDA too slow ,
unasm a 5MB-size file needs 5hours,@@@

Longest I've seen here is about 5 minutes for a 10mb file. Are you using a 486 or something?

IDA is too superior.... However, you can try PVDasm... It is supported and free.

Byyeyeyzz

Polaris

MEM=256MB,CPU=PIII 800 , HD=40Gb/7000 SYS=WIN2000 SP3 ,

test.exe (DELPHI) 5.70 MB (5,987,328 BYTE)
use IDA4.5.1.770
time used :almost 5 hours.
My God !

For Delphi generated apps, I use PE Explore.

It has a lot of the same key sequences as IDA, and it seems to understand Delphis qwirks better than anything else.

It's REALLY fast, and it's available here, so I'd give it a look. It even has a built in resource editor.

It's not PERFECT, but if it had three bug fixes and a MAP exporter to Olly, I'd probably buy the thing. (It's amazing how many Borland targets there are out there).

I should mention that OllyDbg also understands Borland stuff OK. It's not PE Explore, but then again, it can debug while PE Explore can't.

Although I would NEVER use anything than my IDA, for delphi written apps I would use old good Dede from Dafixer... Really better than PE Explorer ;)

HA HA. Good old IDA Pro! It uses inefficient algorithms so some programs take hours to analyze. I once disassembled a VB app that took more than 24 hours to analyze and I have a VERY fast computer. Things that will make IDA slow is having lots of obfuscated code with jumps or lots of variables in a function.

I prefer good to fast. IDA Pro is not a tool I would use for VB and AFAIK it was not designed for VB.

Tom

IDA was designed to disassemble programs. Doesn't matter what language the program was written in.

w32Dasm can't instead, I like its speed and references of CALLs /Jumps ,so conveniency.

Wrong. There is a difference between compiler and interpreter. FLIRT signatures in IDA are mostly for C libraryes of various compilers.

Tom

1. VB can be compiled into native code.
2. You can make your own FLIRT sigs.
3. You can program your own p-code disassembler for IDA

So you're wrong.:D

> 2. You can make your own FLIRT sigs.

h**p://www.datarescue.com/ubb/ultimatebb.php?ubb=get_topic;f=1;t=000296

> 3. You can program your own p-code disassembler for IDA

h**p://www.datarescue.com/ubb/ultimatebb.php?ubb=get_topic;f=1;t=000406

> So you're wrong.:D

Not likely.

Tom

You can make FLIRT sigs for any compiled app. Since VB calls VB dlls, it doesn't contain any VB libs in the main app. That's why they say it doesn't make any sense to do that for VB apps. If you have reversed a VB app, or any other app for that matter, and want to continue with the latest version, FLIRT sigs are valuable because you can take the FLIRT sigs from the older version and apply them to the latest version. Most of the funcs are unchanged so they have the same FLIRT sigs.

And as for your link to support your claim that one can't write a VB p-code disassembler in IDA is just plain silly. Ilfak says "As about P-code, its format and descriptions are not available, so IDA is not much of help for them. " Nowhere does it say you can't do it. In fact, people have written custom plugins for IDA to support various other processors not supported by IDA.

So again, you're wrong.

> You can make FLIRT sigs for any compiled app. Since VB calls VB dlls, it doesn't contain any VB libs in the main app

Maybe this would be a better idea:

h**p://www.sport-und-event.de/backtrace.de/idc/VB5060DLLcall.zip

> Nowhere does it say you can't do it

I have not seen such a plugin for VB. Have you?

Tom

Whether or not one exists is irrelevant. You said it couldn't be done. Clearly, it's possible because you can write a new processor module for IDA Pro if you have the IDA SDK.