Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NASHTA fails disassembly #69

Open
gogo2464 opened this issue Oct 3, 2023 · 12 comments
Open

NASHTA fails disassembly #69

gogo2464 opened this issue Oct 3, 2023 · 12 comments
Assignees
@aeflores

Comments

@gogo2464
Copy link
Contributor

gogo2464 commented Oct 3, 2023
edited
Loading

nashta.zip
Please provide as much of the following information as possible:

  • I have deleted the ddisasm VM that I Used to disassemble and then I lost the version.
  • How can we reproduce? Please paste the command line used to invoke ddisasm and any other relevant information.

I had to patch the disassembled asm to remove section permissions in order to avoid compilator error. I also change the INCLUDELIB keyword arguments. Then, on this file, I did:

PS C:\msys64\home\vboxuser\tmp> \masm32\bin\ml.exe /c /coff /nologo .\29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a.asm
 Assembling: .\29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a.asm

PS C:\\msys64\\home\\vboxuser\\tmp> .\\Golink\\GoLink.exe .\\29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a.obj -Fo out /entry:\_EntryPoint /console C:\\Windows\\system32\\kernel32.dll C:\\Windows\\system32\\user32.dll C:\\Windows\\system32\\shell32.dll C:\\Windows\\system32\\gdi32.dll C:\\Windows\\system32\\advapi32.dll C:\\Windows\\system32\\oleaut32.dll C:\\Windows\\system32\\advapi32.dll C:\\Windows\\System32\\KernelBase.dll /mix

GoLink.Exe Version 1.0.4.4  Copyright Jeremy Gordon 2002-2023   info@goprog.com

Error!
The following symbols were not defined in the object file or files:-
FreeLibrary\_disambig\_0\_1
FreeLibrary\_disambig\_0\_1
GetCommandLineA\_disambig\_0\_1
GetCommandLineA\_disambig\_0\_1
LocalAlloc\_disambig\_0\_1
LocalAlloc\_disambig\_0\_1
RegCloseKey\_disambig\_0\_1
RegCloseKey\_disambig\_0\_1
RegOpenKeyExA\_disambig\_0\_1
RegOpenKeyExA\_disambig\_0\_1
WriteFile\_disambig\_0\_1
WriteFile\_disambig\_0\_1
ImageBase
Output file not made
  • what went wrong:
    I can not recompile the new disassembled file due to the previous error.

I have not sent the nashta malware in order to avoid to infect people by accident. I let the hash in the name instead. Could you ask me in person in order to disassemble it if you do not found it please?
@aeflores
Copy link
Collaborator

aeflores commented Oct 5, 2023

I think I see what might be happening here.
For some reason there are 2 copies of those symbols e.g. RegOpenKeyExA. To avoid ambiguity, gtirb-pprinter renames the symbols by adding a suffix _disambig_0_1 but if those symbols are external, they should not be renamed.
This should be fixed in the pprinter.

@aeflores aeflores transferred this issue from GrammaTech/ddisasm Oct 5, 2023
@gogo2464
Copy link
Contributor Author

gogo2464 commented Oct 6, 2023

I got the assembly with a command similar to ddisasm --asm out.sam in.exe.

Are you sure the bug is in gtirb-pprinter and not from ddisasm? Ddisasm could rely on gtirb-pprinter after all.

@gogo2464
Copy link
Contributor Author

gogo2464 commented Oct 6, 2023

Will somebody fix it or should I open a PR please?

@gogo2464
Copy link
Contributor Author

gogo2464 commented Oct 6, 2023

on the same binary I also have ImageBase not defined from object file.

I would like to edit:

EXTERN ___ImageBase:BYTE

because it is the only moment where ImageBase is present in the text file.

@aeflores If you think this is not related to ddiszasm / gtirb dev, could you send me an email please?

@aeflores
Copy link
Collaborator

aeflores commented Oct 6, 2023

Ddisasm uses gtirb-pprinter as a library to generate assembly, so yeah this is a pprinter issue.
I can look into it.

Regarding ImageBase, I think we define this as an external symbol so it can be defined by the linker when reassembling.

@gogo2464
Copy link
Contributor Author

gogo2464 commented Oct 6, 2023

Should I set ImageBase from compile command option like /imageBase, remove the variable or something in order to fix it please?

@gogo2464
Copy link
Contributor Author

gogo2464 commented Oct 6, 2023
edited
Loading

If I set /base 50000 then could I remove the linked variable please?

/base 50000 remains the undefined symbal ImageBase.

@aeflores aeflores transferred this issue from GrammaTech/gtirb-pprinter Oct 11, 2023
@aeflores
Copy link
Collaborator

The commit f6bea62 fixed the undefined externs (imports).

I checked that the resulting assembly successfully reassembles, the ___ImageBase symbol is not a problem. You might want to run ddisasm with the --generate-import-libs option to generate .def and .lib files of the dependencies, or reassemble with gtirb-pprinter's --binary option.

@gogo2464
Copy link
Contributor Author

great! I will test this week.

@gogo2464
Copy link
Contributor Author

I am confused. could you provide the full command please?

@aeflores
Copy link
Collaborator

It has been a while, but the following should work

ddisasm 29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a --ir nashta.gtirb
gtirb-pprinter nashta.gtirb -b nashta.rewritten

@aeflores aeflores reopened this Jan 31, 2024
@gogo2464
Copy link
Contributor Author

gogo2464 commented Feb 1, 2024

should it work with --asm option as well please?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aeflores aeflores

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aeflores @gogo2464