NASHTA fails disassembly

[gogo2464]

nashta.zip
Please provide as much of the following information as possible:

• I have deleted the ddisasm VM that I Used to disassemble and then I lost the version.
• How can we reproduce? Please paste the command line used to invoke ddisasm and any other relevant information.

I had to patch the disassembled asm to remove section permissions in order to avoid compilator error. I also change the INCLUDELIB keyword arguments. Then, on this file, I did:

PS C:\msys64\home\vboxuser\tmp> \masm32\bin\ml.exe /c /coff /nologo .\29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a.asm
 Assembling: .\29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a.asm

PS C:\\msys64\\home\\vboxuser\\tmp> .\\Golink\\GoLink.exe .\\29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a.obj -Fo out /entry:\_EntryPoint /console C:\\Windows\\system32\\kernel32.dll C:\\Windows\\system32\\user32.dll C:\\Windows\\system32\\shell32.dll C:\\Windows\\system32\\gdi32.dll C:\\Windows\\system32\\advapi32.dll C:\\Windows\\system32\\oleaut32.dll C:\\Windows\\system32\\advapi32.dll C:\\Windows\\System32\\KernelBase.dll /mix

GoLink.Exe Version 1.0.4.4  Copyright Jeremy Gordon 2002-2023   info@goprog.com

Error!
The following symbols were not defined in the object file or files:-
FreeLibrary\_disambig\_0\_1
FreeLibrary\_disambig\_0\_1
GetCommandLineA\_disambig\_0\_1
GetCommandLineA\_disambig\_0\_1
LocalAlloc\_disambig\_0\_1
LocalAlloc\_disambig\_0\_1
RegCloseKey\_disambig\_0\_1
RegCloseKey\_disambig\_0\_1
RegOpenKeyExA\_disambig\_0\_1
RegOpenKeyExA\_disambig\_0\_1
WriteFile\_disambig\_0\_1
WriteFile\_disambig\_0\_1
ImageBase
Output file not made

• what went wrong:
  I can not recompile the new disassembled file due to the previous error.

I have not sent the nashta malware in order to avoid to infect people by accident. I let the hash in the name instead. Could you ask me in person in order to disassemble it if you do not found it please?

[aeflores]

I think I see what might be happening here.
For some reason there are 2 copies of those symbols e.g. RegOpenKeyExA. To avoid ambiguity, gtirb-pprinter renames the symbols by adding a suffix _disambig_0_1 but if those symbols are external, they should not be renamed.
This should be fixed in the pprinter.

[gogo2464]

I got the assembly with a command similar to ddisasm --asm out.sam in.exe.

Are you sure the bug is in gtirb-pprinter and not from ddisasm? Ddisasm could rely on gtirb-pprinter after all.

[gogo2464]

Will somebody fix it or should I open a PR please?

[gogo2464]

on the same binary I also have ImageBase not defined from object file.

I would like to edit:

EXTERN ___ImageBase:BYTE

because it is the only moment where ImageBase is present in the text file.

@aeflores If you think this is not related to ddiszasm / gtirb dev, could you send me an email please?

[aeflores]

Ddisasm uses gtirb-pprinter as a library to generate assembly, so yeah this is a pprinter issue.
I can look into it.

Regarding ImageBase, I think we define this as an external symbol so it can be defined by the linker when reassembling.

[gogo2464]

Should I set ImageBase from compile command option like /imageBase, remove the variable or something in order to fix it please?

[gogo2464]

If I set /base 50000 then could I remove the linked variable please?

/base 50000 remains the undefined symbal ImageBase.

[aeflores]

The commit f6bea62 fixed the undefined externs (imports).

I checked that the resulting assembly successfully reassembles, the ___ImageBase symbol is not a problem. You might want to run ddisasm with the --generate-import-libs option to generate .def and .lib files of the dependencies, or reassemble with gtirb-pprinter's --binary option.

[gogo2464]

great! I will test this week.

[gogo2464]

I am confused. could you provide the full command please?

[aeflores]

It has been a while, but the following should work

ddisasm 29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a --ir nashta.gtirb
gtirb-pprinter nashta.gtirb -b nashta.rewritten