Reputation: 51094
I'm busy following a tutorial where the author uses DUMPBIN to list exports, and OllyDbg to get the assembly code for an exported function. How would I find the function's code in the complete disassembly, given that the export table's RVAs don't correspond to real addresses in the disassembly?
Upvotes: 5
Views: 5669
Reputation: 563
If using radare2, you can use the -AA flag to analyze the functions in a binary (maybe), then use the afl command to list all functions. For example:
% r2 -AA hello
[Cannot analyze at 0x00400420g with sym. and entry0 (aa)
[x] Analyze all flags starting with sym. and entry0 (aa)
[Cannot analyze at 0x00400420ac)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Finding function preludes
[x] Enable constraint types analysis for variables
-- Greetings, human.
[0x00400430]> afl
0x00400430 1 41 entry0
0x00400410 1 6 sym.imp.__libc_start_main
0x00400460 4 50 -> 41 sym.deregister_tm_clones
0x004004a0 4 58 -> 55 sym.register_tm_clones
0x004004e0 3 28 entry.fini0
0x00400500 4 38 -> 35 entry.init0
0x004005b0 1 2 sym.__libc_csu_fini
0x004005b4 1 9 sym._fini
0x00400540 4 101 sym.__libc_csu_init
0x00400526 1 21 main
0x00400400 1 6 sym.imp.puts
0x004003c8 3 26 sym._init
[0x00400430]>
Windows version for radare2 -> Cutter
Upvotes: 1
Reputation: 5379
An RVA is a relocatable virtual address. To find the real address in the process space you need to know the base address where the module was loaded in the process. Add that base address to the RVA and you have the real address. I haven't used OllyDbg, but I'd be astounded if it didn't supply the base address for the modules loaded in the process to which it was attached. If for some reason it doesn't supply that info, you can get it by using procexp.exe from the Sysinternals tools.
Upvotes: 4
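A worked version of that arithmetic, added here as an example and not part of the answer above. The section table, export RVA and base addresses are constructed values; it also covers the static-disassembly case, where an RVA has to be mapped through the section table to a file offset rather than added to a load base.

```python
"""Map PE export RVAs to debugger addresses and to on-disk file offsets.

Added example. The section table and all addresses below are constructed;
in practice they come from `dumpbin /headers` and the debugger's module list.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int  # RVA at which the section is mapped
    virtual_size: int     # size in memory
    raw_pointer: int      # PointerToRawData: where the bytes sit in the file
    raw_size: int         # SizeOfRawData: how many of them are file-backed


# Constructed sample section table resembling a small DLL.
SECTIONS: List[Section] = [
    Section(".text",  0x1000, 0x0580, 0x0400, 0x0600),
    Section(".rdata", 0x2000, 0x0320, 0x0A00, 0x0400),
    Section(".data",  0x3000, 0x0400, 0x0E00, 0x0100),  # has an unbacked tail
]


def rva_to_va(rva: int, load_base: int) -> int:
    """Address the debugger shows: actual load base + RVA.

    Use the base the debugger reports for the module, not the ImageBase
    field from the header: the loader may have relocated the module."""
    return load_base + rva


def va_to_rva(va: int, load_base: int) -> int:
    """Reverse direction: an address seen in the debugger back to an RVA."""
    return va - load_base


def rva_to_file_offset(rva: int, sections: List[Section] = SECTIONS) -> Optional[int]:
    """File offset of the bytes behind `rva`, for a disassembly of the file
    on disk. None if no section contains the RVA, or if it falls in the part
    of a section that has no bytes in the file (e.g. zero-initialised data)."""
    for s in sections:
        extent = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + extent:
            delta = rva - s.virtual_address
            return s.raw_pointer + delta if delta < s.raw_size else None
    return None


if __name__ == "__main__":
    export_rva = 0x1234                      # constructed `dumpbin /exports` value
    print(hex(rva_to_va(export_rva, 0x10000000)))  # header ImageBase: 0x10001234
    print(hex(rva_to_va(export_rva, 0x6B2C0000)))  # relocated module: 0x6b2c1234
    print(hex(rva_to_file_offset(export_rva)))      # on-disk offset: 0x634
```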
Reputation: 9631
A pretty good indicator for a function, at least for programs written in high-level languages, is code that sets up a stack frame.
If you know the compiler that was used to generate the code in question, you should be able to find out what to look for.
Example
$ cat main.c
int main(int argc, char **argv) {
    return 1;
}
$ gcc -m32 -S main.c
$ cat main.s
        .file   "main.c"
        .text
.globl main
        .type   main, @function
main:
        leal    4(%esp), %ecx
        andl    $-16, %esp
        pushl   -4(%ecx)
        pushl   %ebp
        movl    %esp, %ebp
        pushl   %ecx
        movl    $1, %eax
        popl    %ecx
        popl    %ebp
        leal    -4(%ecx), %esp
        ret
        .size   main, .-main
        .ident  "GCC: (Debian 4.3.3-4) 4.3.3"
        .section        .note.GNU-stack,"",@progbits
In my example, the movl %esp, %ebp instruction is the last instruction of that setup code.
The commercial disassembler IDA Pro, for which a free-as-in-beer version is available for download, does a pretty good job of automatically finding functions.
Upvotes: 4