Heaventools


I have been using PE Explorer for a while, and am very impressed with the latest version's functions, especially the PE Explorer Disassembler.

Conrad Herrmann,
Zone Labs, Inc.

Among the products I tried (editors, dll showers, hex editors, disassemblers etc.) it is one of the best because without any long studies and a little skill and patience you are able to begin to understand the way a program works and how (and it was for me the most important).

Xavier B.

One of the reasons that I bought PE Explorer was the Disassembler. Good stuff. The other reason is the GUI — it is really useful when trying to get an overview over a given PE file.

Gerald Beuchelt,
Sun Microsystems, Inc.


PE Explorer: Win32 Disassembler

The PE Explorer disassembler is designed to be easy to use compared with other disassemblers. To that end, some of the functionality found in other products has been left out in order to keep the process simple, fast and easy to use.

The disassembler (Ctrl + M, or Tools | Disassembler) opens in its own window on top of the main interface, which you can switch back to at any time.

The PE Explorer disassembler assumes that some manual editing of the reproduced code will be needed. To facilitate additional hand coding, however, the disassembler utilizes a qualitative algorithm designed to reconstruct the assembly language source code of target files with the highest degree of accuracy possible. While as powerful as the more expensive, dedicated disassemblers, PE Explorer focuses on ease of use, clarity and navigation. We just made a good disassembler at a reasonable price. It will save you hours of time and it's easy to use!

The Disassembler opens a second window. Before the disassembly process the Options window displays the following options:

Options window

The disassembler options (View | Disassembler Options) provide a list of instruction sets to disassemble for. The Auto Rescan option (checked by default) and the Auto Rescan count value are fine at their defaults, but complicated binaries may require more passes. The number of opcodes displayed per line can also be set to a default value here.

Once you press Start Now, the disassembly process begins by identifying the compiler used to build the target file. Prior knowledge of how a compiler lays out files improves the guesswork involved in determining the data allocation patterns within the target file. Moreover, given this information, most of the objects, procedures, variables, types etc. of the target file can be identified with a very high degree of accuracy.

Only various Borland compilers are currently identified. The disassembler will disassemble files built with other compilers too; at this time, however, it will only display specifically identified internal items for files compiled with Borland/CodeGear compilers. During the disassembly process the Processing Info window displays the following information:

Processing Info window

Disassembling files larger than 1 Mb in size can take several minutes depending on the capabilities of your system. Generally, each byte of a target file requires 40 bytes of memory for processing. For example, a 1 Mb file would require 40 Mb of processing memory, a 2 Mb file — 80 Mb and so on.

The Disassembler window appears when the disassembly process finishes. The main disassembly view is towards the top-left. A nice feature in this view is the provision for an immediate adjustment of the space between each assembly line (Ins and Del) and the number of opcodes per line (Shift + Ins and Shift + Del).

The main Disassembler window

After all processing has been completed, the disassembler displays the resulting source code for the target file. This output can be manually edited or saved to disk for future reference.

Navigation is really simple. Branch destinations can be followed by selecting the relevant line and pressing Enter. For instructions whose second operand is a destination address, press Ctrl + Enter. Esc returns to the previous address, and to jump to a particular address you press Ctrl + G and type the address in hexadecimal.

The references to a subroutine can be listed in a pop-up window by selecting the starting address of the procedure and pressing R (Search | References). The list can then be traversed by double-clicking on each listed address.

The Name List to the right lists the addresses labeled by the disassembler (including conditional and unconditional branch destinations, function prologues, named data, and string references), with the entry point clearly indicated. Labels can be renamed by pressing N (Edit | Rename Label).

The lower left tabs View 1, View 2, View 3, and View 4 (F6, F7, F8, and F9) provide persistent disassembly views that are independent of the main view and are swappable.

The Strings tab provides a list of detected strings; you can further control string detection by using the toolbar, by using the menu items (Edit | Mark as String/Pascal String/Long Pascal String/Unicode), or by pressing S, A, L, or U respectively to activate each of them.

Code can be manually marked in the assembly listing by pressing C. Dwords and offsets can be marked by pressing D and O, respectively.

Comments can be entered by pressing ;.

The Unprocessed Data tab displays blocks of data that have no reference from any procedure.

Although the customized modeling performed by the PE Explorer Disassembler does increase processing time, the result is a dramatic reduction of incorrect opcode translations. We think you will agree that the extra time needed to achieve this high level of accuracy is justly compensated for by the time saved when hand correcting the output.

Known Limitations

At this time, the disassembly implementation does not produce source code that could be recompiled as is. File sections whose physical size is 0, or whose data lies beyond the physical size of the section (in the part of the virtual size that has no backing in the file), cannot be accurately translated. The disassembler marks these items [DB Count DUP (??)] and does not place labels inside these areas. These kinds of sections arise because programmers often request memory and then fail to manage it properly, relying entirely on the operating system or the compiler to release the memory resources. For example (in Pascal):

Var MyData: Array [WORD] of Byte;

In this case, the space for storing the variable MyData is not physically allocated in the data section; instead, the virtual size of the data section containing it is increased by a WORD value. Variables declared in this fashion can thus cost megabytes of virtual space in the containing data section.

At present, due to the design of the internal data structures in PE Explorer and for the reasons cited above, such memory allocations are excluded from disassembly. Otherwise, the memory required to process target files could grow astronomically. Currently, each byte of incoming data requires 30-40 bytes of memory to process.
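As an added example (not PE Explorer's own code), the following Python check reads the section table of a PE image and reports, per section, how many bytes are virtual-only, that is, beyond the physical (file-backed) size. This is exactly the region the disassembler renders as DB Count DUP (??) and leaves unlabeled. The sample image is constructed inline: its .data section carries a 64 KB gap standing in for the Array [WORD] of Byte case above, and its .bss section has a physical size of 0.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def section_headers(data):
    """Parse the section table of a PE image into a list of dicts."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # COFF header follows the signature; we need NumberOfSections and SizeOfOptionalHeader
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        out.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": f[1], "va": f[2], "rawsize": f[3], "rawptr": f[4]})
    return out


def virtual_only_bytes(sec):
    """Bytes of a section that exist only in memory, with no file backing.
    The disassembler marks this range as DB Count DUP (??) and does not label it."""
    return max(sec["vsize"] - sec["rawsize"], 0)


def find_virtual_only(data):
    """(name, physical size, virtual size, virtual-only bytes) for affected sections."""
    return [(s["name"], s["rawsize"], s["vsize"], virtual_only_bytes(s))
            for s in section_headers(data) if virtual_only_bytes(s) > 0]


def build_sample():
    """Constructed PE header (assumption: no real file): .text fully file-backed,
    .data with 0x200 initialised bytes plus a 64 KB uninitialised array, .bss empty."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    opt = bytes(0xE0)                                 # zeroed optional header
    secs = [(b".text", 0x1000, 0x1000, 0x1000, 0x400),
            (b".data", 0x10200, 0x2000, 0x200, 0x1400),
            (b".bss", 0x4000, 0x13000, 0, 0)]
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, 0xC0000040)
                     for n, vs, va, rs, rp in secs)
    return bytes(dos) + b"PE\0\0" + coff + opt + table
```

Run `find_virtual_only(open(path, "rb").read())` on a real image to see which sections the disassembler will skip; the gap sizes also explain why processing memory scales with file bytes rather than virtual size.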
