Forcing the Disassembler Flags



After the Disassembler has produced a Source, you may find some wrong Interpretations. Most often, these are failures of the Automatic Recognition of what is Code and what is Data. The RosAsm Disassembler offers a bit of interactivity through the Forced Map File, which is saved after each Disassembly. When you see, in the Source, say:


Code040102E: E6:

    push ebp

    mov ebp esp


... if you double-Left-Click upon Code040102E, the Float Menu will come out with one more Option, saying [Bad Disassembly]. Selecting it opens a Dialog that can be used to force the Disassembly to your own interpretations, to some extent.


Note: This feature is new (V.2.022a). Do not expect miracles...


Limitation 1: Once you have Compiled a Disassembled File, you cannot Open it again and go on editing with the Forced Interpretations Dialog. To do so, you have to Open the original PE each time, and overwrite the Disassembled Source. So, it is useless to modify the disassembled Source by hand, as long as you mean to use this Dialog.


Limitation 2: To work with the Forced Map File, do not customize your Disassembled File Name: if you Disassemble, say, Application.exe, let it be the default MyApplication.exe. The Mechanism for assuming a new Name is not yet implemented, other than for the default.



The Map concept


The RosAsm Disassembler uses several Tables (Maps) that are the same size as the PE. Their Bytes are filled with Flags all along the Disassembly Process, depending on the various Recognition Methods. Each Byte in the PE has its counterparts in the Map Tables:


The Sections Map: Each identified Location (Byte) is Flagged as Code or Data, or Import, and so on (The Forced Interpretation Dialog shows only the Code and Data Flags).


The Routing Map: Each identified Location is Flagged as Node, Label, Evocated, Exported Node, and so on... (The Forced Interpretation Dialog shows only a simplified version of these Flags, which matches what the user can understand more closely than what the Disassembler really does).


The Size Map: Each Data Byte Location is flagged according to the Size of the Data. For example, if the Disassembled Code contains fld F$Address, this Address will be flagged FP4.



Forcing the Sections Map


This forced Interpretation, to Code or Data, works in all cases. Notice that you should use this feature one Location at a time: once you have forced a given Location to be interpreted your way, the forced Recognition may have cascading effects on the logical Flow of the Code Analyses, and so may impact many other parts of the Disassembly.


Hit the [OK] button after having forced one single Sections Recognition, and do not re-edit previously forced Records.
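
The following Python sketch is an added illustration, not RosAsm code: it models the Sections and Routing Maps as byte tables the size of a constructed image, and shows how one forced Code record cascades through the flow analysis. The flag values, the build_maps name and the toy opcode table are assumptions.

```python
# Added illustration: flag values, names and the toy decoder are assumptions,
# not RosAsm's real Map or Forced Map File format.
CODE, DATA = 1, 2      # Sections Map flags (hypothetical values)
LABEL, NODE = 1, 2     # Routing Map flags (hypothetical bit values)
# Toy x86 length table: push ebp, mov reg/reg form, call rel32, pop ebp, ret.
OPCODE_LEN = {0x55: 1, 0x8B: 2, 0xE8: 5, 0x5D: 1, 0xC3: 1}

def build_maps(image, forced):
    """Return (sections, routing): one flag byte per byte of the image."""
    sections, routing = bytearray(len(image)), bytearray(len(image))
    # Forced records go in first, so later recognitions cannot override them.
    for offset, (section_flag, routing_flag) in forced.items():
        sections[offset], routing[offset] = section_flag, routing_flag
    pending = [o for o, (s, _) in forced.items() if s == CODE]
    seen = set()
    while pending:                       # cascade from each forced Code byte
        pos = pending.pop()
        while pos < len(image) and pos not in seen and image[pos] in OPCODE_LEN:
            end = pos + OPCODE_LEN[image[pos]]
            if end > len(image) or DATA in sections[pos:end]:
                break                    # truncated, or runs into forced Data
            seen.add(pos)
            sections[pos:end] = bytes([CODE]) * (end - pos)
            if image[pos] == 0xE8:       # call: its target becomes a Node
                target = end + int.from_bytes(image[pos + 1:end], "little", signed=True)
                if 0 <= target < len(image) and sections[target] != DATA:
                    routing[target] |= LABEL | NODE
                    pending.append(target)
            if image[pos] == 0xC3:       # ret ends this flow
                break
            pos = end
    # Toy default: whatever no flow reached is treated as Data.
    for i, flag in enumerate(sections):
        sections[i] = flag or DATA
    return sections, routing

# Constructed 17-byte image: "Hi!\0", a routine at 4 calling a stub at 14, 2 data bytes.
IMAGE = bytes.fromhex("48692100" "55" "8BEC" "E802000000" "5D" "C3" "C3" "5500")

if __name__ == "__main__":
    for forced in ({}, {4: (CODE, LABEL)}, {4: (CODE, LABEL), 14: (DATA, LABEL)}):
        sections, _ = build_maps(IMAGE, forced)
        print(forced, "".join("C" if f == CODE else "d" for f in sections))
```

Forcing offset 4 to Code flags eleven bytes as Code, including the call target at 14; additionally forcing offset 14 to Data stops the flow from being followed there.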



Forcing the Routing map


This Option is used to define what the given Location is, from a logical Flow point of view. Usually, you should leave the [Label] Flag On, in order to follow what the next Disassembly Process does with your modification. Without a Label, you could get lost in the Source, whereas having an unused Label does not hurt.



Forcing the Size Map


As it says, this Option can be used to redefine the Sizes of Data. If the selected Item is a String or a Unicode String, the Edit Control for defining the End of the String is enabled. Its value is that of the next Label not belonging to the String.


~~~~~~~