DYNAMIC CALL TRACKING METHOD BASED ON CPU INTERRUPT INSTRUCTIONS TO IMPROVE DISASSEMBLY QUALITY OF INDIRECT CALLS

US 20150363198A1
Filed: 06/16/2014
Published: 12/17/2015
Est. Priority Date: 06/16/2014
Status: Active Grant

First Claim

Patent Images

1. A method for disassembling compiled object code, the method comprising:

disassembling a binary executable object to generate assembly language source code, wherein the assembly language source code includes one or more indirect function calls;

inserting an interrupt in the assembly language source code at each indirect function call;

executing the assembly language source code;

upon reaching the interrupt at each indirect function call while executing the assembly language source code, determining a register value stored in a register specified in the indirect function call; and

for each indirect function call, replacing, in the assembly language source code, the register specified in the indirect function call with a function name corresponding to the register value.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments presented herein describe techniques to track and correct indirect function calls in disassembled object code. Assembly language source code is generated from a binary executable object. The assembly language source code may include indirect function calls. Memory addresses associated with the function calls are identified. A central processing unit (CPU) interrupt instruction is inserted in the disassembled source code at each indirect function call. The disassembled source code is executed. When the interrupt at each indirect function call is triggered, the function name of a function referenced by a register may be determined.

Citations

20 Claims

1. A method for disassembling compiled object code, the method comprising:
- disassembling a binary executable object to generate assembly language source code, wherein the assembly language source code includes one or more indirect function calls;
  
  inserting an interrupt in the assembly language source code at each indirect function call;
  
  executing the assembly language source code;
  
  upon reaching the interrupt at each indirect function call while executing the assembly language source code, determining a register value stored in a register specified in the indirect function call; and
  
  for each indirect function call, replacing, in the assembly language source code, the register specified in the indirect function call with a function name corresponding to the register value.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the interrupt transfers control of the execution to a debugger module executed to determine the function name.
  - 3. The method of claim 1, wherein the register value specifies a memory address stored in the register when the interrupt is triggered.
  - 4. The method of claim 1, wherein the function name is identified from a memory address stored in the register when the interrupt is triggered.
  - 5. The method of claim 1, wherein the assembly language source code is generated by a disassembler.
  - 6. The method of claim 1, wherein the interrupt is INT 3.
  - 7. The method of claim 1, wherein the assembly language source code is executed in a debugger module.

8. A computer-readable storage medium storing instructions, which, when executed on a processor, performs an operation for disassembling compiled object code, the operation comprising:
- disassembling a binary executable object to generate assembly language source code, wherein the assembly language source code includes one or more indirect function calls;
  
  inserting an interrupt in the assembly language source code at each indirect function call;
  
  executing the assembly language source code;
  
  upon reaching the interrupt at each indirect function call while executing the assembly language source code, determining a register value stored in a register specified in the indirect function call; and
  
  for each indirect function call, replacing, in the assembly language source code, the register specified in the indirect function call with a function name corresponding to the register value.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage medium of claim 8, wherein the interrupt transfers control of the execution to a debugger module executed to determine the function name.
  - 10. The computer-readable storage medium of claim 8, wherein the register value specifies a memory address stored in the register when the interrupt is triggered.
  - 11. The computer-readable storage medium of claim 8, wherein the function name is identified from a memory address stored in the register when the interrupt is triggered.
  - 12. The computer-readable storage medium of claim 8, wherein the assembly language source code is generated by a disassembler.
  - 13. The computer-readable storage medium of claim 8, wherein the interrupt is INT 3.
  - 14. The computer-readable storage medium of claim 8, wherein the assembly language source code is executed in a debugger module.

15. A system, comprising:
- a processor; and
  
  a memory storing one or more application programs configured to perform an operation for disassembling compiled object code, the operation comprising;
  
  disassembling a binary executable object to generate assembly language source code, wherein the assembly language source code includes one or more indirect function calls,inserting an interrupt in the assembly language source code at each indirect function call,executing the assembly language source code,upon reaching the interrupt at each indirect function call while executing the assembly language source code, determining a register value stored in a register specified in the indirect function call, andfor each indirect function call, replacing, in the assembly language source code, the register specified in the indirect function call with a function name corresponding to the register value.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the interrupt transfers control of the execution to a debugger module executed to determine the function name.
  - 17. The system of claim 15, wherein the register value specifies a memory address stored in the register when the interrupt is triggered.
  - 18. The system of claim 15, wherein the function name is identified from a memory address stored in the register when the interrupt is triggered.
  - 19. The system of claim 15, wherein the assembly language source code is generated by a disassembler.
  - 20. The system of claim 15, wherein the interrupt is INT 3.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
YANG, Hong Yi, GUO, Rui

Granted Patent

US 9,767,004 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/3624 by performing operations on...

G06F 8/53 Decompilation; Disassembly

DYNAMIC CALL TRACKING METHOD BASED ON CPU INTERRUPT INSTRUCTIONS TO IMPROVE DISASSEMBLY QUALITY OF INDIRECT CALLS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DYNAMIC CALL TRACKING METHOD BASED ON CPU INTERRUPT INSTRUCTIONS TO IMPROVE DISASSEMBLY QUALITY OF INDIRECT CALLS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links