Disassembling an executable binary

US 8,869,109 B2
Filed: 03/17/2008
Issued: 10/21/2014
Est. Priority Date: 03/17/2008
Status: Active Grant

First Claim

Patent Images

1. A method performed by at least one computer processing unit for disassembling an executable binary, the method comprising:

identifying a plurality of potential address references included in the executable binary, wherein the identifying includes excluding at least some values included in the executable binary that do not represent potential addresses in the executable binary; and

generating a plurality of assembler source code instructions by disassembling the executable binary at one or more sequential addresses starting at individual potential address references,wherein the disassembling comprises;

assigning confidence codes to the individual potential address references, the confidence codes reflecting relative confidence that the individual potential address references are valid address references;

comparing the confidence codes to resolve a conflict between two different source code streams that overlap in memory, wherein the two different source code streams are generated from two distinct potential address references from the plurality of potential address references; and

discarding one of the two different source code streams that overlap in memory based on the confidence codes.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for disassembling an executable binary (binary). In one implementation, a plurality of potential address references may be identified based on the binary and a plurality of storage addresses containing the binary. A plurality of assembler source code instructions (instructions) may be generated by disassembling the binary. The binary may be disassembled at one or more sequential addresses starting at each of the plurality of potential address references.

39 Citations

View as Search Results

20 Claims

1. A method performed by at least one computer processing unit for disassembling an executable binary, the method comprising:
- identifying a plurality of potential address references included in the executable binary, wherein the identifying includes excluding at least some values included in the executable binary that do not represent potential addresses in the executable binary; and
  
  generating a plurality of assembler source code instructions by disassembling the executable binary at one or more sequential addresses starting at individual potential address references,wherein the disassembling comprises;
  
  assigning confidence codes to the individual potential address references, the confidence codes reflecting relative confidence that the individual potential address references are valid address references;
  
  comparing the confidence codes to resolve a conflict between two different source code streams that overlap in memory, wherein the two different source code streams are generated from two distinct potential address references from the plurality of potential address references; and
  
  discarding one of the two different source code streams that overlap in memory based on the confidence codes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the executable binary is disassembled using a recursive traversal algorithm.
  - 3. The method of claim 1, further comprising:
    - associating the individual potential address references with one or more of the plurality of assembler source code instructions.
  - 4. The method of claim 3, further comprising:
    - determining whether the individual potential address references are valid based on locations of code sections, data sections, or combinations thereof.
  - 5. The method of claim 3, further comprising:
    - identifying one of the plurality of potential address references in an address-holding structure within the executable binary, or an entry point location in the executable binary.
  - 6. The method of claim 5, wherein the address-holding structure is a jump table or a virtual table.
  - 7. The method of claim 3, further comprising determining that a first individual potential address reference is invalid when bytes referred to by the first individual potential address reference include a pattern of a valid string.
  - 8. The method of claim 3, further comprising determining that a first individual potential address reference is invalid when bytes following a last instruction of the plurality of assembler source code instructions associated with the first individual potential address reference do not include a valid instruction.
  - 9. The method of claim 1, further comprising:
    - validating the plurality of potential address references based on consistency of the plurality of assembler source code instructions; and
      
      discarding invalid potential address references and source code instructions from the plurality of assembler source code instructions that are associated with the invalid potential address references.
  - 10. The method of claim 9, wherein the validating includes determining whether a first one of the potential address references is valid based on whether the first potential address reference is an operand in one of the plurality of assembler source code instructions that is associated with the first potential address reference.
  - 11. The method of claim 1, wherein the generating comprises:
    - virtually executing at least one of the plurality of assembler source code instructions.
  - 12. The method of claim 1, further comprising:
    - assigning additional confidence codes to bytes of the two different source code streams; and
      
      comparing the additional confidence codes to resolve the conflict,wherein the discarding is based on both the confidence codes and the additional confidence codes.

13. A computer-readable memory device, optical storage device, or magnetic storage device having stored thereon computer-executable instructions which, when executed by a computer, cause the computer to perform acts comprising:
- identifying a plurality of potential address references included in an executable binary, wherein the identifying includes excluding at least some values included in the executable binary that do not represent potential addresses in the executable binary; and
  
  generating a plurality of assembler source code instructions by disassembling the executable binary based on the plurality of potential address references, wherein the disassembling comprises;
  
  assigning confidence codes to individual potential address references, the confidence codes reflecting relative confidence that the individual potential address references are valid address references;
  
  comparing the confidence codes to resolve a conflict between two different source code streams that overlap in memory, wherein the two different source code streams are generated from two distinct potential address references from the plurality of potential address references; and
  
  discarding one of the two different source code streams that overlap in memory based on the confidence codes.
- View Dependent Claims (14)
- - 14. The computer-readable memory device or storage device of claim 13, the acts further comprising:
    - virtually executing a first one of the plurality of assembler source code instructions to calculate a branch address.

15. A computer system, comprising:
- at least one processing unit; and
  
  a memory comprising program instructions which, when executed by the at least one processing unit, cause the at least one processing unit to;
  
  identify a plurality of potential address references in an executable binary, the plurality of potential address references excluding at least some values included in the executable binary that do not represent potential addresses in the executable binary; and
  
  generate a plurality of assembler source code instructions by disassembling the executable binary based on the plurality of potential address references;
  
  wherein, to disassemble the executable binary, the program instructions further cause the at least one processing unit to;
  
  assign major confidence codes to individual potential address references, the major confidence codes reflecting relative confidence that the individual potential address references are valid address references;
  
  compare the major confidence codes of two different source code streams that overlap in memory to resolve a conflict between the two different source code streams, wherein the two different source code streams are generated from two distinct potential address references from the plurality of potential address references; and
  
  discard one of the two different source code streams that overlap in memory based on the major confidence codes.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system according to claim 15, wherein the instructions are further configured to cause the at least one processing unit to:
    - assign minor confidence codes to bytes of the two different source code streams.
  - 17. The system according to claim 16, wherein the minor confidence codes indicate levels of confidence as to whether the bytes represent beginnings of actual instructions.
  - 18. The system according to claim 16, wherein the instructions are further configured to cause the at least one processing unit to:
    - when the major confidence codes for the two different source code streams are equal, compare the minor confidence codes of first instruction bytes of the two different source code streams to resolve the conflict.
  - 19. The system according to claim 18, wherein the instructions are further configured to cause the at least one processing unit to:
    - in an instance when the major confidence codes for the two different source code streams are identical and the minor confidence codes of the first instruction bytes of the two different source code streams are also identical, compare a number of branch instructions in the two different source code streams to resolve the conflict.
  - 20. The system according to claim 18, wherein the instructions are further configured to cause the at least one processing unit to:
    - in an instance when the major confidence codes for the two different source code streams are identical and the minor confidence codes of the first instruction bytes of the two different source code streams are also identical, compare a total number of assembler source code instructions in the two different source code streams to resolve the conflict.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zhigu Holdings Limited
Original Assignee
Microsoft Corporation
Inventors
Pan, Aimin, Zhang, Kaimin, Zhu, Bin
Primary Examiner(s)
Dao, Thuy
Assistant Examiner(s)
Chowdhury, Ziaul A

Application Number

US12/050,159
Publication Number

US 20090235054A1
Time in Patent Office

2,409 Days
Field of Search
US Class Current

717/124
CPC Class Codes

G06F 8/53 Decompilation; Disassembly

Disassembling an executable binary

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Disassembling an executable binary

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links