Field
Embodiments presented herein generally relate to software tools used to disassemble compiled software. More specifically, embodiments presented herein describe techniques for correcting indirect function call values output in program code disassembly.
Description of the Related Art
A disassembler is a computer program that translates executable computer code (e.g., binary instructions) into assembly language. Disassembled code is often formatted for human-readability, (rather than as proper input to an assembler). Such formatting makes disassembly particularly useful for reverse engineering. Indeed, disassemblers are used extensively in several computing industries. For example, disassemblers have significance in the computer security industry. During security audits, companies often need to analyze the run-time behavior of computer applications. As a result, such companies rely on disassemblers to break down machine language into a human-readable assembly language format.
However, existing disassemblers have limitations. For example, consider indirect calls in a computer application. In computer programming, indirect function calls (e.g., virtual function calls, indicator function calls, etc.) are calls to a function via a function pointer (i.e., a memory address of the function). When source code is compiled, indirect function calls are generally converted to register calls, such as “call [ebx],” where refers to the EBX processor register. However, when a disassembler processes the resulting machine code, the disassembler has inadequate information to ascertain names of functions corresponding to indirect function calls. Consequently, the resulting disassembly may be inaccurate. Although the register names and values may be obtained using dynamic debugging techniques, one ordinarily has to evaluate each register call manually. Such an approach can be impractical for many programs.