There is one particular .exe that when I try to disassemble I get this message:

W32Dasm could only allocate enough memory to process 368640 lines of text. The disassembly listing will not be complete and the search functions may not be successful. You can free up additional memory by closing other programs, increasing RAM/or virtual memory. Also, be sure to have at least 150MB of free space on your working drive. If you are running Win 3.1 with Win32S, please note that W32Dasm works better in Windows 95 when disassembling large files.
*********************************************************

The file is 848KBs in size...I'm running 1024MB RAM [512mbs each side] and I have about 70 gbs of hard space left. I'm running xp. Can anyone tell me what's going on here? Really would appreciate some advise.

Thanks

Do yourself a favor and move up to IDA. W32Dasm is really older technology which has, for the most part, been passed by because it hasn't been updated. IDA is much more complex and will include a learning curve, but is well forth the transition. Since you are just starting in the reversing area, you might as will start with modern tools, especially since you are using XP.

Regards

Even a small app can fill up the available memory by placing anti-dissasembly code:

004533045: call 004633045
.
.
.
004633045: jmp 004533045

or variations on the theme. W32Dasm just goes round and round until the buffer overloads, but IDA will only disassemble code that will actually excecute in some instance.

Needless to say, the real application never gets to execute such code.

naides...

Is there some way that I can noop this anti-disassembly code or if it appears the way you displayed it in your post, enter code to stop this from running awry? If it is, then I'd like to learn this among everything else. I'm going to hop on google now and look for IDA.

Thank you and JMI for responding

Yes, there are, but it would be an excercise of futility. . .

You would need heavy use of IDA (INTERACTIVE) Disassembler to locate and modify the code and/or Learn to Debug the W32Dasm disassembly machine live and direct, to locate and deactivate the Anti-disassmbly tricks.

If you look for Anti-disassmbly in the web and in this board, you will find that those tricks can be quite sophisticated, (not like my quick and dirty example), so you would need deep undertading of the code and the disassembly process. . .

In other words NOT WORTH THE TIME AND EFFORT.

naides...

Got'cha...Thanks

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Man...you are right...JMI set a helava post back in April of 2001 on this issue.
I'm going to take Wdasm89 and use it on itself to see if I can find that loop...wish me luck!!!

jmi, naides... i think we failed :\

disavowed...



Who are you? Where did you come in on this conversation? I don't see you anywhere else in this thread! What do you mean,"You failed"? Elaborate

Relax, man. . .!
Disavowed post is tongue in cheek!

ha ha ha ha ha....OK man! I also offer my humble appology to all who deserves to receive it. That dude just rubbed me the wrong way. Won't happen again...rest assured.
Oh yeah, by the way...I realized my mistake when I submitted that one post...The issue doesn't lie within the Wdasm as I stated...it lies within the .exe, dlls and possibly the .shl files that are incorporated with the install. I just don't recogonize the code when one directs to the other, that's all.

Thanks for the laugh naides...being as new at this as I am, you wouldn't believe the actual headaches I'm going through trying to learn this crap without any software development experience what-so-ever. I downloaded the IDA Pro Demo as you gents suggested, but it seems like I need a hard-back users manual to teach me how to understand it. If I could just understand what codes say go where, then I'd have a pretty good start at things. MAN I WANT TO LEARN HOW TO CRACK. Once I did, I'd crack my a*s off.

Later

If you REALLY want to learn you simply have to accept the fact that it is NOT a quick process to learn how. You have to acquire some basic knowledge in several subjects before you will grasp what the heck you are looking at and what you are doing. A really good starting point is learning the basics of Assembly Language, not to the level that you can program in the language, but to the level that you recognize what the heck you are looking at when you see the code in a debugger or disassembler. Most of the time that view will be assembly language. If your do not recognize what the operation codes are doing with the registers and flags and such, you are in a dark hole looking up into a starry sky wondering whether there is a pattern to the heavens which you just haven't recognized. All these things take TIME. There are no really effective short cuts to spending the time it takes, however that is for YOU. Impatience is your worst enemy. It makes you try to take short cuts which hurt you in the long run.

FIRST try to learn what you are seeing and what is happening with the code, and THEN began to try to figure out how to change it to do what you want it to do.

Regards,

W32Dasm could only allocate enough memory to process 368640 lines of text. The disassembly listing will not be complete and the search functions may not be successful. You can free up additional memory by closing other programs, increasing RAM/or virtual memory. Also, be sure to have at least 150MB of free space on your working drive. If you are running Win 3.1 with Win32S, please note that W32Dasm works better in Windows 95 when disassembling large files.....

This message from W32Dasm is misleading. It actually has nothing to with physical memory. The message occurs if the section containing the code doesn't have the executable attribute checked. You will need a PE Editor to change this attribute for the code section.

jmi, i remember e!nstein (or something like that) had a really good crash-course on x86 and win32api for reversers. this tutorial is from several years ago, but if anyone knows what i'm talking about, it might be good to post a link to it

he mabye got the msg (seen in the first post) because w32dasm creates a tmp file (<win>\temp) and either his hdd space was low or the file was too large for the listview (not virtual listview) to handle over 32k data.

use this patch. Also i have many patches (custom bug-fixes from different people) but this better. His old but cool

dmx...

Thank you...I'll give'er a shot.
*******************************************************

Got an invalid checksum...but went ahead with'er anyway.

i'm to, but it's working


Of corse ida more powerful, but by my opinion it's very slow-and for example, it cannot be used for working with big files. One time i give it some file.. i go to look cinema, and when i come back i found what ida still working... windasm32 work much more faster...

dmx...

ok...I'll check aroung for it...thanks