Nytro Posted July 30, 2012 Report Posted July 30, 2012 [h=1]PEBrowseProfessional[/h] [h=2]Windows Disassembler[/h]PEBrowse64 Professional (v3.1) is a 64-bit executable and requires the .NET framework. It will display both Win32 and Win64 executables, native, managed and mixed. PEBrowse Professional (v10.1.4) is a static-analysis tool and disassembler for Win32/Win64 executables and Microsoft .NET assemblies. With the PEBrowse disassembler, one can open and examine any executable without the need to have it loaded as part of an active process with a debugger. Applications, system DLLs, device-drivers and Microsoft .NET assemblies are all candidates for offline analysis using either PEBrowse programs. The information is organized in a convenient treeview index with the major divisions of the PE file displayed as nodes. In most cases selecting nodes will enable context-sensitive multiple view menu options, including binary dump, section detail, disassembly and structure options as well as displaying sub-items, such as optional header directory entries or exported functions, that can be found as part of a PE file unit. Several table displays, hex/ASCII equivalents, window messages and error codes, as well as a calculator and scratchpads are accessible from the main menu (calculator, messages and codes in PEBrowse Professional only). While the binary dump display offers various display options, e.g., BYTE, WORD, or DWORD alignment, the greatest value of PEBrowse comes when one disassembles an entry-point. An entry-point in PEBrowse is defined as: [TABLE=class: pagetable, width: 95%] [TR] [TD=width: 33%] module entry-point exports (if any) [/TD] [TD=width: 33%] debug-symbols (if a valid PDB, i.e., program database file, is present) imported API references [/TD] [TD=width: 34%] relocation addresses internal functions/subroutines any valid address inside of the module [/TD] [/TR] [/TABLE]Selecting and disassembling any number of these entry-points produces a versatile display rich in detail including upper/lowercase display, C/Pascal/Assembler suffix/prefixing, object code, color-coded statements, register usage highlighting, and jump/call target preview popups. Additional information, such as variable and function names, will also be present if one has access to a valid PDB file. Disassembly comes in two flavors: linear sweep (sequential disassembly from a starting address) and recursive traversal, aka, analysis mode (disassembly of all statements reachable by non-call statements - extended analysis disassembles all internal call statements as well). The latter mode also presents local variables with cross-referencing, highlighting, and renaming options. If one adds/changes variable name or adds comments to specific lines, these can be displayed in a session file which will record and save all currently opened displays. PEBrowse Professional will decompile type library information either embedded inside of the binary as the resource "TYPELIB" or inside of individual type libraries, i.e., .TLB or .OLB files. PEBrowse Professional and PEBrowse64 Professional also display all metadata for .NET assemblies and displays IL (Intermediate Language) for .NET methods. They seamlessly handle mixed assemblies, i.e., those that contain both native and managed code. Finally, the 32-bit PEBrowse can be employed as a file browse utility for any type of file with the restriction that the file must be small enough that it can be memory-mapped. Screenshot of PEBrowse Professional: Download PEBrowse Professional. Download PEBrowse64 Professional. Read the Tutorial. Sursa: Windows Disassembler Quote
