I have a 64-bit COFF object file (no source code or debug info) from which I need to extract a single procedure.

The procedure is relatively short, and its only dependencies are:

  1. One global variable.
  2. A couple of imported procedures.

I have already tried disassembling and re-assembling the code; however, for some odd reason, even though the code looks the same in a debugger and a disassembler, it doesn't behave the same way. (I've already tried making sure that the executable sections have the correct flags, etc. but to my knowledge, all of these are correct, and the values also match what they "should" be at runtime.)

So is there any way to directly copy over the function to a new object file (or to delete everything except that function), without having to disassemble and reassemble the code in the process?

user541686

1 Answer

I am not sure there is an easy way in the general case.

For example, multiple procedures can refer to one shared piece of code (i.e. a static function). So you need to build a call graph for all code blocks in the file and take the code blocks that are referred to by your procedure. Then you should fix the addresses in all jumps and calls, since there will be a new code layout.

werewindle
  • i.e. you should write a special utility that will do it for you. But why not use the object file you have? I think the linker will not link unused functions from it. It depends on the way functions are stored in the file; they may or may not be packed. – Dmitriy Yurchenko Jul 23 '12 at 10:54
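
As an added example (not part of the original question, answer or comment), the Python below covers the dependency-discovery step the answer describes: it reads a COFF object's section, relocation and symbol tables and lists which symbols the relocations inside one function refer to. The object it runs on is constructed inline, the names `foo`, `bar`, `g_var`, `exit` and `__imp_SomeImportedProc` are made up for the sample, and the function boundary rule is an assumption noted in the code.

```python
import struct

def parse_coff(data):
    """Parse an object file's section headers, relocations and symbol table."""
    _, nsec, _, symoff, nsym, opt, _ = struct.unpack_from("<HHIIIHH", data, 0)
    strtab = symoff + 18 * nsym                    # string table follows the symbols
    def name(raw):
        if raw[:4] == b"\0\0\0\0":                 # long name: offset into string table
            off = strtab + struct.unpack("<I", raw[4:])[0]
            return data[off:data.index(b"\0", off)].decode()
        return raw.rstrip(b"\0").decode()
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, 20 + opt + 40 * i)
        relocs = [struct.unpack_from("<IIH", data, f[5] + 10 * r) for r in range(f[7])]
        sections.append({"name": f[0].rstrip(b"\0").decode(), "size": f[3], "relocs": relocs})
    symbols, i = {}, 0
    while i < nsym:
        raw, value, sec, typ, _, naux = struct.unpack_from("<8sIhHBB", data, symoff + 18 * i)
        symbols[i] = {"name": name(raw), "value": value, "section": sec, "type": typ}
        i += 1 + naux                              # auxiliary records occupy table slots
    return sections, symbols

def dependencies(data, func):
    """Names of the symbols that relocations inside `func` refer to."""
    sections, symbols = parse_coff(data)
    me = next(s for s in symbols.values() if s["name"] == func and s["section"] > 0)
    sec = sections[me["section"] - 1]
    # Assumption: func ends where the next function symbol in its section begins.
    later = [s["value"] for s in symbols.values() if s["section"] == me["section"]
             and s["type"] == 0x20 and s["value"] > me["value"]]
    end = min(later, default=sec["size"])
    return sorted({symbols[i]["name"] for va, i, _ in sec["relocs"] if me["value"] <= va < end})

def sample_object():
    """Constructed x64 object: .text holds foo (bytes 0-15) and bar (bytes 16-31)."""
    sym = lambda nm, val, sec, typ: struct.pack("<8sIhHBB", nm, val, sec, typ, 2, 0)
    long_name = bytes(4) + struct.pack("<I", 4)    # name lives at string-table offset 4
    syms = [sym(b"foo", 0, 1, 0x20), sym(b"bar", 16, 1, 0x20), sym(b"g_var", 0, 0, 0),
            sym(long_name, 0, 0, 0), sym(b"exit", 0, 0, 0x20)]
    relocs = [(3, 2), (9, 3), (20, 4)]             # (offset in .text, symbol index)
    text_off, rel_off = 60, 92                     # after file header + one section header
    sym_off = rel_off + 10 * len(relocs)
    strings = b"__imp_SomeImportedProc\0"
    return (struct.pack("<HHIIIHH", 0x8664, 1, 0, sym_off, len(syms), 0, 0)
            + struct.pack("<8sIIIIIIHHI", b".text", 0, 0, 32, text_off, rel_off, 0,
                          len(relocs), 0, 0x60500020)
            + bytes(32) + b"".join(struct.pack("<IIH", va, i, 4) for va, i in relocs)
            + b"".join(syms) + struct.pack("<I", 4 + len(strings)) + strings)
```

A reference to a static helper shows up here as a relocation against a symbol defined in the same object (section number greater than 0), which is the case the answer says has to be followed recursively.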