disasm | Interactive Disassembler GUI - This Repository is NOT
kandi X-RAY | disasm Summary
kandi X-RAY | disasm Summary
Disasm is a browser-based application, built on Flask, that allows you to disassemble ELF files into Intel x86 assembly. The assembly and analysis is displayed in a browser so that you can click around and interact with it.
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of disasm
disasm Key Features
disasm Examples and Code Snippets
Community Discussions
Trending Discussions on disasm
QUESTION
uint32_t sum_a_b(uint32_t a, uint32_t b) {
return a + b;
}
uint32_t mul_c_d(uint32_t c, uint32_t d) {
return c * d;
}
int main(uint16_t argc, char **argv) {
uint32_t e;
e = mul_c_d(116, sum_a_b(17, 992));
return 0;
}
ANSWER
Answered 2021-Jun-01 at 10:01The C standard doesn't specify where variables and values are stored, so the results will be very system-specific.
"Some "temporary variable" at stack?" Likely.
"Processor registers?" Likely.
"Heap?" No. The heap is only used when there's an explicit call to malloc or equivalent function. No known C compiler utilizes the heap implicitly.
Unfortunately I don't have enough asm / disasm skills to check it directly
You don't need to know a lot of assembler to do that. Just toss your code into https://godbolt.org/, disable optimizations, and this is what you get (x86):
QUESTION
Some disassemblers like IDA or Ghidra take an exe and output the instructions. Other disassemblers require the user to parse the PE header, isolate binary for the instructions and pass that in.
I'm trying to learn to use the Capstone Python API, but the .py documentation only ever shows a buffer of isolated instructions being passed, like so:
...ANSWER
Answered 2021-May-25 at 00:24Capstone is architecture-independent. It doesn't understand PE files or elf files. You just feed it bytes of machine language for whatever processor you have.
QUESTION
// iced-x86 features needed: --features "decoder nasm"
const { Decoder, DecoderOptions, Formatter, FormatterSyntax } = require("iced-x86");
/*
This code produces the following output:
00007FFAC46ACDA4 48895C2410 mov [rsp+10h],rbx
00007FFAC46ACDA9 4889742418 mov [rsp+18h],rsi
00007FFAC46ACDAE 55 push rbp
00007FFAC46ACDAF 57 push rdi
00007FFAC46ACDB0 4156 push r14
00007FFAC46ACDB2 488DAC2400FFFFFF lea rbp,[rsp-100h]
00007FFAC46ACDBA 4881EC00020000 sub rsp,200h
00007FFAC46ACDC1 488B0518570A00 mov rax,[rel 7FFA`C475`24E0h]
00007FFAC46ACDC8 4833C4 xor rax,rsp
00007FFAC46ACDCB 488985F0000000 mov [rbp+0F0h],rax
00007FFAC46ACDD2 4C8B052F240A00 mov r8,[rel 7FFA`C474`F208h]
00007FFAC46ACDD9 488D05787C0400 lea rax,[rel 7FFA`C46F`4A58h]
00007FFAC46ACDE0 33FF xor edi,edi
*/
const exampleBitness = 64;
const exampleRipLo = 0xC46ACDA4;
const exampleRipHi = 0x00007FFA;
const exampleCode = new Uint8Array([
0x48, 0x89, 0x5C, 0x24, 0x10, 0x48, 0x89, 0x74, 0x24, 0x18, 0x55, 0x57, 0x41, 0x56, 0x48, 0x8D,
0xAC, 0x24, 0x00, 0xFF, 0xFF, 0xFF, 0x48, 0x81, 0xEC, 0x00, 0x02, 0x00, 0x00, 0x48, 0x8B, 0x05,
0x18, 0x57, 0x0A, 0x00, 0x48, 0x33, 0xC4, 0x48, 0x89, 0x85, 0xF0, 0x00, 0x00, 0x00, 0x4C, 0x8B,
0x05, 0x2F, 0x24, 0x0A, 0x00, 0x48, 0x8D, 0x05, 0x78, 0x7C, 0x04, 0x00, 0x33, 0xFF
]);
const hexBytesColumnByteLength = 10;
const decoder = new Decoder(exampleBitness, exampleCode, DecoderOptions.None);
// You have to enable the bigint feature to get i64/u64 APIs, not all browsers support BigInt
decoder.ipLo = exampleRipLo;
decoder.ipHi = exampleRipHi;
// This decodes all bytes. There's also `decode()` which decodes the next instruction,
// `decodeInstructions(count)` which decodes `count` instructions and `decodeOut(instruction)`
// which overwrites an existing instruction.
const instructions = decoder.decodeAll();
// Create a nasm formatter. It supports: Masm, Nasm, Gas (AT&T) and Intel (XED).
// There's also `FastFormatter` which uses less code (smaller wasm files).
// const formatter = new FastFormatter();
const formatter = new Formatter(FormatterSyntax.Nasm);
// Change some options, there are many more
formatter.digitSeparator = "`";
formatter.firstOperandCharIndex = 10;
// Format the instructions
instructions.forEach(instruction => {
const disasm = formatter.format(instruction);
// Eg. "00007FFAC46ACDB2 488DAC2400FFFFFF lea rbp,[rsp-100h]"
let line = ("0000000" + instruction.ipHi.toString(16)).substr(-8).toUpperCase() +
("0000000" + instruction.ipLo.toString(16)).substr(-8).toUpperCase();
line += " ";
const startIndex = instruction.ipLo - exampleRipLo;
exampleCode.slice(startIndex, startIndex + instruction.length).forEach(b => {
line += ("0" + b.toString(16)).substr(-2).toUpperCase();
});
for (let i = instruction.length; i < hexBytesColumnByteLength; i++)
line += " ";
line += " ";
line += disasm;
console.log(line);
});
ANSWER
Answered 2021-May-15 at 02:09RIP is the 64-bit program counter on x86-64. The disassembler is using RIP to keep track of the address of each instruction.
exampleRip is the start address for exampleCode, to be shown as the address of each instruction.
Normally you'd use a single 64-bit integer variable for that, but JavaScript numbers are IEEE double floating point so they round large numbers to a multiple of some power of 2, i.e. round away the low bits of big numbers, making it unusable for kernel addresses (in the high half of the canonical address range). (awk also uses double, and https://unix.stackexchange.com/questions/649013/why-does-awk-print-0xffffffffbb6002e0-as-ffffffffbb600000-using-printf on unix.SE is an example of the effect, with FP explanation.)
That's the point of this comment:
// You have to enable the bigint feature to get i64/u64 APIs, not all browsers support BigInt
They're explaining that they're not using the BigInt feature, so instead they use two variables (exampleRipHi and exampleRipLo) to implement one 64-bit variable.
QUESTION
I have seen the good answer to my quesntion from Debugging CodeStubAssembler (CSA) code in V8. howerver,i really cannot understand the point "You can then step through the CSA code as it emits a Turbofan IR graph which the Turbofan backend will then translate to machine code" in upshot one.Can I debug CSA line by line according to the source code in that way? In order to express my needs more clearly,I use some code examples:
...ANSWER
Answered 2021-Mar-22 at 15:51Yes, you can do that, just like for any other C++ code.
Of course, this code runs as part of mksnapshot, and what it does is it creates (part of) a "builtin" code object that can handle appending elements to JavaScript arrays. Line 2869 will put a comment into the code object's comment section (if you are running with the --code-comments flag), line 2870 will define a label that will be used for conditional jumps later.
So just to be clear, this code does not run when you actually append elements to arrays. At that time, the builtin generated by this code will run, and debugging that requires different techniques (see the other answer).
EDIT to address questions in comments:
If i enter
p kindin line 2870,can i get the value ofkind? if i enterp ElementsKindToStringin this function,can i get the address of functionElementsKindToString?
Yes, of course, this is plain C++. (Also, why do you ask? Just try it!)
how could i break in gdb before the Turbofan backend translate this function to machine code and get the debugging format i posted above.
Run mksnapshot in GDB and set a breakpoint on the line you want, then switch the view mode as desired. (Again, this is regular GDB usage; if you need a GDB tutorial then please search for one, there are plenty on the 'net.)
While you haven't directly asked for it, I have a suspicion that what you really want to do is step through the generated builtins instruction-by-instruction and see the CSA source that was responsible for generating them. That, unfortunately, is not possible, because the builtins and their generators run at different times (and even in different binaries!).
QUESTION
I am trying to disassambe a PE file using capstone with python bindings.
...ANSWER
Answered 2021-Feb-10 at 16:19Disasm will disassemble from start of code. You should pass raw data corresponding to code section, not the beginning of PE file, where PE headers reside:
QUESTION
I am trying to use PyDev to attach to a process on MS-Windows 10. Actually, to be more precise I was doing this. It worked wonderfully and I value it immensely, but now doesn't work and I wonder why.
I always do this to the same process, it is one written in C++ that loads a python interpreter internally to run Python plugin code. I have in past been happily breaking inside the plugin code and debugging with PyDev.
Come Dec 2020 and I try again and I get this error when trying to attach to the same process:
...ANSWER
Answered 2020-Dec-17 at 10:56It's really a bit odd that it doesn't find it given that it's alongside attach_pydevd.py and given that attach_pydevd.py is executed as a __main__ module it should (in theory) be able to find it... but practice it seems is sometimes different ;)
So, try to do the following: open attach_pydevd.py and add sys.path.append(os.path.dirname(__file__)) as the first line of the def main(setup): to see if it fixes your issue (if it does, I'll also do the fix in the debugger side).
QUESTION
I want to understand how executables work. I hope that understanding one very specific example in full detail will enable me to do so. My final (perhaps too ambitious) goal is to take a hello-world .exe file (compiled with a C compiler and linked) and understand in full detail how it is loaded into memory and executed by a x86 processor. If I succeed in doing so, I want to write an article and/or make a video about it, since I have not found something like this on the internet.
Specific questions I want to ask are marked in bold. Of course any further suggestions and sources doing something similar are very welcome. Thanks a lot in advance for any help!
What I needThis Answer gives an overview of the process that C code goes through until it gets into physical memory as a programm. I'm not sure yet how much I want to look into how the C code is compiled. Is there a way to view the Assembly code a C compiler generates before assembling it? I may decide it's worth the effort to understand the processes of loading and linking. In the meantime the most important parts I need to understand are
- the PA executable file format
- the relation between assembler code and x86 byte-code
- the process of loading (i.e. how the process RAM is prepared for execution using information from the executable file).
I have a very basic understanding of the PA format (this understanding will be outlined in the section "What I have learned so far") and I think the sources given there should be sufficient, I just need to look into it some more until I know enough to understand a basic Hello-World programm. Further sources on this topic are of course very welcome.
The translation of byte-code into assembler code (disassembly) seems to be quite difficult for x86. Nonetheless, I would love to learn more about it. How would you go about disassembling a short byte code segment?
I'm still looking for a way to view the contents of a process' memory (the virtual memory assigned to it). I've already looked into windows-kernel32.dll functions such as ReadProcessMemory but couldn't get it to work yet. Also it's strange to me that there don't seem to be (free) tools available for this. Together with an understanding of loading, I may then be able to understand how a process is run from RAM. Also I'm looking for debugging tools for assembly programmers that allow to view the entire process virtual memory conents. My current starting point of this search is this question. Do you have further advice on how I can see and understand loading and process execution from RAM?
The rest of this StackOverflow question describes what I have learned so far in some detail and giving various sources. It is meant to be reproducible and help anyone trying to understand this. However, I still do have some questions about the example I looked at so far.
PA formatIn Windows, an executable file follows the PA format. The official documentation and this article give a good overview of the format. The format describes what the individual bytes in an .exe file mean. The beginning is a DOS programm (included for legacy reasons) that I will not worry about. Then comes a bunch of headers, which give information about the executable. The actual file contents are split into sections that have names, such as '.rdata'. After the file headers, there are also section headers, which tell you which parts of the file are which section and what each section does (e.g. if it contains executable code).
The headers and sections can be parsed using tools such as dumpbin (microsoft tool to look at binary files). For comparison with dumpbin output, the hex code of a file can be viewed directly with a Hex editor or even using the Powershell (command Format-Hex -Path ).
I performed these steps for a very simple programm, which does nothing. This is the code:
...ANSWER
Answered 2020-Apr-16 at 08:42I don't think I'll be able to answer to everything. I am a beginner too so I may say some things not exact. But, I'll try my best and I think I can bring you some things.
No, compilers do not put data in code sections (correct me if I am wrong). There is the section .data (for initialized data) and section .bss (for uninitialized data).
I think, I'll better show you an example of a program which prints hello world (for linux because it's much simpler and I don't know how to do with windows. in x64 but it's like x86. Just the names of the syscalls and the registers that are different. x64 is for 64 bits and x86 for 32 bits).
QUESTION
Im pretty new to assembly, and am trying my best to learn it. Im taking a course to learn it and they mentioned a very remedial Hello World example, that I decomplied.
original c file:
...ANSWER
Answered 2020-May-18 at 19:57The technical term for decompiling assembly back into C is "turning hamburger back into cows". The generated assembly will not be a 1-to-1 translation of the source, and depending on the level of optimization may be radically different. You will get something functionally equivalent to the original source, but how closely it resembles that source in structure is heavily variable.
QUESTION
Here are the steps I followed.
1) I took the assembly language code for three different small programs from the book "Assembly Language for x86 Processors" by Kip Irvine.
2) I assembled, linked to produce a valid executable without errors in each case.
3) For each of the executable files, I generated disassembly using NASM
...ANSWER
Answered 2018-Jan-27 at 09:05Short answer: .exe ≠ .com
Hint: notice the MZ signature as two first bytes in the output of step 5 :-P
Long answer:
Microsoft's executable .exe format has more than just code. First of all it starts with a special signature (initials of the format's creator) followed by quite a bit of information that describes the organization of the code.
In contrast a .com file is just a code, meaning the very first byte of it is what gets executed once the file is loaded into memory.
The first disassembly you get is a wrong one (yes, the first one is wrong, not the second!) as it tries to start the parsing with the first byte instead of jumping on to the actual code.
dumpbin is intelligent enough to properly parse the header of that .exe file and begins the disassembly of the actual code.
Solution
If you'd like to compare the disassembly output you either have to make sure that your NASM is aware of the type of file and properly parses its header or... simplify your life and convert the .exe into a .com in which case both disassembling operations should produce the same output (barring potential bugs, of course)
The last time I was converting an .exe file into a .com was many years ago with a utility called exe2bin. A quick search online shows that this was during the days of Windows XP and is no longer shipped with the OS. Though I see no reason for it to not work if you download it from some place.
QUESTION
I'm using the Java bindings of the Capstone disassembler. When I run the code example
ANSWER
Answered 2019-Oct-22 at 11:57Nevermind, it seems to be an issue with a newer JDK. I recently switched to JDK 11. The fix is to wait till Capstone supports Java 9 and higher or to use Java 8 so indeed it's a Capstone bug.
EDIT:
This issue is now fixed.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install disasm
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page
