
disarm

Posted: Tue Aug 18, 2015 1:31 am
by morpheus
Simple but really useful command line ARM64 disassembler - only good for one instruction at a time, but sometimes that's all you need

http://NewOSXBook.com/tools/disarm.html

J

Re: disarm

Posted: Wed Aug 19, 2015 1:55 pm
by jbh2
Cool tool! :)
Thanks!

Re: disarm

Posted: Thu Aug 20, 2015 2:53 pm
by backendbilly
Hey Jonathan,

Would you care to provide a few case scenarios of when you would want to use disarm? I find myself puzzled as to how and when I would want to use this tool and how it can be helpful.

Thank you

Billy

Re: disarm

Posted: Thu Aug 20, 2015 8:08 pm
by danzatt
As stated in the tweet (https://twitter.com/Technologeeks/status/633180893113249792) it is useful when reversing code which treats code as data.

Re: disarm

Posted: Fri Aug 21, 2015 2:43 am
by morpheus
Actually, it says so in the page. The tweet I had the guys post is a screen capture of the HTML page :)

Billy - I can't claim all my tools are useful (Though I would hope they are!). This one came out of necessity, as I am very much into ARMv8 nowadays (having abandoned ARMv7 and never dared to support x86_64). For injected code, you have two options - either grep Apple's otool to figure out if your opcode disassembled in a random binary, or use a commercial debugger like IDA, DCD the code and "convert to code". Neither of these is a good option and I needed something on the fly. I couldn't find a simple lookup utility. Basically, it's taking my disassembler in JTool and just packaging it with a simple main. And it works. And I use it - now that I have it, more than I suspected I would. So I shared it. Apparently the Twitterverse likes it, though I admit the discrepancy between the blind retweets and those who actually bothered to download the tar file (which only appeared a day later) was entertaining.

Re: disarm

Posted: Fri Aug 21, 2015 11:33 am
by backendbilly
Thanks for taking the time to list a few cases of usage. Yes it says it in the tweet but I always like use cases for my day-to-day reverse engineering. I don't typically RE injected code but more related to code logic shipped on stock iOS and OSX.

This is why I love jTool, lsock, filemon, and joker. They definitely help me in REing system services in iOS. Thanks again Jonathan. I'm still looking forward to DebugView ;)

Billy

Re: disarm

Posted: Mon Aug 24, 2015 8:31 pm
by danzatt
You can also use llvm-mc to assemble/disassemble instructions/opcodes.
Disassemble (from your examples):
Code:
➜  ~  echo '0xe6 0x1f 0xbf 0xa9' | llvm-mc -disassemble -triple=aarch64
        .text
        stp   x6, x7, [sp, #-16]!

Assemble (useful for binary patching):
Code:
➜  ~  echo "mov r0, 0; bx lr" | llvm-mc -assemble -triple=armv7 -show-encoding
   .text
        mov   r0, #0                  @ encoding: [0x00,0x00,0xa0,0xe3]
        bx   lr                       @ encoding: [0x1e,0xff,0x2f,0xe1]
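
The bytes from the llvm-mc disassembly example above, decoded field by field. This is an added example, not part of the original posts and not code from disarm, jtool, llvm-mc or capstone: a small Python decoder covering only the A64 load/store-pair (LDP/STP) encodings on general registers. The names `decode_pair`, `reg` and `MODES` are made up for illustration.

```python
import struct

# Bits 25:23 select the addressing mode (000 = no-allocate pair, not handled here).
MODES = {0b001: "post", 0b011: "pre", 0b010: "offset"}

def reg(n, prefix, is_base):
    """Register 31 means sp as a base register, the zero register otherwise."""
    if n == 31:
        return "sp" if is_base else prefix + "zr"
    return f"{prefix}{n}"

def decode_pair(raw):
    """Decode 4 bytes in memory order (little-endian).
    Returns assembly text, or None for anything that is not a supported LDP/STP."""
    if len(raw) != 4:
        raise ValueError("an A64 instruction is exactly 4 bytes")
    (word,) = struct.unpack("<I", raw)
    if (word >> 27) & 0b111 != 0b101 or (word >> 26) & 1:
        return None                    # not load/store pair, or SIMD&FP registers
    opc = word >> 30
    mode = MODES.get((word >> 23) & 0b111)
    if opc not in (0b00, 0b10) or mode is None:
        return None                    # LDPSW/STGP, no-allocate pair, reserved
    prefix, scale = ("x", 8) if opc == 0b10 else ("w", 4)
    imm7 = (word >> 15) & 0x7F
    if imm7 & 0x40:                    # sign-extend the 7-bit immediate
        imm7 -= 0x80
    offset = imm7 * scale              # immediate is scaled by the register size
    rt = reg(word & 31, prefix, False)
    rt2 = reg((word >> 10) & 31, prefix, False)
    base = reg((word >> 5) & 31, "x", True)
    mnemonic = "ldp" if (word >> 22) & 1 else "stp"
    if mode == "post":
        addr = f"[{base}], #{offset}"
    elif mode == "pre":
        addr = f"[{base}, #{offset}]!"
    else:
        addr = f"[{base}, #{offset}]" if offset else f"[{base}]"
    return f"{mnemonic} {rt}, {rt2}, {addr}"

if __name__ == "__main__":
    # Bytes exactly as given to llvm-mc in the post above.
    print(decode_pair(bytes.fromhex("e61fbfa9")))
```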

Re: disarm

Posted: Fri Apr 08, 2016 9:49 pm
by morpheus
*shrug* I'm sure there's an IDA python plugin that can also do that :-P

But for those of you who want a quick, portable command line - I just updated to v0.2, which works on Android too, *and* disassembles arbitrary files! Useful if you want to test unknown partitions, bootloaders, etc.

Re: disarm

Posted: Wed Apr 13, 2016 9:10 am
by moshe
Guys, nowadays I just use capstone for that stuff. You can trivially wrap it into something that will read your few bytes from the command line.

Re: disarm

Posted: Wed Apr 13, 2016 12:12 pm
by morpheus
You're free to use whatever disassembler you want. The point of this thread is to show people the tools I use, and personally find useful. If they want to, they can use and help me improve them, for which I'd be more than appreciative. At the bare minimum, a nice "thank you" would be appreciated. If the suggestion is "just use capstone", I'm sure capstone has a helpful forum as well.