disarm

Postby morpheus » Tue Aug 18, 2015 1:31 am

Simple but really useful command line ARM64 disassembler - only good for one instruction at a time, but sometimes that's all you need

http://NewOSXBook.com/tools/disarm.html

J
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: disarm

Postby jbh2 » Wed Aug 19, 2015 1:55 pm

Cool tool! :)
Thanks!
jbh2
 
Posts: 1
Joined: Tue Jul 28, 2015 1:43 pm

Re: disarm

Postby backendbilly » Thu Aug 20, 2015 2:53 pm

Hey Jonathan,

Would you care to provide a few case scenarios of when you would want to use disarm? I find myself puzzled with how and when would I want to use this tool and how it can be helpful.

Thank you

Billy
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: disarm

Postby danzatt » Thu Aug 20, 2015 8:08 pm

As stated in the tweet (https://twitter.com/Technologeeks/status/633180893113249792) it is useful when reversing code which treats code as data.
danzatt
 
Posts: 8
Joined: Sun Jun 28, 2015 12:32 pm

Re: disarm

Postby morpheus » Fri Aug 21, 2015 2:43 am

Actually, it says so in the page. The tweet I had the guys post is a screen capture of the HTML page :)

Billy - I can't claim all my tools are useful (Though I would hope they are!). This one came out of necessity, as I am very much into ARMv8 nowadays (having abandoned ARMv7 and never dared to support x86_64). For injected code, you have two options - either grep Apple's otool to figure out if your opcode disassembled in a random binary, or use a commercial debugger like IDA, DCD the code and "convert to code". Neither of these are a good option and I needed something on the fly. I couldn't find a simple lookup utility. Basically, it's taking my disassembler in JTool and just packaging it with a simple main. And it works. And I use it - now that I have it, more than I suspected I would. So I shared it. Apparently the Twitter verse likes it, though I admit the discrepancy between the blind retweets and those who actually bothered to download the tar file (which only appeared a day later) was entertaining.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: disarm

Postby backendbilly » Fri Aug 21, 2015 11:33 am

Thanks for taking the time to list a few cases of usage. Yes, it says it in the tweet, but I always like use cases for my day-to-day reverse engineering. I don't typically RE injected code but more related to code logic shipped on stock iOS and OSX.

This is why I love jTool, lsock, filemon, and joker. They definitely help me in REing system services in iOS. Thanks again Jonathan. I'm still looking forward to DebugView ;)

Billy
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: disarm

Postby danzatt » Mon Aug 24, 2015 8:31 pm

You can also use llvm-mc to assemble/disassemble instructions/opcodes.
Disassemble (from your examples):
➜  ~  echo '0xe6 0x1f 0xbf 0xa9' | llvm-mc -disassemble -triple=aarch64
        .text
        stp   x6, x7, [sp, #-16]!

Assemble (useful for binary patching):
➜  ~  echo "mov r0, 0; bx lr" | llvm-mc -assemble -triple=armv7 -show-encoding
   .text
        mov   r0, #0                  @ encoding: [0x00,0x00,0xa0,0xe3]
        bx   lr                       @ encoding: [0x1e,0xff,0x2f,0xe1]
danzatt
 
Posts: 8
Joined: Sun Jun 28, 2015 12:32 pm

Re: disarm

Postby morpheus » Fri Apr 08, 2016 9:49 pm

*shrug* I'm sure there's an IDA python plugin that can also do that :-P

But for those of you who want a quick, portable command line - I just updated to v0.2, which works on Android too, *and* disassembles arbitrary files! Useful if you want to test unknown partitions, bootloaders, etc.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: disarm

Postby moshe » Wed Apr 13, 2016 9:10 am

Guys, nowadays I just use capstone for that stuff. You can trivially wrap it into something that will read your few bytes from the command line.
moshe
 
Posts: 3
Joined: Mon Apr 04, 2016 6:58 pm
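To make the "read a few bytes from the command line" idea from the two posts above concrete without any library, here is an added example that is not part of this thread, of disarm, capstone or llvm-mc. It decodes only the A64 load/store register pair class (the stp in the llvm-mc example), takes the bytes in memory order exactly as llvm-mc does, and returns None for every other instruction; the hex words in the comments are constructed test inputs.

```python
import sys


def word_from_hex(hexbytes: str) -> int:
    """'0xe6 0x1f 0xbf 0xa9' or 'e61fbfa9' (bytes in memory order) -> 0xa9bf1fe6.
    A64 instructions are little-endian 32-bit words, so the byte order is reversed."""
    tokens = [t[2:] if t.lower().startswith("0x") else t for t in hexbytes.split()]
    raw = bytes.fromhex("".join(tokens))
    if len(raw) != 4:
        raise ValueError("exactly one 4-byte A64 instruction expected")
    return int.from_bytes(raw, "little")


def sign_extend(value: int, bits: int) -> int:
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def disasm_pair(word: int):
    """Decode the A64 'load/store register pair' class; None for anything else."""
    if (word >> 27) & 0b111 != 0b101 or (word >> 26) & 1:  # bits 29-27 == 101, V == 0
        return None
    opc, form, is_load = word >> 30, (word >> 23) & 0b111, (word >> 22) & 1
    if form > 0b011 or opc not in (0b00, 0b10):  # other classes, LDPSW, unallocated
        return None
    width, scale = ("w", 4) if opc == 0b00 else ("x", 8)
    imm = sign_extend((word >> 15) & 0x7F, 7) * scale  # imm7 is scaled by access size
    rt, rn, rt2 = word & 0x1F, (word >> 5) & 0x1F, (word >> 10) & 0x1F
    base = "sp" if rn == 31 else f"x{rn}"  # register 31 is sp as a base register
    mnem = "ldp" if is_load else "stp"
    if form == 0b001:  # post-index: [base], #imm
        addr = f"[{base}], #{imm}"
    elif form == 0b011:  # pre-index: [base, #imm]!
        addr = f"[{base}, #{imm}]!"
    else:  # signed offset (0b010) or non-temporal pair (0b000)
        if form == 0b000:
            mnem = "ldnp" if is_load else "stnp"
        addr = f"[{base}, #{imm}]" if imm else f"[{base}]"
    return f"{mnem} {width}{rt}, {width}{rt2}, {addr}"


def disasm_hex(hexbytes: str):
    """Command-line entry point: hex bytes in -> mnemonic or None."""
    return disasm_pair(word_from_hex(hexbytes))


if __name__ == "__main__":
    text = " ".join(sys.argv[1:]) if len(sys.argv) > 1 else sys.stdin.read()
    print(disasm_hex(text) or "not a load/store pair instruction")
```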

Re: disarm

Postby morpheus » Wed Apr 13, 2016 12:12 pm

You're free to use whatever disassembler you want. The point of this thread is to show people the tools I use, and personally find useful. If they want to, they can use and help me improve them, for which I'd be more than appreciative. At the bare minimum, a nice "thank you" would be appreciated. If the suggestion is "just use capstone", I'm sure capstone has a helpful forum as well.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm
