
Thread: new linux disassembler

  1. #1

    new linux disassembler

    hi!

    I am currently writing a new Linux disassembler, based on mammon_'s libdisasm.
    Currently it is in a very early stage, but it can actually already be useful. There are some interesting features to come (at least I think so, haha).

    you might have a look at http://lida.sourceforge.net

    Comments are very welcome. Interested people can of course join!

    cheers, your 0xf001
    Last edited by 0xf001; August 3rd, 2004 at 15:50.

  2. #2
    Looks good. I hope it's not too much to ask for a console CLI version of this tool.

  3. #3
    OorjaHalT

    linux disassembler

    The download link seems to be down.
    Last edited by OorjaHalT; August 3rd, 2004 at 20:10. Reason: wrong spelling

  4. #4
    I downloaded it and tried it; it works OK, but it has some bugs.
    There is a CLI backend that works on a console.

    The bug is easy to reproduce. As root:

        dd if=/dev/hda of=mbr count=1 bs=512

    (replace /dev/hda with the device that has the boot record; normally it's /dev/hda), then

        lida_end mbr -d 0 512

    This doesn't seem to work.

    I tried it with another file and it worked, so there is some bug in it.
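
    Added worked example (an editor's addition, not lida code and not the poster's): a parser for the 512-byte image that the dd command above produces, so you can check what the raw file holds before feeding it to a disassembler. The bootstrap code occupies only the first 446 bytes; the four 16-byte partition entries and the 0x55AA signature follow, so "-d 0 512" would also decode the partition table as code. The sample image is constructed inline; its partition values are made up for the demo.

```python
"""Parse a raw 512-byte MBR image such as `dd if=/dev/hda of=mbr bs=512 count=1`
writes, so you know what the file holds before disassembling it. Added example,
not lida code. Standard layout:
  0x000..0x1BD  bootstrap code, 446 bytes of 16-bit real-mode code (runs at 0x7C00)
  0x1BE..0x1FD  four 16-byte partition entries
  0x1FE..0x1FF  boot signature 0x55 0xAA
"""
import struct
from typing import Dict, List, NamedTuple

MBR_SIZE, CODE_SIZE, PART_TABLE = 512, 446, 0x1BE

class Partition(NamedTuple):
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

def parse_mbr(data: bytes) -> Dict[str, object]:
    """Validate the image and return the byte range a disassembler should be
    pointed at (16-bit code only, trailing zero padding trimmed) plus the
    partition entries. Raises ValueError if the file is not an MBR."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    if data[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR")
    parts: List[Partition] = []
    for i in range(4):
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", data, PART_TABLE + 16 * i)
        if ptype == 0 and count == 0:
            continue                                    # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"partition {i}: invalid status byte 0x{status:02x}")
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    code_end = CODE_SIZE
    while code_end > 0 and data[code_end - 1] == 0:    # don't disassemble zero padding
        code_end -= 1
    # `-d 0 512` over the whole sector would decode the partition table and the
    # signature as if they were instructions; only [0, code_end) is code.
    return {"code_range": (0, code_end), "partitions": parts}

def build_sample_mbr() -> bytes:
    """Constructed image: a short real-mode stub (cli; xor ax,ax; mov ds,ax;
    mov ss,ax; mov sp,0x7c00; sti; jmp $), one bootable type-0x83 partition
    starting at LBA 63 with 2097152 sectors (made-up values), and the signature."""
    img = bytearray(MBR_SIZE)
    stub = bytes.fromhex("fa31c08ed88ed0bc007cfbebfe")
    img[:len(stub)] = stub
    img[PART_TABLE:PART_TABLE + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x83, b"\xfe\xff\xff", 63, 2097152)
    img[0x1FE:0x200] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("disassemble bytes", info["code_range"], "as 16-bit code with org 0x7c00")
    for p in info["partitions"]:
        print(p)
```

    Run it on a real dump with `parse_mbr(open("mbr", "rb").read())`; the code range it returns is what to hand to the disassembler, in 16-bit mode, not the whole 512 bytes.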

  5. #5
    hi all!

    thanks for your replies!

    [OorjaHalT]
    The download link has been corrected; anyway, it is the standard SF location.

    I know there are bugs in it; I am working on them. Yesterday I also got libdisasm to segfault. Damn. I will now update libdisasm (it uses 0.16, but only its disassemble_address), which requires some rewriting.

    [homersux]
    Looks good. I hope it's not too much to ask for a console CLI version of this tool.

    Ahm. Hmmm. Originally it is intended to be GUI based, as you have the navigation there. Nevertheless I plan to move much of the Perl stuff to the backend, which is CLI based;
    as you already tried, this will serve most tasks.
    Do you have some comments on how you would like to work with a CLI version?

    To your master boot record:
    lida_end mbr -d 0 512
    This doesn't seem to work.

    I tried it with another file and it worked, so there is some bug in it.

    Currently raw files are not yet supported. This is a minor effort; I will include it this evening.
    You see that if you use the GUI and try to open a raw file.

    ------

    Thank you for trying it out. Definitely there is much to do, and I will update as fast as I can. It is 0.1 and not intended to be stable or safe to use.
    I already have a long todo list. Next to come is some cryptoanalysis, automatic disassembling of data section regions and finally flow analysis.

    Thank you again, and please keep posting everything you encounter; this helps a lot!

  6. #6
    lifewire
    The program looks nice. What kind of cryptoanalysis can we expect?

  7. #7
    Thanks lifewire!

    Basically, in the first run there will be a pattern-based "heuristic" scan like kanal does. This should find common patterns which are used as array initialization for certain algorithms. I am trying to make the search more "fault tolerant" or "fuzzy", so that slight changes to the standard values are recognized. Researching these patterns takes some time, of course.

    On the other side, what is important?
    You want to know which algorithms are used, and where. On Linux, most likely programs will not implement algorithms; they will more likely use OpenSSL functions. So possibly the above-mentioned scanning is not as valuable as I initially thought. But anyway, I think in the future there will be more effort put into SW security on the Linux side, for e.g. commercial products.
    People will probably try to make finding algorithms harder by coding them themselves, or at least by changing the default arrays. This is where the above-mentioned scanning should help.
    Anyway, I would also like to provide an automated "summary overview" of functions in which you are interested.
    So even if a program just uses plain functions like md5_init, ... linked to OpenSSL, it should be displayed.
    What I also plan is to try to do some heuristic fingerprint scanning for typical algorithm implementations. This will analyze the code sequences, not the data blocks.

    Any further comments, please let me know! As mentioned, interested people are welcome to take over certain parts, or submit ideas, fingerprints, ...

    cheers, 0xf001
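
    Added worked example (an editor's addition; not lida's cryptoanalyzer and not any poster's code) of the constant-table scan described in the post above: the published initialization and round-constant arrays of a few algorithms are searched for in a raw byte blob, in either byte order, with a tolerance for a patched entry (the "fuzzy" match), and a second scan reports table words found anywhere at all, which catches constants hard-coded as instruction immediates instead of as an array. The fingerprint values are the standard constants of the named algorithms; the sample blob is constructed for the demo.

```python
"""Constant-table scanner in the spirit of the pattern scan described above
(and of kanal). Added example, not lida code. It looks for the published
initialization / round-constant arrays of common algorithms in a raw byte
blob, in either byte order, tolerating a few patched words (the "fuzzy"
match), and separately reports table words that occur anywhere at all, which
catches constants emitted as instruction immediates rather than as an array.
The fingerprint values are the standard constants; the sample blob is constructed."""
import math
import struct
from typing import Dict, List, NamedTuple

FINGERPRINTS: Dict[str, List[int]] = {
    "md5_T":      [0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee],   # first 4 of the 64 T[i]
    "sha1_K":     [0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xca62c1d6],   # round constants
    "sha256_H":   [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                   0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19],   # initial hash state
    "blowfish_P": [0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344],   # first 4 P-array words (pi)
    # MD4, MD5, SHA-1 and RIPEMD-160 all start from this IV: an IV hit alone
    # names the family, not the algorithm; the round constants above do.
    "md_iv":      [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476],
}

class TableHit(NamedTuple):
    name: str
    offset: int
    endian: str      # "<" little-endian words, ">" big-endian
    matched: int     # words agreeing with the reference table
    total: int

def scan_tables(data: bytes, min_fraction: float = 0.75) -> List[TableHit]:
    """Slide each reference table over data; report offsets where at least
    min_fraction of its words agree, so a table with one patched entry
    (a common attempt to defeat exact-match scanners) is still found."""
    hits: List[TableHit] = []
    for name, words in FINGERPRINTS.items():
        need = max(1, math.ceil(min_fraction * len(words)))
        for endian in ("<", ">"):
            packed = [struct.pack(endian + "I", w) for w in words]
            for off in range(len(data) - 4 * len(words) + 1):
                matched = sum(data[off + 4 * i: off + 4 * i + 4] == p
                              for i, p in enumerate(packed))
                if matched >= need:
                    hits.append(TableHit(name, off, endian, matched, len(words)))
    return hits

def scan_immediates(data: bytes) -> Dict[str, List[int]]:
    """Report every table word present anywhere in data, at any alignment and in
    either byte order; this catches `mov eax, 0xd76aa478`-style unrolled code."""
    found: Dict[str, List[int]] = {}
    for name, words in FINGERPRINTS.items():
        present = [w for w in words
                   if any(struct.pack(e + "I", w) in data for e in ("<", ">"))]
        if present:
            found[name] = present
    return found

def build_sample() -> bytes:
    """Constructed blob: filler, an intact little-endian SHA-256 H table, a
    Blowfish P-array with its third word patched (one bit flipped), and two MD5
    round constants hard-coded as `mov eax, imm32` (B8 imm32) in a code stub."""
    filler = bytes(range(256))
    sha256 = struct.pack("<8I", *FINGERPRINTS["sha256_H"])
    p = list(FINGERPRINTS["blowfish_P"])
    p[2] ^= 1
    blowfish = struct.pack("<4I", *p)
    code = (b"\x55\x89\xe5" + b"\xb8" + struct.pack("<I", 0xd76aa478) + b"\x01\xc2"
            + b"\xb8" + struct.pack("<I", 0xe8c7b756) + b"\xc9\xc3")
    return filler + sha256 + bytes(16) + blowfish + bytes(16) + code

if __name__ == "__main__":
    blob = build_sample()
    for h in scan_tables(blob):
        print(f"{h.name:10s} at 0x{h.offset:04x} ({h.endian}) {h.matched}/{h.total} words")
    for name, ws in scan_immediates(blob).items():
        print(f"{name:10s} words seen anywhere: {[hex(w) for w in ws]}")
```

    Two things the output makes visible: the patched Blowfish table is still reported (3 of 4 words), and the MD5 constants are only found by the immediate scan, since a compiler or a hand-unrolled routine never lays them out as an array.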

  8. #8
    Polaris
    Quote Originally Posted by 0xf001
    Any further comments, please let me know! As mentioned, interested people are welcome to take over certain parts, or submit ideas, fingerprints, ...

    cheers, 0xf001
    Your project looks really good and very promising... Please include the possibility to have plugins and an SDK; it will make it easier to expand and develop new ideas.

    Byez,

    Polaris

  9. #9
    heya!

    I have uploaded a new version. This includes bugfixes, mainly:
    the libdisasm segfault when decoding certain instructions, and
    displaying the disassembly:
    now there is a difference between
    mov eax, 80808080
    and
    mov eax, [80808080]
    Sorry for that; of course in the second case the value stored at the memory address is displayed.

    BTW, did you realize that ldasm does not make a difference between both instructions?
    This is really annoying.
    Even objdump does
    (mov $0x80808080, %eax and mov 0x80808080, %eax).

    cheers, 0xf001
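
    Added worked example (an editor's addition, not lida or libdisasm code) of the distinction the post above is about: the two instructions have different encodings, B8 imm32 for the immediate and A1 moffs32 for the load from an absolute address, and a disassembler that drops the brackets is reporting the wrong operand kind. The decoder below handles those two forms plus the A3 store and the ModRM disp32 forms of 8B/89, and emits both Intel and AT&T syntax so the objdump output quoted in the post can be compared line by line. The byte sample is constructed.

```python
"""Minimal decoder for the mov forms behind the bug fixed above: the immediate
form `mov eax, imm32` (opcode B8+r) versus the absolute-memory forms
`mov eax, [moffs32]` (A1), `mov [moffs32], eax` (A3) and the ModRM disp32
forms of 8B / 89. Added example, not lida or libdisasm code; it prints both
Intel and AT&T syntax so the two objdump readings sit side by side."""
import struct
from typing import List, Optional, Tuple

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_mov(code: bytes, at: int = 0) -> Optional[Tuple[int, str, str]]:
    """Return (length, intel_text, att_text) for the instruction at `at`,
    or None if it is not one of the handled encodings."""
    op = code[at]
    if 0xB8 <= op <= 0xBF:                       # mov r32, imm32: the value IS the operand
        imm = struct.unpack_from("<I", code, at + 1)[0]
        r = REGS[op - 0xB8]
        return 5, f"mov {r}, 0x{imm:x}", f"mov $0x{imm:x}, %{r}"
    if op == 0xA1:                               # mov eax, moffs32: operand is the dword AT that address
        addr = struct.unpack_from("<I", code, at + 1)[0]
        return 5, f"mov eax, [0x{addr:x}]", f"mov 0x{addr:x}, %eax"
    if op == 0xA3:                               # mov moffs32, eax: store to that address
        addr = struct.unpack_from("<I", code, at + 1)[0]
        return 5, f"mov [0x{addr:x}], eax", f"mov %eax, 0x{addr:x}"
    if op in (0x89, 0x8B):                       # 89: mov r/m32, r32   8B: mov r32, r/m32
        modrm = code[at + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 3:                             # register-direct r/m
            rm_i, rm_a, n = REGS[rm], "%" + REGS[rm], 2
        elif mod == 0 and rm == 5:               # no base register: [disp32]
            disp = struct.unpack_from("<I", code, at + 2)[0]
            rm_i, rm_a, n = f"[0x{disp:x}]", f"0x{disp:x}", 6
        else:
            return None                          # SIB / other addressing modes not handled here
        r = REGS[reg]
        if op == 0x8B:                           # load: reg <- r/m
            return n, f"mov {r}, {rm_i}", f"mov {rm_a}, %{r}"
        return n, f"mov {rm_i}, {r}", f"mov %{r}, {rm_a}"   # store: r/m <- reg
    return None

def disassemble(code: bytes) -> List[Tuple[int, str, str]]:
    """Linear sweep over a buffer that contains only the handled forms."""
    out, at = [], 0
    while at < len(code):
        d = decode_mov(code, at)
        if d is None:
            raise ValueError(f"unhandled opcode 0x{code[at]:02x} at offset {at}")
        out.append((at, d[1], d[2]))
        at += d[0]
    return out

# Constructed sample: the two instructions from the post plus the ModRM forms.
SAMPLE = bytes.fromhex(
    "b880808080"        # mov eax, 0x80808080     (immediate)
    "a180808080"        # mov eax, [0x80808080]   (load from absolute address)
    "8b1d80808080"      # mov ebx, [0x80808080]   (same load, ModRM disp32 form)
    "89c3"              # mov ebx, eax
    "a380808080"        # mov [0x80808080], eax   (store)
)

if __name__ == "__main__":
    for off, intel, att in disassemble(SAMPLE):
        print(f"{off:02x}: {intel:26s} {att}")
```

    objdump prints the AT&T forms without the space after the comma; the `$` prefix (immediate) versus its absence (memory operand) is the whole difference the post is pointing at.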

  10. #10
    Hi again!

    I have now uploaded lida-0.1.4.

    This includes the cryptoanalyzer, which currently detects typical implementations of the
    ripemd160, md2, md4, md5, blowfish, cast, des, rc2, sha(1+2)
    algorithms.

    It is definitely getting nicer and nicer to work with.

    cheers, 0xf001

  11. #11
    Bengaly
    Hey 0xf,

    does lida have a first-pass analyzer? (aka code-flow simulation)

  12. #12
    Hi ben,

    unfortunately not yet. It currently only plainly disassembles the whole section forward and remembers certain addresses as jmp/call destinations, and exported symbols. At least for usual gcc-created executables this is usable, but definitely I need to include the control flow analysis ...
    Besides that, the next step should also go together with flow analysis: the separation between code and data, and somehow letting the user mark address ranges to set the "type" or similar.
    I am currently starting to implement it, but don't have much time. For the
    next version (except bugfixes) I hope to have a first basic implementation,
    but to make it intelligent I think requires a lot of work ... we will see.

    cheers, 0xf001

  13. #13
    hi ben!

    Short update: lida now does code flow analysis.
    It works great (I am impressed by myself, haha).
    It traces during disassembly (which recursively goes through all possible branches) and keeps track (remembering the start of instructions + their memory usage) of what it has already disassembled, ... also, if possible, indirect addressing is covered in this run. So pass 1 == disassembly in this case.
    Therefore I found a very efficient method (no structs, or storage of address values or similar needed, hehe!).
    The second "pass" is to scan for function prologues and for each one found repeat pass 1 starting at this address.
    The third pass is to examine the leftover holes.
    Currently I am thinking of how to best find unreferenced "code regions" / "functions", as I see this as the major key for "not forgetting" to disassemble certain ranges. I know which ranges I have not yet processed, but just disassembling them could result in disassembling "data blocks". So I want to put "some more analysis" there before attempting to disassemble.

    The nature of my "pass 1" implementation also immediately tells if there is some "jump into the middle of a previously processed instruction", which is used as an old anti-disassembly "trick".
    So I am also implementing a logic which tries to automatically overcome that
    and lets you probably view both disassemblies, somehow specially marked.

    While implementing I find it more and more fun, and cool: it is still extremely fast (I never repeat any already processed address), although the algorithm has totally changed.

    greets, 0xf001
    Last edited by 0xf001; August 9th, 2004 at 20:16.

  14. #14
    Bengaly
    Hi 0xf,

    great!
    If I had Linux I could test it; unfortunately I don't.
    But keep up the great work!

  15. #15
    Hey ben!

    I have now released v 00.02.

    This includes the control flow disassembling engine, and also the GUI is pretty much updated, so I now have the typical separate windows for
    strings and symbols, where you can click on the list items to jump to the address.
    Also, in sum I am running over 5 passes now. Basically this is:

    1 - recursive disassembly from the entry point (following all branches, stepping into calls)
    2 - a "heuristic" scan finds the main() function for glibc binaries, and repeats
    pass 1 from there
    3 - repeat pass 1 from the start of all executable sections
    4 - scanning for function prologues and repeat pass 1 for each
    5 - (optional) disassembling of "caves"; this disassembles all bytes between
    already known code blocks
    6 - for all caves that still exist (this can happen when disassembly of the
    end of the cave would overwrite a previously disassembled instruction),
    display the bytes in DB xx, xx, xx ... form.
    If 5 is not done, the whole cave is displayed so.

    cheers, 0xf001

    BTW I have new screenshots for you to see the new GUI, if you are interested.
    Getting Linux on a computer is very easy nowadays, hehe.
    I myself have now switched totally, at least for work. But that is another topic.
    Once you have Linux, I hope to already have a good disassembler for you.

    cheers, 0xf001
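
    Added worked example (an editor's addition, not lida's engine and not any poster's code) of the scheme described in posts #13 and #15: a recursive walk that records, for every decoded instruction, which bytes it owns, so that a branch landing inside an already decoded instruction (the classic EB FF C0 48 trick) is flagged and the second reading is listed alongside the first; then a prologue scan (pass 4) and a cave pass (pass 5) pick up code the entry-point walk never reached, and whatever is left is rendered as db (pass 6). The decoder handles only the handful of 32-bit x86 opcodes the demo needs, passes 2 and 3 of the post (main() heuristic, executable sections) need ELF headers and are left out, and the byte sample is constructed.

```python
"""Recursive-descent disassembly with the bookkeeping the two posts above describe.
Added example, not lida code: a deliberately tiny 32-bit x86 decoder (only the
opcodes the demo needs) plus per-byte ownership tracking, so a branch into the
middle of an already decoded instruction (the classic `EB FF C0 48` trick) is
flagged and both readings are listed; a prologue scan and a cave pass then pick
up code the entry-point walk never reached, and leftover bytes are shown as db."""
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
CC = ["o", "no", "b", "ae", "e", "ne", "be", "a", "s", "ns", "p", "np", "l", "ge", "le", "g"]
PROLOGUE = b"\x55\x89\xe5"                  # push ebp; mov ebp, esp
# succ = possible next addresses (fall-through and/or branch target); empty for ret
Insn = NamedTuple("Insn", [("addr", int), ("size", int), ("text", str), ("succ", Tuple[int, ...])])

def decode(code: bytes, a: int) -> Optional[Insn]:
    """Decode one instruction at offset a, or None for a byte we don't handle."""
    op, n = code[a], a + 1
    if op == 0x90: return Insn(a, 1, "nop", (n,))
    if op == 0xC3: return Insn(a, 1, "ret", ())
    if op == 0x55: return Insn(a, 1, "push ebp", (n,))
    if 0x40 <= op <= 0x4F: return Insn(a, 1, f"{'inc' if op < 0x48 else 'dec'} {REGS[op & 7]}", (n,))
    if 0xB8 <= op <= 0xBF and a + 5 <= len(code):
        return Insn(a, 5, f"mov {REGS[op & 7]}, 0x{struct.unpack_from('<I', code, n)[0]:x}", (a + 5,))
    if op in (0x89, 0xFF) and n < len(code) and code[n] >> 6 == 3:     # register-direct ModRM only
        reg, rm = (code[n] >> 3) & 7, code[n] & 7
        if op == 0x89: return Insn(a, 2, f"mov {REGS[rm]}, {REGS[reg]}", (a + 2,))
        if reg < 2: return Insn(a, 2, f"{'inc' if reg == 0 else 'dec'} {REGS[rm]}", (a + 2,))  # FF /0, FF /1
    if (op == 0xEB or 0x70 <= op <= 0x7F) and a + 2 <= len(code):       # jmp rel8 / jcc rel8
        t = a + 2 + struct.unpack_from("<b", code, n)[0]
        if op == 0xEB: return Insn(a, 2, f"jmp 0x{t:x}", (t,))
        return Insn(a, 2, f"j{CC[op & 0xF]} 0x{t:x}", (a + 2, t))       # both edges are followed
    return None

class Listing:
    def __init__(self, code: bytes):
        self.code = code
        self.insns: Dict[int, Insn] = {}
        self.owner: List[Optional[int]] = [None] * len(code)   # byte -> start of the insn owning it
        self.overlaps: List[Tuple[int, int]] = []               # (branch target, insn it lands inside)
    def walk(self, start: int) -> None:
        """Pass 1: follow every successor from start; never decode a known start twice."""
        work = [start]
        while work:
            a = work.pop()
            if not 0 <= a < len(self.code) or a in self.insns: continue
            if self.owner[a] is not None:                        # jump into the middle of a decoded insn
                self.overlaps.append((a, self.owner[a]))
            ins = decode(self.code, a)
            if ins is None: continue
            self.insns[a] = ins
            for b in range(a, a + ins.size):
                if self.owner[b] is None: self.owner[b] = a      # the first reading keeps its bytes
            work.extend(ins.succ)
    def scan_prologues(self) -> List[int]:
        """Pass 4: each push ebp; mov ebp, esp in unowned bytes starts a new walk."""
        found, i = [], self.code.find(PROLOGUE)
        while i != -1:
            if self.owner[i] is None:
                found.append(i); self.walk(i)
            i = self.code.find(PROLOGUE, i + 1)
        return found
    def caves(self) -> List[Tuple[int, int]]:
        """Half-open byte ranges no instruction owns."""
        out, s = [], None
        for i, o in enumerate(self.owner + [0]):                 # sentinel closes a trailing cave
            if o is None and s is None: s = i
            elif o is not None and s is not None: out.append((s, i)); s = None
        return out
    def disassemble_caves(self) -> None:
        """Pass 5: decode caves linearly, but never past an instruction an earlier pass placed."""
        for s, e in self.caves():
            a = s
            while a < e:
                ins = decode(self.code, a)
                if ins is None or a + ins.size > e: break
                self.insns[a] = ins
                for b in range(a, a + ins.size): self.owner[b] = a
                a += ins.size
    def render(self) -> List[str]:
        """Pass 6: instructions in address order, leftover cave bytes as db."""
        lines, a, inside = [], 0, dict(self.overlaps)
        while a < len(self.code):
            if a in self.insns:
                note = f"   ; lands inside the insn at 0x{inside[a]:x}" if a in inside else ""
                lines.append(f"{a:04x}: {self.insns[a].text}{note}"); a += 1
            elif self.owner[a] is None:
                s = a
                while a < len(self.code) and self.owner[a] is None: a += 1
                lines.append(f"{s:04x}: db " + ", ".join(f"0x{b:02x}" for b in self.code[s:a]))
            else: a += 1                                         # byte inside an already listed insn
        return lines

def analyze(code: bytes, entry: int = 0) -> List[str]:
    """Passes 1, 4, 5 and 6 of the post (2 and 3 need ELF headers and are left out)."""
    L = Listing(code)
    L.walk(entry); L.scan_prologues(); L.disassemble_caves()
    return L.render()

# Constructed sample: jmp-into-itself trick at the entry, then padding the entry walk
# never reaches (two nops, two int3 bytes we don't decode), then an unreferenced function.
SAMPLE = bytes.fromhex("ebffc048c3" "9090cccc" "5589e5b82a000000c3")
```

    Running `analyze(SAMPLE)` lists `jmp 0x1` at 0000 and, at 0001, `inc eax` marked as landing inside the instruction at 0x0 (a linear sweep would instead read C0 48 as the start of a shift instruction); the two int3 bytes survive the cave pass and come out as `db 0xcc, 0xcc`, and the function at 0009 is only in the listing because the prologue scan found it.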
