2.61 Quick assembly and disassembly
https://scz.617.cn/unix/201612151740.txt
A: scz
aptitude install radare2
$ rasm2 -a x86 -b 32 -s intel -o 0x98D0EBE "mov eax,3;nop;jmp 0x98d0efe"
b80300000090e935000000
$ rasm2 -a x86 -b 32 -s intel -o 0x98D0EBE -D b80300000090e935000000
0x098d0ebe   5          b803000000  mov eax, 0x3
0x098d0ec3   1                  90  nop
0x098d0ec4   5          e935000000  jmp 0x98d0efe

$ rasm2 -a x86 -b 64 -s intel -o 0x98D0EBE "mov rax,rbx;nop;jmp rsp"
4889d890ffe4
$ rasm2 -a x86 -b 64 -s intel -o 0x98D0EBE -D 4889d890ffe4
0x098d0ebe   3              4889d8  mov rax, rbx
0x098d0ec1   1                  90  nop
0x098d0ec2   2                ffe4  jmp rsp

-a supports x86, ppc, arm, mips, bf, java and so on.

There are quite a few bugs. For example, the x86 assembler engine does not support the cr4 register, while the disassembler engine does:

$ rasm2 -a x86 -b 32 -s intel -o 0 -D 0f20e00f22e0
0x00000000   3              0f20e0  mov eax, cr4
0x00000003   3              0f22e0  mov cr4, eax
$ rasm2 -a x86 -b 32 -s intel -o 0 "mov eax,cr4;mov cr4,eax"
89f889ff
$ rasm2 -a x86 -b 32 -s intel -o 0 -D 89f889ff
0x00000000   2                89f8  mov eax, edi
0x00000002   2                89ff  mov edi, edi
$ rasm2 -a x86 -b 32 -s intel -o 0 "mov eax,edi;mov edi,edi"
89f889ff

$ rasm2 -L | grep x86 | grep ^a
a_  x86.nz      x86 assembler with non-zeros
ad  x86.olly    X86 disassembly plugin (olly engine)

Meaning of the first column:

a  capable to assemble (ollyasm, custom, ..)
d  disassemble (using capstone, gnu, custom, ..)

The x86.olly assembler engine does support the cr4 register:

$ rasm2 -a x86.olly -b 32 -s intel -o 0 "mov eax,cr4;mov cr4,eax"
0f20e00f22e0

Converting between Intel and AT&T syntax:

$ rasm2 -a x86 -b 32 -s intel -o 0 "xor eax,eax;mov [eax],eax" | rasm2 -a x86 -b 32 -s att -o 0 -D -f -
0x00000000   2                31c0  xor %eax, %eax
0x00000002   2                8900  mov %eax, (%eax)
Q:
How do you use a relative offset in a jump instruction with rasm2?
A: bluerust 2022-04-21
First check the rasm2 version; older versions have more bugs. I tested on this version:

$ rasm2 -v
rasm2 5.0.0 0 @ linux-x86-32 git.5.0.0

Failure case 1

$ rasm2 -a x86 -b 64 -s intel -o 0x1234 "cmp rsi,0x5678;jnz $+3;nop;xor rax,rax"
4881fe785600000f85c2edffff904831c0
$ rasm2 -a x86 -b 64 -s intel -o 0x1234 -D 4881fe785600000f85c2edffff904831c0
0x00001234   7      4881fe78560000  cmp rsi, 0x5678
0x0000123b   6        0f85c2edffff  jne 3
0x00001241   1                  90  nop
0x00001242   3              4831c0  xor rax, rax
"jnz $+3" was not interpreted as relative offset 3; it was interpreted as absolute address 3.

Failure case 2

$ rasm2 -a x86 -b 64 -s intel -o 0x1234 "cmp rsi,0x5678;jnz short $+3;nop;xor rax,rax"
$ rasm2 -a x86 -b 64 -s intel -o 0x1234 "cmp rsi,0x5678;jnz short .+3;nop;xor rax,rax"
4881fe7856000075c6904831c0
$ rasm2 -a x86 -b 64 -s intel -o 0x1234 -D 4881fe7856000075c6904831c0
0x00001234   7      4881fe78560000  cmp rsi, 0x5678
0x0000123b   2                75c6  jne 0x1203
0x0000123d   1                  90  nop
0x0000123e   3              4831c0  xor rax, rax
With short specified, +3 is indeed interpreted as a relative offset, but both $ and . are interpreted as 0x1200, which is not what was expected.

Failure case 3

$ rasm2 -a x86 -b 64 -s intel -o 0x100001234 "cmp rsi,0x5678;jnz short $+3;nop;xor rax,rax"
Cannot assemble 'jnz short $+3' at line 10
invalid
When assembling with the "x86" engine, if the start address given with -o exceeds 32 bits, the $+n form makes assembly fail. When $+n is not involved, the value given with -o may exceed 32 bits.

Success case 1

$ rasm2 -a x86.nasm -b 64 -s intel -o 0x1234 "cmp rsi,0x5678;jnz $+3;nop;xor rax,rax"
$ rasm2 -a x86.nasm -b 64 -s intel -o 0x1234 "cmp rsi,0x5678;jnz short $+3;nop;xor rax,rax"
4881fe785600007501904831c0
$ rasm2 -a x86 -b 64 -s intel -o 0x1234 -D 4881fe785600007501904831c0
0x00001234   7      4881fe78560000  cmp rsi, 0x5678
0x0000123b   2                7501  jne 0x123e
0x0000123d   1                  90  nop
0x0000123e   3              4831c0  xor rax, rax
Assembling with the "x86.nasm" engine requires nasm to be in PATH; disassembly still uses the "x86" engine. The result is as expected: $ is interpreted as the address of the jnz instruction itself, +3 is a relative offset, and it makes no difference whether short is specified.

Success case 2

$ rasm2 -a x86.nasm -b 64 -s intel -o 0x100001234 "cmp rsi,0x5678;jnz $+3;nop;xor rax,rax"
$ rasm2 -a x86.nasm -b 64 -s intel -o 0x100001234 "cmp rsi,0x5678;jnz short $+3;nop;xor rax,rax"
4881fe785600007501904831c0
$ rasm2 -a x86 -b 64 -s intel -o 0x100001234 -D 4881fe785600007501904831c0
0x100001234   7     4881fe78560000  cmp rsi, 0x5678
0x10000123b   2               7501  jne 0x10000123e
0x10000123d   1                 90  nop
0x10000123e   3             4831c0  xor rax, rax
When assembling with the "x86.nasm" engine, the $+n form still works even when the start address given with -o exceeds 32 bits.

When using rasm2, always check by assembling and disassembling as a pair; don't just assemble and take the result, there are plenty of gotchas.
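As an added example (written for this note, not code from the post or from radare2), the displacement arithmetic behind the three disassembly results above, in Python: a jne displacement is signed and relative to the end of the jump instruction, so decoding the three encodings rasm2 produced at 0x123b gives back `jne 3`, `jne 0x1203` and `jne 0x123e`, and encoding `jnz $+3` with `$` taken as the jnz's own address yields 7501, the bytes nasm produced. The function names and the 64-bit wraparound mask are assumptions of this example.

```python
# Added example, not code from the post or from radare2: the displacement
# arithmetic behind the rasm2 results discussed above. Function names and
# the 64-bit wraparound mask are assumptions of this example.
import struct

JNE_SHORT = bytes([0x75])        # jne rel8  (2-byte instruction)
JNE_NEAR = bytes([0x0F, 0x85])   # jne rel32 (6-byte instruction)
MASK64 = (1 << 64) - 1


def jump_target(addr, code):
    """Target of a jne rel8/rel32 at `addr`: the displacement is signed and
    relative to the END of the jump (the next instruction's address)."""
    if code[:1] == JNE_SHORT and len(code) >= 2:
        disp, length = struct.unpack("<b", code[1:2])[0], 2
    elif code[:2] == JNE_NEAR and len(code) >= 6:
        disp, length = struct.unpack("<i", code[2:6])[0], 6
    else:
        raise ValueError("not a jne rel8/rel32 encoding: %s" % code.hex())
    return (addr + length + disp) & MASK64


def encode_jne(addr, target, short=True):
    """Bytes for `jne target` placed at `addr` (rel8 if short, else rel32)."""
    length = 2 if short else 6
    disp = target - (addr + length)
    if short:
        if not -128 <= disp <= 127:
            raise ValueError("rel8 displacement out of range: %d" % disp)
        return JNE_SHORT + struct.pack("<b", disp)
    if not -(1 << 31) <= disp < (1 << 31):
        raise ValueError("rel32 displacement out of range: %d" % disp)
    return JNE_NEAR + struct.pack("<i", disp)


def jnz_dollar_plus(addr, n, short=True):
    """What nasm means by `jnz $+n`: `$` is the address of the jnz itself."""
    return encode_jne(addr, addr + n, short)


if __name__ == "__main__":
    # Constructed inputs: the three jne encodings rasm2 emitted at 0x123b.
    print(hex(jump_target(0x123B, bytes.fromhex("0f85c2edffff"))))  # 0x3
    print(hex(jump_target(0x123B, bytes.fromhex("75c6"))))          # 0x1203
    print(hex(jump_target(0x123B, bytes.fromhex("7501"))))          # 0x123e
    print(jnz_dollar_plus(0x123B, 3).hex())                         # 7501
```

The same arithmetic shows why the first two "x86" results are wrong: `0f85c2edffff` only reaches absolute address 3 because the engine took `$+3` as the literal value 3, and `75c6` lands on 0x1203 because `$` was taken as 0x1200 rather than 0x123b.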