8 replies to this topic

[artificial]

Hello all!

I have a problem when disassembling my assembly programs on Linux (Debian GNU/Linux 5.0.5). I use NASM and its disassembler NDISASM. I've read that it's only able to work with object-files, but I'm not sure.

I've written this code...

segment .data

	STRING: db "Hello World!", 0xa, 0xd

	LEN   : equ $-STRING


segment .text

	global _start

_start:

	mov eax, 0x4

	xor ebx, ebx

	mov ecx, STRING

	mov edx, LEN

	int 0x80

	

	mov eax, 0x1

	xor ebx, ebx

	int 0x80

.. and used these commands to assemble and link it:

nasm -f elf HELLO.ASM

ld -o HELLO HELLO.o

The program works properly, but when I disassemble it, the output seems to have no connection to the code I've written (of course I have to search the code part, but there are hardly any similarities).
Does somebody know how I can solve this problem (or do you know a disassembler that uses NASM's style)?

Greets,
artificial

[Alexander]

Quote

but when I disassemble it, the output seems to have no connection to the code I've written

You can forget about getting similarities of the original sources when you compile assemblies on a modern compiler especially with NASM's reputation for efficiency tweeking, it optimises the code far enough that only the most absolute basic operations will resemble eachother (if at all).

[artificial]

Thanks for your reply, Nullw0rm.
I hope that there's an option to turn off tweaking. I'll google that.
What about other assemblers like FASM which (more or less) use NASM's style. Can I solve my problem by using them?

Nullw0rm said:

You can forget about getting similarities of the original sources when you compile assemblies on a modern compiler

When I try it with MASM, it works fine (Windows). I just wondered why it's so "strange" on Linux.

Greets,
artificial

[Alexander]

What are you using to disassemble MASM on Windows, IDA Pro or something? I bet it's an interactive assembler which will translate for you, cross-reference link sections and attempt to make it look its original. You just won't get assemblers today that will write as is, in my opinion you should not assume what you write can be disassembled back into itself; When it is translated into hex in the end the format it's just lost.

[artificial]

On Windows, I tried IDA Pro Free and Microsoft's Debug. Both returned my code.
Is there any interactive disassembler available for Linux? I don't like MASM and its style, so I'd like to keep on using NASM.

Greets,
artificial

[Alexander]

The only one worth it is named BASTARD, which you can download from here:
Download The Bastard from SourceForge.net

I linked to the binary because the source seems to not play well, but you can download it if it doesn't try, you may need to do some symlinking in order for it to work.

I tested it for you, with this command on the linked ELF binary:

/bin/bastard -- < ./helloworld

Which outputs the following after preprocessor garbage:

Section: .text    Start Address: 08048080    End Address: 0804809C
-------------------------------------------------------------------------

; -------------------------- Subroutine _start
_start:
08048080 B8 04 00 00 00               mov    eax , 0x4  
08048085 31 DB                        xor    ebx , ebx  
08048087 B9 9C 90 04 08               mov    ecx , 0x804909C  
0804808C BA 0E 00 00 00               mov    edx , 0xE  
08048091 CD 80                        int    0x80  ;write() 
08048093 B8 01 00 00 00               mov    eax , 0x1  
08048098 31 DB                        xor    ebx , ebx  
0804809A CD 80                        int    0x80  ;exit() 


Section: .data    Start Address: 0804909C    End Address: 080490AA
-------------------------------------------------------------------------
STRING:
0804909C 48 65 6C 6C 6F 20 57 6F +    ;(Addr of 14 bytes)         ; String: "Hello World!\n"

As you're learning, remember: Machine code is simply a long string of hex, and disassemblers cannot distinguish code from strings. Assembly mnemonics can be mapped to processor opcodes (operands), and be translated back and forth. What the disassembler does not know, is what a string is, so it incorrectly translates the string into an improper assembly product. An interactive disassembler attempts to distinguish the strings and omit them to better produce something more relevant to your original source, so what I just showed you is the best you'll get.

[artificial]

Thanks a lot, Nullw0rm! :)
That program is just what I've been looking for.

Nullw0rm said:

As you're learning, remember: Machine code is simply a long string of hex, and disassemblers cannot distinguish code from strings.

Well, I'm not an absolute beginner. I know that the disassembler doesn't know the difference, but I thought that it would translate the code part correctly. At least, I know now why it's not like that.

Greets,
artificial

[dargueta]

@Artificial: Disable optimizations just like in GCC, by passing -O0, like so

"Untweaked"

nasm -felf -O0 -o blah.o blah.asm


Tweaked-ish

nasm -felf -o blah.o blah.asm (depends on version)

nasm -felf -O1 -o blah.o blah.asm

nasm -felf -O2 -o blah.o blah.asm (more tweaked than 1)


Heavily optimized

nasm -felf -O3 -o blah.o blah.asm

Edit:
You can also try using objdump. Basic usage:

objdump -d blah.o > disasm.asm

This'll dump it using hideous AT&T syntax, so I'd recommend

objdump -d -Mintel-mnemonics blah.o > disasm.asm

[artificial]

Thanks at all! :)

Another program I found is ht. One can use it like this:

hte foo

Then one has to skip to disassembly-mode and that's it.

Greets,
artificial