====== Disassemblar ======


Existem algumas técnicas de como disassemblar. Vou colocar aqui as que já utilizei alguma vez na minha vida.

===== Utilizando objdump para disassemblar uma section do ELF =====


Vamos disassemblar somente a sessão .text.

<code bash>
[root@localhost:~ ]# objdump -dj .text hello2

hello2:     file format elf64-x86-64


Disassembly of section .text:

00000000004000b0 <_start>:
  4000b0:       b8 04 00 00 00          mov    $0x4,%eax
  4000b5:       bb 01 00 00 00          mov    $0x1,%ebx
  4000ba:       b9 d4 00 60 00          mov    $0x6000d4,%ecx
  4000bf:       ba 0a 00 00 00          mov    $0xa,%edx
  4000c4:       cd 80                   int    $0x80
  4000c6:       b8 01 00 00 00          mov    $0x1,%eax
  4000cb:       bb 00 00 00 00          mov    $0x0,%ebx
  4000d0:       cd 80                   int    $0x80 
[root@localhost:~ ]#
</code>

Vamos olhar o fonte payload.asm

<code c>

section .data
        hello: db "ola mundo", 0xa 
section .text
global _start
_start:
        mov eax, 4 
        mov ebx, 1 
        mov ecx, hello
        mov edx, 10   
        int 0x80        

        mov eax, 1     
        mov ebx, 0      
        int 0x80        
</code>

===== Disassemblando Online =====

Para disassemblar online utilizo o site

[[https://onlinedisassembler.com/odaweb/|https://onlinedisassembler.com/odaweb/]]

ou

[[https://disassembler.io|https://onlinedisassembler.io]]

===== Utilizando objdump para disassemblar todo o binário ELF =====

<code bash>
root@localhost:~# objdump -D hello2

hello2:     file format elf64-x86-64


Disassembly of section .text:

00000000004000b0 <_start>:
  4000b0:       b8 04 00 00 00          mov    $0x4,%eax
  4000b5:       bb 01 00 00 00          mov    $0x1,%ebx
  4000ba:       b9 d4 00 60 00          mov    $0x6000d4,%ecx
  4000bf:       ba 0a 00 00 00          mov    $0xa,%edx
  4000c4:       cd 80                   int    $0x80
  4000c6:       b8 01 00 00 00          mov    $0x1,%eax
  4000cb:       bb 00 00 00 00          mov    $0x0,%ebx
  4000d0:       cd 80                   int    $0x80

Disassembly of section .data:

00000000006000d4 <hello>:
  6000d4:       6f                      outsl  %ds:(%rsi),(%dx)
  6000d5:       6c                      insb   (%dx),%es:(%rdi)
  6000d6:       61                      (bad)
  6000d7:       20 6d 75                and    %ch,0x75(%rbp)
  6000da:       6e                      outsb  %ds:(%rsi),(%dx)
  6000db:       64 6f                   outsl  %fs:(%rsi),(%dx)
  6000dd:       0a                      .byte 0xa
root@localhost:~#
</code>


===== Disassemblar com readelf =====

<code bash>
root@localhost:~# readelf -x .text hello2

Hex dump of section '.text':
  0x004000b0 b8040000 00bb0100 0000b9d4 006000ba .............`..
  0x004000c0 0a000000 cd80b801 000000bb 00000000 ................
  0x004000d0 cd80                                ..

root@localhost:~#
</code>

===== Visualizar arquivo em formato imagem =====

http://binvis.io/#/