====== Disassemblar ======
Existem algumas técnicas de como disassemblar. Vou colocar aqui as que já utilizei alguma vez na minha vida.
===== Utilizando objdump para disassemblar uma section do ELF =====
Vamos disassemblar somente a seção .text: a opção -j restringe a saída a uma section específica, e -d (ao contrário de -D) só disassembla sections marcadas como código.
[root@localhost:~ ]# objdump -dj .text hello2
hello2: file format elf64-x86-64
Disassembly of section .text:
00000000004000b0 <_start>:
4000b0: b8 04 00 00 00 mov $0x4,%eax
4000b5: bb 01 00 00 00 mov $0x1,%ebx
4000ba: b9 d4 00 60 00 mov $0x6000d4,%ecx
4000bf: ba 0a 00 00 00 mov $0xa,%edx
4000c4: cd 80 int $0x80
4000c6: b8 01 00 00 00 mov $0x1,%eax
4000cb: bb 00 00 00 00 mov $0x0,%ebx
4000d0: cd 80 int $0x80
[root@localhost:~ ]#
Vamos olhar o fonte payload.asm
section .data
; 9 characters plus a trailing newline = 10 bytes, which is the length passed in edx below.
hello: db "ola mundo", 0xa
section .text
global _start
_start:
mov eax, 4       ; syscall number 4 on the 32-bit Linux int 0x80 ABI (write)
mov ebx, 1       ; fd 1 = stdout
mov ecx, hello   ; buffer address; assembles to the absolute 0x6000d4 seen in the objdump output
mov edx, 10      ; byte count (length of the "hello" string above)
int 0x80         ; NOTE(review): legacy 32-bit syscall gate used from an elf64-x86-64 binary;
                 ; arguments are 32-bit, so this only works while the buffer address fits in 32 bits
                 ; (0x6000d4 does). The native 64-bit entry would be the syscall instruction.
mov eax, 1       ; syscall number 1 on the int 0x80 ABI (exit)
mov ebx, 0       ; exit status 0
int 0x80
===== Disassemblando Online =====
Para disassemblar online utilizo os sites abaixo. Atenção: enviar um binário para um serviço de terceiros entrega uma cópia dele a esse serviço; não use esses sites com binários confidenciais ou com amostras que não possam sair do seu ambiente de análise.
[[https://onlinedisassembler.com/odaweb/|https://onlinedisassembler.com/odaweb/]]
ou
[[https://disassembler.io|https://disassembler.io]]
===== Utilizando objdump para disassemblar todo o binário ELF =====
root@localhost:~# objdump -D hello2
hello2: file format elf64-x86-64
Disassembly of section .text:
00000000004000b0 <_start>:
4000b0: b8 04 00 00 00 mov $0x4,%eax
4000b5: bb 01 00 00 00 mov $0x1,%ebx
4000ba: b9 d4 00 60 00 mov $0x6000d4,%ecx
4000bf: ba 0a 00 00 00 mov $0xa,%edx
4000c4: cd 80 int $0x80
4000c6: b8 01 00 00 00 mov $0x1,%eax
4000cb: bb 00 00 00 00 mov $0x0,%ebx
4000d0: cd 80 int $0x80
Disassembly of section .data:
00000000006000d4 <hello>:
6000d4: 6f outsl %ds:(%rsi),(%dx)
6000d5: 6c insb (%dx),%es:(%rdi)
6000d6: 61 (bad)
6000d7: 20 6d 75 and %ch,0x75(%rbp)
6000da: 6e outsb %ds:(%rsi),(%dx)
6000db: 64 6f outsl %fs:(%rsi),(%dx)
6000dd: 0a .byte 0xa
root@localhost:~#
Repare que -D disassembla todas as sections, inclusive .data: os bytes 6f 6c 61 20 6d 75 6e 64 6f 0a são apenas a string "ola mundo\n", mas o objdump os decodifica como instruções sem sentido (o "(bad)" em 0x6000d6 marca um opcode inválido). Ao analisar um binário desconhecido, não confie no disassembly de sections de dados; use -d ou -j para limitar a saída ao código.
===== Dump hexadecimal com readelf =====
O readelf não disassembla: readelf -x apenas imprime os bytes brutos de uma section. Compare com a saída do objdump acima: b8 04 00 00 00 são exatamente os bytes da instrução "mov $0x4,%eax".
root@localhost:~# readelf -x .text hello2
Hex dump of section '.text':
0x004000b0 b8040000 00bb0100 0000b9d4 006000ba .............`..
0x004000c0 0a000000 cd80b801 000000bb 00000000 ................
0x004000d0 cd80 ..
root@localhost:~#
===== Visualizar arquivo em formato imagem =====
http://binvis.io/#/