KENJI’S BLOG

2009-09-09

When you have no PowerPC environment but want to disassemble a PowerPC binary…

Having a real PowerPC environment is of course ideal, but even without one you can get by as long as you can at least disassemble the code, and radare's ppc option is enough for that.

http://radare.nopcode.org/new/

# rasm -h
Usage: rasm [-elvV] [-f file] [-s offset] [-a arch] [-d bytes] "opcode"|-
 if 'opcode' is '-' reads from stdin
  -v           enables debug
  -d [bytes]   disassemble from hexpair bytes
  -f [file]    compiles assembly file to 'file'.o
  -s [offset]  offset where this opcode is suposed to be
  -a [arch]    selected architecture (x86, olly, ppc, arm, java, rsc)
  -e           use big endian
  -l           list all supported opcodes and architectures
  -V           show version information
#

Besides x86, the supported architectures include ppc and arm. Feeding it a ppc binary as a test:

# radare sample
open ro sample
> Importing file information...
[Information]
ELF class:       ELF32
Data enconding:  2's complement, big endian
OS/ABI name:     linux
Machine name:    PowerPC
Architecture:    ppc
File type:       EXEC (Executable file)
Stripped:        Yes
Static:          No
Base address:    0x10000000
> Importing symbols...
7 imports added
1 symbols added
29 sections added
2 strings added
> Analyzing code...
  [/] 02:01:02:00 ==
strings: 2
functions: 1
structs: 0
data_xrefs: 0
code_xrefs: 0
[0x100003E0]>V (← typed at the prompt)
[ 0x100003e0 (bs=512 mark=0x0) (null) ] entrypoint,section._text
[.________#______________________________________________________________________________________]
          ; [12] 0x100003e0 size=00005568 align=0x00000010 -r-x .text
          ; args = 0
          ; vars = 0
          ; drefs = 0
          0x100003e0, / entrypoint,section._text:
          0x100003e0, |           7c290b78        mr      r9,r1
          0x100003e4, |           54210036        rlwinm  r1,r1,0,0,27
          ; syscall (todo)
          0x100003e8, |           38000000        li      r0,0
          0x100003ec, |           9421fff0        stwu    r1,-16(r1)
          0x100003f0, |           7c0803a6        mtlr    r0
          0x100003f4, |           90010000        stw     r0,0(r1)
          ; syscall (todo)
          0x100003f8, |           3d001000        lis     r8,4096
          0x100003fc, |           85a819d8        lwzu    r13,6616(r8)
          0x10000400, |           480014f0        b       0x100018f0  ; 1 = 0x100018f0
          0x10000404, |           00000000        .long 0x0
          0x10000408, |           00000000        .long 0x0
          0x1000040c, |           00000000        .long 0x0
          0x10000410, |           9421ffe0        stwu    r1,-32(r1)
          0x10000414, |           7c0802a6        mflr    r0
          0x10000418, |           93810010        stw     r28,16(r1)
          0x1000041c, |           93a10014        stw     r29,20(r1)
          ; syscall (todo)
          0x10000420, |           3f801001        lis     r28,4097
          0x10000424, |           90010024        stw     r0,36(r1)
          0x10000428, |           93c10018        stw     r30,24(r1)
          ; syscall (todo)
          0x1000042c, |           3bdc2020        addi    r30,r28,8224
          0x10000430, |           93e1001c        stw     r31,28(r1)
          0x10000434, |           881c2020        lbz     r0,8224(r28)
          0x10000438, |           2f800000        cmpwi   cr7,r0,0

Looks fine, doesn't it?
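As an added example (not from the original post and not radare's own code), here is a small Python decoder for the handful of big-endian PowerPC32 instruction forms that appear in the listing above, together with the ELF header check that produces the "big endian / PowerPC" identification radare printed. The header bytes and the instruction words are constructed from the listing; the EM_PPC value and the SPR numbers come from the ELF and PowerPC specifications. It shows what a PowerPC-less host actually needs to do: read the byte order from the ELF header, then decode 32-bit big-endian words by primary and extended opcode.

```python
# Added example (not from the original post, not radare's own code): a minimal
# decoder for the big-endian PowerPC32 instruction forms seen in the listing,
# plus the ELF header check behind radare's "Importing file information" step.
import struct

EM_PPC = 20   # e_machine value for 32-bit PowerPC (ELF specification)

def elf_header_info(header: bytes) -> dict:
    """Read class, byte order and machine type from the first 20 bytes of an ELF header."""
    if header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class = {1: "ELF32", 2: "ELF64"}[header[4]]          # EI_CLASS
    endian = {1: "little", 2: "big"}[header[5]]              # EI_DATA
    (machine,) = struct.unpack_from(">H" if endian == "big" else "<H", header, 18)
    return {"class": elf_class, "endian": endian, "machine": machine}

def bits(word: int, lo: int, hi: int) -> int:
    """Field lo..hi in IBM bit numbering (bit 0 is the MSB of the 32-bit word)."""
    return (word >> (31 - hi)) & ((1 << (hi - lo + 1)) - 1)

def signed16(x: int) -> int:
    return x - 0x10000 if x & 0x8000 else x

def fmt(mnemonic: str, operands: str) -> str:
    return f"{mnemonic:<8}{operands}"

DFORM = {32: "lwz", 33: "lwzu", 34: "lbz", 35: "lbzu", 36: "stw", 37: "stwu"}
SPR_NAMES = {1: "xer", 8: "lr", 9: "ctr"}

def decode(word: int, addr: int) -> str:
    """Decode one 32-bit instruction word located at addr; unknown words become .long."""
    op = bits(word, 0, 5)
    rd, ra, rb = bits(word, 6, 10), bits(word, 11, 15), bits(word, 16, 20)
    simm = signed16(word & 0xFFFF)
    if op == 11:                                  # cmpi; cmpwi when the L bit is 0
        return fmt("cmpwi", f"cr{bits(word, 6, 8)},r{ra},{simm}")
    if op == 14:                                  # addi; simplified to li when rA = 0
        return fmt("li", f"r{rd},{simm}") if ra == 0 else fmt("addi", f"r{rd},r{ra},{simm}")
    if op == 15:                                  # addis; simplified to lis when rA = 0
        return fmt("lis", f"r{rd},{simm}") if ra == 0 else fmt("addis", f"r{rd},r{ra},{simm}")
    if op == 18:                                  # b/bl: 26-bit signed displacement, AA bit = absolute
        li = word & 0x03FFFFFC
        if li & 0x02000000:
            li -= 0x04000000
        target = li if word & 2 else (addr + li) & 0xFFFFFFFF
        return fmt("bl" if word & 1 else "b", f"0x{target:x}")
    if op == 21:                                  # rlwinm rA,rS,SH,MB,ME
        return fmt("rlwinm", f"r{ra},r{rd},{rb},{bits(word, 21, 25)},{bits(word, 26, 30)}")
    if op in DFORM:                               # D-form load/store: rD,d(rA)
        return fmt(DFORM[op], f"r{rd},{simm}(r{ra})")
    if op == 31:                                  # X/XFX forms, selected by the extended opcode
        xo = bits(word, 21, 30)
        spr = (rb << 5) | ra                      # SPR field is encoded with its halves swapped
        name = SPR_NAMES.get(spr, f"spr{spr}")
        if xo == 444:                             # or; printed as mr when rS == rB
            return fmt("mr", f"r{ra},r{rd}") if rd == rb else fmt("or", f"r{ra},r{rd},r{rb}")
        if xo == 467:
            return fmt(f"mt{name}", f"r{rd}")
        if xo == 339:
            return fmt(f"mf{name}", f"r{rd}")
    return f".long 0x{word:x}"

def disassemble(code: bytes, base: int) -> list:
    """Return (address, word, text) for every big-endian 32-bit word in code."""
    out = []
    for i in range(0, len(code) - 3, 4):
        (word,) = struct.unpack_from(">I", code, i)
        out.append((base + i, word, decode(word, base + i)))
    return out

# Constructed sample data: a 20-byte ELF32 big-endian PowerPC header prefix and the
# first nine words of the .text section from the listing, starting at 0x100003e0.
SAMPLE_ELF_HEADER = b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + struct.pack(">HH", 2, EM_PPC)
SAMPLE_TEXT = bytes.fromhex(
    "7c290b78 54210036 38000000 9421fff0 7c0803a6 90010000 3d001000 85a819d8 480014f0"
)
TEXT_BASE = 0x100003E0

if __name__ == "__main__":
    print(elf_header_info(SAMPLE_ELF_HEADER))
    for addr, word, text in disassemble(SAMPLE_TEXT, TEXT_BASE):
        print(f"0x{addr:08x}  {word:08x}  {text}")
```

This is deliberately not a general disassembler: only the forms in the listing are decoded, and anything else falls through to `.long`, the same way radare printed the zero words that follow the branch. The branch target is computed from the instruction's own address, which is why the decoder takes `addr` along with the word; get the base address wrong and every relative branch will point somewhere else.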

Incidentally, it can read arm too, but for arm the IDA Pro demo version seems to be the better choice.

http://www.hex-rays.com/idapro/idadowndemo.htm