I want to disassembly small hex fragment, for example "6a2958996a"
in IDA pro in 64 bit mode?
Is there an easy way to do it?
Or i should create ELF file first and disassembly it?
IDA can also load 'flat' binary file.
Open an empty file with an hex editor and input the required bytes in it.
I prefer to go directly with python 3.x :
>>> with open("c:\\tmp\\tmp_file.bin", "wb") as f:
f.write(bytearray.fromhex("6a2958996a"))
Open IDA (64-bit version) and open the binary file with it.
Keep the default options (or choose the right processor, e.g. '686p'):
Make sure you select 64-bit mode:
By default the code is not disassembled:
Put the cursor on the first byte (0x6a; address 0x00) and then press 'c' to make it code rather than undefined byte:
Well, the example is not a completely valid code (0x6a is awaiting for another byte) but you get the whole idea...
Related
I'm beginner in IAR workbench and any part of embedded s/w.
I suddenly had to compile hex code for controller product.
so that reason, I succeeded in uploading an existing hex file (no error at all.) to the product using the flash loader and i check all the functions working well.
But when i uploaded the hex file that i changed some values for testing in the original file
(cuz, i have to change some values for customer's demanding later),
I can upload but it doesn't work at all.. I think debugging or other value was missing.
In this situation, is there a way to get debugging values or other linker values set in the existing hexa file?
Because the predecessor didn't left any information about setting value, so it's hard to ask original setting value.
I use ewarm, IAR 8.5ver
(no license ver. so i just can use this program for 30days because I failed so many times past IAR versions)
If you have any suggestions or set debugging / linker value please let me know
(I changed configuration file, output in linker)
Thanks for reading this!
Using IAR IDE for building ARM executables from C source, I can see the disassembly, including labels, addresses, opcode and instructions in the relevant window.
I am trying to dump the contents of a range of addresses to a text file, but can't find a way to do that. The window text is not selectable so I cannot use copy/paste. There is no menu associated that enables this.
As an alternative, I can generate the list and assembly files, but these seem to be limited to my code, and do not contain the CRT code or any ROM sections, which I am interested in.
Any way to dump a selected address range?
You want to use ielfdumparm located in your Workbench directory under arm/bin. Here's the help for the tool.
Usage: IElfDump input_file [output_file]
Available command line options:
--all Dump all sections
--code Dump only code sections
--no_header Do not produce a list header
--no_rel_sections
Do not output associated .rel sections
--no_strtab Do not include strtab sections
--output file
-o file Name of text file to create
--raw Use raw text format
--section #|name[,...]
-s #|name[,...] Dump only section(s) with given numbers/names
--source Include source in disassembled code in executables
--use_full_std_template_names
Don't use short names for standard C++ templates
-a All sections, except strtab sections
-f file Read command line options from file
To get a similar output to the debug view, I would suggest --code to avoid dumping your data space, and --source to have it embed your original C woven in with the assembly.
You can specify sections, but it doesn't look like you can specify address range. You may be able to pair this with some of the other ELF tools to extract just a specific address range, and then run this tool on that. Alternatively, this dumps in address order so you could dump the entire ELF file and then just look at the address range you want after the fact.
I use Snagit to capture text that is not selectable.
Snagit is a screen snapshot tool (a very good one). Besides making classic screen shots it supports to capture text and save it as ASCII text. It can also automatically scroll windows to capture long texts.
Maybe it is worth a try. There is a 30-day trial version available.
I got a file and i don't know its type. I tried to run tools to get file type but that was of no use. When I open the file in hex editor it shows 00 hex value from starting to certain address(50 +linse). I know we can find type of file by seeing hex code of the file. But in this case it is showing 00. Can any one help how to find file type using hex value? Is there any way to obscure hex information so that file type can be hide.
If you are using Linux or Unix. You can type
$ file filename
Or you can use HEX signatures of the file. refere this. http://www.garykessler.net/library/file_sigs.html
or use third party library "magic.h" library known as "libmagic" and use if in c++ like this.
#include <stdio.h>
#include "magic.h"
int main() {
magic_t myt = magic_open(MAGIC_CONTINUE|MAGIC_ERROR/*|MAGIC_DEBUG*/|MAGIC_MIME);
magic_load(myt,NULL); printf("magic output: '%s'\n",magic_file(myt,YOURFILENAME));
magic_close(myt);
return 0;
}
No, there is not. The hex editor always shows real content (if it has permission to read the file at all).
Most binary file formats start with magic number, but not all of them. However bunch of nul bytes at the beginning looks more like the file is simply corrupt.
I have zero knowledge of how the ELF format works or how to access its headers and data via code, however I need to check whether an ELF binary has been compressed (packed?) with UPX for Linux.
Checking the binary with strings I saw the string UPX! so I guess I can use that. Hexediting the binary shows the string and for the position in the binary I can assume it's part of one of ELF's headers (please correct me if I am wrong). This is a dump of that:
00000000 .ELF........................4...
00000020 ........4. ...(.................
00000040 ........................#...#...
00000060 #.....................[.UPX!....
00000080 ............T............?d..ELF
I don't know if this looks good, sorry.
Does anyone know how to detect UPX on Linux? If not, how to access the headers and get that UPX! string (name of the header?)?
I did look into the UPX source code but everything is C++, I am looking to code this in C, and it's really hard to follow.
Thank, any help is welcomed.
EDIT: About the bounty. They answer must give a solid example that works since I've tried different approaches and they not always work, like the sample below.
Thank you
These are the tests to detect an UPX compressed file:
>>>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed
>>>>(0x3c.l+0xf8) search/0x140 UPX2
>>>(&0x7c.l+0x26) string UPX \b, UPX compressed
>>>&0x26 string UPX \b, UPX compressed
>>85 string UPX \b, UPX compressed
use
man 5 magic
to see how the offsets inside the file are specified.
For example in you program you should:
open the file under test for reading
skip to one of these offsets
check if the expected string is there
repeat until no more offsets
Interestingly enough, in my ubuntu 64bit, UPX compressed files are not detected because this test is missing from /usr/share/misc/magic:
>>180 string UPX! UPX compressed (64-bit)
In the source code to UPX, there's a function int PackW32Pe::canUnpack() which is first ran as a test right when you do a upx -d <file> (unpack executable). It shows which offsets are to be tested to detect if a file was packed with UPX. I found the code clear and easy to follow. I recommend an editor with syntax highlighting.
You can download the source code for UPX on the project site.
I'm trying to figure out how to detect whether a binary has been compressed with UPX. I am using a simple CRC to detect whether my app was in any way changed and if the CRC failed on the size due to a packer I would like to detect that as OK.
Right now I am starting with UPX.
So, is there any marker on the binary? are there any specific JMP or other instructions that I should search?
This will mainly be tested in Windows, but in the future I might add it to Linux as well.
Any help (and code) is appreciated.
ADDED:
I found that in the 10 binaries I checked the
AddressOfEntryPoint
Import Directory RVA
Resouce Directory RVA
either point to UPX or have an offset that is set by UPX. Any information on this?
Thanks
Download upx source code from UPX Homepage and open src/p_w32pe.cpp file; the function you are looking for is;
int PackW32Pe::canUnpack()
This function checks if the file is compressed with win32 upx.
You might try checking the section names of the executable. UPX changes them to UPX0, UPX1, UPX2, I believe.