+++
title = 'Disassembly tools'
+++

# Disassembly tools

Tools:
- objdump is often preinstalled
- tools with a UI: IDA Pro, Ghidra (free, comes from the NSA)
- Hopper for Mac
- radare2

objdump:
- linear sweep disassembler: assumes everything in a section is code
- no analysis
- assumes the headers are correct, which they likely won't be in malicious binaries
- flags: `-M intel` (Intel syntax), `-d` (disassemble executable sections), `-D` (disassemble all sections)

IDA Pro:
- recursive traversal disassembler
- interactive and scriptable, with a built-in debugger
- it's expensive if you want the Hex-Rays decompiler
- it's inconvenient to use; the interface dates back to the DOS days
- there's no undo (in the free and older versions)

Ghidra:
- also recursive traversal
- released by the NSA in 2019
- open source, free
- has a decompiler, supports undo

## Binary patching
- modify instructions
- `nop` code out to disable it
- modify data
- you can only replace bytes, but:
  - too small: pad the replacement with `nop`s
  - too large: jump elsewhere where there is more space, then jump back afterwards
- to export from Ghidra: Script Manager; you need a script for this
- to patch data, go to Window → Bytes and click the pencil button at the top
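The two byte-replacement cases above (replacement too small: pad with `nop`s; replacement too large: detour to spare space and jump back) as an added Python example; this is not code from the original notes or from any of the tools listed. It works on a raw byte buffer and assumes x86/x86-64 encodings: `nop` is `0x90` and a near relative `jmp` is `E9` followed by a signed 32-bit displacement computed from the end of the jump instruction. It also assumes the patch site and the spare space ("code cave") sit in one section with the same file-offset to virtual-address delta, so file offsets can be used to compute the displacement; in a real ELF/PE you would first map the address Ghidra or objdump shows you to its file offset. The sample buffer is constructed, not a real binary.

```python
"""Byte-level patching helpers (added example, x86/x86-64 assumptions).

Each function checks that the bytes it is about to overwrite are the ones
you expected, so a wrong offset or a different build of the binary fails
loudly instead of silently corrupting unrelated code.
"""
import struct

NOP = b"\x90"          # single-byte x86 nop
JMP_REL32_LEN = 5      # E9 + rel32


def rel32_jmp(src: int, dst: int) -> bytes:
    """Encode `jmp dst` for a jump instruction located at `src`.

    The displacement is relative to the next instruction (src + 5).
    """
    disp = dst - (src + JMP_REL32_LEN)
    return b"\xe9" + struct.pack("<i", disp)


def patch_in_place(data: bytes, offset: int, expected: bytes, replacement: bytes) -> bytes:
    """Replace `expected` at `offset` with `replacement` of equal or smaller size.

    A shorter replacement is padded with nops so the following instruction
    stays at the same address. A larger replacement is refused: that is the
    code-cave case handled by patch_via_cave().
    """
    if data[offset:offset + len(expected)] != expected:
        raise ValueError("bytes at offset do not match the expected original")
    if len(replacement) > len(expected):
        raise ValueError("replacement too large; use patch_via_cave instead")
    padded = replacement + NOP * (len(expected) - len(replacement))
    return data[:offset] + padded + data[offset + len(expected):]


def nop_out(data: bytes, offset: int, expected: bytes) -> bytes:
    """Disable a range of instructions by overwriting it entirely with nops."""
    return patch_in_place(data, offset, expected, b"")


def patch_via_cave(data: bytes, offset: int, expected: bytes,
                   replacement: bytes, cave_offset: int) -> bytes:
    """Too-large case: detour to a code cave, run `replacement`, jump back.

    The cave must be unused (all zero) and large enough for the replacement
    plus the 5-byte return jump. The patch site must hold at least 5 bytes
    so the detour jump fits; any leftover bytes there become nops.
    """
    if len(expected) < JMP_REL32_LEN:
        raise ValueError("need at least 5 bytes at the patch site for a jmp")
    cave_end = cave_offset + len(replacement) + JMP_REL32_LEN
    if cave_end > len(data) or any(data[cave_offset:cave_end]):
        raise ValueError("code cave is not free or not large enough")
    # 1. detour at the original site, padded with nops (also verifies `expected`)
    data = patch_in_place(data, offset, expected, rel32_jmp(offset, cave_offset))
    # 2. replacement in the cave, followed by a jump back to the instruction
    #    that originally followed the patched range
    return_site = offset + len(expected)
    cave_body = replacement + rel32_jmp(cave_offset + len(replacement), return_site)
    return data[:cave_offset] + cave_body + data[cave_end:]


# Constructed sample: 16 bytes standing in for code, then 16 zero bytes of
# padding that serves as the code cave. Not a real binary.
SAMPLE = bytes(range(1, 17)) + bytes(16)

if __name__ == "__main__":
    small = patch_in_place(SAMPLE, 4, SAMPLE[4:10], b"\x31\xc0")   # xor eax, eax + 4 nops
    big = patch_via_cave(SAMPLE, 4, SAMPLE[4:10],
                         b"\xb8\x01\x00\x00\x00\x48\x89\xc3", 16)  # 8 bytes into a 6-byte hole
    print(small.hex())
    print(big.hex())
```

Inspect the result with `objdump -D -M intel -b binary -m i386:x86-64 patched.bin` after writing the buffer to a file; you should see the detour `jmp` at the patch site and the return `jmp` at the end of the cave.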