How to disassemble an ARM raw binary file on Linux

There is an ARM ELF file that has been processed with objcopy -O binary to produce a .bin file (the ELF headers, section table and symbols are gone; only the raw section contents remain).

Disassemble it:

Command 1:

arm_v5t_le-objdump  -b binary -m armv5te -D  u-boot.bin|head

Command 2:

arm-linux-objdump  -D -b binary test.bin --architecture=arm  > /tmp/raw.txt


http://linux.chinaunix.net/bbs/thread-1145255-1-1.html

http://chdk.wikia.com/wiki/GPL_Disassembling


Disassembling with GNU/GPL tools

The GNU/GPL tools are not made for analysing alien binary dumps, because we usually have the source code if we need to debug. This is not really a replacement for IDA, but for me it was sufficient.

Installing software is not explained in this tutorial.

Prerequisites:

  • You have a raw binary firmware dump to look at. I'll use "dump.bin" here.

In this toolbox we have:

arm-elf-objcopy | arm-linux-gnu-objcopy
arm-elf-objdump | arm-linux-gnu-objdump

Here we go:

strings -t x dump.bin > dump.strings
hexdump -C dump.bin > dump.hex

arm-linux-gnu-objdump -m arm -b binary -D dump.bin > dump.dis

However, there's a problem: both files count from offset 0x00, whereas the firmware actually runs at its load address (0xff810000 here), so the offsets don't match the addresses seen in the disassembly. Here comes my renumber.pl script, which adds the base address to every offset:

strings -t x dump.bin | ./renumber.pl 0xff810000 > dump.strings
hexdump -C dump.bin |./renumber.pl 0xff810000 > dump.hex

Before we disassemble the dump, we pack it into ELF format. This is good for feeding gdb and the IDA demo version ;)

arm-linux-gnu-objcopy --change-addresses=0xff810000 -I binary -O elf32-littlearm -B arm dump.bin dump.elf
arm-linux-gnu-objcopy --set-section-flags .data=code dump.elf

Verify the elf file:

arm-linux-gnu-objdump -x dump.elf

Disassemble:

arm-linux-gnu-objdump -d dump.elf > dump.dis

So finally we have 3 ASCII files to stare at:

  • dump.dis
  • dump.strings
  • dump.hex

and

  • dump.elf for gdb and qemu
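The renumber step and the ELF-wrapping steps above, as one added example script (not the page's or CHDK's own code; renumber.pl and disassemble.pl are not reproduced here). The renumbering is redone in plain sh so no perl is needed, and a raw_disas helper shows the --adjust-vma shortcut that gives the same addresses without building an ELF. Assumptions: GNU binutils with the cross prefix in $CROSS (default arm-linux-gnu-, as on this page), a dump named *.bin, and a load address such as 0xff810000.

```shell
#!/bin/sh
# Added example, not from the original page or from CHDK.
# Usage: ./disas_dump.sh dump.bin 0xff810000
# Assumes GNU binutils with prefix $CROSS (default arm-linux-gnu-).
set -eu
: "${CROSS:=arm-linux-gnu-}"

# rebase_offsets BASE: rewrite the leading hex offset of every line
# (as printed by `strings -t x` and `hexdump -C`) to BASE+offset, so the
# .strings and .hex files use the same addresses as the disassembly.
# Lines without a hex offset (hexdump's "*" repeat marker, blank lines)
# are passed through unchanged.
rebase_offsets() {
    base=$(( $1 ))
    while IFS= read -r line; do
        trimmed=${line#"${line%%[! ]*}"}   # strip the blanks strings -t x right-aligns with
        off=${trimmed%% *}                 # first field: the offset
        rest=${trimmed#"$off"}             # everything after it, spacing kept
        case "$off" in
            ''|*[!0-9a-fA-F]*) printf '%s\n' "$line"; continue ;;
        esac
        printf '%08x%s\n' $(( base + 0x$off )) "$rest"
    done
}

# wrap_elf DUMP BASE OUT: pack the raw dump into an ELF whose .data section
# sits at BASE and is flagged as code, so objdump -d, gdb and IDA see the real
# addresses. --set-section-flags replaces *all* flags, so alloc,load,readonly
# are listed too (the page's `.data=code` alone drops them, which gdb dislikes).
wrap_elf() {
    "${CROSS}objcopy" -I binary -O elf32-littlearm -B arm \
        --change-addresses="$2" \
        --set-section-flags .data=alloc,load,readonly,code \
        "$1" "$3"
}

# raw_disas DUMP BASE: the no-ELF shortcut; --adjust-vma makes objdump print
# BASE-relative addresses straight from the raw file (ARM mode only).
raw_disas() {
    "${CROSS}objdump" -b binary -m arm --adjust-vma="$2" -D "$1"
}

main() {
    dump=$1 base=$2
    stem=${dump%.bin}
    strings -t x "$dump" | rebase_offsets "$base" > "$stem.strings"
    hexdump -C   "$dump" | rebase_offsets "$base" > "$stem.hex"
    wrap_elf "$dump" "$base" "$stem.elf"
    "${CROSS}objdump" -h "$stem.elf"            # verify: .data at BASE, flags incl. CODE
    "${CROSS}objdump" -d "$stem.elf" > "$stem.dis"
    echo "wrote $stem.strings $stem.hex $stem.elf $stem.dis"
}

# Only run when given arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then main "$@"; fi
```

The base address is the one the firmware is linked for; if the literal-pool pointers in the resulting dump.dis (e.g. the value behind an ldr rX, [pc, #imm]) do not land inside the dump's own address range, the base is wrong and everything, including the rebased .strings offsets, is off by the same amount.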

Putting it all together

Meanwhile I wrote the GPL:disassemble.pl perl script, which does all the jobs. It also looks up references and adds them to the disassembly output.

disassemble.pl 0xff810000 dump.bin

Example output:

NSTUB(Capture.Create, 0xff938368):
ff938368: e92d4010 stmdb sp!, {r4, lr}
ff93836c: e59f0020 ldr r0, [pc, #32] ; ff938394: (ffac13cc)
ff938370: ebfcc3fd bl ff86936c <_binary_dump_bin_start+0x5936c -847876>
ff938374: eb01cf03 bl ff9abf88 <_binary_dump_bin_start+0x19bf88 +474132>
ff938378: e3a00000 mov r0, #0 ; 0x0
ff93837c: e8bd8010 ldmia sp!, {r4, pc}
// this is obviously an entry point, because ^^ is a "return"
ff938380: e24f1020 sub r1, pc, #32 ; ff938368: (e92d4010)
ff938384: e28f000c add r0, pc, #12 ; ff938398: (74706143) *"Capture.Create"
ff938388: eafcc355 b ff8690e4 <_binary_dump_bin_start+0x590e4 -848548>
// another
ff93838c: e28f0004 add r0, pc, #4 ; ff938398: (74706143) *"Capture.Create"
ff938390: eafcc355 b ff8690ec <_binary_dump_bin_start+0x590ec -848548>
// this is data, referenced from 0xff93836c followed by some text
ff938394: ffac13cc undefined instruction 0xffac13cc
"Capture.Create":
ff938398: 74706143 ldrvcbt r6, [r0], #-323
ff93839c: 2e657275 mcrcs 2, 3, r7, cr5, cr5, {3}
ff9383a0: 61657243 cmnvs r5, r3, asr #4
ff9383a4: 00006574 andeq r6, r0, r4, ror r5

Note: the entire disassembled file is shown as instructions, including strings and numeric constants. Strings are identified where they are referenced, as shown above, but the corresponding addresses still show (nonsense) disassembled instructions, e.g. the four words of "Capture.Create" decoding as ldrvcbt/mcrcs/cmnvs/andeq. If the instructions you are looking at don't make any sense, they are probably data.

Using gcc/gas

Another way to create an ELF file with symbols from CHDK's stub files is described in the forum. The disassemble script makes a better format, but this one is very good for gdb+qemu ;)
