The previous two posts covered capstone and beaengine; this one tries out the classic udis86.
GitHub: https://github.com/vmt/udis86
0x01: Compared with the previous two, udis86 is fairly simple to use. Its documentation reads as follows:
Getting Started
===============
Building and Installing udis86
------------------------------
udis86 is developed for unix-like environments, and like most software,
the basic steps towards building and installing it are as follows.
.. code::

    $ ./configure
    $ make
    $ make install

Depending on your choice of install location, you may need to have root
privileges to do an install. The install scripts copy the necessary header
and library files to appropriate locations in your system.
Interfacing with libudis86: A Quick Example
-------------------------------------------
The following is an example of a program that interfaces with libudis86
and uses the API to generate assembly language output for 64-bit code,
input from STDIN.
.. code-block:: c

    #include <stdio.h>
    #include <udis86.h>

    int main()
    {
        ud_t ud_obj;

        ud_init(&ud_obj);
        ud_set_input_file(&ud_obj, stdin);
        ud_set_mode(&ud_obj, 64);
        ud_set_syntax(&ud_obj, UD_SYN_INTEL);

        while (ud_disassemble(&ud_obj)) {
            printf("\t%s\n", ud_insn_asm(&ud_obj));
        }

        return 0;
    }

To compile the program (using gcc):
.. code::

    $ gcc -ludis86 example.c -o example

This example should give you an idea of how this library can be used. The
following sections describe, in detail, the complete API of libudis86.
0x02: So follow those steps. The catch is that the master folder contains no configure script; reading the README again shows that the build environment has to be generated first:
Autotools Build
---------------
You need autotools if building from sources cloned from a version control
system, or if you need to regenerate the build system. The wrapper
script 'autogen.sh' is provided to generate the build system.
// Running ./autogen.sh fails --> because autoreconf is not installed
curits@curits-virtual-machine:~/Desktop/udis86-master$ sudo ./autogen.sh
./autogen.sh: line 4: autoreconf: command not found
autogen: autoreconf -i failed.
// Install the autotools
curits@curits-virtual-machine:~/Desktop/udis86-master$ sudo apt-get install autoconf automake libtool
// Then run ./autogen.sh again --> generates the build system
curits@curits-virtual-machine:~/Desktop/udis86-master$ ./autogen.sh
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I build/m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --copy --force
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build'.
libtoolize: copying file 'build/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'build/m4'.
libtoolize: copying file 'build/m4/libtool.m4'
libtoolize: copying file 'build/m4/ltoptions.m4'
libtoolize: copying file 'build/m4/ltsugar.m4'
libtoolize: copying file 'build/m4/ltversion.m4'
libtoolize: copying file 'build/m4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:43: installing 'build/compile'
configure.ac:24: installing 'build/config.guess'
configure.ac:24: installing 'build/config.sub'
configure.ac:34: installing 'build/install-sh'
configure.ac:34: installing 'build/missing'
libudis86/Makefile.am: installing 'build/depcomp'
autoreconf: Leaving directory `.'
// Then the usual three steps: ./configure --> make --> sudo make install (root privileges are needed for the install)
Next, copy the example code and compile it the way the README says; it fails, and exactly why it did not build is not clear to me:
curits@curits-virtual-machine:~/Desktop/udis86-master$ g++ -ludis86 example.c -o example
/tmp/ccXcpvEg.o: In function `main':
example.c:(.text+0x25): undefined reference to `ud_init'
example.c:(.text+0x3e): undefined reference to `ud_set_input_file'
example.c:(.text+0x52): undefined reference to `ud_set_mode'
example.c:(.text+0x60): undefined reference to `ud_translate_intel'
example.c:(.text+0x6b): undefined reference to `ud_set_syntax'
example.c:(.text+0x7a): undefined reference to `ud_disassemble'
example.c:(.text+0x92): undefined reference to `ud_insn_asm'
collect2: error: ld returned 1 exit status
Fix: the output of make install shows that the built shared library was copied to /usr/local/lib:
curits@curits-virtual-machine:/usr/local/lib$ ls
libudis86.la libudis86.so libudis86.so.0 libudis86.so.0.0.0 python2.7 python3.6
So just copy example.c into that directory and link directly against the built libudis86.so:
// The binary builds successfully
curits@curits-virtual-machine:/usr/local/lib$ export LD_LIBRARY_PATH=./
curits@curits-virtual-machine:/usr/local/lib$ sudo g++ -o example example.c libudis86.so
curits@curits-virtual-machine:/usr/local/lib$ ls
example example.c libudis86.la libudis86.so libudis86.so.0 libudis86.so.0.0.0 python2.7 python3.6
// Run example and enter opcode bytes on stdin
curits@curits-virtual-machine:/usr/local/lib$ ./example
65 67 89 87 76 65 54 56 78 89 09 00 90
sub eax, 0x35360a78
and [rsi], dh
invalid
and [rax], bh
cmp [rax], esp
cmp [rdi], dh
and [rdi], dh
and [ss:rsi], dh
xor eax, 0x20343520
xor eax, 0x38372036
and [rax], bh
cmp [rax], esp
xor [rcx], bh
and [rax], dh
xor [rax], ah
cmp [rax], esi
Disassembly is produced, but the result is clearly wrong; what exactly is wrong will need a closer look at the source.
The relevant API from the official site: http://udis86.sourceforge.net/manual/libudis86.html#setup-input
// Documentation for the input function ud_set_input_file
void ud_set_input_file(ud_t*, FILE* filep)
Sets the input source to a file pointed to by a given standard library FILE pointer. Note that libudis86 does not perform any checks, and assumes that the file pointer is properly initialized and open for reading.
// Initialization in the example code
ud_set_input_file(&ud_obj, stdin);
Modify example.c so that ud_set_input_file() receives a file pointer:
#include <stdio.h>
#include <udis86.h>

#define FILENAME "/home/curits/Desktop/ins.txt"

int main()
{
    ud_t ud_obj;
    FILE *filep;

    /* Open the raw machine-code file in binary mode */
    filep = fopen(FILENAME, "rb");
    if (!filep) {
        printf("Can not open file\n");
        return 1;
    }

    ud_init(&ud_obj);
    // ud_set_input_file(&ud_obj, stdin);
    ud_set_input_file(&ud_obj, filep);   /* read raw bytes from the file */
    ud_set_mode(&ud_obj, 64);            /* decode as 64-bit code */
    ud_set_syntax(&ud_obj, UD_SYN_INTEL);
    while (ud_disassemble(&ud_obj)) {
        printf("\t%s\n", ud_insn_asm(&ud_obj));
    }
    fclose(filep);
    return 0;
}
Compile and run:
// ins.txt is disassembled successfully
curits@curits-virtual-machine:/usr/local/lib$ ./example
nop [rax+rax]
push rbp
mov rbp, rsp
pop rbp
ret
nop [rax+rax]
// Compared with the intel-xed disassembly
curits@curits-virtual-machine:~/Desktop/xed-master/obj/wkit/bin$ ./xed -ir /home/curits/Desktop/ins.txt -64
XDIS 0: WIDENOP BASE 0F1F440000 nop dword ptr [rax+rax*1], eax
XDIS 5: PUSH BASE 55 push rbp
XDIS 6: DATAXFER BASE 4889E5 mov rbp, rsp
XDIS 9: POP BASE 5D pop rbp
XDIS a: RET BASE C3 ret
XDIS b: WIDENOP BASE 0F1F440000 nop dword ptr [rax+rax*1], eax
# end of text section.
# Errors: 0
#XED3 DECODE STATS
#Total DECODE cycles: 1071003
#Total instructions DECODE: 6
#Total tail DECODE cycles: 1071003
#Total tail instructions DECODE: 6
#Total cycles/instruction DECODE: 178500.50
#Total tail cycles/instruction DECODE: 178500.50
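Typing `65 67 89 ...` at the prompt above hands udis86 the ASCII bytes of that text rather than opcodes, which is why lines like `and [rsi], dh` (bytes 20 36, a space followed by '6') come out. The added example below, which is not from the post or from udis86 itself, converts hex text into raw bytes and feeds them through ud_set_input_buffer, printing offset and bytes beside each instruction in the style of the xed listing. It assumes udis86 is installed as above; the sample bytes are the 16 from the xed listing, and parse_hex_text and disassemble_buffer are names chosen here.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#if __has_include(<udis86.h>)   /* gcc >= 5 / clang; the parser still builds without the lib */
#include <udis86.h>
#define HAVE_UDIS86 1
#endif

/* Hex text such as "0f 1f 44 00 00\n55" -> raw bytes. Returns the byte count,
 * or -1 on a stray nibble, a non-hex character or a too-small output buffer. */
int parse_hex_text(const char *text, uint8_t *out, size_t cap)
{
    size_t n = 0;
    int hi = -1;                                /* pending high nibble, -1 if none */
    for (const char *p = text; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isspace(c)) { if (hi >= 0) return -1; continue; }
        if (!isxdigit(c)) return -1;
        int v = isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
        if (hi < 0) { hi = v; continue; }
        if (n >= cap) return -1;
        out[n++] = (uint8_t)(hi << 4 | v);
        hi = -1;
    }
    return hi >= 0 ? -1 : (int)n;
}

/* Disassemble raw bytes as 64-bit code, printing offset, hex and mnemonic as
 * xed does. Returns the instruction count, or -1 when built without udis86. */
int disassemble_buffer(const uint8_t *buf, size_t len)
{
    int count = -1;
#ifdef HAVE_UDIS86
    ud_t ud;
    ud_init(&ud);                               /* pc, i.e. the offset, starts at 0 */
    ud_set_input_buffer(&ud, buf, len);         /* raw bytes, not a FILE* of text */
    ud_set_mode(&ud, 64);
    ud_set_syntax(&ud, UD_SYN_INTEL);
    for (count = 0; ud_disassemble(&ud); count++)
        printf("%04llx  %-12s %s\n", (unsigned long long)ud_insn_off(&ud), ud_insn_hex(&ud), ud_insn_asm(&ud));
#else
    (void)buf; (void)len;
#endif
    return count;
}

int main(void)
{   /* Constructed sample: the 16 bytes from the xed listing above */
    uint8_t code[64];
    int n = parse_hex_text("0F1F440000 55 4889E5 5D C3 0F1F440000", code, sizeof code);
    return n < 0 || disassemble_buffer(code, (size_t)n) < 0;
}
```

Build with `gcc hexdis.c -o hexdis -ludis86`: naming the library after the object avoids the undefined-reference errors above on toolchains such as Ubuntu's, which link with --as-needed by default.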
More functionality can be built on top of this.