a15 disassembler

March 28, 2018 | Author: Gaurav Bhanwra | Category: Software Engineering, Computer Science, Office Equipment, Computer Architecture, Digital Technology



Term paper: Disassemblers
NAME: Jyoti
CLASS: B.Tech C.S.C
ROLL NO: A15
REG. NO: 10901555
SUBMITTED TO: Er. Harjit Singh

Acknowledgement
As usual, a large number of people deserve my thanks for the help they provided me in the preparation of this term paper. First of all I would like to thank my teacher Mr. Harjeet Singh for her support during the preparation of this topic. I am very thankful for her guidance and for the information about the topic they provided to me during my effort to prepare this topic.

INTRODUCTION
A disassembler is a computer program that translates machine language into assembly language, the inverse operation to that of an assembler. Put another way, it is a program that examines another computer program and attempts to generate assembly language source code that would, in theory, reproduce the target program. A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. The output of a disassembler is often formatted for human readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool. (In nanotechnology the same word denotes a system of nanomachines able to take an object apart a few atoms at a time while recording its structure at the molecular level; that sense is not discussed further here.)

Assembly language source code generally permits the use of constants and programmer comments. These are usually removed from the assembled machine code by the assembler. If so, a disassembler operating on the machine code would produce disassembly lacking these constants and comments, and the disassembled output becomes more difficult for a human to interpret than the original annotated source code. Some disassemblers make use of the symbolic debugging information present in object files such as ELF. Interactive disassemblers allow the human user to make up mnemonic symbols for values or regions of code in an interactive session: human insight applied to the disassembly process often parallels human creativity in the code writing process.

Disassembly is not an exact science. On CISC platforms with variable-width instructions, or in the presence of self-modifying code, it is possible for a single program to have two or more reasonable disassemblies. Determining which instructions would actually be encountered during a run of the program reduces to the proven-unsolvable halting problem. In practice a disassembly is therefore a hypothesis about the code, and anything built on it (a patch, a signature, a decompiled function) should be cross-checked, for example by confirming that branch targets land on instruction boundaries or by comparing against a debugger trace.

Types of disassemblers
Any interactive debugger will include some way of viewing the disassembly of the program being debugged. Often, the same disassembly tool will be packaged as a standalone disassembler distributed along with the debugger. For example, objdump, part of GNU Binutils, is related to the interactive debugger gdb. Other disassemblers include:
• IDA (described below)
• ILDASM is a tool contained in the .NET Framework SDK. It can be used to disassemble PE files containing Common Intermediate Language code.
• OllyDbg is a 32-bit assembler level analysing debugger.
• PVDasm is a free, interactive, multi-CPU disassembler.
• SIMON is a test/debugger/animator with integrated disassembler for Assembler, COBOL and PL/1.
• Texe is a free 32-bit disassembler and Windows PE file analyzer.
• unPIC is a disassembler for PIC microcontrollers.

CODE ANALYSIS
A compiled program is saved into an executable file. There are several different formats of executable files; some of them are usable only on some operating systems. Generally every executable file has several sections. Some sections contain instructions; some contain data, constant data, etc. In a disassembler it is important to distinguish two types of sections: the first type is the data section, the second is the executable section, the section containing instructions for the processor. A data section is disassembled into a simple output of its content.

DESIGN OF DISASSEMBLER
The disassembler consists of three main parts. The first part handles access to the sections of the input file, which can be either in hexadecimal text format or in binary format. The second part is a symbol table, and the last one deals with instruction decoding according to the instruction set. We used design patterns [1] and UML (Unified Modeling Language [2]) during the object-oriented design of this program.

Interactive Disassembler
The Interactive Disassembler, more commonly known as simply IDA, is a disassembler used for reverse engineering. It supports a variety of executable formats for different processors and operating systems. It also can be used as a debugger for Windows PE, Mac OS X Mach-O, and Linux ELF executables. Created as a shareware application by Ilfak Guilfanov, IDA was later sold as a commercial product by DataRescue, a Belgian company, who improved it and sold it under the name IDA Pro. In 2007 Guilfanov founded Hex-Rays to pursue the development of the Hex-Rays Decompiler IDA extension. In January 2008 Hex-Rays assumed the development and support of DataRescue's IDA Pro. The latest full version of IDA Pro is commercial software; an earlier and less capable version is available for download free of charge (version 4.9 as of May 2010) [2]. A decompiler plugin for programs compiled with a C/C++ compiler is available at extra cost.

IDA performs much automatic code analysis, using cross-references between code sections, knowledge of parameters of API calls, and other information. However, the nature of disassembly precludes total accuracy, and a great deal of human intervention is necessarily required. IDA has interactive functionality to aid in improving the disassembly. A typical IDA user will begin with an automatically generated disassembly listing and then convert sections from code to data and vice versa, rename, annotate, and otherwise add information to the listing.

Scripting in Disassemblers
"IDC scripts" make it possible to extend the operation of the disassembler. Some helpful scripts are provided, which can serve as the basis for user written scripts. Most frequently scripts are used for extra modification of the generated code. For example, external symbol tables can be loaded, thereby using the function names of the original source code. There are websites devoted to IDA scripts that offer assistance for frequently arising problems. Users have created plugins that allow other common scripting languages to be used instead of, or in addition to, IDC: IdaRUB supports Ruby and IDAPython adds support for Python. As of version 5.4, IDAPython (dependent on Python 2.5) comes preinstalled with IDA Pro.

XDASM - Universal Cross Disassembler
XDASM is a powerful, MS/DOS based program disassembler which is used to reconstruct or debug source level code for various processor types. Its unique table-driven structure and output format adaptability make XDASM the most universal program disassembler available. New in version 3.3: more processor tables; more disassembly options; up to five cross-reference lists can be generated; add your own comments to each instruction line; substitute assigned labels using your own label name; more TAG file commands, nested if and for loops. XDASM 2.x customers can upgrade to version 3.3 for $49.

XDASM - Cross-Disassembler V3.3
• Generates assembly language source code from ROM/EPROM
• Accepts Intel hex, Motorola S and binary file formats
• Creates "Assembler-ready" code for your favorite assembler
• Uses manufacturer's assembly language mnemonics
• User configurable assembler directives
• Creates labels, comment hexdump and cross-reference lists
• Deblocks source code into subroutines
• User can substitute label names
• User can insert instruction line comments
• Full control of disassembly with TAG file
• Users may create tables for other processor types
• Maximum input file size of 64K (0-65535)
• Source code for all CPU tables provided
Hardware required: MS/DOS PC with at least 640K RAM.
Supports the following processors: 1802-1806, 3870, 4004, 6301/6303, 64180, 65816, 8031-8040, 89700, COP400, COP800, TMS7000, TMS9900/95, TMS320C1x, 6800-6809, 8048-8052, 68HC08, 68HC11, 78C1x, 8080/8085, 8086/8088, PIC16C5x, TMS320C2x, 8096/80196, SUPER8, Z8.

A Java disassembler
This is an attempt made by us to make people understand how a Java disassembler can be written. It basically converts the byte codes of a class file, i.e. the machine code of the JVM, into its actual source code, i.e. the Java program. (In the terms of the introduction, producing Java source rather than a bytecode listing is strictly decompilation.) The disassembler is not a separate program: it is a few functions added to our main program, which reads the class file. Thus this is the right time to understand what these functions do.

Limitations
It only displays variables and their initializations, strings, methods and their signatures, arithmetic operations on these variables, and if and for loops. But you can very well incorporate other opcodes in the methods to convert into .java code.

An LC-3 disassembler (lc3dis)
The rest of this section walks through a disassembler for the LC-3 architecture written in C as a course homework (CSE 240, homework 8). It reads an LC-3 object file and prints assembly to the display.

Functions
Function: main()
This is the entry point into the disassembler. It does the following:
• Opens (for reading) a file specified on the command line.
• Reads the first 2 bytes from the file to determine the .ORIG address (more on this later).
• Outputs a .ORIG assembler directive with the address computed above.
• Until the end-of-file is reached, reads each 2-byte instruction from the file and calls print_instruction() on it.
• Outputs a .END assembler directive.
• Closes the file.
We provide this code.

Function: get_zext_field(int bits, int hi_bit, int lo_bit)
This function gets the value of the bit field in integer bits beginning with bit hi_bit and ending with bit lo_bit. The resulting value is zero-extended. Note that hi_bit and lo_bit are zero-based (i.e., they must be between 0 and 15). For example, to get the opcode of an instruction in ir, we would call this function as follows:
    opcode = get_zext_field(ir, 15, 12);
This code is really quite tricky, so we've provided it for you. Please look at the code and try to understand the logic.

Function: get_sext_field(int bits, int hi_bit, int lo_bit)
This function is very similar to get_zext_field(), except that it sign extends the resulting field. This code is also tricky, but take a look at it in order to understand it.

Function: get_bit(int bits, int bit_number)
This function is similar to get_zext_field() except that it selects and returns a single zero-extended bit. In fact, it's implemented by calling get_zext_field() with hi_bit and lo_bit set to the same value (bit_number). The code for this function is pretty simple, so we provide it.

Function: get_word_from_file(FILE* f)
This function extracts the next 16-bit word from the input file. We provide this code.

Function: print_instruction(int pc, int ir)
This is the core of the disassembler. This function is passed two things: (i) an integer (pc) that may have a value from 0x0000 to 0xffff, representing an address in the LC-3 machine, and (ii) an integer (ir) that may have a value from 0x0000 to 0xffff, representing an LC-3 instruction. The instruction ir is located in memory at address pc (the pc value is useful for computing pc-relative addresses). This function calls get_zext_field() to extract the opcode from the instruction. It then switches on that opcode. Within the switch there is a case for each opcode (e.g., ADD, AND, BR, JMP, etc.). Each case examines additional instruction bits (determined by the opcode) and prints an appropriate string representing the instruction. You will want to use get_zext_field() to select unsigned values like opcodes or register fields (e.g., DR, SR1, etc.), but you will want to use get_sext_field() to select signed immediate fields (e.g., imm5) or signed PC offset fields (e.g., PCoffset9).

For example, in the case for the ADD instruction, we call get_zext_field(ir, 11, 9) to get the destination register and get_zext_field(ir, 8, 6) to get the first source operand register. Next it must examine bit 5 (via get_bit(ir, 5)) in order to determine whether the final operand is an immediate or a register. If bit 5 is 0 (i.e., register operand), we use get_zext_field(ir, 4, 3) and check that the result is 0 (i.e., bits 4 and 3 are 0). If bits 4 and 3 are not 0, this is not a legal ADD instruction, so we call print_fill(ir) to generate a .FILL assembler directive. Otherwise, we call get_zext_field(ir, 2, 0) to get the second source operand register, and we print the ADD instruction. If bit 5 is 1, we use get_sext_field(ir, 4, 0) to get the imm5 field. Finally, the ADD assembly instruction is printed via printf(). Some of this code is provided to get you started.

Function: print_fill(int ir)
This function prints a .FILL assembler directive for this word. We provide this code.

How It Works
Getting started. Begin by creating a directory to work in and copying the files we provide:
    cd ~
    mkdir cse240hw8
    cd cse240hw8
    cp ~cse240/project/hw/hw8/* .
This will give you a bunch of .asm files to use in testing (below). Also, it will give you a file called lc3dis.c to use as a starting point. You'll want to update your path just as you did in homework 6 (and 7). This will allow you to access lc3as for testing.

Resources. Appendix A and the table on the inside back cover of your textbook will be extremely useful! You will find all the answers there!

Immediate fields. Please output all of your immediate fields in decimal (rather than hexadecimal). This is necessary so our automatic testing scripts will not get confused. For example, the following is fine:
    LDR R1, R2, #10
While the following is equivalent to the above, it will not be accepted by our testing scripts:
    LDR R1, R2, xA

Fixed fields. Make sure you check the fixed fields in instructions. For example, in an ADD instruction whose bit 5 is 0 (the register form), bits 4 and 3 must be 0. If they are not, it is not an ADD instruction at all; it's not any instruction, so it must be data. Similarly, in a JMP instruction, bits 5 to 0 must be 0, and in a NOT instruction, bits 5 to 0 must be 1. One or more of the n, z, or p fields in a BR instruction must be set; if none of them are, it is not a BR instruction (i.e., it must be data and print_fill() should be called). Whenever you discover that you are looking at data (not an instruction), call print_fill() to generate a .FILL assembler directive.

PC-relative offsets. Do not try to generate assembly code that contains labels! This would make things much harder. Instead, simply specify your PC-relative offsets directly (in base 10, so you can specify negatives). For example, if the PCoffset of some LD instruction is -17 (and the destination register is R1), you would generate the following assembly instruction:
    LD R1, #-17

Compiling. Use gcc on the Moore 100 machines or eniac-l.seas.upenn.edu to build your code. You may want to use the -o flag to specify the name of the generated program. Here's an example:
    gcc -o lc3dis lc3dis.c

Output. Note that the output of your disassembler is not another file. It simply prints the disassembled instructions to the display. If you want to redirect the output to a file, use > as follows:
    ./lc3dis foo.obj > newfoo.asm

Testing. We will provide a number of .asm files you can use to test your disassembler (but you should also generate your own test cases). First, assemble each of these files with the as command in the simulator:
    as t1.asm      (in the simulator)
Then disassemble them with your lc3dis, saving the output in a file via redirection:
    ./lc3dis t1.obj > newt1.asm
Now, in order to confirm that your code is correct, use the Unix diff utility to compare t1.asm and newt1.asm:
    diff -w -i t1.asm newt1.asm
Note that -w instructs diff to ignore whitespace and -i instructs it to ignore case. If diff produces no output, the two files are the same. If the files are different, diff will indicate how they are different (type "man diff" for more information on diff). Note that if your original .asm file contained labels, these naturally won't appear in the corresponding disassembled code; you'll have to confirm by hand that the offsets your disassembler generates are correct. Also note that the output of the disassembler cannot be directly assembled, because the assembler doesn't know what to do with absolute addresses (it wants labels).

Object file format. For the curious, we'll describe the .obj file format. The first 2 bytes contain the .ORIG address of the program. Subsequent byte pairs (16 bits) encode each instruction in the program.

MacNosy
Facts and Specifications
It is capable of disassembling the resource fork of any application file, ROM, and various resource types in the System file (DRVR, INIT, PACK, WDEF, CDEF, etc). Note that source listings of the WDEF and CDEF procedures come with the MacSupplement. This feature is used as an educational tool and as a medium of communication between developers, hackers, etc.

Features
• Symbol dictionaries of the ROM names and global symbols (0 - $B00) along with value to symbol substitution in appropriate places. Format is similar to that of MacsBug, but you get more information with less work.
• References to the symbols are collected and may be selectively viewed: trap (ROM) calls, resource type references, constant or string references, etc. This is in addition to the automatic recognition of various character string formats.
• Ability to search the program file for references to selected addresses.
• Selective list of procedures in a file by procedure name or substring.
• A full or selective listing of the resources in a file. Format is similar to that of the Resource Mover.
• Ability to reformat data in its "natural format" via directives.
• Ability to translate the segment relative address of an instruction to the disk file relative address for code patching purposes.
• Ability to place the disassembled output on a file in assembler listing output or assembler input format (MDS ".asm" format).
• A built-in mini editor to view files without leaving Nosy.
• MacNosy records its input on a ".jrnl" file (in text format) for later playback.

References
• www.wikipedia.org
• www.google.com
• www.turboexplorer.com/cpp
• http://www.debian-administration.org/articles/492--disassemblers
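The LC-3 disassembler walked through in the Functions and How It Works sections above, as an added, self-contained example written for this page. It is not the course's lc3dis.c: only the helper names get_zext_field, get_sext_field and get_bit are taken from the text, while get_word_from_bytes, disassemble_word, disassemble_image and the SAMPLE_OBJ image are our own. It decodes an in-memory object image rather than a file, prints offsets in decimal without labels, applies the fixed-field checks for ADD/AND, NOT, BR, JMP, JSRR, TRAP and RTI, and falls back to .FILL for any word that fails them. The sample image is hand-assembled, not produced by lc3as, and the hex form of the .FILL value is our choice, since the text only fixes decimal for immediates and offsets.

```c
/* Added example for this page, not the course's lc3dis.c. The helper names
 * get_zext_field/get_sext_field/get_bit come from the text; the rest is ours. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Bits hi_bit..lo_bit (zero-based, inclusive) of a word, zero-extended. */
int get_zext_field(int bits, int hi_bit, int lo_bit) {
    return (bits >> lo_bit) & ((1 << (hi_bit - lo_bit + 1)) - 1);
}
/* Same field, sign-extended from its top bit (imm5, offset6, PCoffset9). */
int get_sext_field(int bits, int hi_bit, int lo_bit) {
    int width = hi_bit - lo_bit + 1, v = get_zext_field(bits, hi_bit, lo_bit);
    return (v & (1 << (width - 1))) ? v - (1 << width) : v;
}
int get_bit(int bits, int bit_number) { return get_zext_field(bits, bit_number, bit_number); }
/* .obj words are big-endian 16-bit; word 0 is the .ORIG address. */
int get_word_from_bytes(const uint8_t *buf, size_t word_index) {
    return (buf[2 * word_index] << 8) | buf[2 * word_index + 1];
}
/* A word failing a fixed-field check is data: emit .FILL and report 0.
 * Hex here is our choice; the text only fixes decimal for immediates. */
static int fill(int ir, char *out, size_t n) { snprintf(out, n, ".FILL x%04X", ir & 0xFFFF); return 0; }

/* Decode one word into out: returns 1 for an instruction, 0 if emitted as .FILL.
 * pc is unused because offsets are printed in decimal, not resolved to labels. */
int disassemble_word(int pc, int ir, char *out, size_t n) {
    int op = get_zext_field(ir, 15, 12);
    int dr = get_zext_field(ir, 11, 9);    /* also nzp for BR; must be 0 for JMP/JSRR */
    int sr1 = get_zext_field(ir, 8, 6);    /* also BaseR */
    (void)pc;
    switch (op) {
    case 0x1: case 0x5: {                  /* ADD / AND */
        const char *m = (op == 0x1) ? "ADD" : "AND";
        if (get_bit(ir, 5)) snprintf(out, n, "%s R%d, R%d, #%d", m, dr, sr1, get_sext_field(ir, 4, 0));
        else if (get_zext_field(ir, 4, 3)) return fill(ir, out, n); /* register form: bits 4:3 must be 0 */
        else snprintf(out, n, "%s R%d, R%d, R%d", m, dr, sr1, get_zext_field(ir, 2, 0));
        return 1;
    }
    case 0x9:                              /* NOT: bits 5:0 must all be 1 */
        if (get_zext_field(ir, 5, 0) != 0x3F) return fill(ir, out, n);
        snprintf(out, n, "NOT R%d, R%d", dr, sr1); return 1;
    case 0x0:                              /* BR: at least one of n, z, p must be set */
        if (dr == 0) return fill(ir, out, n);
        snprintf(out, n, "BR%s%s%s #%d", (dr & 4) ? "n" : "", (dr & 2) ? "z" : "",
                 (dr & 1) ? "p" : "", get_sext_field(ir, 8, 0));
        return 1;
    case 0x2: case 0x3: case 0xA: case 0xB: case 0xE: {   /* PCoffset9 forms */
        const char *m = op == 0x2 ? "LD" : op == 0x3 ? "ST" : op == 0xA ? "LDI"
                      : op == 0xB ? "STI" : "LEA";
        snprintf(out, n, "%s R%d, #%d", m, dr, get_sext_field(ir, 8, 0)); return 1;
    }
    case 0x6: case 0x7:                    /* LDR / STR: BaseR + offset6 */
        snprintf(out, n, "%s R%d, R%d, #%d", op == 0x6 ? "LDR" : "STR", dr, sr1,
                 get_sext_field(ir, 5, 0));
        return 1;
    case 0xC:                              /* JMP / RET: bits 11:9 and 5:0 must be 0 */
        if (dr != 0 || get_zext_field(ir, 5, 0) != 0) return fill(ir, out, n);
        if (sr1 == 7) snprintf(out, n, "RET"); else snprintf(out, n, "JMP R%d", sr1);
        return 1;
    case 0x4:                              /* JSR (bit 11 set) / JSRR */
        if (get_bit(ir, 11)) snprintf(out, n, "JSR #%d", get_sext_field(ir, 10, 0));
        else if (dr == 0 && get_zext_field(ir, 5, 0) == 0) snprintf(out, n, "JSRR R%d", sr1);
        else return fill(ir, out, n);
        return 1;
    case 0xF:                              /* TRAP: bits 11:8 must be 0 */
        if (get_zext_field(ir, 11, 8) != 0) return fill(ir, out, n);
        snprintf(out, n, "TRAP x%02X", get_zext_field(ir, 7, 0)); return 1;
    case 0x8:                              /* RTI: bits 11:0 must be 0 */
        if (get_zext_field(ir, 11, 0) != 0) return fill(ir, out, n);
        snprintf(out, n, "RTI"); return 1;
    default:                               /* opcode 0xD is reserved */
        return fill(ir, out, n);
    }
}

/* Whole image: .ORIG, one line per word, .END written to out (NULL = no output).
 * Returns the number of instruction words, or -1 if len is not whole words. */
int disassemble_image(const uint8_t *buf, size_t len, FILE *out) {
    if (len < 2 || len % 2 != 0) return -1;
    int pc = get_word_from_bytes(buf, 0), count = 0;
    char line[64];
    if (out) fprintf(out, ".ORIG x%04X\n", pc);
    for (size_t w = 1; w < len / 2; w++, pc++) {
        count += disassemble_word(pc, get_word_from_bytes(buf, w), line, sizeof line);
        if (out) fprintf(out, "%s\n", line);
    }
    if (out) fprintf(out, ".END\n");
    return count;
}
/* Constructed image (hand-assembled, not from lc3as): .ORIG x3000, then ADD R1,R2,#10;
 * LD R1,#-17; NOT R3,R4; BRnz #-3; RET; x0000 (BR with nzp clear); x1298 (ADD with
 * bits 4:3 set); TRAP x25. The two odd words must come out as .FILL. */
const uint8_t SAMPLE_OBJ[] = { 0x30, 0x00, 0x12, 0xAA, 0x23, 0xEF, 0x97, 0x3F, 0x0D, 0xFD,
                               0xC1, 0xC0, 0x00, 0x00, 0x12, 0x98, 0xF0, 0x25 };
int main(void) {
    int n = disassemble_image(SAMPLE_OBJ, sizeof SAMPLE_OBJ, stdout);
    printf("; %d instruction words, %d data words\n", n, (int)(sizeof SAMPLE_OBJ / 2) - 1 - n);
    return 0;
}
```

Compile and run with gcc -o lc3dis_example lc3dis_example.c && ./lc3dis_example; a file-reading version would replace get_word_from_bytes with two fgetc() calls per word. Note that JMP and JSRR also require bits 11:9 to be zero, a fixed field the homework text does not mention but the LC-3 encoding does fix; the example checks it so that those words are not mis-labelled as jumps.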
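A second added example, for the Java class-file disassembler section above and for the introduction's point that variable-width code can have more than one reasonable disassembly. This is our own code, not the term paper's: a linear sweep over a subset of JVM bytecode, where the opcode table OPS, jvm_sweep, jvm_unaligned_targets, jvm_print and the SAMPLE_CODE bytes are all assumptions of this example (the byte string is hand-assembled from what javac emits for a small counting loop, not extracted from a real .class file). Starting the sweep at the wrong offset still yields syntactically valid instructions; the check that every branch target lands on a decoded instruction boundary is what exposes the bad start.

```c
/* Added example for this page (our code, not the term paper's Java disassembler):
 * a linear-sweep decoder for a subset of JVM bytecode, with a consistency check on
 * branch targets. OPS, jvm_sweep, jvm_unaligned_targets and SAMPLE_CODE are ours. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Opcode table: total instruction length in bytes, and whether the 16-bit operand
 * is a signed branch offset. Opcodes not listed have len 0 and stop the sweep. */
typedef struct { const char *name; unsigned char len, branch; } jop_t;
static const jop_t OPS[256] = {
    [0x00] = {"nop", 1, 0},
    [0x03] = {"iconst_0", 1, 0}, [0x04] = {"iconst_1", 1, 0}, [0x05] = {"iconst_2", 1, 0},
    [0x06] = {"iconst_3", 1, 0}, [0x07] = {"iconst_4", 1, 0}, [0x08] = {"iconst_5", 1, 0},
    [0x0b] = {"fconst_0", 1, 0}, [0x0c] = {"fconst_1", 1, 0}, [0x0d] = {"fconst_2", 1, 0},
    [0x10] = {"bipush", 2, 0},   [0x11] = {"sipush", 3, 0},
    [0x15] = {"iload", 2, 0},    [0x1a] = {"iload_0", 1, 0},  [0x1b] = {"iload_1", 1, 0},
    [0x1c] = {"iload_2", 1, 0},  [0x1d] = {"iload_3", 1, 0},
    [0x36] = {"istore", 2, 0},   [0x3b] = {"istore_0", 1, 0}, [0x3c] = {"istore_1", 1, 0},
    [0x3d] = {"istore_2", 1, 0}, [0x3e] = {"istore_3", 1, 0},
    [0x60] = {"iadd", 1, 0},     [0x64] = {"isub", 1, 0},     [0x68] = {"imul", 1, 0},
    [0x84] = {"iinc", 3, 0},
    [0x9f] = {"if_icmpeq", 3, 1}, [0xa0] = {"if_icmpne", 3, 1}, [0xa1] = {"if_icmplt", 3, 1},
    [0xa2] = {"if_icmpge", 3, 1}, [0xa3] = {"if_icmpgt", 3, 1}, [0xa4] = {"if_icmple", 3, 1},
    [0xa7] = {"goto", 3, 1},
    [0xac] = {"ireturn", 1, 0},  [0xb1] = {"return", 1, 0},
    [0xb6] = {"invokevirtual", 3, 0}, [0xb8] = {"invokestatic", 3, 0},
};

/* One decoded instruction. operand holds the raw 1- or 2-byte immediate;
 * target is the absolute branch target, or -1 for non-branches. */
typedef struct { int off; const char *name; int len; int operand; int target; } jinsn_t;

/* Linear sweep from byte offset `start`. Returns the number of instructions
 * decoded, or -1 on an unknown opcode, a truncated operand, or a full buffer. */
int jvm_sweep(const uint8_t *code, size_t len, size_t start, jinsn_t *out, int max) {
    int n = 0;
    for (size_t pc = start; pc < len; ) {
        const jop_t *op = &OPS[code[pc]];
        if (op->len == 0 || pc + op->len > len || n == max) return -1;
        jinsn_t in = { (int)pc, op->name, op->len, 0, -1 };
        if (op->len == 2) in.operand = code[pc + 1];
        if (op->len == 3) in.operand = (code[pc + 1] << 8) | code[pc + 2];
        if (op->branch) in.target = (int)pc + (int16_t)in.operand; /* relative to the opcode */
        out[n++] = in;
        pc += op->len;
    }
    return n;
}

/* Count branches whose target is not the offset of any decoded instruction.
 * Non-zero means the sweep is internally inconsistent, the usual symptom of
 * having started in the middle of an instruction (or of data mixed into code). */
int jvm_unaligned_targets(const jinsn_t *in, int n) {
    int bad = 0;
    for (int i = 0; i < n; i++) {
        if (in[i].target < 0) continue;
        int found = 0;
        for (int j = 0; j < n && !found; j++) found = (in[j].off == in[i].target);
        bad += !found;
    }
    return bad;
}

void jvm_print(const jinsn_t *in, int n) {
    for (int i = 0; i < n; i++) {
        if (in[i].target >= 0)   printf("%4d: %s %d\n", in[i].off, in[i].name, in[i].target);
        else if (in[i].len > 1)  printf("%4d: %s 0x%x\n", in[i].off, in[i].name, in[i].operand);
        else                     printf("%4d: %s\n", in[i].off, in[i].name);
    }
}

/* Constructed sample, hand-assembled from what javac emits for
 *   static int f(int a) { int s = 0; for (int i = 0; i < a; i++) s += i; return s; }
 * (not extracted from a real .class file). */
static const uint8_t SAMPLE_CODE[] = {
    0x03, 0x3c, 0x03, 0x3d, 0x1c, 0x1a, 0xa2, 0x00, 0x0d, 0x1b, 0x1c,
    0x60, 0x3c, 0x84, 0x02, 0x01, 0xa7, 0xff, 0xf4, 0x1b, 0xac,
};

int main(void) {
    jinsn_t buf[64];
    size_t starts[2] = { 0, 8 };   /* 8 is deliberately inside the if_icmpge operand */
    for (int s = 0; s < 2; s++) {
        int n = jvm_sweep(SAMPLE_CODE, sizeof SAMPLE_CODE, starts[s], buf, 64);
        printf("-- sweep from offset %zu: %d instructions\n", starts[s], n);
        jvm_print(buf, n);
        printf("   branch targets off instruction boundaries: %d\n", jvm_unaligned_targets(buf, n));
    }
    return 0;
}
```

The sweep from offset 0 recovers the loop (if_icmpge at 6 branches to 19, goto at 16 back to 4) and every target is a boundary. The sweep from offset 8 is also made entirely of valid opcodes (it begins with fconst_2, the 0x0d that was really the low byte of the if_icmpge offset), but its goto points at offset 4, which that sweep never decoded; that is the kind of evidence a disassembler, or a reviewer of its output, uses to reject one of two plausible decodings. Real class files need the full opcode table plus the padded tableswitch/lookupswitch forms, and the code bytes sit inside a method's Code attribute rather than at the start of the file.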