Exetools forum > Community Tools > ArkDasm (https://forum.exetools.com/showthread.php?t=15279)

cyberbob 10-02-2013 01:38

ArkDasm
 
Hi,

Here is my new project ArkDasm http://www.arkdasm.com

It's a 64-bit interactive disassembler. It's a pre-alpha version and there is still a lot of work left, but IMHO the basic functionality is finished.
I did not bother with a context menu, so please use keyboard shortcuts instead.
Keyboard shortcuts are pretty standard: n (rename), x (show xrefs), ; (add comment), c (make code), d (make data), u (undefine) and more; for a full list of shortcuts look into readme.pdf.

The binary itself is 64-bit and the VS2012 runtimes are required: http://www.microsoft.com/en-us/download/details.aspx?id=30679

giv 10-03-2013 18:09

Nice project.
Keep it going.

aldente 10-04-2013 06:41

What do we need another disassembler for?

There were 96 crappy disassemblers before, now there are 97.

ONE good disassembler would be of much more use than 97 crappy ones!

chessgod101 10-04-2013 14:15

aldente, you need to be more respectful for the hard work that cyberbob has placed into coding this disassembler. If his software does not meet your requirements, I suggest that you code your own disassembler instead of criticizing his application. Cyberbob coded this disassembler to meet his requirements, not your own.

uranus64 10-04-2013 14:36

aldente, I don't know you as I don't know cyberbob. So I will simply express my personal opinion. Each disassembler was once one of many. But some of them became real kings on reversing scene. How do you know that a new star isn't born right now?

cyberbob 10-04-2013 15:18

Quote:

Originally Posted by aldente (Post 87197)
There were 96 crappy disassemblers before, now there are 97.

96? Wow, I didn't know there were so many; let's hope we can make it 100 before the end of this year.

aldente 10-06-2013 09:10

Quote:

Originally Posted by chessgod101 (Post 87198)
If his software does not meet your requirements, I suggest that you code your own disassembler instead of criticizing his application.

NO, that is the WORST thing to do! That would only lead to one more useless disassembler!

There is one really good disassembler: IDA

There would be room for another disassembler, an open source tool. Instead of starting 97 disassembler projects, which only have rudimentary features and will die soon because of a lack of support, all these authors should contribute to the same project.

Look at webbrowser engines: There are only THREE major engines: Trident (Internet Explorer), Gecko (Firefox, SeaMonkey, ...) and WebKit (Safari, Opera, Chrome, ...). The two open source engines Gecko and WebKit are great products, because thousands of developers contribute to each one.

Imagine if each of these developers started to write his own engine instead. There would be hundreds of crappy webbrowser engines out there, none of which would be even close to Gecko or WebKit quality-wise.

NOBODY should start writing a new disassembler! It just doesn't make any sense!
The reverse engineering scene lacks good, coordinated software development. Right now, everybody is just wasting his time. The goal should be to create something bigger, together, just like the open source guys.

deepzero 10-07-2013 01:16

Agreed.


Some screenshots of yet another product were floating around in some IRC channels recently. It looked very, very promising and the dude mentioned a fairly large team was in charge of maintaining it.

No further information, though; haven't seen the guy anywhere since.

evlncrn8 10-07-2013 02:24

Really depends on the actual task at hand: if it's for documentation IDA is pretty much the best (albeit it's slow.. even slower with PDB processing); if it's for disasm->edit->reasm then it's not really that useful, I find.

mr.exodia 10-07-2013 05:43

Quote:

Originally Posted by deepzero (Post 87263)
Agreed.


Some screenshots of yet another product were floating around in some IRC channels recently. It looked very, very promising and the dude mentioned a fairly large team was in charge of maintaining it.

No further information, though; haven't seen the guy anywhere since.

I heard about this too, do you still have the screenshots?

@aldente: actually I don't agree with you; from making your own stuff you can learn a lot. I'm currently making a 64-bit debugger. Can't say it's the best now, but I can say I learned hundreds of things from it. Obviously my product isn't going to compete with Olly or IDA, but I like to do things the way I like it, with a very select few who agree with my ideas. A big project (let's say for the whole reversing community) can be a good thing, but when it's wild and new everybody just tries to push their ideas into it and eventually it will suck.

Just my two cents

edit: just for the record: I'm not building from ground up, I use TitanEngine for the debugger and BeaEngine for the disassembler part, QT for the GUI soon..

ZeNiX 10-08-2013 10:54

I agree with mr.exodia that we can learn a lot from own projects.

Also, I think we need more encouragement for most of the own project persons.
We do not want to kill a new star before it starts to shine and flash.

cyberbob 10-09-2013 01:16

small update, alpha version released:

+ added local debug symbols (PDB file) loading
+ added new command: sym

deepzero 10-11-2013 03:19

Quote:

I heard about this too, do you still have the screenshots?
Unfortunately, no. Still waiting for that guy to surface somewhere.

Maybe someone else does?

CfF2002 10-12-2013 14:45

This project looks promising.
Keep up the good work!

cyberbob 10-20-2013 22:19

beta version released, it's one small step in development but one giant leap in usability

+ added save, load database

typedef 10-31-2013 21:20

A Python scripting interface would be good, with breakpoints that can trigger scripts at certain points in execution. Good job on the debugger though.

cyberbob 11-06-2013 03:03

v0.4.0 released

+ added File > Produce assembly text file
+ added possibility to create byte array type
+ added new command: dup
+ minor improvements

cyberbob 12-08-2013 22:23

v0.5.0 released

added possibility to create subroutine
added subroutine stack data (arguments, local variables) recognition
added hex view window
minor bugfixes and usability improvements

Here is a screenshot of how stack data recognition may look: http://arkdasm.com/stackdata.png

It's possible to rename stack data after pressing n key.

MarcElBichon 03-21-2014 03:08

v0.6.0 released

What's new:
added structure support for global data
added new commands: del_struct, struct, ls
updated Qt to 5.2.1
minor improvements, bug fixes

MarcElBichon 04-08-2014 00:16

ArkDasm v0.7.0
2014-04-06

Changelog:
Quote:

- added new commands: extnd, lst, fold, unfold
- minor improvements, bug fixes
Download:
Quote:

http://www.arkdasm.com/arkdasm.zip

jvoisin 08-21-2014 01:01

Are you planning to release the source code one day?

cyberbob 08-21-2014 05:27

Quote:

Originally Posted by jvoisin (Post 93876)
Are you planning to release the source code one day?

sorry, at the moment no plans to release the source code

MarcElBichon 09-29-2014 00:32

ArkDasm v0.8.0
2014-09-28

Main features:
- parsing PE32+ imports, exports, resources
- subroutine stack data (arguments, local variables) recognition
- loading local debug symbols (.pdb file) using DIA
- multiline comments support
- bookmarks support
- python script support
- possibility to save, load database

Changelog:
Quote:

- added python script support
- added command line support
- added new command: py
- minor improvements, bug fixes
Download:
Quote:

http://www.arkdasm.com/arkdasm.zip

cyberbob 04-16-2015 22:54

v.1.0.0 released - www.arkdasm.com

+ added debugger capabilities
+ added new commands: bp, ba
+ switched to the Capstone disasm engine
+ updated Qt to 5.4.0
+ switched to Visual Studio 2013
+ minor improvements, bug fixes

Switched to Visual Studio 2013, so the run-times (msvcp120.dll, msvcr112.dll) are required: http://www.microsoft.com/en-us/download/details.aspx?id=40784

mr.exodia 04-17-2015 03:56

Hey,

Nice seeing you added debugger capabilities! I have a few questions if you don't mind :)

What is this 'DIA' thing you are talking about to load symbols? Is it open source? I could not find it anywhere (though maybe my search terms were off).

And could you maybe give me some pointers as to how you recognize functions and local variables? Do you scan all instructions and populate a nice graph or do you do a linear scan with some algorithms to detect functions or maybe a combination? I am interested in this because I want to implement some of this in x64dbg :)

Another small thing, is the arrow location just 'wrong' or is it placed between instructions for a reason? See this screenshot: http://prntscr.com/6ukf81

On and before I forget it, could you share some insight on how you implemented these python functions? I saw the python libs, but do you have some trick to auto generate the required function definitions or is it all manual work?

Greetings

cyberbob 04-17-2015 05:51

Quote:

Originally Posted by mr.exodia (Post 99070)
What is this 'DIA' thing you are talking about to load symbols? Is it open source?

it's open source; it comes with Visual Studio, you should have it in the VS path, e.g. "c:\Program Files (x86)\Microsoft Visual Studio 12.0\DIA SDK\Samples"

Quote:

Originally Posted by mr.exodia (Post 99070)
And could you maybe give me some pointers as to how you recognize functions and local variables?

first I scan to find the beginning and the end of the function (it's not always an easy task) and then just 'walk' the function, marking and recording instructions related to the stack pointer.

Quote:

Originally Posted by mr.exodia (Post 99070)
Another small thing, is the arrow location just 'wrong' or is is placed between instructions for a reason?

there is no reason; it's calculated based on QFontMetrics lineSpacing. Please change the font to get a hopefully more accurate position, but personally it did not bother me that it's a millimeter off.

Quote:

Originally Posted by mr.exodia (Post 99070)
On and before I forget it, could you share some insight on how you implemented these python functions? I saw the python libs, but do you have some trick to auto generate the required function definitions or is it all manual work?

it's manual work but you could use SWIG if you have a lot of functions.

Cheers
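
The walk cyberbob describes (find the function, then record every instruction that touches the stack pointer) as an added worked example; this is not ArkDasm's code. It takes an already-decoded listing in Capstone-style "mnemonic op_str" text rather than raw bytes, tracks how far rsp has moved from its value at entry, and maps each rsp- or rbp-relative access to a frame-independent slot, classified under the Windows x64 ABI (negative = local, 0 = return address, +8..+0x20 = rcx/rdx/r8/r9 home slots, +0x28 onward = 5th, 6th, ... stack arguments). The listing at the bottom is constructed by hand to look like a typical MSVC function; it is not taken from any real binary.

```python
"""Stack-data (arguments, locals) recognition over one function's listing.

Added example, not ArkDasm code. Input is a list of (mnemonic, op_str) pairs
in address order, in the text form Capstone produces for x86-64.
"""
import re
from dataclasses import dataclass

MEM_RE = re.compile(r"\[(rsp|rbp)(?:\s*([+-])\s*(0x[0-9a-fA-F]+|\d+))?\]")
SIZE_RE = re.compile(r"\b(byte|word|dword|qword|xmmword) ptr\b")
SIZES = {"byte": 1, "word": 2, "dword": 4, "qword": 8, "xmmword": 16}


@dataclass(frozen=True)
class StackSlot:
    offset: int   # relative to rsp at function entry (0 = return address)
    size: int     # width of the first access seen, in bytes
    kind: str     # "local" | "retaddr" | "home" | "arg"


def classify(offset):
    """Windows x64 ABI view of an entry-relative stack offset."""
    if offset < 0:
        return "local"
    if offset == 0:
        return "retaddr"
    if offset <= 0x20:
        return "home"          # rcx/rdx/r8/r9 spill slots reserved by the caller
    return "arg"               # 5th and later arguments, passed on the stack


def recognize_stack_data(listing):
    """Return the StackSlots a function touches, sorted by entry-relative offset.

    rsp is tracked as a delta from its value at entry so [rsp+X] can be mapped
    to a frame-independent slot; a frame pointer established by 'mov rbp, rsp'
    or 'lea rbp, [rsp+N]' is tracked the same way.  push/pop of registers and
    rsp arithmetic move the delta and are otherwise not recorded as slots.
    """
    delta = 0        # bytes rsp has moved below the entry rsp
    rbp = None       # entry-relative offset rbp points at, once established
    slots = {}
    for mnem, ops in listing:
        m = MEM_RE.search(ops)
        if mnem == "push":
            delta += 8
            continue
        if mnem == "pop":
            delta -= 8
            continue
        if mnem in ("sub", "add") and ops.startswith("rsp,"):
            n = int(ops.split(",")[1], 0)
            delta += n if mnem == "sub" else -n
            continue
        if mnem == "mov" and ops == "rbp, rsp":
            rbp = -delta
            continue
        if mnem == "lea" and ops.startswith("rbp,") and m and m.group(1) == "rsp":
            rbp = int(m.group(3) or "0", 0) * (-1 if m.group(2) == "-" else 1) - delta
            continue
        if not m:
            continue
        base, sign, disp = m.group(1), m.group(2), m.group(3)
        disp = int(disp or "0", 0) * (-1 if sign == "-" else 1)
        if base == "rsp":
            offset = disp - delta
        elif rbp is not None:
            offset = rbp + disp
        else:
            continue           # rbp is a general register here, not a frame pointer
        sm = SIZE_RE.search(ops)
        size = SIZES[sm.group(1)] if sm else 8   # lea and friends: pointer-sized
        slots.setdefault(offset, StackSlot(offset, size, classify(offset)))
    return sorted(slots.values(), key=lambda s: s.offset)


def name_slot(slot):
    """IDA-style default names: var_N for locals, arg_N (1-based) for arguments."""
    if slot.kind == "local":
        return f"var_{-slot.offset:X}"
    if slot.kind == "retaddr":
        return "ret_addr"
    return f"arg_{slot.offset // 8}"   # +8 -> arg_1 ... +0x28 -> arg_5


# Constructed listing (not from a real binary): MSVC-style function that homes
# two register arguments, keeps one dword local and reads the 5th argument.
SAMPLE = [
    ("mov", "qword ptr [rsp+0x10], rdx"),
    ("mov", "qword ptr [rsp+8], rcx"),
    ("push", "rbx"),
    ("sub", "rsp, 0x30"),
    ("mov", "dword ptr [rsp+0x20], 0"),
    ("mov", "rbx, rcx"),
    ("lea", "rcx, [rsp+0x20]"),
    ("call", "0x140001000"),
    ("mov", "eax, dword ptr [rsp+0x20]"),
    ("add", "eax, dword ptr [rsp+0x60]"),
    ("add", "rsp, 0x30"),
    ("pop", "rbx"),
    ("ret", ""),
]

if __name__ == "__main__":
    for s in recognize_stack_data(SAMPLE):
        print(f"{name_slot(s):>8}  {s.kind:>7}  size={s.size}  entry_rsp{s.offset:+#x}")
```

Because slots are keyed on the entry-relative offset, the same local shows up once even though the prologue's `sub rsp, 0x30` and the later `[rsp+0x20]` accesses happen at different rsp values; the first access seen decides the width, which is the usual heuristic and is wrong when a dword field of a larger struct is touched first.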

maktm 04-17-2015 21:01

I forgot what it's called or where I read this but there are 2 methods in which you can analyse the binary to find all the functions. The first method is to scan each and every function then link them together, but the other method is to analyse the instruction line by line and when you identify a function you check for calls inside of it and then go into that new function (inside of the main function) and then repeat the process. This means that if you had something like :

;function prologue
call xxx
;function epilogue

it would follow the call, identify the function and if it had another function then keep repeating it. In the end it would return back to the main function then continue line-by-line analysis.

What method do you use for this?

Sorry if this sounds vague or confusing.

Btw I saw this project on /r/reverseengineering first so it's getting around a lot. good job :)

cyberbob 04-17-2015 21:49

Quote:

Originally Posted by maktm (Post 99090)
What method do you use for this?

I use the second method (if I understood you correctly). I follow call instructions.

mr.exodia 04-18-2015 06:37

I plan on combining both linear search and a recursive search to also detect unused functions (and maybe evade some techniques like below). The problem I'm having is how to represent the instructions as a data structure...
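
The two strategies maktm describes and the combination mr.exodia is planning, as an added worked example (not code from ArkDasm, x64dbg or any other tool in this thread). A toy decoder that knows only a handful of x86-64 opcodes is enough to show both failure modes on one constructed byte image: linear sweep is desynchronised by a junk 0xE8 hidden behind a short `jmp` and so never sees the real `pop rbp; ret`, while recursive descent from the entry point (following calls and jumps, cyberbob's method) never sees a function that nothing references. `combined()` runs the descent first and then sweeps the gaps it left, accepting a gap as code only when it decodes cleanly up to a `ret` or `jmp`. The image base, the bytes and the opcode subset are all assumptions made for the example.

```python
"""Linear sweep vs. recursive descent on a constructed x86-64 byte image.

Added example; the decoder handles only the opcodes in OPCODES and is not a
substitute for a real engine such as Capstone.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Insn:
    addr: int
    size: int
    text: str
    flow: str            # "next" | "call" | "jump" | "branch" | "stop"
    target: int = None


# opcode -> (length, mnemonic, flow, width of the relative displacement or 0)
OPCODES = {
    0x55: (1, "push rbp", "next", 0), 0x5D: (1, "pop rbp", "next", 0),
    0xC3: (1, "ret", "stop", 0),      0xCC: (1, "int3", "stop", 0),
    0x90: (1, "nop", "next", 0),      0xB8: (5, "mov eax, imm32", "next", 0),
    0xE8: (5, "call", "call", 4),     0xE9: (5, "jmp", "jump", 4),
    0xEB: (2, "jmp", "jump", 1),      0x74: (2, "je", "branch", 1),
    0x75: (2, "jne", "branch", 1),
}


def decode(image, base, addr):
    """One instruction at addr, or None if unknown/truncated."""
    off = addr - base
    if not 0 <= off < len(image) or image[off] not in OPCODES:
        return None
    size, mnem, flow, relw = OPCODES[image[off]]
    if off + size > len(image):
        return None
    target = None
    if relw:
        rel = struct.unpack_from("<i" if relw == 4 else "<b", image, off + 1)[0]
        target = addr + size + rel            # displacement is from the next insn
        mnem = f"{mnem} 0x{target:x}"
    return Insn(addr, size, mnem, flow, target)


def linear_sweep(image, base):
    """Decode front to back; an undecodable byte becomes 'db' and we step by one."""
    insns, addr, end = [], base, base + len(image)
    while addr < end:
        insn = decode(image, base, addr)
        if insn is None:
            insn = Insn(addr, 1, f"db 0x{image[addr - base]:02x}", "next")
        insns.append(insn)
        addr += insn.size
    return insns


def recursive_descent(image, base, entries, covered=None):
    """Follow control flow from each entry; returns {addr: Insn} of code reached."""
    insns, work = {}, list(entries)
    covered = set() if covered is None else covered   # byte addresses already code
    while work:
        addr = work.pop()
        while addr not in covered:
            insn = decode(image, base, addr)
            span = range(addr, addr + insn.size) if insn else ()
            if insn is None or any(b in covered for b in span):
                break                                 # junk, or overlaps known code
            insns[addr] = insn
            covered.update(span)
            if insn.flow in ("call", "branch", "jump"):
                work.append(insn.target)
            if insn.flow in ("jump", "stop"):
                break                                 # no fall-through
            addr += insn.size
    return insns


def _gaps(covered, start, end):
    """Maximal [start, end) ranges of bytes the descent did not reach."""
    addr = start
    while addr < end:
        if addr in covered:
            addr += 1
            continue
        gap = addr
        while addr < end and addr not in covered:
            addr += 1
        yield gap, addr


def combined(image, base, entry):
    """Descent from entry, then sweep the gaps: a gap that decodes cleanly to a
    ret/jmp is taken as an unreferenced function, anything else as data."""
    covered = set()
    insns = recursive_descent(image, base, [entry], covered)
    data = []
    for start, end in _gaps(covered, base, base + len(image)):
        sweep = linear_sweep(image[start - base:end - base], start)
        clean = all(not i.text.startswith("db") and i.text != "int3" for i in sweep)
        if clean and sweep[-1].flow in ("stop", "jump"):
            insns.update(recursive_descent(image, base, [start], covered))
        else:
            data.extend(range(start, end))
    return dict(sorted(insns.items())), data


BASE = 0x1000
IMAGE = bytes([                          # constructed, not from a real binary
    0x55,                                # 1000 push rbp
    0xE8, 0x07, 0x00, 0x00, 0x00,        # 1001 call 0x100d
    0xEB, 0x01,                          # 1006 jmp 0x1009 (skips the junk byte)
    0xE8,                                # 1008 junk: looks like a 5-byte call
    0x5D,                                # 1009 pop rbp
    0xC3,                                # 100a ret
    0xCC, 0xCC,                          # 100b int3 padding
    0x55, 0x5D, 0xC3,                    # 100d helper: push rbp / pop rbp / ret
    0xB8, 0x2A, 0x00, 0x00, 0x00,        # 1010 mov eax, 42 (never referenced)
    0xC3,                                # 1015 ret
])

if __name__ == "__main__":
    for name, insns in (("linear", linear_sweep(IMAGE, BASE)),
                        ("recursive", recursive_descent(IMAGE, BASE, [BASE]).values()),
                        ("combined", combined(IMAGE, BASE, BASE)[0].values())):
        print(name, [f"{i.addr:x}:{i.text}" for i in insns])
```

The gap heuristic is deliberately conservative: a gap that does not end in a control transfer is left as data, because in a real image the alternative (a sweep that "decodes" padding, jump tables or string bytes into instructions) is exactly how bogus functions get into a database.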

redbull 04-27-2015 19:17

Good to see this project is still going! Good work cyberbob.

cyberbob 05-27-2015 22:55

v.1.1.0 released - www.arkdasm.com

+ added debugger memory snapshot feature
+ added debugger exception handling settings
+ added new command: bpdll
+ improvements, bug fixes

giv 10-11-2015 00:33

Hi.
I see that the debugger does an analysis like IDA does before starting to debug the target itself.
That analysis is done each time the executable is loaded, even if it is the same and not modified. Can you make a file that keeps the analysis and, if the CRC changes, analyse again? Otherwise it is a waste of time to wait each time for the analysis to complete.
Or am I wrong?

cyberbob 10-11-2015 17:04

Hi giv, you're wrong, because it's not analysis; it's mostly rebasing hash maps (comments, labels, xrefs, etc.) to the new imagebase, creating a new debugger database and stashing the current one, because it will be restored when the debugger exits (assuming you don't use the memory snapshot feature). Full analysis is done only at the beginning, that is when you load a new file into the disassembly.

giv 10-11-2015 19:15

Oh, I see.
I have made a quick test.
Load a file twice.
But it seems that ASLR is at fault, which makes the program rebase the hash maps every time.
Are the hash maps stored relative to the VA or the RVA of the file, or is it another pointer?

cyberbob 10-11-2015 20:50

Quote:

Originally Posted by giv (Post 102322)
The hash maps are stored relative to VA or RVA of the file or is another pointer?

VA, but if your file is big and it takes too much time to rebase I'd suggest using another debugger.

giv 10-12-2015 00:37

VA is a bad option concerning ASLR.
I have made a simple test.
Load the Total Commander 64-bit executable.
It is a few MB, as you may know.
The process takes about one minute on a Core 2 Quad Q6666 at 2.4 GHz x4 with 6 GB RAM under Win 8.1.
The rebasing is done every time I load the file, even if it is small.
Referencing the RVA as the pointer would avoid this issue IMHO.

cyberbob 10-12-2015 01:06

Well, it all depends on your hardware. I just checked totalcmd64.exe on my 4-year-old laptop, i7-2620M @ 2.70 GHz, 8 GB RAM, Win7, and it takes about 3-4 seconds.
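
The difference giv and cyberbob are discussing, as an added example that is not ArkDasm's code: two minimal annotation stores for the per-address data a disassembler keeps (labels and xrefs here). `VaDatabase` keys everything by virtual address, so when ASLR puts the image at a different base every entry and every xref member has to be rewritten; `RvaDatabase` keys by RVA and only changes the translation constant, so a new base costs nothing and lookups add the base on the way in. The image bases and the generated entries are constructed values.

```python
"""Annotation database keyed by VA versus by RVA under ASLR.

Added example, not ArkDasm code.  Both stores expose the same VA-based API,
so the caller never sees the difference; only load_at() does.
"""
from dataclasses import dataclass, field


@dataclass
class VaDatabase:
    image_base: int
    labels: dict = field(default_factory=dict)   # va -> name
    xrefs: dict = field(default_factory=dict)    # va -> {referencing va, ...}
    rewritten: int = 0                           # entries touched by rebasing so far

    def add_label(self, va, name):
        self.labels[va] = name

    def add_xref(self, frm, to):
        self.xrefs.setdefault(to, set()).add(frm)

    def label(self, va):
        return self.labels.get(va)

    def xrefs_to(self, va):
        return set(self.xrefs.get(va, ()))

    def load_at(self, new_base):
        """The image landed elsewhere: rehash every key and every xref member.
        Work is proportional to the size of the database, every load."""
        delta = new_base - self.image_base
        if delta:
            self.labels = {va + delta: n for va, n in self.labels.items()}
            self.xrefs = {to + delta: {f + delta for f in frm}
                          for to, frm in self.xrefs.items()}
            self.rewritten += len(self.labels) + sum(len(s) for s in self.xrefs.values())
            self.image_base = new_base


@dataclass
class RvaDatabase:
    image_base: int
    labels: dict = field(default_factory=dict)   # rva -> name
    xrefs: dict = field(default_factory=dict)    # rva -> {referencing rva, ...}
    rewritten: int = 0

    def _rva(self, va):
        return va - self.image_base

    def add_label(self, va, name):
        self.labels[self._rva(va)] = name

    def add_xref(self, frm, to):
        self.xrefs.setdefault(self._rva(to), set()).add(self._rva(frm))

    def label(self, va):
        return self.labels.get(self._rva(va))

    def xrefs_to(self, va):
        return {r + self.image_base for r in self.xrefs.get(self._rva(va), ())}

    def load_at(self, new_base):
        """Only the translation constant changes; no entry is touched."""
        self.image_base = new_base


def populate(db, count):
    """Fill db with count constructed labels, each with one constructed xref."""
    for i in range(count):
        fn = db.image_base + 0x1000 + i * 0x10
        db.add_label(fn, f"sub_{fn:X}")           # name chosen at analysis time
        db.add_xref(db.image_base + 0x2000 + i * 5, fn)
    return db


def compare(count, old_base=0x140000000, new_base=0x7FF612340000):
    """Build both stores at the PE's preferred base, then load at an ASLR base.
    Returns (VA rewrites, RVA rewrites, label lookups at the new base)."""
    va = populate(VaDatabase(old_base), count)
    rva = populate(RvaDatabase(old_base), count)
    va.load_at(new_base)
    rva.load_at(new_base)
    first = new_base + 0x1000
    return va.rewritten, rva.rewritten, va.label(first), rva.label(first)


if __name__ == "__main__":
    print(compare(100_000))
```

Keying by RVA only removes the rebasing pass for annotations the database owns; anything that stores absolute addresses inside the image itself (relocated pointers in data, for instance) still has to be read back from the loaded process, which is the part no key scheme can avoid.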

giv 10-12-2015 17:58

Ah.
I have an i7 3.3 GHz quad laptop with Win 8.1 x64, 12 GB DDR3 and a 256 GB SSD, but I did not test on it because it is only for Tom & Jerry kids' games.
I thought it was not suitable to reverse on a laptop.
And my 2.4 GHz Q6660 Quad is suitable for reversing a 3 MB program....
I will test on the laptop when it is free and I will tell you the result.
:)

MarcElBichon 08-15-2018 19:11

Even if nothing changed, re-uploaded on 2018-08-04.
Never forget this tool!

blue_devil 10-02-2018 05:09

@cyberbob
Did you stop developing ArkDasm? It was a nice project. Why no updates?

