ArkDasm
Hi,
Here is my new project ArkDasm http://www.arkdasm.com It's a 64-bit interactive disassembler. It's a pre-alpha version and there is still a lot of work left, but IMHO basic functionality is finished. I did not bother with a context menu so please use keyboard shortcuts instead. Keyboard shortcuts are pretty standard: n (rename), x (show xref), ; (add comment), c (make code), d (make data), u (undefine) and more; for a full list of shortcuts look into readme.pdf. The binary itself is 64-bit and vs2012 runtimes are required http://www.microsoft.com/en-us/download/details.aspx?id=30679 |
Nice project.
Keep it going. |
What do we need another disassembler for?
There were 96 crappy disassemblers before, now there are 97. ONE good disassembler would be of much more use than 97 crappy ones! |
aldente, you need to be more respectful for the hard work that cyberbob has placed into coding this disassembler. If his software does not meet your requirements, I suggest that you code your own disassembler instead of criticizing his application. Cyberbob coded this disassembler to meet his requirements, not your own.
|
aldente, I don't know you as I don't know cyberbob. So I will simply express my personal opinion. Each disassembler was once one of many. But some of them became real kings on reversing scene. How do you know that a new star isn't born right now?
|
Quote:
|
Quote:
There is one really good disassembler: IDA. There would be room for another disassembler, an open source tool. Instead of starting 97 disassembler projects, which only have rudimentary features and will die soon because of a lack of support, all these authors should contribute to the same project. Look at web browser engines: there are only THREE major engines: Trident (Internet Explorer), Gecko (Firefox, SeaMonkey, ...) and WebKit (Safari, Opera, Chrome, ...). The two open source engines Gecko and WebKit are great products, because thousands of developers contribute to each one. Imagine if each of these developers started to write his own engine instead. There would be hundreds of crappy web browser engines out there, none of which would be even close to Gecko or WebKit quality-wise. NOBODY should start writing a new disassembler! It just doesn't make any sense! The reverse engineering scene lacks good, coordinated software development. Right now, everybody is just wasting his time. The goal should be to create something bigger, together, just like the open source guys. |
Agreed.
Some screenshots of yet another product were floating around in some IRC channels recently. It looked very, very promising and the dude mentioned a fairly large team was in charge of maintaining it. No further information, though, haven't seen the guy anywhere since. |
really depends on the actual task at hand, if it's for documentation ida is pretty much the best (albeit it's slow.. even slower with pdb processing), if it's for disasm->edit->reasm then it's not really that useful i find
|
Quote:
@aldente: actually I don't agree with you, from making your own stuff you can learn a lot. I'm currently making a 64 bit debugger, can't say it's the best now but I can say I learned hundreds of things from it. Obviously my product isn't going to compete with olly or ida, but I like to do things the way I like it with a very select few who agree with my ideas. A big project (let's say for the whole reversing community) can be a good thing, but when it's wild and new everybody just tries to push their ideas into it and eventually it will suck. Just my two cents. edit: just for the record: I'm not building from ground up, I use TitanEngine for the debugger and BeaEngine for the disassembler part, QT for the GUI soon.. |
I agree with mr.exodia that we can learn a lot from own projects.
Also, I think we need more encouragement for most of the own project persons. We do not want to kill a new star before it starts to shine and flash. |
small update, alpha version released:
+ added local debug symbols (PDB file) loading
+ added new command: sym |
Quote:
Maybe someone else does? |
This project looks promising.
Keep up the good work! |
beta version released, it's one small step in development but one giant leap in usability
+ added save, load database |
A Python scripting interface would be good, with breakpoints that can trigger scripts at certain points in execution. Good job on the debugger though.
|
v0.4.0 released
+ added File – Produce assembly text file
+ added possibility to create byte array type
+ added new command: dup
+ minor improvements |
v0.5.0 released
+ added possibility to create subroutine
+ added subroutine stack data (arguments, local variables) recognition
+ added hex view window
+ minor bugfixes and usability improvements
Here is a screenshot of how stack data recognition may look: http://arkdasm.com/stackdata.png It's possible to rename stack data after pressing the n key. |
v0.6.0 released
What's new:
+ added structure support for global data
+ added new commands: del_struct, struct, ls
+ updated Qt to 5.2.1
+ minor improvements, bug fixes |
ArkDasm v0.7.0
2014-04-06 Changelog: Quote:
Quote:
|
Are you planning to release the source code one day?
|
Quote:
|
ArkDasm v0.8.0
2014-09-28
Main features:
- parsing PE32+ imports, exports, resources
- subroutine stack data (arguments, local variables) recognition
- loading local debug symbols (.pdb file) using IDA
- multiline comments support
- bookmarks support
- python script support
- possibility to save, load database
Changelog: Quote:
Quote:
|
v.1.0.0 released - www.arkdasm.com
+ added debugger capabilities
+ added new commands: bp, ba
+ switched to the Capstone disasm engine
+ updated Qt to 5.4.0
+ switched to Visual Studio 2013
+ minor improvements, bug fixes
switched to Visual Studio 2013 so run-times (msvcp120.dll, msvcr112.dll) are required http://www.microsoft.com/en-us/download/details.aspx?id=40784 |
Hey,
Nice seeing you added debugger capabilities! I have a few questions if you don't mind :) What is this 'DIA' thing you are talking about to load symbols? Is it open source? I could not find it anywhere (though maybe my search terms were off). And could you maybe give me some pointers as to how you recognize functions and local variables? Do you scan all instructions and populate a nice graph or do you do a linear scan with some algorithms to detect functions or maybe a combination? I am interested in this because I want to implement some of this in x64dbg :) Another small thing, is the arrow location just 'wrong' or is it placed between instructions for a reason? See this screenshot: http://prntscr.com/6ukf81 Oh and before I forget it, could you share some insight on how you implemented these python functions? I saw the python libs, but do you have some trick to auto generate the required function definitions or is it all manual work? Greetings |
Quote:
Quote:
Quote:
Quote:
Cheers |
I forgot what it's called or where I read this but there are 2 methods in which you can analyse the binary to find all the functions. The first method is to scan each and every function then link them together, but the other method is to analyse the instructions line by line and when you identify a function you check for calls inside of it and then go into that new function (inside of the main function) and then repeat the process. This means that if you had something like:
;function prologue
call xxx
;function epilogue
it would follow the call, identify the function and if it had another function then keep repeating it. In the end it would return back to the main function then continue line by line analysis. What method do you use for this? Sorry if this sounds vague or confusing. Btw I saw this project on /r/reverseengineering first so it's getting around a lot. Good job :) |
Quote:
|
I plan on combining both linear search and a recursive search to also detect unused functions (and maybe evade some techniques like below). The problem I'm having is how to represent the instructions as a data structure...
|
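The two approaches discussed in the posts above, a linear scan and following calls recursively, and one way to combine them, as an added example that is not ArkDasm or x64dbg code. The byte string is constructed, the decoder handles only `call`/`jmp rel32` and `ret`, and all function names and the mid-instruction filter are assumptions made for illustration.

```python
# Constructed sample bytes (not from a real binary).
CODE = bytes.fromhex(
    "e802000000" "90" "c3"   # 0x00 main:   call 0x07 ; nop ; ret
    "90" "c3"                # 0x07 helper: nop ; ret
    "e801000000" "c3"        # 0x09 orphan: call 0x0f ; ret (never referenced)
    "90" "c3"                # 0x0f leaf:   nop ; ret
    "e8ebffffff"             # 0x11 data that happens to decode as "call 0x01"
)

def decode(code, off):
    """Toy decoder: (kind, length, target) for call/jmp rel32, ret, anything else."""
    op = code[off]
    if op in (0xE8, 0xE9) and off + 5 <= len(code):
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        return ("call" if op == 0xE8 else "jmp"), 5, off + 5 + rel
    return ("ret" if op == 0xC3 else "other"), 1, None

def linear_sweep(code):
    """Decode byte after byte in address order; collect in-range call targets."""
    targets, off = set(), 0
    while off < len(code):
        kind, length, target = decode(code, off)
        if kind == "call" and 0 <= target < len(code):
            targets.add(target)
        off += length
    return targets

def recursive_traversal(code, entry):
    """Follow control flow from entry; return (function starts, {insn offset: length})."""
    funcs, insns, work = {entry}, {}, [entry]
    while work:
        off = work.pop()
        while 0 <= off < len(code) and off not in insns:
            kind, length, target = decode(code, off)
            insns[off] = length
            if kind == "ret":
                break
            if kind == "call" and 0 <= target < len(code):
                funcs.add(target)
                work.append(target)
            off = target if kind == "jmp" else off + length
    return funcs, insns

def combined(code, entry):
    """Recursive result plus sweep targets that do not land inside a confirmed instruction."""
    funcs, insns = recursive_traversal(code, entry)
    mid = {start + i for start, n in insns.items() for i in range(1, n)}
    return funcs | {t for t in linear_sweep(code) if t not in mid}
```

On this sample the recursive pass alone misses `leaf`, the sweep alone reports a bogus target at 0x01 from the data bytes, and the combination keeps 0x00, 0x07 and 0x0f; `orphan` at 0x09 stays undetected because nothing references it.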
Good to see this project is still going! Good work cyberbob.
|
v.1.1.0 released - www.arkdasm.com
+ added debugger memory snapshot feature
+ added debugger exception handling settings
+ added new command: bpdll
+ improvements, bug fixes |
Hi.
I see that the debugger does an analysis like IDA does before starting to debug the target itself. That analysis is done each time the executable is loaded, even if it is the same and not modified. Can you make a file that keeps the analysis and, if the CRC changes, analyse again? Otherwise it is a waste of time to wait each time for the analysis to complete. Or am I wrong? |
Hi giv, you're wrong 'cause it's not analysis, it's mostly rebasing hash maps (comments, labels, xref, etc.) to the new imagebase, creating a new debugger database and stashing the current one 'cause it will be restored when the debugger exits (assuming you don't use the memory snapshot feature). Full analysis is done only at the beginning, that is when you load a new file into disassembly.
|
Oh i see.
I have made a quick test. Load a file twice. But it seems that ASLR is the fault which makes the program rebase the hash maps every time. Are the hash maps stored relative to the VA or RVA of the file, or is it another pointer? |
Quote:
|
VA is a bad option concerning ASLR.
I have made a simple test. Load the Total Commander 64 bit executable. It has a few MB as you may know. The process takes about one minute on a Core 2 Quad Q6666 at 2.4x4Mhz and 6 Gb RAM under Win 8.1. The rebasing is done every time I load the file, even if it is small. Referencing the RVA as pointer will avoid this issue IMHO. |
Well, it all depends on your hardware. I just checked totalcmd64.exe on my 4 year old laptop (i7-2620M @ 2.70 Ghz, 8 GB RAM, Win7) and it takes about 3-4 seconds.
|
Ah.
I have an i7 3.3Ghz quad laptop with Win 8.1 X64, 12 GB DDR3 and 256GB SSD but I did not test on it because it is only for Tom&Jerry kids games. I thought it is not suitable to reverse on a laptop. And my 2.4 Ghz Q6660 Quad is suitable for reversing a 3 MB program.... I will test on the laptop when it is free and I will tell you the result. :) |
Even if nothing changed, re-uploaded on 2018-08-04.
Never forget this tool! |
@cyberbob
Did you stop developing ArkDasm? It was a nice project. Why no updates? |