Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Which ARM64 disassembler engine best to use in a driver? (https://forum.exetools.com/showthread.php?t=20130)

DavidXanatos 04-04-2022 04:24

Which ARM64 disassembler engine best to use in a driver?
 
I'm porting a driver over to ARM64; that driver relies crucially on some un-exported kernel symbols,
which it currently finds by locating the required addresses in exported functions. On x86/x64 that's quite nice.
However, the ARM64 ISA seems to be quite a terrible mess in comparison, with no way to find anything there "by hand", so to say.
Hence I need an ARM64 disassembler engine that I could use to find what I need.
Could anyone here recommend me a reliable, lightweight and free ARM64 disassembler engine which I could use?

Cheers
David

evlncrn8 04-04-2022 16:47

capstone ?

RamMerLabs 04-04-2022 17:08

ARM64 code is pretty simple to disassemble: four bytes per instruction, and it is enough to apply a bit mask (and a subtraction sometimes, if a register is encoded) to distinguish the required instructions.

DavidXanatos 04-04-2022 23:52

Yeah, seems not to be so bad after all; I went with an approach like this:

Code:

    // ptr points at the first instruction to scan; scan up to 16 instructions
    ULONG i;
    ULONG_PTR nt;

    for (i = 0; i < 0x40; i += 4, ptr += 4) {

        // ADRP Xd, <page>: bit fields listed LSB first (MSVC layout):
        //   Rd(5) immHi(19) op1(5)=10000 immLo(2) op2(1)=1
        union {
            ULONG OP;
            struct {
                ULONG
                    Rd : 5,
                    immHi : 19,
                    op1 : 5,
                    immLo : 2,
                    op2 : 1;
            };
        } ADRP;

        ADRP.OP = *(ULONG*)ptr;

        if (ADRP.op1 == 0b10000 && ADRP.op2 == 0b1 && ADRP.Rd == 8) // adrp x8, #0x575000
        {
            // ADD Xd, Xn, #imm12{, LSL #12}: bit fields listed LSB first:
            //   Rd(5) Rn(5) imm12(12) shift(2) op1(5)=10001 S(1)=0 op2(1)=0 sf(1)=1
            union {
                ULONG OP;
                struct {
                    ULONG
                        Rd : 5,
                        Rn : 5,
                        imm12 : 12,
                        shift : 2,
                        op1 : 5,
                        S : 1,
                        op2 : 1,
                        sf : 1;
                };
            } ADD;

            ADD.OP = *(ULONG*)(ptr + 4);

            if (ADD.sf == 0b1 && ADD.op2 == 0b0 && ADD.S == 0b0 && ADD.op1 == 0b10001 && ADD.shift == 0 && ADD.Rn == 8 && ADD.Rd == 12) // add  x12, x8, #0xf80
            {
                // The ADRP immediate is a signed 21-bit page count: sign-extend it
                // and use a 64-bit type, since (imm21 << 12) does not fit in a LONG
                LONGLONG delta = (LONGLONG)(ADRP.immHi << 2 | ADRP.immLo);
                if (delta & (1 << 20))
                    delta -= (1LL << 21);
                delta = delta * 0x1000 + ADD.imm12; // shift == 0, so imm12 is unscaled

                // Note: ADRP clears the lower 12 bits of the PC
                nt = ((ULONG_PTR)ptr & ~(ULONG_PTR)0xFFF) + delta;

                return (void*)nt;
            }
        }
    }
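
The ADRP+ADD page/offset decoding discussed in this thread, written out as an added example; it is not code from any post here and not the attachment. It uses explicit shift-and-mask extraction instead of compiler-dependent bit-field layout, sign-extends the 21-bit ADRP immediate (a negative page offset overflows a 32-bit LONG once shifted by 12), honours the ADD `LSL #12` shift form, and generalises to any register pair rather than only x8/x12. The sample bytes, the register numbers and the 0x140001000 load address are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read one little-endian 32-bit ARM64 instruction word. */
static uint32_t insn_at(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Extract n bits starting at bit position lo. */
static uint32_t field(uint32_t w, unsigned lo, unsigned n) {
    return (w >> lo) & ((1u << n) - 1u);
}

/* ADRP Xd, <page>   encoding: 1 immlo(2) 10000 immhi(19) Rd(5)
 * On success stores Rd and the sign-extended page offset (imm21 * 4096). */
int decode_adrp(uint32_t w, unsigned *rd, int64_t *page_off) {
    if (field(w, 31, 1) != 1u || field(w, 24, 5) != 0x10u)
        return 0;
    int64_t imm21 = (int64_t)((field(w, 5, 19) << 2) | field(w, 29, 2));
    if (imm21 & (1 << 20))            /* sign bit of the 21-bit immediate */
        imm21 -= (int64_t)1 << 21;    /* sign-extend without shifting a negative value */
    *rd = field(w, 0, 5);
    *page_off = imm21 * 4096;         /* ADRP immediates count 4 KiB pages */
    return 1;
}

/* ADD Xd, Xn, #imm12{, LSL #12}   64-bit form: sf=1 op=0 S=0 10001 sh imm12(12) Rn(5) Rd(5) */
int decode_add_imm64(uint32_t w, unsigned *rd, unsigned *rn, uint64_t *imm) {
    if (field(w, 29, 3) != 0x4u || field(w, 24, 5) != 0x11u)
        return 0;
    uint32_t sh = field(w, 22, 2);
    if (sh > 1)                       /* shift values other than 0 and 1 are reserved */
        return 0;
    *rd = field(w, 0, 5);
    *rn = field(w, 5, 5);
    *imm = (uint64_t)field(w, 10, 12) << (sh * 12);
    return 1;
}

/* Scan `len` bytes of code that is mapped at virtual address `base` for an
 * "ADRP Xn, <page> ; ADD Xd, Xn, #lo" pair whose destination is want_rd.
 * Stores the address the pair computes in *target and returns 1 on success. */
int find_adrp_add_target(const uint8_t *code, size_t len, uint64_t base,
                         unsigned want_rd, uint64_t *target) {
    for (size_t off = 0; off + 8 <= len; off += 4) {
        unsigned adrp_rd, add_rd, add_rn;
        int64_t page_off;
        uint64_t lo;
        if (!decode_adrp(insn_at(code + off), &adrp_rd, &page_off))
            continue;
        if (!decode_add_imm64(insn_at(code + off + 4), &add_rd, &add_rn, &lo))
            continue;
        if (add_rn != adrp_rd || add_rd != want_rd)
            continue;
        /* ADRP is PC-relative with the low 12 bits of the PC cleared. */
        uint64_t pc_page = (base + off) & ~(uint64_t)0xFFF;
        *target = pc_page + (uint64_t)page_off + lo;
        return 1;
    }
    return 0;
}

/* Constructed sample (hand-encoded, little-endian):
 *   nop ; nop ; adrp x8, #0x575000 ; add x12, x8, #0xf80 ; ret */
const uint8_t sample_code[] = {
    0x1F, 0x20, 0x03, 0xD5,   /* nop */
    0x1F, 0x20, 0x03, 0xD5,   /* nop */
    0xA8, 0x2B, 0x00, 0xB0,   /* adrp x8, #0x575000 */
    0x0C, 0x01, 0x3E, 0x91,   /* add  x12, x8, #0xf80 */
    0xC0, 0x03, 0x5F, 0xD6,   /* ret */
};
const uint64_t sample_base = 0x140001000ULL;   /* assumed load address of sample_code */

/* Resolve the x12 target in the sample; returns 0 if no pair is found. */
uint64_t resolve_sample(void) {
    uint64_t t = 0;
    return find_adrp_add_target(sample_code, sizeof sample_code, sample_base, 12, &t) ? t : 0;
}

int main(void) {
    printf("resolved target: 0x%llx\n", (unsigned long long)resolve_sample());
    return 0;
}
```

For the sample the ADRP sits at 0x140001008, whose page is 0x140001000; adding 0x575000 and then 0xf80 gives 0x140576f80. A real scan should also bound the window to the function being searched, as the posted code does with its 0x40-byte limit, so that a matching pair in an unrelated function is not picked up.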


sh3dow 04-29-2022 03:56

Capstone would be the most complete, battle-proven and standalone disassembler framework that doesn't need to be part of other software to function. It's a disassembly/disassembler framework that just works.

Also from its website

Quote:

- Special support for embedding into firmware or OS kernel.

Capstone is designed to be able to easily embed into firmware & OS kernel. The framework can be built to be minimized, and with some special APIs provided by Capstone, the engine can be programmed to use in those special environments. Details are available here.

- reliable [✓]
- lightweight [I don't know, it's a framework and supports multiple architectures, not just ARM64]
- free ARM64 disassembler engine [✓]

Edit:
It looks like you can build only selected architectures to suit your needs, so lightweight [✓] I guess?
https://www.capstone-engine.org/compile.html

DavidXanatos 04-30-2022 01:52

1 Attachment(s)
For my use it still seems overkill; a small custom approach worked out great, see attachment.

