Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-04-2022, 04:24
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 179
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 58
Thanks Rcvd at 350 Times in 116 Posts
DavidXanatos Reputation: 46
Which ARM64 disassembler engine best to use in a driver?

I'm porting a driver over to ARM64, that driver relays crucially on some un-exported kernel symbols,
it currently finds in exported functions the required addresses, in x86/x64 that's quite nice.
Ho weever the ARM64 ISA seams to be quite a terrible mess in comparison, no way to find there anything "by hand", so to say.
Hence I need a ARM64 disassembler engine that I could use to find what I need,
could anyone here recommend me a reliable lightweight and free ARM64 disassembler engine which I could use?

Cheers
David
Reply With Quote
  #2  
Old 04-04-2022, 16:47
evlncrn8 evlncrn8 is offline
VIP
 
Join Date: Sep 2005
Posts: 179
Rept. Given: 36
Rept. Rcvd 54 Times in 24 Posts
Thanks Given: 49
Thanks Rcvd at 117 Times in 69 Posts
evlncrn8 Reputation: 54
capstone ?
Reply With Quote
  #3  
Old 04-04-2022, 17:08
RamMerLabs RamMerLabs is offline
Family
 
Join Date: Feb 2020
Posts: 54
Rept. Given: 0
Rept. Rcvd 52 Times in 27 Posts
Thanks Given: 9
Thanks Rcvd at 268 Times in 48 Posts
RamMerLabs Reputation: 52
ARM64 code is pretty simple to disassemble: four bytes per instruction, and it is enough to apply a bit mask (and a substraction sometimes, if register is encoded) to distinguish the required instructions.
Reply With Quote
  #4  
Old 04-04-2022, 23:52
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 179
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 58
Thanks Rcvd at 350 Times in 116 Posts
DavidXanatos Reputation: 46
Yea seams not to be soo bad after all, i went with an approach like this:

Code:
    for (i = 0; i < 0x40; i += 4, ptr += 4) {

        union {
            ULONG OP;
            struct {
                ULONG
                    Rd : 5,
                    immHi : 19,
                    op1 : 5,
                    immLo : 2,
                    op2 : 1;
            };
        } ADRP;

        ADRP.OP = *(ULONG*)ptr;

        if (ADRP.op1 == 0b10000 && ADRP.op2 == 0b1 && ADRP.Rd == 8) // adrp x8, #0x575000
        {
            union {
                ULONG OP;
                struct {
                    ULONG
                        Rd : 5,
                        Rn : 5,
                        imm12 : 12,
                        shift : 2,
                        op1 : 5,
                        S : 1,
                        op2 : 1,
                        sf : 1;
                };
            } ADD;

            ADD.OP = *(ULONG*)(ptr + 4);

            if (ADD.sf == 0b1 && ADD.op2 == 0b0 && ADD.S == 0b0 && ADD.op1 == 0b10001 && ADD.shift == 0 && ADD.Rn == 8 && ADD.Rd == 12) // add  x12, x8, #0xf80
            {
                LONG delta = (ADRP.immHi << 2 | ADRP.immLo) << 12;
                delta += ADD.imm12;

                // Note: ADRP clears the lower 12 bits of the PC
                nt = ((ULONG_PTR)ptr & ~0xFFF) + delta;

         
                return (void*)nt;
            }
        }
    }
Reply With Quote
  #5  
Old 04-29-2022, 03:56
sh3dow sh3dow is offline
Family
 
Join Date: Oct 2014
Posts: 158
Rept. Given: 113
Rept. Rcvd 79 Times in 24 Posts
Thanks Given: 458
Thanks Rcvd at 202 Times in 75 Posts
sh3dow Reputation: 79
Capstone would be the most complete, battle proved and standalone disassembler framework that doesn't need to be part of other software to function. it's disassembly/disassembler framework that just works.

Also from its website

Quote:
- Special support for embedding into firmware or OS kernel.

Capstone is designed to be able to easily embed into firmware & OS kernel. The framework can be built to be minimized, and with some special APIs provided by Capstone, the engine can be programmed to use in those special environments. Details are available here.

- reliable [✓]
- lightweight [I don't know, it's it's a framework and support multiple architectures not just ARM64]
- free ARM64 disassembler engine [✓]

Edit:
It look like you can build only selected architectures to suite your need, so lightweight [✓] I guess?
https://www.capstone-engine.org/compile.html
Reply With Quote
  #6  
Old 04-30-2022, 01:52
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 179
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 58
Thanks Rcvd at 350 Times in 116 Posts
DavidXanatos Reputation: 46
For my use it still seam overkill, a small custom approach worked out great, see attachment.
Attached Files
File Type: txt arm64_asm.h.txt (2.8 KB, 8 views)
Reply With Quote
The Following 3 Users Say Thank You to DavidXanatos For This Useful Post:
niculaita (04-30-2022), sh3dow (04-30-2022)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 17:18.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )