From: derrek <der...@ya...> - 2015-08-20 10:12:14

Hi Philipp,

as Nguyen Anh Quynh already said, a .text section contains both executable instructions and data (e.g. data pools used by functions). If you are reading the disassembly of your code you will notice PC-relative reads which load constants from such a data pool. Some of this data might be executable in theory, but when looking at your code again you will see an unconditional branch instruction right before the start of that pool, so execution actually never flows into that part of the binary.

Regards,
-derrek

On Wed, Aug 19, 2015 at 8:19 PM, Philipp Roskosch <phi...@si...> wrote:

> Hi again,
>
> I investigated my shared-object file a little bit more with different tools which are using capstone. On www.CEnigma.org my problem can be reproduced:
>
> Settings: Arm, Little Endian
> Code: 04 00 9F E5 00 00 8F E0 E7 FF FF EA C8 23 00 00 00 00 50 E3 08 40 2D E9 08 80 BD 08 30 FF 2F E1 08 80 BD E8 00 10 A0 E1 0C 20 9F E5 0C 00 9F E5 02 20 8F E0 00 00 8F E0 D8 FF FF EA 9C 23 00 00 D4 FF FF FF 08 B5 03 48 78 44 00 F0 4F FF 01 20 08 BD C0 46 70 11 00 00 03 68 00 B5 5A 00 03 D5
>
> After the instruction "D4 FF FF FF" the output just stops. Move this instruction to the beginning and it tells you "Error: Failed to disassemble! Invalid input?".
>
> D4 FF FF FF is not a valid instruction, so you need to look closer into your binary file. The reason is that your assumption that bytes coming from .text must be code is wrong.
> thanks.
>
> I do not know if this is a bug or working as intended. Fact is that this byte sequence is present in my shared object file's .text section. It is a shared object file created with the Android NDK.
>
> The reason is that your assumption that bytes coming from .text must be code is wrong. You can always find data & rubbish in a .text section.
> thanks.
>
> Any comments or suggestions on this?
>
> Thanks!
> Philipp
>
> On 14.08.2015 15:35, Philipp Roskosch wrote:
>> Hello,
>>
>> I am trying to reverse native libraries for Android (ARM). I used capstone (with java) and disassembled ARM executables which worked very good. Doing the same thing with a shared library (created with the Android NDK) isn't working. Capstone only returns the code for the first function and ignores all following commands. Am I missing something?
>>
>> Thanks!

_______________________________________________
Capstone-users mailing list
Cap...@li...
https://lists.sourceforge.net/lists/listinfo/capstone-users
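A pure-Python check of derrek's point, added here and not part of the thread: it decodes the ARM-mode `LDR Rt, [PC, #imm]` encodings in Philipp's byte string and lists the literal-pool words they reference, which shows that the `D4 FF FF FF` word at offset 64 is the operand of the load at offset 44, not an instruction. It assumes the listing starts at address 0 and that only the first 68 bytes are ARM-mode code (the `08 B5` that follows looks like Thumb, so that part is left out).

```python
import struct

# Byte string from Philipp's message (ARM, little endian), constructed here
# from the hex in the thread; only the first 68 bytes (ARM mode) are used.
HEXDUMP = ("04 00 9F E5 00 00 8F E0 E7 FF FF EA C8 23 00 00 00 00 50 E3 08 40 2D E9 "
           "08 80 BD 08 30 FF 2F E1 08 80 BD E8 00 10 A0 E1 0C 20 9F E5 0C 00 9F E5 "
           "02 20 8F E0 00 00 8F E0 D8 FF FF EA 9C 23 00 00 D4 FF FF FF")
CODE = bytes.fromhex(HEXDUMP)


def find_literal_pool(code, base=0):
    """Return {literal_addr: (ldr_addr, value)} for every ARM-mode
    LDR Rt, [PC, #+/-imm12] in `code`. PC reads as the instruction
    address + 8 in ARM mode, so the literal sits at addr + 8 +/- imm12."""
    pool = {}
    for off in range(0, len(code) - 3, 4):
        insn = struct.unpack_from("<I", code, off)[0]
        # A32 LDR (immediate), offset form: bits 27..25 = 010, P=1, B=0,
        # W=0, L=1 and Rn = 0b1111 (PC). Condition bits and U are ignored.
        if (insn & 0x0F7F0000) != 0x051F0000:
            continue
        up = (insn >> 23) & 1
        imm12 = insn & 0xFFF
        target = off + 8 + (imm12 if up else -imm12)
        if 0 <= target <= len(code) - 4:
            value = struct.unpack_from("<I", code, target)[0]
            pool[base + target] = (base + off, value)
    return pool


def classify_words(code, base=0):
    """Label each 4-byte word 'data' if a PC-relative load references it,
    otherwise 'code'. Words labelled 'data' are what a linear disassembler
    must skip instead of stopping on."""
    pool = find_literal_pool(code, base)
    return [(base + off, "data" if base + off in pool else "code")
            for off in range(0, len(code) - 3, 4)]


if __name__ == "__main__":
    for lit, (ldr, val) in sorted(find_literal_pool(CODE).items()):
        print(f"literal at 0x{lit:04x} = 0x{val:08x}, loaded by LDR at 0x{ldr:04x}")
    for addr, kind in classify_words(CODE):
        print(f"0x{addr:04x}: {kind}")
```

The word at offset 64 comes out as data loaded by the instruction at offset 44, and the `B` at offset 56 jumps back over the pool, so a disassembler that treats every word as code is the thing that needs adjusting, not the binary.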