0x042444FF; /* inc dword ptr [esp+4] */

I need this tool to know which part means inc, dword or vice versa.

+1  A: 

You can use the objdump tool to 'decompile' an executable binary back to assembly code, though because of possible optimisations, the resulting assembly code may not be the same as the original assembly (but they should be similar in essence).

Delan Azabani
Is it possible to pack the assembly code back to executable then?
COMer
That's what assembly compilation is. You should use `nasm` to do this.
Delan Azabani
Is it possible to disable all possible optimisations for `objdump`?
COMer
Well, what you get really depends on how the program was compiled. You can turn off optimisation in `gcc` by using `-O0 -g`.
Delan Azabani
A: 

command line tool that takes that hex number and disassembles it for you. I have not heard of a tool. You could take that number, make an ELF file from it with those four bytes as the binary, then call objdump. With something like that, though, you could just look it up.

http://ref.x86asm.net/index.html

or

http://ref.x86asm.net/coder32.html

The 0x44 tells you it is an increment. x86 is variable length so some of the other bytes come into play. I wouldn't be surprised if the 0x04 is the offset to esp.

dwelch
A: 

The following is a bit inconvenient, but it works:

$ xxd -r > objdump-test.bin
0000 ff 44 24 04
$ objdump -D --target=binary --architecture i386:intel objdump-test.bin 

objdump-test.bin:     file format binary

Disassembly of section .data:

0000000000000000 <.data>:
   0:   ff 44 24 04             inc    DWORD PTR [esp+0x4]

xxd is a hexdump utility that can work in reverse; it is part of X11. The 0000 is the address of the hex data in the resulting file.

You could use any other tool to create a binary file instead.

starblue
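
A field-by-field decode of the four bytes from the question, as an added example that is not part of any answer above. The function names `dword_to_bytes` and `decode_ff` are hypothetical, and the decoder assumes 32-bit mode with no prefixes and handles only opcode 0xFF.

```python
import struct

# Opcode 0xFF is "group 5": the ModRM reg field (the /digit) picks the operation.
GROUP5 = ["inc", "dec", "call", "callf", "jmp", "jmpf", "push", None]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def dword_to_bytes(value: int) -> bytes:
    """0x042444FF as written in the question is little-endian: FF 44 24 04."""
    return struct.pack("<I", value)


def decode_ff(code: bytes) -> dict:
    """Decode one FF-group instruction: 32-bit mode, no prefixes (assumed)."""
    if len(code) < 2 or code[0] != 0xFF:
        raise ValueError("only opcode 0xFF is handled")
    mod, reg, rm = code[1] >> 6, (code[1] >> 3) & 7, code[1] & 7
    op = GROUP5[reg]
    if op is None or (mod == 3 and reg in (3, 5)):
        raise ValueError("undefined encoding")
    out = {"mod": mod, "reg": reg, "rm": rm, "op": op}
    if mod == 3:  # mod=11: operand is a register, nothing else follows
        return {**out, "length": 2, "text": f"{op} {REGS32[rm]}"}
    pos, terms, base = 2, [], rm
    if rm == 4:  # rm=100: a SIB byte (scale/index/base) follows ModRM
        if len(code) < 3:
            raise ValueError("truncated: SIB byte missing")
        sib, pos = code[2], 3
        scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        out.update(scale=scale, index=index, base=base)
        if index != 4:  # index=100 means "no index register"
            terms.append(f"{REGS32[index]}*{scale}")
    no_base = mod == 0 and base == 5  # special case: disp32 replaces ebp
    if not no_base:
        terms.insert(0, REGS32[base])
    size = {0: 4 if no_base else 0, 1: 1, 2: 4}[mod]  # displacement bytes
    if len(code) < pos + size:
        raise ValueError("truncated: displacement missing")
    disp = int.from_bytes(code[pos:pos + size], "little", signed=bool(terms))
    addr = ("+".join(terms) + (f"{disp:+#x}" if size else "")).lstrip("+")
    # Without a 0x66 prefix the operand is 32-bit; far call/jmp use m16:32.
    ptr = "FWORD" if reg in (3, 5) else "DWORD"
    return {**out, "length": pos + size, "text": f"{op} {ptr} PTR [{addr}]"}


if __name__ == "__main__":
    raw = dword_to_bytes(0x042444FF)  # value taken from the question
    print(raw.hex(" "), decode_ff(raw))
```

For the question's bytes this yields mod=01 (an 8-bit displacement follows), reg=000 (the /0 that selects inc within the FF group), rm=100 (SIB follows), SIB 0x24 meaning base esp with no index, and displacement 0x04. The dword operand size comes from the 32-bit default with no operand-size prefix, not from any of the four bytes.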