aquynh
commented
6 years ago I have some binary files which i want to disasemble. I've try Capstone. I now encounter some problems:
- I dont know what's parameters hardware architecture and hardware mode of these binary file are (it is required by Capstone). I 've try binwalk https://github.com/ReFirmLabs/binwalk with option --disasm, but it return something like "ARM executable code, 16-bit (Thumb), little endian, at least 778 valid instructions". Is there any way to get hardware architecture and hardware mode parameters from this to use in Capstone?
For binary blob, i dont know any public tool that can figure out the CPU arch + mode. But for legit file, you can look at fileformat and find out.
- Capstone require only machine code. How to extract machine code from binary file? I've try objdump but it return "objdump: [binary_file_name]: File truncated", like this screenshot https://i.stack.imgur.com/lbvmb.png image. Here https://github.com/kcsmta/malware_sample are the link contain some binary sample file.
For legit file, such as ELF, PE, MachO, you need to understand the format to extract the code out. Find docs on these formats, and see how. Besides, it is good to look at sample projects to see how people did this.
kcsmta
but i think the reason is because i trying to run an executable compiled for an ARM architecture on an x86-64 architecture (when i run command file [file_name], i got the information: "ELF 32-bit LSB executable, ARM, version 1, statically linked, not stripped" like this
.
How to get machine code from these file? Plz give me some advices
E3V3A
radare
I have some binary files which i want to disasemble. I've try Capstone. I now encounter some problems: