I know disassemblers for i386 that help me in patching Apple's kexts
IDAPro - commercial
OTX - freeware
HTE - opensource
But all of them i386 only. I have no any x86_64 disasm.
Is there anybody knows other programs?
| Start a new topic Add Reply |
 Reversing And Patching X86_64 Codes |
Dec 11 2009, 12:46 PM
Post #1
- Advanced Member
- Group: Developer
- Posts: 5,585
- [Less]
QuoteПожалуйста, прочитайте ЧаВо!
i3-2120 GA-H61M-S1, Radeon HD6670, ALC887(VoodooHDA 2.8), OS⌘10.8.3 (12D78),OS⌘ 10.7.5 Clover FakeSMC_plugins RealtekR1000v3 Dec 11 2009, 12:57 PM
Post #2
- Quite Unreal
- Group: Root Administrators
- Posts: 245
- [Less]
OTX is just a GUI frontend to otool, a command line program, which under Snow is x86_64
should already be at /usr/bin/otool
should already be at /usr/bin/otool
CODE
Usage: otool [-fahlLDtdorSTMRIHvVcXm] <object file> ...
-f print the fat headers
-a print the archive header
-h print the mach header
-l print the load commands
-L print shared libraries used
-D print shared library id name
-t print the text section (disassemble with -v)
-p <routine name> start dissassemble from routine name
-s <segname> <sectname> print contents of section
-d print the data section
-o print the Objective-C segment
-r print the relocation entries
-S print the table of contents of a library
-T print the table of contents of a dynamic shared library
-M print the module table of a dynamic shared library
-R print the reference table of a dynamic shared library
-I print the indirect symbol table
-H print the two-level hints table
-v print verbosely (symbolicly) when possible
-V print disassembled operands symbolicly
-c print argument strings of a core file
-X print no leading addresses or headers
-m don't use archive(member) syntax
-B force Thumb disassembly (ARM objects only)
-f print the fat headers
-a print the archive header
-h print the mach header
-l print the load commands
-L print shared libraries used
-D print shared library id name
-t print the text section (disassemble with -v)
-p <routine name> start dissassemble from routine name
-s <segname> <sectname> print contents of section
-d print the data section
-o print the Objective-C segment
-r print the relocation entries
-S print the table of contents of a library
-T print the table of contents of a dynamic shared library
-M print the module table of a dynamic shared library
-R print the reference table of a dynamic shared library
-I print the indirect symbol table
-H print the two-level hints table
-v print verbosely (symbolicly) when possible
-V print disassembled operands symbolicly
-c print argument strings of a core file
-X print no leading addresses or headers
-m don't use archive(member) syntax
-B force Thumb disassembly (ARM objects only)
QUOTE (Slice @ Dec 11 2009, 08:46 AM) 
I know disassemblers for i386 that help me in patching Apple's kexts
IDAPro - commercial
OTX - freeware
HTE - opensource
But all of them i386 only. I have no any x86_64 disasm.
Is there anybody knows other programs?
IDAPro - commercial
OTX - freeware
HTE - opensource
But all of them i386 only. I have no any x86_64 disasm.
Is there anybody knows other programs?
Debian Squeeze: HPM8120N - Q6600, 965 northbridge/ICH8-R south, 9500GT (1GB)
Snow Leopard 10.6.6: Alu Macbook: Core 2 Duo 2.0GHz, 2GB Ram, nVidia 9400M.
Android: Samsung Galaxy S Vibrant (GT-i9000m, Froyo) and Samsung Galaxy Tab (Froyo)
Snow Leopard 10.6.6: Alu Macbook: Core 2 Duo 2.0GHz, 2GB Ram, nVidia 9400M.
Android: Samsung Galaxy S Vibrant (GT-i9000m, Froyo) and Samsung Galaxy Tab (Froyo)
Having trouble posting? Have you taken the Quiz yet? --------------------------- If you see spam, report it!
Dec 11 2009, 04:07 PM
Post #3
- Advanced Member
- Group: Staff
- Posts: 109
- [Less]
In IDA Pro, use idal64.
otool handles 64 bit binaries just fine.
otool handles 64 bit binaries just fine.
Dec 16 2009, 09:25 AM
Post #4
- Advanced Member
- Group: Developer
- Posts: 5,585
- [Less]
I probably missed something very important.
I am not satisfied.
Screen_shot_2009_12_16_at_12.14.03.png ( 30.6K )
Number of downloads: 143
Screen_shot_2009_12_16_at_11.43.06.png ( 90.78K )
Number of downloads: 121
Both outputs doesn't contain 64bit codes. Only 32bits while I am sure AppleYukon2 is i386+x86_64
I am not satisfied.
QUOTE (realityiswhere @ Dec 11 2009, 03:57 PM)
OTX is just a GUI frontend to otool, a command line program, which under Snow is x86_64
should already be at /usr/bin/otool
should already be at /usr/bin/otool
Screen_shot_2009_12_16_at_12.14.03.png ( 30.6K )
Number of downloads: 143QUOTE (Kabyl @ Dec 11 2009, 07:07 PM)
In IDA Pro, use idal64.
otool handles 64 bit binaries just fine.
otool handles 64 bit binaries just fine.
Screen_shot_2009_12_16_at_11.43.06.png ( 90.78K )
Number of downloads: 121Both outputs doesn't contain 64bit codes. Only 32bits while I am sure AppleYukon2 is i386+x86_64
CODE
AppleYukon2:
Version: 3.1.14
Last Modified: 12.11.09 17:34
Get Info String: Apple Yukon Ethernet 3.1.14b1, Copyright 2007 Apple Inc., and Marvell
Kind: Intel
Architectures: i386, x86_64
64-Bit (Intel): Yes
Location: /System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleYukon2.kext
Kext Version: 3.1.14b1
Load Address: 0x34c5a000
Valid: Yes
Authentic: Yes
Dependencies: Satisfied
Version: 3.1.14
Last Modified: 12.11.09 17:34
Get Info String: Apple Yukon Ethernet 3.1.14b1, Copyright 2007 Apple Inc., and Marvell
Kind: Intel
Architectures: i386, x86_64
64-Bit (Intel): Yes
Location: /System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleYukon2.kext
Kext Version: 3.1.14b1
Load Address: 0x34c5a000
Valid: Yes
Authentic: Yes
Dependencies: Satisfied
Пожалуйста, прочитайте ЧаВо!
i3-2120 GA-H61M-S1, Radeon HD6670, ALC887(VoodooHDA 2.8), OS⌘10.8.3 (12D78),OS⌘ 10.7.5 Clover FakeSMC_plugins RealtekR1000v3 Dec 16 2009, 01:02 PM
Post #5
- Advanced Member
- Group: Developer
- Posts: 5,585
- [Less]
OK!
I found new version of OTX (just recompile from 0.1.6 sources)
Screen_shot_2009_12_16_at_15.56.03.png ( 28.09K )
Number of downloads: 120
otx.app.zip ( 273.32K )
Number of downloads: 157
I got a result
There is a place to patch MacAddress from 00:11:22:33:44:55 to real one
And also a place to patch device ID if you have something else (4354, 435a, 4560, 4365)
What about other solutions for x86_64?
I found new version of OTX (just recompile from 0.1.6 sources)
Screen_shot_2009_12_16_at_15.56.03.png ( 28.09K )
Number of downloads: 120
otx.app.zip ( 273.32K )
Number of downloads: 157I got a result
CODE
sk98osx_dnet::RomlessInit()
+0 0000000000019dd2 55 pushq %rbp
+1 0000000000019dd3 4889e5 movq %rsp,%rbp
+4 0000000000019dd6 4883ec70 subq $0x70,%rsp
+8 0000000000019dda 48895dd8 movq %rbx,0xd8(%rbp)
+12 0000000000019dde 4c8965e0 movq %r12,0xe0(%rbp)
+16 0000000000019de2 4c896de8 movq %r13,0xe8(%rbp)
+20 0000000000019de6 4c8975f0 movq %r14,0xf0(%rbp)
+24 0000000000019dea 4c897df8 movq %r15,0xf8(%rbp)
+28 0000000000019dee 4989fe movq %rdi,%r14
+31 0000000000019df1 488bbf30320000 movq 0x00003230(%rdi),%rdi
+38 0000000000019df8 488b07 movq (%rdi),%rax
+41 0000000000019dfb 31f6 xorl %esi,%esi
+43 0000000000019dfd ff9080080000 call *0x00000880(%rax)
+49 0000000000019e03 3dab116043 cmpl $0x436011ab,%eax
+54 0000000000019e08 7419 je 0x00019e23
+56 0000000000019e0a 3dab116543 cmpl $0x436511ab,%eax
+61 0000000000019e0f 7412 je 0x00019e23
+63 0000000000019e11 3dab115a43 cmpl $0x435a11ab,%eax
+68 0000000000019e16 740b je 0x00019e23
+70 0000000000019e18 3dab115443 cmpl $0x435411ab,%eax
+75 0000000000019e1d 0f8534010000 jneq 0x00019f57
+81 0000000000019e23 c645c000 movb $0x00,0xc0(%rbp)
+85 0000000000019e27 c645c111 movb $0x11,0xc1(%rbp)
+89 0000000000019e2b c645c222 movb $0x22,0xc2(%rbp)
+93 0000000000019e2f c645c333 movb $0x33,0xc3(%rbp)
+97 0000000000019e33 c645c444 movb $0x44,0xc4(%rbp)
+101 0000000000019e37 c645c555 movb $0x55,0xc5(%rbp)
+105 0000000000019e3b 4531c0 xorl %r8d,%r8d
+108 0000000000019e3e 31c9 xorl %ecx,%ecx
+110 0000000000019e40 31d2 xorl %edx,%edx
+112 0000000000019e42 31f6 xorl %esi,%esi
+114 0000000000019e44 488d3dd4b30000 leaq 0x0000b3d4(%rip),%rdi IODeviceTree:/efi/platform
+0 0000000000019dd2 55 pushq %rbp
+1 0000000000019dd3 4889e5 movq %rsp,%rbp
+4 0000000000019dd6 4883ec70 subq $0x70,%rsp
+8 0000000000019dda 48895dd8 movq %rbx,0xd8(%rbp)
+12 0000000000019dde 4c8965e0 movq %r12,0xe0(%rbp)
+16 0000000000019de2 4c896de8 movq %r13,0xe8(%rbp)
+20 0000000000019de6 4c8975f0 movq %r14,0xf0(%rbp)
+24 0000000000019dea 4c897df8 movq %r15,0xf8(%rbp)
+28 0000000000019dee 4989fe movq %rdi,%r14
+31 0000000000019df1 488bbf30320000 movq 0x00003230(%rdi),%rdi
+38 0000000000019df8 488b07 movq (%rdi),%rax
+41 0000000000019dfb 31f6 xorl %esi,%esi
+43 0000000000019dfd ff9080080000 call *0x00000880(%rax)
+49 0000000000019e03 3dab116043 cmpl $0x436011ab,%eax
+54 0000000000019e08 7419 je 0x00019e23
+56 0000000000019e0a 3dab116543 cmpl $0x436511ab,%eax
+61 0000000000019e0f 7412 je 0x00019e23
+63 0000000000019e11 3dab115a43 cmpl $0x435a11ab,%eax
+68 0000000000019e16 740b je 0x00019e23
+70 0000000000019e18 3dab115443 cmpl $0x435411ab,%eax
+75 0000000000019e1d 0f8534010000 jneq 0x00019f57
+81 0000000000019e23 c645c000 movb $0x00,0xc0(%rbp)
+85 0000000000019e27 c645c111 movb $0x11,0xc1(%rbp)
+89 0000000000019e2b c645c222 movb $0x22,0xc2(%rbp)
+93 0000000000019e2f c645c333 movb $0x33,0xc3(%rbp)
+97 0000000000019e33 c645c444 movb $0x44,0xc4(%rbp)
+101 0000000000019e37 c645c555 movb $0x55,0xc5(%rbp)
+105 0000000000019e3b 4531c0 xorl %r8d,%r8d
+108 0000000000019e3e 31c9 xorl %ecx,%ecx
+110 0000000000019e40 31d2 xorl %edx,%edx
+112 0000000000019e42 31f6 xorl %esi,%esi
+114 0000000000019e44 488d3dd4b30000 leaq 0x0000b3d4(%rip),%rdi IODeviceTree:/efi/platform
There is a place to patch MacAddress from 00:11:22:33:44:55 to real one
And also a place to patch device ID if you have something else (4354, 435a, 4560, 4365)
What about other solutions for x86_64?
Пожалуйста, прочитайте ЧаВо!
i3-2120 GA-H61M-S1, Radeon HD6670, ALC887(VoodooHDA 2.8), OS⌘10.8.3 (12D78),OS⌘ 10.7.5 Clover FakeSMC_plugins RealtekR1000v3 Dec 16 2009, 01:12 PM
Post #6
- Member
- Group: Staff
- Posts: 41
- [Less]
16777223 = x86_64
but i havent used the mac version of ida pro, only the windows gui
but i havent used the mac version of ida pro, only the windows gui
I have decided to leave the OSX86 scene, but if there are any particularities you need to address arising from my contributions, you may contact me on voodoo@superhai.com
If you want to work on any of my sources or projects, or if you are interested in hosting the files I provided you may use the same address to arrange a way to get hold of them. Any requests or questions for unrelated support, or other unrelated requests will be blacklisted, banned or regarded as an abuse and dealt with accordingly.
Of course community friends may also use the address and you know who you are.
If you want to work on any of my sources or projects, or if you are interested in hosting the files I provided you may use the same address to arrange a way to get hold of them. Any requests or questions for unrelated support, or other unrelated requests will be blacklisted, banned or regarded as an abuse and dealt with accordingly.
Of course community friends may also use the address and you know who you are.
Dec 17 2009, 04:44 PM
Post #7
- Member
- Group: Comrade
- Posts: 26
- [Less]
IDAPro has a seperate x86_64 executable that installs i believe if you're on x64 windows, havent tried it in linux, and i hear the OS X is GUI-less command line only. Appears you've found the /trunk of OTX.
Some notes/thoughts:
Using IDAPro with x86_64 i noticed that large chunks of i386 executable code was present in x86_64 sections, which IDAPro interprets as data. Not quite sure how to work around this, but it can be a bit of a pain.
Some notes/thoughts:
Using IDAPro with x86_64 i noticed that large chunks of i386 executable code was present in x86_64 sections, which IDAPro interprets as data. Not quite sure how to work around this, but it can be a bit of a pain.
Dec 18 2009, 12:03 PM
Post #8
- Advanced Member
- Group: Comrade
- Posts: 146
- [Less]
IdaPro Advanced 5.5 + HeyRays 1.1 leaked today. Search in google.
Dec 30 2009, 06:20 PM
Post #9
- Advanced Member
- Group: Staff
- Posts: 714
- [Less]
IDA Pro 5.5:
HEX Workshop:
Crossover FTW!
So sad HeyRays is only 32 bit
HEX Workshop:
Crossover FTW!
So sad HeyRays is only 32 bit
Mar 25 2010, 09:22 PM
Post #10
- Smooth Criminal
- Group: Comrade
- Posts: 42
- [Less]
Intel Xeon CPU E3-1245 V2 @ 3.40GHz, GA-Z77-DS3H, 16 Go of ram 1600 Mhz , Gigabyte GTX 650 2048 Mo OC
Apr 19 2010, 07:51 PM
Post #11
- Initiate
- Group: Comrade
- Posts: 11
- [Less]
if you aren't afraid to use windows, hiew 7.51 and up is a good x86_64 disassembler, it can switch on the fly from 32/64 bit code and you can assemble code on the fly too.
snap.PNG ( 57.28K )
Number of downloads: 125
snap.PNG ( 57.28K )
Number of downloads: 125 May 26 2011, 12:54 PM
Post #12
- Advanced Member
- Group: Developer
- Posts: 5,585
- [Less]
QUOTE (nobb1x @ Apr 19 2010, 11:51 PM)
if you aren't afraid to use windows, hiew 7.51 and up is a good x86_64 disassembler, it can switch on the fly from 32/64 bit code and you can assemble code on the fly too.
snap.PNG ( 57.28K )
Number of downloads: 125
snap.PNG ( 57.28K )
Number of downloads: 125Not free.
Пожалуйста, прочитайте ЧаВо!
i3-2120 GA-H61M-S1, Radeon HD6670, ALC887(VoodooHDA 2.8), OS⌘10.8.3 (12D78),OS⌘ 10.7.5 Clover FakeSMC_plugins RealtekR1000v3| Add Reply Start a new topic |
0 Members:
