I know disassemblers for i386 that help me in patching Apple's kexts
IDAPro - commercial
OTX - freeware
HTE - opensource
But all of them i386 only. I have no any x86_64 disasm.
Is there anybody knows other programs?
Full Version: Reversing And Patching X86_64 Codes
OTX is just a GUI frontend to otool, a command line program, which under Snow is x86_64
should already be at /usr/bin/otool
should already be at /usr/bin/otool
CODE
Usage: otool [-fahlLDtdorSTMRIHvVcXm] <object file> ...
-f print the fat headers
-a print the archive header
-h print the mach header
-l print the load commands
-L print shared libraries used
-D print shared library id name
-t print the text section (disassemble with -v)
-p <routine name> start dissassemble from routine name
-s <segname> <sectname> print contents of section
-d print the data section
-o print the Objective-C segment
-r print the relocation entries
-S print the table of contents of a library
-T print the table of contents of a dynamic shared library
-M print the module table of a dynamic shared library
-R print the reference table of a dynamic shared library
-I print the indirect symbol table
-H print the two-level hints table
-v print verbosely (symbolicly) when possible
-V print disassembled operands symbolicly
-c print argument strings of a core file
-X print no leading addresses or headers
-m don't use archive(member) syntax
-B force Thumb disassembly (ARM objects only)
-f print the fat headers
-a print the archive header
-h print the mach header
-l print the load commands
-L print shared libraries used
-D print shared library id name
-t print the text section (disassemble with -v)
-p <routine name> start dissassemble from routine name
-s <segname> <sectname> print contents of section
-d print the data section
-o print the Objective-C segment
-r print the relocation entries
-S print the table of contents of a library
-T print the table of contents of a dynamic shared library
-M print the module table of a dynamic shared library
-R print the reference table of a dynamic shared library
-I print the indirect symbol table
-H print the two-level hints table
-v print verbosely (symbolicly) when possible
-V print disassembled operands symbolicly
-c print argument strings of a core file
-X print no leading addresses or headers
-m don't use archive(member) syntax
-B force Thumb disassembly (ARM objects only)
QUOTE (Slice @ Dec 11 2009, 08:46 AM) 
I know disassemblers for i386 that help me in patching Apple's kexts
IDAPro - commercial
OTX - freeware
HTE - opensource
But all of them i386 only. I have no any x86_64 disasm.
Is there anybody knows other programs?
IDAPro - commercial
OTX - freeware
HTE - opensource
But all of them i386 only. I have no any x86_64 disasm.
Is there anybody knows other programs?
In IDA Pro, use idal64.
otool handles 64 bit binaries just fine.
otool handles 64 bit binaries just fine.
I probably missed something very important.
I am not satisfied.
Click to view attachment
Click to view attachment
Both outputs doesn't contain 64bit codes. Only 32bits while I am sure AppleYukon2 is i386+x86_64
I am not satisfied.
QUOTE (realityiswhere @ Dec 11 2009, 03:57 PM)
OTX is just a GUI frontend to otool, a command line program, which under Snow is x86_64
should already be at /usr/bin/otool
should already be at /usr/bin/otool
Click to view attachment
QUOTE (Kabyl @ Dec 11 2009, 07:07 PM)
In IDA Pro, use idal64.
otool handles 64 bit binaries just fine.
otool handles 64 bit binaries just fine.
Click to view attachment
Both outputs doesn't contain 64bit codes. Only 32bits while I am sure AppleYukon2 is i386+x86_64
CODE
AppleYukon2:
Version: 3.1.14
Last Modified: 12.11.09 17:34
Get Info String: Apple Yukon Ethernet 3.1.14b1, Copyright 2007 Apple Inc., and Marvell
Kind: Intel
Architectures: i386, x86_64
64-Bit (Intel): Yes
Location: /System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleYukon2.kext
Kext Version: 3.1.14b1
Load Address: 0x34c5a000
Valid: Yes
Authentic: Yes
Dependencies: Satisfied
Version: 3.1.14
Last Modified: 12.11.09 17:34
Get Info String: Apple Yukon Ethernet 3.1.14b1, Copyright 2007 Apple Inc., and Marvell
Kind: Intel
Architectures: i386, x86_64
64-Bit (Intel): Yes
Location: /System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns/AppleYukon2.kext
Kext Version: 3.1.14b1
Load Address: 0x34c5a000
Valid: Yes
Authentic: Yes
Dependencies: Satisfied
OK!
I found new version of OTX (just recompile from 0.1.6 sources)
Click to view attachment
Click to view attachment
I got a result
There is a place to patch MacAddress from 00:11:22:33:44:55 to real one
And also a place to patch device ID if you have something else (4354, 435a, 4560, 4365)
What about other solutions for x86_64?
I found new version of OTX (just recompile from 0.1.6 sources)
Click to view attachment
Click to view attachment
I got a result
CODE
sk98osx_dnet::RomlessInit()
+0 0000000000019dd2 55 pushq %rbp
+1 0000000000019dd3 4889e5 movq %rsp,%rbp
+4 0000000000019dd6 4883ec70 subq $0x70,%rsp
+8 0000000000019dda 48895dd8 movq %rbx,0xd8(%rbp)
+12 0000000000019dde 4c8965e0 movq %r12,0xe0(%rbp)
+16 0000000000019de2 4c896de8 movq %r13,0xe8(%rbp)
+20 0000000000019de6 4c8975f0 movq %r14,0xf0(%rbp)
+24 0000000000019dea 4c897df8 movq %r15,0xf8(%rbp)
+28 0000000000019dee 4989fe movq %rdi,%r14
+31 0000000000019df1 488bbf30320000 movq 0x00003230(%rdi),%rdi
+38 0000000000019df8 488b07 movq (%rdi),%rax
+41 0000000000019dfb 31f6 xorl %esi,%esi
+43 0000000000019dfd ff9080080000 call *0x00000880(%rax)
+49 0000000000019e03 3dab116043 cmpl $0x436011ab,%eax
+54 0000000000019e08 7419 je 0x00019e23
+56 0000000000019e0a 3dab116543 cmpl $0x436511ab,%eax
+61 0000000000019e0f 7412 je 0x00019e23
+63 0000000000019e11 3dab115a43 cmpl $0x435a11ab,%eax
+68 0000000000019e16 740b je 0x00019e23
+70 0000000000019e18 3dab115443 cmpl $0x435411ab,%eax
+75 0000000000019e1d 0f8534010000 jneq 0x00019f57
+81 0000000000019e23 c645c000 movb $0x00,0xc0(%rbp)
+85 0000000000019e27 c645c111 movb $0x11,0xc1(%rbp)
+89 0000000000019e2b c645c222 movb $0x22,0xc2(%rbp)
+93 0000000000019e2f c645c333 movb $0x33,0xc3(%rbp)
+97 0000000000019e33 c645c444 movb $0x44,0xc4(%rbp)
+101 0000000000019e37 c645c555 movb $0x55,0xc5(%rbp)
+105 0000000000019e3b 4531c0 xorl %r8d,%r8d
+108 0000000000019e3e 31c9 xorl %ecx,%ecx
+110 0000000000019e40 31d2 xorl %edx,%edx
+112 0000000000019e42 31f6 xorl %esi,%esi
+114 0000000000019e44 488d3dd4b30000 leaq 0x0000b3d4(%rip),%rdi IODeviceTree:/efi/platform
+0 0000000000019dd2 55 pushq %rbp
+1 0000000000019dd3 4889e5 movq %rsp,%rbp
+4 0000000000019dd6 4883ec70 subq $0x70,%rsp
+8 0000000000019dda 48895dd8 movq %rbx,0xd8(%rbp)
+12 0000000000019dde 4c8965e0 movq %r12,0xe0(%rbp)
+16 0000000000019de2 4c896de8 movq %r13,0xe8(%rbp)
+20 0000000000019de6 4c8975f0 movq %r14,0xf0(%rbp)
+24 0000000000019dea 4c897df8 movq %r15,0xf8(%rbp)
+28 0000000000019dee 4989fe movq %rdi,%r14
+31 0000000000019df1 488bbf30320000 movq 0x00003230(%rdi),%rdi
+38 0000000000019df8 488b07 movq (%rdi),%rax
+41 0000000000019dfb 31f6 xorl %esi,%esi
+43 0000000000019dfd ff9080080000 call *0x00000880(%rax)
+49 0000000000019e03 3dab116043 cmpl $0x436011ab,%eax
+54 0000000000019e08 7419 je 0x00019e23
+56 0000000000019e0a 3dab116543 cmpl $0x436511ab,%eax
+61 0000000000019e0f 7412 je 0x00019e23
+63 0000000000019e11 3dab115a43 cmpl $0x435a11ab,%eax
+68 0000000000019e16 740b je 0x00019e23
+70 0000000000019e18 3dab115443 cmpl $0x435411ab,%eax
+75 0000000000019e1d 0f8534010000 jneq 0x00019f57
+81 0000000000019e23 c645c000 movb $0x00,0xc0(%rbp)
+85 0000000000019e27 c645c111 movb $0x11,0xc1(%rbp)
+89 0000000000019e2b c645c222 movb $0x22,0xc2(%rbp)
+93 0000000000019e2f c645c333 movb $0x33,0xc3(%rbp)
+97 0000000000019e33 c645c444 movb $0x44,0xc4(%rbp)
+101 0000000000019e37 c645c555 movb $0x55,0xc5(%rbp)
+105 0000000000019e3b 4531c0 xorl %r8d,%r8d
+108 0000000000019e3e 31c9 xorl %ecx,%ecx
+110 0000000000019e40 31d2 xorl %edx,%edx
+112 0000000000019e42 31f6 xorl %esi,%esi
+114 0000000000019e44 488d3dd4b30000 leaq 0x0000b3d4(%rip),%rdi IODeviceTree:/efi/platform
There is a place to patch MacAddress from 00:11:22:33:44:55 to real one
And also a place to patch device ID if you have something else (4354, 435a, 4560, 4365)
What about other solutions for x86_64?
16777223 = x86_64
but i havent used the mac version of ida pro, only the windows gui
but i havent used the mac version of ida pro, only the windows gui
IDAPro has a seperate x86_64 executable that installs i believe if you're on x64 windows, havent tried it in linux, and i hear the OS X is GUI-less command line only. Appears you've found the /trunk of OTX.
Some notes/thoughts:
Using IDAPro with x86_64 i noticed that large chunks of i386 executable code was present in x86_64 sections, which IDAPro interprets as data. Not quite sure how to work around this, but it can be a bit of a pain.
Some notes/thoughts:
Using IDAPro with x86_64 i noticed that large chunks of i386 executable code was present in x86_64 sections, which IDAPro interprets as data. Not quite sure how to work around this, but it can be a bit of a pain.
IdaPro Advanced 5.5 + HeyRays 1.1 leaked today. Search in google.
IDA Pro 5.5:
HEX Workshop:
Crossover FTW!
So sad HeyRays is only 32 bit
HEX Workshop:
Crossover FTW!
So sad HeyRays is only 32 bit
class-dump rules !!! , i love it
if you aren't afraid to use windows, hiew 7.51 and up is a good x86_64 disassembler, it can switch on the fly from 32/64 bit code and you can assemble code on the fly too.
Click to view attachment
Click to view attachment
QUOTE (nobb1x @ Apr 19 2010, 11:51 PM)
if you aren't afraid to use windows, hiew 7.51 and up is a good x86_64 disassembler, it can switch on the fly from 32/64 bit code and you can assemble code on the fly too.
Click to view attachment
Click to view attachment
Not free.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.