bastard

The Bastard Disassembly Environment

news

links




what is it?

A disassembler -- or, more appropriately, a disassembly environment. The idea is that you have an interpreter, much as you would in Perl or Python, which allows you to load files, disassemble them, dump the disassembly, write/run macros, and various other operations. The x86 instruction disassembler written for this project has been packaged seperately as libdisasm, and is intended to be used in other open source projects.

This interpreter can be used interactively, it can be fed commands via STDIN [just like a scripting interpreter], and it can be communicated with via a pair of FIFOs. Now, on top of this any number of UI front ends can be stacked -- ncurses console front ends, Gtk X front-ends, Tk front ends, etc. It is the reponsibility of the front-ends to display the information obtained by querying the disassembler, supplying syntax highlighting, displaying strings, xrefs, etc; however the disassembler will retain all of this information, do all of the 'brute' processing, and will provide any of the information when requested.

The disassembler relies on two foreign components:

  • Typhoon RDMS, for keeping track of the disassembled instructions n such;
  • EiC, for an embedded C-Style scripting language These choices were made because 1) linking to the typhoon library will allow other apps to access the bastard DB [.bdb] files natively, 2) EiC makes life a bit easier.


    The default user interface, a console-mode program that acts as an interpreter and is extremely unpopular, requires libreadline -- since most linux distros do not install libreadline header files by default, it is important to point this out. The other front-ends [bda, sob, lgb, qbastard] have their own requirements as well.


    what platforms does it support?

    The bastard currently runs on x86 Linux and FreeBSD [CVS version]. It can disassemble x86 ELF, a.out, and PE files as well as flat binary files [.com, .bin].

    Future releases will support additional file formats and CPU architectures.


    what does it look like?

    The bastard is a console-mode program which currently has no usable front-ends; however its command-line interface is functional enough to allow full interaction with the disassembler, and read-only direct access to the database representing the target.

    The following text files are dumps of standard disassembly sessions for different targets; the text is unretouched, with only the default disassembly actions applied to the targets. A list of the commands used in each session follows the link.

  • /usr/bin/tr Version: .09 Commands: l /usr/bin/tr; DumpStrings( ); DumpLibs( ); DumpImports( ); DumpExports( ); h; d; q
  • tr [sstrip'ed] Version: .09 Commands: l /usr/bin/tr; DumpStrings( ); DumpLibs( ); DumpImports( ); DumpExports( ); h; d; q

  • the-binary Version: .16 Commands: l the-binary; target_save_lst("the-binary.txt"); q

    Last but not least, the screenshots:

  • 3 on E. This demonstrates three concurrent bastard sessions: the upper left shows the start of a typical disassembly session, the upper right shows the experimental 'color' mode, and the bottom shows a standard disassembly using the "| more" command extension. Version: .09
  • bda . The BDA ncurses front-end to the bastard. Version: .17
  • bda disasm. The BDA disassembly options. Version: .17
  • bda asm. The BDA asm screen. Version: .17
  • bda hexdump. The BDA hex screen. Version: .17
  • bda find. The BDA find menu. Version: .17
  • bda menu. The BDA target:functions menu. Version: .17
  • bda plugins. The BDA plugins screen. Version: .17
  • bda terminal. The BDA console. Version: .17
  • sob load. The sob "load target" dialog, and initial startup state. The sob program is a Gtk program wich uses libbastard.so as a backend; it is currently under heavy development. Version: .16
  • sob code. An example of the disassembly of the target as viewed in the sob "asm" tab. Version: .16
  • sob int_code. The "intermediate code" [or "meta-asm"] representation of the target can be viewed. Version: .16
  • sob functions. The functions page lists procedures found in the program, the addresses referenced within each procedure, and addresses that call or reference the procedure. Version: .16
  • sob strings. The Strings page lists the ASCII strings detected in the program, and references to them. Version: .16
  • sob script editor. An integrated editor allows BC scripts to be written and executed. Version: .16
  • sob DB browser. The .bdb can be browsed directly using the integrated DB Browser. Version: .16
  • lgb. A look at the little grey bastard, a quick Tk hack that is ornery and featureless, but gives some of the less hardy users a warm fuzzy feeling. Version: .10


    how does it work?

    The bastard can be used in any of three ways:

  • Interactive If run with no parameters, the bastard enters interactive mode.

    	/home/work: 94%>bastard
    	================================================================================
       	B A S T A R D                    disassembly environment
       	brought to you by the proud folks at the HCU linux forum
    	#l /bin/cat
    	Disassembling named symbols. Instruction stack:
    	Disassembling forward from entry point. Instruction stack:
    	Disassembling remainder of code section. Sections:
    	------------(.init)|--(.text)|-(.fini)|---------
    	Performing post-disassembly passes
    	Fixing 0- and 1-byte long functions
    	~305 functions; this can take 2 minutes or more
    	Detecting subroutines in section .fini
    	Detecting subroutines in section .init
    	Detecting subroutines in section .text
    	Guessing arguments and return values for subroutines
    	Creating Strings and Arrays
    	Generating names for autodetected functions (not really ;)
    	Generating Intermediate Code for all functions
    	#d | grep start
    	__gmon_start__:
    	__gmon_start__:
    	str___gmon_start__:
    	08048431 5F 5F 67 6D 6F 6E 5F 73 +      ;(Addr of 14 bytes)             ; String: "__gmon_start__"
    	str___libc_start_main:
    	08048555 5F 5F 6C 69 62 63 5F 73 +      ;(Addr of 17 bytes)             ; String: "__libc_start_main"
    	0804873C E8 BF 78 FB F7                 call    __gmon_start__  ;(0x0 was -134514497) 
    	__libc_start_main:
    	; -------------------------- Subroutine _start
    	_start:
    	0804894C E8 03 FF FF FF                 call    __libc_start_main  ;(0x8048854 was -253) ;  xrefs: >08048854[x]
    	#q
    	Saving DB to cat.bdb...
    	DB saved
    	
    	You bastard!
    
    
  • Command-line The bastard can be invoked from the command line like other UNIX utilities; the "--" parameter allows it to read the target from STDIN, and the optional "-b" parameter specifies a batch file of bastard commands to run on the target.

    	/home/work: 94%>bastard -- < /bin/cat > /tmp/cat.lst
    
    	/home/work: 94%>cat /bin/ls | bastard -- > /tmp/ls.lst
    
    	/home/work: 94%>bastard -b hexdump.cmd -- < /bin/cat | head
    	00000000 : 7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00      .ELF............
    	00000010 : 02 00 03 00 01 00 00 00 30 89 04 08 34 00 00 00      ........0...4...
    	00000020 : 04 22 00 00 00 00 00 00 34 00 20 00 06 00 28 00      ."......4. ...(.
    	00000030 : 18 00 17 00 06 00 00 00 34 00 00 00 34 80 04 08      ........4...4...
    	00000040 : 34 80 04 08 C0 00 00 00 C0 00 00 00 05 00 00 00      4...............
    	00000050 : 04 00 00 00 03 00 00 00 F4 00 00 00 F4 80 04 08      ................
    	00000060 : F4 80 04 08 13 00 00 00 13 00 00 00 04 00 00 00      ................
    	00000070 : 01 00 00 00 01 00 00 00 00 00 00 00 00 80 04 08      ................
    	00000080 : 00 80 04 08 C7 1F 00 00 C7 1F 00 00 05 00 00 00      ................
    	00000090 : 00 10 00 00 01 00 00 00 C8 1F 00 00 C8 AF 04 08      ................
    
    	/home/work: 94%>bastard -b header.cmd -- < /bin/ls        
    	File Format: ELF CLASS32 DATA2LSB       Type: ET_EXEC   Machine: EM_386
    	Entry: 08049180 Section Table: 00009BD0 Program Header: 00000034
    
    
    	__Section_Table___________________
    	                ---     SHT_NULL        Offset        0 VA 00000000 Size 0
    	 .interp         -a-    SHT_PROGBITS    Offset       F4 VA 080480F4 Size 13
    	 .note.ABI-tag   -a-    SHT_NOTE        Offset      108 VA 08048108 Size 20
    	 .hash           -a-    SHT_HASH        Offset      128 VA 08048128 Size 230
    	 .dynsym         -a-    SHT_DYNSYM      Offset      358 VA 08048358 Size 470
    	 .dynstr         -a-    SHT_STRTAB      Offset      7C8 VA 080487C8 Size 2D1
    	 .gnu.version    -a-    SHT_HIOS        Offset      A9A VA 08048A9A Size 8E
    	 .gnu.version_r  -a-    unknown         Offset      B28 VA 08048B28 Size 30
    	 .rel.got        -a-    SHT_REL         Offset      B58 VA 08048B58 Size 8
    	 .rel.bss        -a-    SHT_REL         Offset      B60 VA 08048B60 Size 30
    	 .rel.plt        -a-    SHT_REL         Offset      B90 VA 08048B90 Size 1E0
    	 .init           -ax    SHT_PROGBITS    Offset      D70 VA 08048D70 Size 31
    	 .plt            -ax    SHT_PROGBITS    Offset      DA4 VA 08048DA4 Size 3D0
    	 .text           -ax    SHT_PROGBITS    Offset     1180 VA 08049180 Size 590C
    	 .fini           -ax    SHT_PROGBITS    Offset     6A8C VA 0804EA8C Size 1C
    	 .rodata         -a-    SHT_PROGBITS    Offset     6AC0 VA 0804EAC0 Size 2DE0
    	 .data           wa-    SHT_PROGBITS    Offset     98A0 VA 080528A0 Size 9C
    	 .eh_frame       wa-    SHT_PROGBITS    Offset     993C VA 0805293C Size 4
    	 .ctors          wa-    SHT_PROGBITS    Offset     9940 VA 08052940 Size 8
    	 .dtors          wa-    SHT_PROGBITS    Offset     9948 VA 08052948 Size 8
    	 .got            wa-    SHT_PROGBITS    Offset     9950 VA 08052950 Size 100
    	 .dynamic        wa-    SHT_DYNAMIC     Offset     9A50 VA 08052A50 Size A0
    	 .bss            wa-    SHT_NOBITS      Offset     9B00 VA 08052B00 Size 288
    	 .shstrtab       ---    SHT_STRTAB      Offset     9B00 VA 00000000 Size CE
    
    	__Program_Header_Table____________
    	 0:     PT_PHDR         x-r Offset       34     VA 08048034 Size C0
    	 1:     PT_INTERP       --r Offset       F4     VA 080480F4 Size 13
    	 2:     PT_LOAD         x-r Offset        0     VA 08048000 Size 98A0
    	 3:     PT_LOAD         -wr Offset     98A0     VA 080528A0 Size 4E8
    	 4:     PT_DYNAMIC      -wr Offset     9A50     VA 08052A50 Size A0
    	 5:     PT_NOTE         --r Offset      108     VA 08048108 Size 20
    
    
    	__Notes_________________________
    	.init routine at 08048D70
    	.fini routine at 0804EA8C
    	Symbol hash table at 08048128
    	Target requires libc.so.6
    	PLT size: 000001E0 reloc: 08048B90 rva: 08052950
    	REL size: 00000038 entry size: 00000008 rva: 08048B58
    
    
  • Interpreter A script which uses "bastard -b" as its interpreter can be run as a standalone program, in a manner similar to awk, perl, and shells.

    	/home/work/: 94%>cat disasm.sh 
    	#!/usr/local/bin/bastard -b
    
    	{{
    	        struct DISASM_TGT *t;
    	        char buf[PATH_MAX];
    
    	        t = env_get_target();
    	        if ( t->info.name[0] ) {
    	            sprintf( buf, "%s/%s", t->info.path, t->info.name );
    	        	target_load(buf);
    	        } else {
    		  	printf("Error: no target specified!\n");
    			return(-1);
    	        }
    	}}
    	target_set_format("ELF", 0);
    	target_set_arch("i386", 0);
    	target_set_asm("intel", 0);
    	target_set_comp("gcc", 0);
    	target_set_os("linux", 0);
    	target_set_lang("C", 0);
    	disasm_target("full", NULL );
    	d
    	q
    
    	/home/work/bastard: 94%>./disasm.sh /bin/cat | head
    	Section: .shstrtab      Start Address: 00000000 End Address: 000000CE
    	-------------------------------------------------------------------------
    	__gmon_start__:
    	00000000 00 2E                           
    	str__symtab:
    	00000001 2E 73 79 6D 74 61 62                           ; String: ".symtab"
    	00000008 00                              
    	str__strtab:
    	00000009 2E 73 74 72 74 61 62            ;  xrefs: >00000080[x]         ; String: ".strtab"
    	
    


    what is the status?

    Back-burnered. In order to meet revised features requirements, a great deal of rewrite is needed. This is current under progress, beginning with libdisasm and continuing with the 'binary generic object' backend. Eventually this will show up in CVS under bastard2.

    Status on the CVS version can be found in the news page.

    Basic disassembly is working. Libopcodes has been abandoned in favor of the in-house "libi386", an x86 disassembly library written in C using no OS-specific code [hint, hint]; libi386 supports MMX and FPU instructions, and can generate binary signatures for code instructions by replacing variant bytes [with 0xF4, natch].

    The current architecture supports the addition of file format parsers [BC scripts located in $BASTARD_HOME/formats], CPU libraries [.so's in $BASTARD_HOME/arch], assembly language generators [.so's in $BASTARD_HOME/asm], compiler-specific libraries [.so's in $BASTARD_HOME/comp], high-level-language output generators [.so's in $BASTARD_HOME/lang], OS-specific libraries [.so's in $BASTARD_HOME/os], plugin disassemblers [BC scripts or .so's in $BASTARD_HOME/plugins], plugin output file formats [BC scripts of .so's in $BASTARD_HOME/plugins], generic binary plugins [.so files in $BASTARD_HOME/plugins], generic BC scripts [.bc files in $BASTARD_HOME/scripts], and bastard batch files [.cmd files in $BASTARD_HOME/scripts/macros].

    With the current release, subroutines, strings, and system calls are all recognized. Cross-references are generated for read, write, and execute accesses to program addresses. The target is translated to an intermediate code format [a RISC-like platform-independent assembly language]


    where are the files?

    The bastard is distributed in source and binary tarball form; the source package is recommended. Note that these packages contain everything -- including EiC and Typhoon -- so there is no need to download Typhoon and friends separately. The current version is 0.16 .

  • bastard v0.16 source
  • bastard v.0.16 bin

    The x86 disassembler library used by the bastard can be downloaded on its own by the curious:

  • libdisasm v.0.16

    Finally, source tarballs of the Typhoon RDBM are provided for the extra-extra-curious:

  • typhoon v1.11.0 source

    The files are archived in releases on the sourceforge project page; previous releases may be found there.

    The development or 'bleeding edge' code is in CVS; you need to be a registered sourceforge user to access the CVS repository directly. The CVS source tree can be checked out with the following commands:

        CVS_RSH=ssh
        export CVS_RSH
        mkdir bastard
        cd bastard
        cvs -dusername@cvs.bastard.sourceforge.net:/cvsroot/bastard co .
    
    Alternatively, anyone can download the nightly tarball of the CVS tree at http://cvs.sourceforge.net/cvstarballs/bastard-cvsroot.tar.bz2 .

    Documentation is included with all tarballs, and is also available online in Release [or "older"] and Development [or "more complete"] versions.


    what about support?

    A true bastard never needs software support. For the neophyte bastard, a few options are available:

  • Submit a bug
  • Complain on the forum
  • Mail the coder


    why is it called the Bastard?

    Ever read the old Bastard!! manga? No relation. The name of the program more or less describes the type of person that would use it. Besides, 'MilkMan Dan' implied some serious copyright infringement...

    The official beer of the bastard project has provided a fitting slogan in their 2002 bottling :

    Ye shall know the Bastard, and the Bastard shall set you free.


    who's behind it?

  • mammon_, mere coder
  • ReZiDeNt, Militant Dairy Activist
  • The Grugq, Chief Makefile Architect
  • MO_K, MIA Libi386 Enthusiast
  • a_p, Invisible Tester
  • fbj, Visible Tester