what is it?
A disassembler -- or, more appropriately, a disassembly environment. The idea is that you have an interpreter, much as you would in Perl or Python, which allows you to load files, disassemble them, dump the disassembly, write/run macros, and perform various other operations. The x86 instruction disassembler written for this project has been packaged separately as libdisasm, and is intended to be used in other open source projects.
This interpreter can be used interactively, it can be fed commands via STDIN [just like a scripting interpreter], and it can be communicated with via a pair of FIFOs. On top of this, any number of UI front-ends can be stacked -- ncurses console front-ends, Gtk X front-ends, Tk front-ends, etc. It is the responsibility of the front-ends to display the information obtained by querying the disassembler: supplying syntax highlighting, displaying strings, xrefs, etc. The disassembler itself retains all of this information, does all of the 'brute' processing, and provides any of the information when requested.
The disassembler relies on two foreign components:
The default user interface, a console-mode program that acts as an interpreter and is extremely unpopular, requires libreadline -- since most linux distros do not install libreadline header files by default, it is important to point this out. The other front-ends [bda, sob, lgb, qbastard] have their own requirements as well.
what platforms does it support?
The bastard currently runs on x86 Linux and FreeBSD [CVS version]. It can disassemble x86 ELF, a.out, and PE files as well as flat binary files [.com, .bin].
Future releases will support additional file formats and CPU architectures.
what does it look like?
The bastard is a console-mode program which currently has no usable front-ends; however its command-line interface is functional enough to allow full interaction with the disassembler, and read-only direct access to the database representing the target.
The following text files are dumps of standard disassembly sessions for different targets; the text is unretouched, with only the default disassembly actions applied to the targets. A list of the commands used in each session follows the link.
Last but not least, the screenshots:
how does it work?
The bastard can be used in any of three ways:
/home/work: 94%>bastard
================================================================================
               B A S T A R D disassembly environment
       brought to you by the proud folks at the HCU linux forum
#l /bin/cat
Disassembling named symbols.
Instruction stack:
Disassembling forward from entry point.
Instruction stack:
Disassembling remainder of code section.
Sections: ------------(.init)|--(.text)|-(.fini)|---------
Performing post-disassembly passes
Fixing 0- and 1-byte long functions
~305 functions; this can take 2 minutes or more
Detecting subroutines in section .fini
Detecting subroutines in section .init
Detecting subroutines in section .text
Guessing arguments and return values for subroutines
Creating Strings and Arrays
Generating names for autodetected functions (not really ;)
Generating Intermediate Code for all functions
#d | grep start
__gmon_start__:
__gmon_start__:
str___gmon_start__:
08048431 5F 5F 67 6D 6F 6E 5F 73 +        ;(Addr of 14 bytes) ; String: "__gmon_start__"
str___libc_start_main:
08048555 5F 5F 6C 69 62 63 5F 73 +        ;(Addr of 17 bytes) ; String: "__libc_start_main"
0804873C E8 BF 78 FB F7         call __gmon_start__      ;(0x0 was -134514497)
__libc_start_main:
; -------------------------- Subroutine _start
_start:
0804894C E8 03 FF FF FF         call __libc_start_main   ;(0x8048854 was -253)
; xrefs: >08048854[x]
#q
Saving DB to cat.bdb...
DB saved
You bastard!
/home/work: 94%>bastard -- < /bin/cat > /tmp/cat.lst
/home/work: 94%>cat /bin/ls | bastard -- > /tmp/ls.lst
/home/work: 94%>bastard -b hexdump.cmd -- < /bin/cat | head
00000000 : 7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00 .ELF............
00000010 : 02 00 03 00 01 00 00 00 30 89 04 08 34 00 00 00 ........0...4...
00000020 : 04 22 00 00 00 00 00 00 34 00 20 00 06 00 28 00 ."......4. ...(.
00000030 : 18 00 17 00 06 00 00 00 34 00 00 00 34 80 04 08 ........4...4...
00000040 : 34 80 04 08 C0 00 00 00 C0 00 00 00 05 00 00 00 4...............
00000050 : 04 00 00 00 03 00 00 00 F4 00 00 00 F4 80 04 08 ................
00000060 : F4 80 04 08 13 00 00 00 13 00 00 00 04 00 00 00 ................
00000070 : 01 00 00 00 01 00 00 00 00 00 00 00 00 80 04 08 ................
00000080 : 00 80 04 08 C7 1F 00 00 C7 1F 00 00 05 00 00 00 ................
00000090 : 00 10 00 00 01 00 00 00 C8 1F 00 00 C8 AF 04 08 ................
/home/work: 94%>bastard -b header.cmd -- < /bin/ls
File Format: ELF CLASS32 DATA2LSB
Type: ET_EXEC
Machine: EM_386
Entry: 08049180
Section Table: 00009BD0
Program Header: 00000034
__Section_Table___________________
                --- SHT_NULL      Offset 0     VA 00000000  Size 0
.interp         -a- SHT_PROGBITS  Offset F4    VA 080480F4  Size 13
.note.ABI-tag   -a- SHT_NOTE      Offset 108   VA 08048108  Size 20
.hash           -a- SHT_HASH      Offset 128   VA 08048128  Size 230
.dynsym         -a- SHT_DYNSYM    Offset 358   VA 08048358  Size 470
.dynstr         -a- SHT_STRTAB    Offset 7C8   VA 080487C8  Size 2D1
.gnu.version    -a- SHT_HIOS      Offset A9A   VA 08048A9A  Size 8E
.gnu.version_r  -a- unknown       Offset B28   VA 08048B28  Size 30
.rel.got        -a- SHT_REL       Offset B58   VA 08048B58  Size 8
.rel.bss        -a- SHT_REL       Offset B60   VA 08048B60  Size 30
.rel.plt        -a- SHT_REL       Offset B90   VA 08048B90  Size 1E0
.init           -ax SHT_PROGBITS  Offset D70   VA 08048D70  Size 31
.plt            -ax SHT_PROGBITS  Offset DA4   VA 08048DA4  Size 3D0
.text           -ax SHT_PROGBITS  Offset 1180  VA 08049180  Size 590C
.fini           -ax SHT_PROGBITS  Offset 6A8C  VA 0804EA8C  Size 1C
.rodata         -a- SHT_PROGBITS  Offset 6AC0  VA 0804EAC0  Size 2DE0
.data           wa- SHT_PROGBITS  Offset 98A0  VA 080528A0  Size 9C
.eh_frame       wa- SHT_PROGBITS  Offset 993C  VA 0805293C  Size 4
.ctors          wa- SHT_PROGBITS  Offset 9940  VA 08052940  Size 8
.dtors          wa- SHT_PROGBITS  Offset 9948  VA 08052948  Size 8
.got            wa- SHT_PROGBITS  Offset 9950  VA 08052950  Size 100
.dynamic        wa- SHT_DYNAMIC   Offset 9A50  VA 08052A50  Size A0
.bss            wa- SHT_NOBITS    Offset 9B00  VA 08052B00  Size 288
.shstrtab       --- SHT_STRTAB    Offset 9B00  VA 00000000  Size CE
__Program_Header_Table____________
0: PT_PHDR     x-r Offset 34    VA 08048034  Size C0
1: PT_INTERP   --r Offset F4    VA 080480F4  Size 13
2: PT_LOAD     x-r Offset 0     VA 08048000  Size 98A0
3: PT_LOAD     -wr Offset 98A0  VA 080528A0  Size 4E8
4: PT_DYNAMIC  -wr Offset 9A50  VA 08052A50  Size A0
5: PT_NOTE     --r Offset 108   VA 08048108  Size 20
__Notes_________________________
.init routine at 08048D70
.fini routine at 0804EA8C
Symbol hash table at 08048128
Target requires libc.so.6
PLT size: 000001E0 reloc: 08048B90 rva: 08052950
REL size: 00000038 entry size: 00000008 rva: 08048B58
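As an added example (not part of the bastard project or of the page's own header.cmd batch file), the following Python rebuilds the raw bytes from the hexdump.cmd output above and decodes the ELF32 header and program headers into the same layout that header.cmd prints. It only parses headers that lie fully inside the bytes it was given (the dump is cut off at 0xA0, so the fourth entry is dropped rather than read past the end) and cross-checks the PT_PHDR entry against the ELF header, which is the kind of sanity check a disassembler should make before trusting a target's headers:

```python
import struct
# Constructed input: the first 0xA0 bytes of the page's "bastard -b hexdump.cmd -- < /bin/cat" dump.
HEXDUMP = """\
00000000 : 7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00 .ELF............
00000010 : 02 00 03 00 01 00 00 00 30 89 04 08 34 00 00 00 ........0...4...
00000020 : 04 22 00 00 00 00 00 00 34 00 20 00 06 00 28 00 ."......4. ...(.
00000030 : 18 00 17 00 06 00 00 00 34 00 00 00 34 80 04 08 ........4...4...
00000040 : 34 80 04 08 C0 00 00 00 C0 00 00 00 05 00 00 00 4...............
00000050 : 04 00 00 00 03 00 00 00 F4 00 00 00 F4 80 04 08 ................
00000060 : F4 80 04 08 13 00 00 00 13 00 00 00 04 00 00 00 ................
00000070 : 01 00 00 00 01 00 00 00 00 00 00 00 00 80 04 08 ................
00000080 : 00 80 04 08 C7 1F 00 00 C7 1F 00 00 05 00 00 00 ................
00000090 : 00 10 00 00 01 00 00 00 C8 1F 00 00 C8 AF 04 08 ................
"""
PT_NAMES = {0: "PT_NULL", 1: "PT_LOAD", 2: "PT_DYNAMIC", 3: "PT_INTERP", 4: "PT_NOTE", 6: "PT_PHDR"}

def hexdump_to_bytes(dump):
    """Rebuild raw bytes from 'offset : b0 .. b15 ascii' rows; fields 2..17 are the bytes."""
    out = bytearray()
    for row in dump.splitlines():
        out += bytes(int(h, 16) for h in row.split()[2:18])
    return bytes(out)

def flag_str(p_flags):
    """Render p_flags the way header.cmd does: x, w, r positions, '-' when unset."""
    return "".join(c if p_flags & bit else "-" for c, bit in (("x", 1), ("w", 2), ("r", 4)))

def parse_elf32(data):
    """Parse the Elf32_Ehdr and every Elf32_Phdr that lies fully inside data."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF image")
    f = struct.unpack_from("<HHIIIIIHHHHHH", data, 16)   # the fields after e_ident[16]
    hdr = {"entry": f[3], "phoff": f[4], "shoff": f[5], "phentsize": f[8], "phnum": f[9], "shnum": f[11]}
    phdrs = []
    for i in range(hdr["phnum"]):
        off = hdr["phoff"] + i * hdr["phentsize"]
        if off + 32 > len(data):   # table claims more entries than the image holds: stop here
            break
        p = struct.unpack_from("<8I", data, off)   # type, offset, vaddr, paddr, filesz, memsz, flags, align
        phdrs.append({"type": PT_NAMES.get(p[0], "unknown"), "offset": p[1], "vaddr": p[2], "size": p[4], "flags": p[6]})
    return hdr, phdrs

def phdr_table_consistent(hdr, phdrs):
    """PT_PHDR, if present, must describe the very table the ELF header points to."""
    return all(p["offset"] == hdr["phoff"] and p["size"] == hdr["phnum"] * hdr["phentsize"]
               for p in phdrs if p["type"] == "PT_PHDR")

if __name__ == "__main__":
    hdr, phdrs = parse_elf32(hexdump_to_bytes(HEXDUMP))
    print("Entry: %08X  Program Header: %08X  Section Table: %08X" % (hdr["entry"], hdr["phoff"], hdr["shoff"]))
    for i, p in enumerate(phdrs):   # same layout as header.cmd's __Program_Header_Table__
        print("%d: %-10s %s Offset %X VA %08X Size %X" % (i, p["type"], flag_str(p["flags"]), p["offset"], p["vaddr"], p["size"]))
    print("PT_PHDR agrees with ELF header:", phdr_table_consistent(hdr, phdrs))
```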
/home/work/: 94%>cat disasm.sh
#!/usr/local/bin/bastard -b
{{
    struct DISASM_TGT *t;
    char buf[PATH_MAX];

    t = env_get_target();
    if ( t->info.name[0] ) {
        sprintf( buf, "%s/%s", t->info.path, t->info.name );
        target_load(buf);
    } else {
        printf("Error: no target specified!\n");
        return(-1);
    }
}}
target_set_format("ELF", 0);
target_set_arch("i386", 0);
target_set_asm("intel", 0);
target_set_comp("gcc", 0);
target_set_os("linux", 0);
target_set_lang("C", 0);
disasm_target("full", NULL );
d
q
/home/work/bastard: 94%>./disasm.sh /bin/cat | head
Section: .shstrtab    Start Address: 00000000    End Address: 000000CE
-------------------------------------------------------------------------
__gmon_start__:
00000000 00 2E
str__symtab:
00000001 2E 73 79 6D 74 61 62              ; String: ".symtab"
00000008 00
str__strtab:
00000009 2E 73 74 72 74 61 62              ; xrefs: >00000080[x] ; String: ".strtab"
what is the status?
Back-burnered. In order to meet the revised feature requirements, a great deal of rewriting is needed. This is currently in progress, beginning with libdisasm and continuing with the 'binary generic object' backend. Eventually this will show up in CVS under bastard2.
Status on the CVS version can be found in the news page.
Basic disassembly is working. Libopcodes has been abandoned in favor of the in-house "libi386", an x86 disassembly library written in C using no OS-specific code [hint, hint]; libi386 supports MMX and FPU instructions, and can generate binary signatures for code instructions by replacing variant bytes [with 0xF4, natch].
The current architecture supports the addition of file format parsers [BC scripts located in $BASTARD_HOME/formats], CPU libraries [.so's in $BASTARD_HOME/arch], assembly language generators [.so's in $BASTARD_HOME/asm], compiler-specific libraries [.so's in $BASTARD_HOME/comp], high-level-language output generators [.so's in $BASTARD_HOME/lang], OS-specific libraries [.so's in $BASTARD_HOME/os], plugin disassemblers [BC scripts or .so's in $BASTARD_HOME/plugins], plugin output file formats [BC scripts or .so's in $BASTARD_HOME/plugins], generic binary plugins [.so files in $BASTARD_HOME/plugins], generic BC scripts [.bc files in $BASTARD_HOME/scripts], and bastard batch files [.cmd files in $BASTARD_HOME/scripts/macros].
With the current release, subroutines, strings, and system calls are all recognized. Cross-references are generated for read, write, and execute accesses to program addresses. The target is translated to an intermediate code format [a RISC-like, platform-independent assembly language].
where are the files?
The bastard is distributed in source and binary tarball form; the source package is recommended. Note that these packages contain everything -- including EiC and Typhoon -- so there is no need to download Typhoon and friends separately. The current version is 0.16.
The x86 disassembler library used by the bastard can be downloaded on its own by the curious:
Finally, source tarballs of the Typhoon RDBM are provided for the extra-extra-curious:
The files are archived in releases on the sourceforge project page; previous releases may be found there.
The development or 'bleeding edge' code is in CVS; you need to be a registered sourceforge user to access the CVS repository directly. The CVS source tree can be checked out with the following commands:
CVS_RSH=ssh
export CVS_RSH
mkdir bastard
cd bastard
cvs -dusername@cvs.bastard.sourceforge.net:/cvsroot/bastard co .

Alternatively, anyone can download the nightly tarball of the CVS tree at http://cvs.sourceforge.net/cvstarballs/bastard-cvsroot.tar.bz2.
Documentation is included with all tarballs, and is also available online in Release [or "older"] and Development [or "more complete"] versions.
what about support?
A true bastard never needs software support. For the neophyte bastard, a few options are available:
why is it called the Bastard?
Ever read the old Bastard!! manga? No relation. The name of the program more or less describes the type of person that would use it. Besides, 'MilkMan Dan' implied some serious copyright infringement...
The official beer of the bastard project has provided a fitting slogan in their 2002 bottling:
who's behind it?