disarm - Quick & (very) dirty command line instruction lookup for ARM64
What is this?
A simple command line utility that takes as an argument a 32-bit hexadecimal number, and parses it as an ARM-64 instruction, providing the disassembly. I found myself using otool -j -tV | grep ... on random binaries too many times while looking for opcodes (especially in ARM64 injected code, like CydiaSubstrate's, see below), so I refactored my disassembler with a simple main() - and the result is presented herein. I'm making this available for OS X, iOS, Linux, and Android.
Edit: The download link is right here - Tar containing OS X/iOS (ARM64) Linux (ELF32/64) and Android
Though this is a part of jtool's functionality (my OSX/iOS tool, which only works on Mach-O), disarm as a standalone tool can come in handy for anyone reversing ARM64 - on Android as well, and theoretically any ARM64-based OS. At some point I hope to integrate this into DexTRA so the latter can also disassemble ART's poorly generated native code.
For example, consider manually crafted code, e.g CydiaSubstrate:
As you can see, jtool can figure out the values, but can't actually "understand" that's injected code, so it won't disassemble those further. With disarm, you could decipher the instructions like so:
v0.2: File disassembly
Added an option to dump arbitrary files and attempt to disassemble. This is super useful for dumped bootloaders (e.g. iBoot, or Samsung S6, as shown here):
Also added an Android Binary. ARMv7 binary, only because it was quicker to compile - will also work on ARM64 devices, of course.
Note, that there's a greater chance of unrecognized instructions in bootloaders (ISB, DSB, etc). If you find any (DCDs...) just let me know, and I'll add them in
v0.3: Register following
Also added most ARM64 ELx registers. Whew
disarming a file will automatically figure out printable string arguments on calls (i.e. BL instructions), and print them out. This is really useful for finding panic, printf and the like in pretty much any binary of any OS - boot loader, kernel, or arbitrary user mode - provided it is ARM64 (for now). All you need to do is grep quotes ("). A few examples:
Disarm can now look for gadgets - just specify -g with a string of comma separated mnemonics, and disarm will find them for you. This is super useful with jtool2. For example, the following gets you _realhost on iOS kernels:
As usual, I don't filter, but let grep(1) do it for me. For example, to find ADD X0, X0, ... gadgets:
New -f switch will find a string in a file, display all instances with offsets
MOVZ followed by MOVK.. will now show up as one MOVZ[K[K[K]]] pseudo-instruction. I had that in jtool v1 forever, and now it's also in jtool2
Magic constants which happen to be ASCII readable are now displayed when MOV[Z[K*] are followed
Plenty. I don't support all the ARM64 instruction set. I admit - I'm weak. I couldn't read through the entire 5,000 pages of the ARMv8 Reference document. To see what I do support, run the tool with "opcodes".
This is not meant to be a complete tool, and you may end up just getting your input echoed back at you as a DCD 0x..... If you think those instructions are useful, and want to help me improve this tool, just drop me a note - preferably through The book forum.
Any plans to support ARM32/Thumb? - I initially sank myself into the quagmire of disassembly with ARMv7, and jtool does perform (very) rudimentary disassembly on ARM32/thumb. To be honest, however, I gave up on that assembly. Simply too many cases to cover, and I don't know what the ARM-folk were injesting/injecting/imbibing/smoking when they figured out those bitmasks.. Seriously, ARM32/Thumb is genius/sick. If you really want support, let me know and I'll provide what I have.
What are the offsets I see? - Raw file offsets. You can use -base to emulate a virtual memory address. Otherwise these are just in the file itself. Because ARM64 code is relocatable, that's all the CPU - and the reverser - usually need to know.
Why not use Capstone/IDA Python/libopcodes/<fill in your favorite open source disassembly engine here> - Because. I write my own tools, with my own code, period. In the case of disassembly, the only way to really gain proficiency is to grind bits, till you get to know every instruction. Please don't email me suggestions about using IDA/Capstone/Radare/etc. If you find bugs, help me improve the tool and report them!
Any plans to open source disarm and/or jtool? - Does the world need yet another GitHub repository and a disassembler? Besides, my tools remain free.
Are you still on track for MOXiI 2? - Volume III is out.
04/23/2019 - v0.9
02/13/2019 - v0.8 Back with a vengeance.. and gadget locating
06/12/2016 - v0.4 stable
04/04/2016 - added Android binary (disarm.armv7.ELF), and file disarming