
I have a simple program in assembly

.text
.globl _start
_start:
        movl $1, %eax      # eax = 1: sys_exit on 32-bit Linux
        movl $1, %ebx      # ebx = 1: exit status
        int $0x80          # enter the kernel

I have assembled it and dumped its contents as below:

root@bt:~# objdump -d out     
out:     file format elf32-i386
Disassembly of section .text:

08048054 <_start>:
 8048054:       b8 01 00 00 00          mov    $0x1,%eax
 8048059:       bb 01 00 00 00          mov    $0x1,%ebx
 804805e:       cd 80                   int    $0x80

Now my question is, can I get back the mnemonics given only the below machine code \xb8\x01\x00\x00\x00\xbb\x01\x00\x00\x00\xcd\x80

vikkyhacks
  • x86 is variable instruction length, so in general you cannot take any old blob of bytes and decode them. The mnemonics are just that: the machine code is the instruction, the mnemonics are just someone's interpretation. A disassembler would normally do this, but you can do this yourself using the documentation from the processor vendor. – old_timer Jul 16 '13 at 17:05
  • now that is something very very annoying, translating line by line from the doc. I ended up finding `ndisasm`, which is a disassembler they say for NASM, but I am using the GAS assembler. Any way to get back to the GAS kind of mnemonic? – vikkyhacks Jul 16 '13 at 17:12
  • @dwelch, of course it's possible - you just have to make the assumption that the bytes *are* instructions. – Carl Norum Jul 16 '13 at 17:12
  • possible duplicate of [How do I disassemble raw x86 code?](http://stackoverflow.com/questions/1737095/how-do-i-disassemble-raw-x86-code) – Carl Norum Jul 16 '13 at 17:15
  • Try `ndisasm` - it produces nasm mnemonics. – Kerrek SB Jul 16 '13 at 23:17
  • @Kerrek SB: I tried that, but I am getting nasm mnemonics, I need gas kinda mnemonics !!! – vikkyhacks Jul 17 '13 at 13:20

2 Answers


This is fairly well documented in How do I disassemble raw x86 code?

To do your specific example, this worked for me (on a Linux machine, with the GNU toolchain):

# bash's builtin printf understands \xNN escapes; write the bytes out, then decode the file as raw i386 code
printf '\xb8\x01\x00\x00\x00\xbb\x01\x00\x00\x00\xcd\x80' > /tmp/binary
objdump -D -b binary -mi386 /tmp/binary

With this as the short documentation for the options:

           [-D|--disassemble-all]
           [-b bfdname|--target=bfdname]
           [-m machine|--architecture=machine]

`-m i386` specifies the target architecture. I had to remove the addr16 and data16 from the original example command, as otherwise this won't work.

Eivind Eklund

You just need to tell objdump you want to operate on a plain binary file:

$ hexdump -vC binaryFile
00000000  b8 01 00 00 00 bb 01 00  00 00 cd 80              |............|
0000000c
$ objdump -D -b binary -m i386 binaryFile 

binaryFile:     file format binary


Disassembly of section .data:

00000000 <.data>:
   0:   b8 01 00 00 00          mov    $0x1,%eax
   5:   bb 01 00 00 00          mov    $0x1,%ebx
   a:   cd 80                   int    $0x80
Carl Norum
  • user2258778's answer below is a little cleaner. The objdump tool supports a "binary" format for disassembling raw data. No need to use objcopy to generate an ELF file. – Andy Ross Jul 16 '13 at 17:15
  • Yeah - I updated my answer after reading the objdump man page some more. – Carl Norum Jul 16 '13 at 17:17
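
Added example, not code from either answer above: a small POSIX sh wrapper around the same `objdump -D -b binary -m i386` invocation both answers use. It assumes GNU binutils `objdump` is on PATH; the helper names `hex_to_file`, `byte_count` and `disasm_raw` are my own, and the 12-byte input is the byte string from the question. It writes the bytes with octal escapes, because `\x` in `printf` is a bash extension that dash and other POSIX shells do not implement, and it shows three things the bare command does not: `-M intel` for Intel mnemonics next to the default GAS (AT&T) ones, `--adjust-vma` to make the addresses match the original ELF dump (this matters once shellcode contains absolute addresses), and `--start-address=1` to illustrate old_timer's point that the "binary" target has no section table, so objdump decodes whatever offset you hand it as code.

```shell
#!/bin/sh
# Added example, not from the answers above. Assumes GNU binutils objdump.
# The "binary" target has no headers, so objdump trusts that the bytes are
# code starting at the offset you give it.

# Constructed input: the 12 bytes from the question (exit(1) on 32-bit Linux).
SAMPLE='\xb8\x01\x00\x00\x00\xbb\x01\x00\x00\x00\xcd\x80'

# hex_to_file STRING FILE
# STRING may use \xNN escapes or bare hex pairs. Bytes are emitted with octal
# escapes because '\x' in printf is a bash extension that dash lacks.
hex_to_file() {
    hex=$(printf '%s' "$1" | tr -d '\\x ')
    if [ $(( ${#hex} % 2 )) -ne 0 ]; then
        echo "hex_to_file: odd number of hex digits" >&2
        return 1
    fi
    : > "$2"
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}          # first two hex digits
        hex=${hex#??}
        printf "\\$(printf '%03o' "0x$byte")" >> "$2"
    done
}

# byte_count FILE: size in bytes, used to sanity-check the conversion.
byte_count() {
    wc -c < "$1" | tr -d ' '
}

# disasm_raw FILE [att|intel] [LOAD_ADDR]
# Prints only the instruction lines. LOAD_ADDR matters when the bytes contain
# absolute addresses or when you want offsets to match a dump of the real ELF.
disasm_raw() {
    file=$1
    syntax=${2:-att}
    set -- -D -b binary -m i386 --adjust-vma="${3:-0}"
    if [ "$syntax" = intel ]; then
        set -- "$@" -M intel
    fi
    objdump "$@" "$file" | sed -n '/^ *[0-9a-f][0-9a-f]*:/p'
}

out=${TMPDIR:-/tmp}/raw.$$
hex_to_file "$SAMPLE" "$out"
echo "wrote $(byte_count "$out") bytes to $out"
if command -v objdump >/dev/null 2>&1; then
    echo "# GAS (AT&T) syntax, loaded at 0x8048054 to match the original dump"
    disasm_raw "$out" att 0x8048054
    echo "# Intel syntax"
    disasm_raw "$out" intel
    echo "# decoding from offset 1: same bytes, different instructions"
    objdump -D -b binary -m i386 --start-address=1 "$out" \
        | sed -n '/^ *[0-9a-f][0-9a-f]*:/p'
fi
rm -f "$out"
```

For 64-bit bytes swap `-m i386` for `-m i386:x86-64`; everything else stays the same. If the offset-1 run decodes to plausible-looking instructions, that is not evidence the blob is code there: any byte sequence decodes to something on x86, which is why you need to know where the entry point is before trusting a raw disassembly.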