I'm running an ARM virtual machine using QEMU, and I wanted to disassemble the bytecode from some standard /bin functions, such as mount, mkdir etc., to get the assembly instructions.
What I have done is first do an object copy:
objcopy -O binary --only-section=.text mkdir mkdir.bin
Then disassemble:
objdump -m ARM -b binary -D mkdir.bin
However, the assembly code I get is rubbish, with several undefined instructions errors.
I've also tried disassembling forcing thumb-mode:
arm-linux-gnueabi-objdump -m ARM -b binary -D -Mforce-thumb mkdir.bin
And here again, the instructions seem to be rubbish.
What I mean by rubbish is instructions which, although technically correct, make no sense.
I'm lost as to why this is happening, and I'm not sure where the problem comes from. Is it the commands which are wrong? Should I not expect to get ARM assembly instructions?
Note: This is the tutorial I've followed to install QEMU https://translatedcode.wordpress.com/2016/11/03/installing-debian-on-qemus-32-bit-arm-virt-board/
Just try it:
so.s
.globl _start
_start:
add r0,r1,r2
add r1,r2,r3
ldr r3,=skip
bx r3
.word 0x12345678
.hword 0xaaaa
.thumb
.thumb_func
skip:
add r0,r1,r2
add r1,r2,r3
and try it:
arm-linux-gnueabi-as so.s -o so.o
arm-linux-gnueabi-objdump -D so.o
so.o: file format elf32-littlearm
Disassembly of section .text:
00000000 <_start>:
0: e0810002 add r0, r1, r2
4: e0821003 add r1, r2, r3
8: e59f300c ldr r3, [pc, #12] ; 1c <skip+0x6>
c: e12fff13 bx r3
10: 12345678 eorsne r5, r4, #120, 12 ; 0x7800000
14: 1888aaaa stmne r8, {r1, r3, r5, r7, r9, fp, sp, pc}
00000016 <skip>:
16: 1888 adds r0, r1, r2
18: 18d1 adds r1, r2, r3
1a: 00000000 andeq r0, r0, r0
...
Disassembly of section .ARM.attributes:
00000000 <.ARM.attributes>:
0: 00001541 andeq r1, r0, r1, asr #10
4: 61656100 cmnvs r5, r0, lsl #2
8: 01006962 tsteq r0, r2, ror #18
c: 0000000b andeq r0, r0, fp
10: 01080206 tsteq r8, r6, lsl #4
14: Address 0x0000000000000014 is out of bounds.
Yes, objdump disassembles everything, including data and other sections, but oh well. Notice how it got thumb vs arm...
Can be a linked binary as well.
arm-linux-gnueabi-ld -Ttext=0x8000 so.o -o so.elf
arm-linux-gnueabi-objdump -D so.elf
so.elf: file format elf32-littlearm
Disassembly of section .text:
00008000 <_start>:
8000: e0810002 add r0, r1, r2
8004: e0821003 add r1, r2, r3
8008: e59f300c ldr r3, [pc, #12] ; 801c <skip+0x6>
800c: e12fff13 bx r3
8010: 12345678 eorsne r5, r4, #120, 12 ; 0x7800000
8014: 1888aaaa stmne r8, {r1, r3, r5, r7, r9, fp, sp, pc}
00008016 <skip>:
8016: 1888 adds r0, r1, r2
8018: 18d1 adds r1, r2, r3
801a: 80170000 andshi r0, r7, r0
...
Yes, this is going to be a mess in general:
arm-linux-gnueabi-objcopy -O binary so.elf so.bin
arm-linux-gnueabi-objdump -m ARM -b binary -D so.bin
so.bin: file format binary
Disassembly of section .data:
00000000 <.data>:
0: e0810002 add r0, r1, r2
4: e0821003 add r1, r2, r3
8: e59f300c ldr r3, [pc, #12] ; 0x1c
c: e12fff13 bx r3
10: 12345678 eorsne r5, r4, #120, 12 ; 0x7800000
14: 1888aaaa stmne r8, {r1, r3, r5, r7, r9, fp, sp, pc}
18: 000018d1 ldrdeq r1, [r0], -r1 ; <UNPREDICTABLE>
1c: 00008017 andeq r8, r0, r7, lsl r0
It got the arm ones right but not the thumb ones, and won't. Make it thumb only and it will get the thumb ones but not the arm, and never will.
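Added example, not code from either post: the ELF still carries the assembler's mapping symbols, which is how objdump knew where Thumb started, but the raw .bin has lost them. One clue that survives in the bytes is the literal pool: `ldr r3,=skip` loads 0x8017, an address with bit 0 set, which is the Thumb marker `bx` honours. The scan below walks any little-endian raw ARM image for ARM-mode `ldr Rt, [pc, #imm]` loads and reports literals that look like Thumb entry points; it assumes the eight words objdump printed for so.bin and the 0x8000 link address from the ld command, and the function name and heuristic are mine.

```python
import struct

# Constructed copy of so.bin from the answer: the eight little-endian words
# objdump printed for it, assumed linked at -Ttext=0x8000 as in the answer.
SO_BIN = struct.pack("<8I", 0xE0810002, 0xE0821003, 0xE59F300C, 0xE12FFF13,
                     0x12345678, 0x1888AAAA, 0x000018D1, 0x00008017)
LOAD_BASE = 0x8000


def find_pc_literal_loads(blob, base):
    """Scan ARM-mode words for 'ldr Rt, [pc, #+/-imm12]' (encoding A1),
    resolve each literal-pool entry and flag values with bit 0 set, i.e.
    addresses a later 'bx' would enter in Thumb state.
    Heuristic only: a data word that happens to match the encoding is
    reported too, and Thumb-mode literal loads are not decoded."""
    hits = []
    for off in range(0, len(blob) - 3, 4):
        insn = struct.unpack_from("<I", blob, off)[0]
        # bits 27..25 = 010, P=1, B=0, W=0, L=1, Rn = pc (0b1111); cond and U free.
        if insn & 0x0F7F0000 != 0x051F0000:
            continue
        imm = insn & 0xFFF
        # In ARM state the PC read by the instruction is its address + 8.
        pool = off + 8 + (imm if insn & (1 << 23) else -imm)
        if not 0 <= pool <= len(blob) - 4:
            continue
        value = struct.unpack_from("<I", blob, pool)[0]
        in_image = base <= value < base + len(blob)
        hits.append({
            "insn_addr": base + off,
            "rt": (insn >> 12) & 0xF,
            "pool_addr": base + pool,
            "value": value,
            "thumb_target": bool(value & 1) and in_image,
            "target_addr": (value & ~1) if in_image else None,
        })
    return hits


if __name__ == "__main__":
    for h in find_pc_literal_loads(SO_BIN, LOAD_BASE):
        mode = "Thumb entry" if h["thumb_target"] else "ARM address or data"
        print(f"{h['insn_addr']:08x}: ldr r{h['rt']}, =0x{h['value']:08x}  -> {mode}")
```

The reported target addresses give you the boundaries to hand to objdump with --start-address/--stop-address, disassembling each region with or without -Mforce-thumb instead of forcing one mode over the whole file.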