I'd like to disassemble the MBR (first 512 bytes) of a bootable x86 disk that I have. I have copied the MBR to a file using
dd if=/dev/my-device of=mbr bs=512 count=1
Any suggestions for a Linux utility that can disassemble the file mbr?
You can use objdump. According to this article the syntax is:
objdump -D -b binary -mi386 -Maddr16,data16 mbr
The GNU tool is called objdump, for example:
objdump -D -b binary -m i8086 <file>
-m i386 or -Mintel,x86-64. i8086 is an old architecture and using it for modern code may yield unexpected results. Furthermore, specifying x86-64 to -M might be a good idea nowadays since many machines are 64-bit. Passing intel to -M changes the syntax to Intel-style instead of the default AT&T style, which you may or may not want.
I like ndisasm for this purpose. It comes with the NASM assembler, which is free and open source and included in the package repositories of most linux distros.
ndisasm -b16 -o7c00h -a -s7c3eh mbr
Explanation - from ndisasm manpage
-b = Specifies 16-, 32- or 64-bit mode. The default is 16-bit mode.
-o = Specifies the notional load address for the file. This option causes ndisasm to get the addresses it lists down the left hand margin, and the target addresses of PC-relative jumps and calls, right.
-a = Enables automatic (or intelligent) sync mode, in which ndisasm will attempt to guess where synchronisation should be performed, by means of examining the target addresses of the relative jumps and calls it disassembles.
-s = Manually specifies a synchronisation address, such that ndisasm will not output any machine instruction which encompasses bytes on both sides of the address. Hence the instruction which starts at that address will be correctly disassembled.
mbr = The file to be disassembled.
-b specifies 16-, 32- or 64-bit mode. The default is 16-bit mode. -o is the notional load address for the file. This option causes ndisasm to get the addresses it lists down the left hand margin, and the target addresses of PC-relative jumps and calls, right. -s specifies a synchronisation address, such that ndisasm will not output any machine instruction which encompasses bytes on both sides of the address. Hence the instruction which starts at that address will be correctly disassembled.
starblue and hlovdal both have parts of the canonical answer. If you want to disassemble raw i8086 code, you usually want Intel syntax, not AT&T syntax, too, so use:
objdump -D -Mintel,i8086 -b binary -m i386 mbr.bin
objdump -D -Mintel,i386 -b binary -m i386 foo.bin # for 32-bit code
objdump -D -Mintel,x86-64 -b binary -m i386 foo.bin # for 64-bit code
If your code is ELF (or a.out (or (E)COFF)), you can use the short form:
objdump -D -Mintel,i8086 a.out # disassembles the entire file
objdump -d -Mintel,i8086 a.out # disassembles only code sections
For 32-bit or 64-bit code, omit the ,8086; the ELF header already includes this information.
ndisasm, as suggested by jameslin, is also a good choice, but objdump usually comes with the OS and can deal with all architectures supported by GNU binutils (superset of those supported by GCC), and its output can usually be fed into GNU as (ndisasm’s can usually be fed into nasm though, of course).
Peter Cordes suggests that “Agner Fog's objconv is very nice. It puts labels on branch targets, making a lot easier to figure out what the code does. It can disassemble into NASM, YASM, MASM, or AT&T (GNU) syntax.”
Multimedia Mike already found out about --adjust-vma; the ndisasm equivalent is the -o option.
To disassemble, say, sh4 code (I used one binary from Debian to test), use this with GNU binutils (almost all other disassemblers are limited to one platform, such as x86 with ndisasm and objconv):
objdump -D -b binary -m sh -EL x
The -m is the machine, and -EL means Little Endian (for sh4eb use -EB instead), which is relevant for architectures that exist in either endianness.
gcc -O3 -masm=intel -fverbose-asm -S -o- | less, since I'm usually trying to tweak C source into compiling to good asm.
Try this command:
sudo dd if=/dev/sda bs=512 count=1 | ndisasm -b16 -o7c00h -
Follow WeChat
Success story sharing
Want to stay one step ahead of the latest teleworks?
Subscribe Now相似问题
- Quickly create a large file on a Linux system
- How do I profile C++ code running on Linux?
- Shell command to tar directory excluding certain files/folders
- How to change permissions for a folder and its subfolders/files in one step
- How to recursively find and list the latest modified files in a directory with subdirectories and times
- How can I use grep to show just filenames on Linux? [closed]
- How do I achieve the theoretical maximum of 4 FLOPs per cycle?
- Where can I find php.ini?
- What is the runtime performance cost of a Docker container?
- Replacing a 32-bit loop counter with 64-bit introduces crazy performance deviations with _mm_popcnt_u64 on Intel CPUs
--targetinstead of-b.-Dis "disassemble the contents of all sections";-b bfdnameor--target=bfdnamewill force reading as specified object-code format (not elf but raw binary in our case);-m machinewill specify the architecture to use (in our file there is no header with arch info).-M optionsare options of disassembler;addr16,data16are used to "specify the default address size and operand size" (treat code as i8086 one in the universal x86 disasm engine)