This one works fine yet provides all of the machine addresses as beginning at zero:

xed -i Halt7.obj

I really need the machine addresses to begin at their COFF object file offsets.

Here is what I have tried: They give me the help message (list of options) indicating a syntax error in my specification of options.

xed -i  -as 0xb4              Halt7.obj
xed -ir -as 0xb4              Halt7.obj
xed -i  -as 0xb4 -ae 0x121    Halt7.obj
xed -ir -as 0xb4 -ae 0x121    Halt7.obj 

One of the following is required:

    -i input_file             (decode pecoff-format file)
    -ir raw_input_file        (decode a raw unformatted binary file)

Optional arguments:

    -as addr      (Address to start disassembling.
                   Use 0x for hex addresses)
    -ae addr      (Address to end   disassembling.
                   Use 0x for hex addresses)

The correct answer, provided by Peter Cordes, is shown below.

This option disassembled the file correctly, yet showed the addresses beginning at offset zero:

xed -i Halt7.obj

XDIS  0: PUSH      BASE       55                       push ebp
XDIS  1: DATAXFER  BASE       8BEC                     mov ebp, esp
XDIS  3: PUSH      BASE       51                       push ecx
XDIS  4: DATAXFER  BASE       C745FC00000000           mov dword ptr [ebp-0x4], 0x0
XDIS  b: DATAXFER  BASE       8B45FC                   mov eax, dword ptr [ebp-0x4]
XDIS  e: PUSH      BASE       50                       push eax
XDIS  f: CALL      BASE       E80C000000               call 0x20
XDIS 14: BINARY    BASE       83C404                   add esp, 0x4
XDIS 17: DATAXFER  BASE       B801000000               mov eax, 0x1
XDIS 1c: DATAXFER  BASE       8BE5                     mov esp, ebp
XDIS 1e: POP       BASE       5D                       pop ebp
XDIS 1f: RET       BASE       C3                       ret 

This is what I wanted to achieve; the syntax was provided by Peter Cordes, as shown below:

xed -i Halt7.obj -b 0xb4

XDIS b4: PUSH      BASE       55                       push ebp
XDIS b5: DATAXFER  BASE       8BEC                     mov ebp, esp
XDIS b7: PUSH      BASE       51                       push ecx
XDIS b8: DATAXFER  BASE       C745FC00000000           mov dword ptr [ebp-0x4], 0x0
XDIS bf: DATAXFER  BASE       8B45FC                   mov eax, dword ptr [ebp-0x4]
XDIS c2: PUSH      BASE       50                       push eax
XDIS c3: CALL      BASE       E80C000000               call 0xd4
XDIS c8: BINARY    BASE       83C404                   add esp, 0x4
XDIS cb: DATAXFER  BASE       B801000000               mov eax, 0x1
XDIS d0: DATAXFER  BASE       8BE5                     mov esp, ebp
XDIS d2: POP       BASE       5D                       pop ebp
XDIS d3: RET       BASE       C3                       ret 
1 Answers

-i -as tells it the input file is -as. And then there are stray arguments 0xb4 and Halt7.obj which aren't the args to any options.

You have to keep the file name as the next option after -i or -ir.

xed -as 0xb4 -ae 0x121  -i Halt7.obj

I think -as and -ae just limit the range of which instructions get disassembled. They don't change what address gets printed next to any instruction that is disassembled.

I think what you actually want is to set the base address with -b:

xed -i a.out  -b 0x55000

produces disassembly like this for a Linux PIE executable.

# SECTION 13                     .text addr 10e0 offset 10e0 size 1541
XDIS 560e0: WIDENOP   BASE       F30F1EFA                 nop edx, edi
XDIS 560e4: LOGICAL   BASE       31ED                     xor ebp, ebp
XDIS 560e6: DATAXFER  BASE       4989D1                   mov r9, rdx
XDIS 560e9: POP       BASE       5E                       pop rsi
XDIS 560ea: DATAXFER  BASE       4889E2                   mov rdx, rsp
XDIS 560ed: LOGICAL   BASE       4883E4F0                 and rsp, 0xfffffffffffffff0
XDIS 560f1: PUSH      BASE       50                       push rax
XDIS 560f2: PUSH      BASE       54                       push rsp
XDIS 560f3: MISC      BASE       4C8D05E6050000           lea r8, ptr [rip+0x5e6] <__libc_csu_fini+0x55000>
XDIS 560fa: MISC      BASE       488D0D6F050000           lea rcx, ptr [rip+0x56f] <__libc_csu_fini+0x54f90>
XDIS 56101: MISC      BASE       488D3D62010000           lea rdi, ptr [rip+0x162] <__libc_csu_fini+0x54b8a>
XDIS 56108: CALL      BASE       FF15D22E0000             call qword ptr [rip+0x2ed2] <__libc_csu_fini+0x57900>
XDIS 5610e: SYSTEM    BASE       F4                       hlt

...

Without the -b option, the image base is 0 (and the .text section starts 0x10e0 into the file) so we get

# SECTION 13                     .text addr 10e0 offset 10e0 size 1541

SYM _start:
XDIS 10e0: WIDENOP   BASE       F30F1EFA                 nop edx, edi
XDIS 10e4: LOGICAL   BASE       31ED                     xor ebp, ebp
XDIS 10e6: DATAXFER  BASE       4989D1                   mov r9, rdx
XDIS 10e9: POP       BASE       5E                       pop rsi
XDIS 10ea: DATAXFER  BASE       4889E2                   mov rdx, rsp
XDIS 10ed: LOGICAL   BASE       4883E4F0                 and rsp, 0xfffffffffffffff0
XDIS 10f1: PUSH      BASE       50                       push rax
XDIS 10f2: PUSH      BASE       54                       push rsp
XDIS 10f3: MISC      BASE       4C8D05E6050000           lea r8, ptr [rip+0x5e6] <__libc_csu_fini>
XDIS 10fa: MISC      BASE       488D0D6F050000           lea rcx, ptr [rip+0x56f] <__libc_csu_init>
XDIS 1101: MISC      BASE       488D3D62010000           lea rdi, ptr [rip+0x162] <main>
XDIS 1108: CALL      BASE       FF15D22E0000             call qword ptr [rip+0x2ed2] <__libc_csu_fini+0x2900>
XDIS 110e: SYSTEM    BASE       F4                       hlt
XDIS 110f: NOP       BASE       90                       nop

...

It seems the -b option messes up symbol info. Without it, the output is broken up into functions.

But with -b, it's just flat with no marker at the top of a function.
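To make the difference between -as/-ae (a range filter) and -b (a base address) concrete, here is an added Python example, not code from the question, the answer, or XED itself, that parses the XDIS lines from the question, rebases them the way -b 0xb4 does (recomputing the absolute target XED prints for the rel32 call, which is why 'call 0x20' becomes 'call 0xd4'), and filters by address range the way -as/-ae do without touching the printed addresses. The sample input is constructed from the question's own output; the column regex is an assumption about XED's text layout.

```python
import re

# Constructed sample input: the XDIS lines from the question, disassembled at base 0.
SAMPLE_XDIS = """\
XDIS  0: PUSH      BASE       55                       push ebp
XDIS  1: DATAXFER  BASE       8BEC                     mov ebp, esp
XDIS  3: PUSH      BASE       51                       push ecx
XDIS  4: DATAXFER  BASE       C745FC00000000           mov dword ptr [ebp-0x4], 0x0
XDIS  b: DATAXFER  BASE       8B45FC                   mov eax, dword ptr [ebp-0x4]
XDIS  e: PUSH      BASE       50                       push eax
XDIS  f: CALL      BASE       E80C000000               call 0x20
XDIS 14: BINARY    BASE       83C404                   add esp, 0x4
XDIS 17: DATAXFER  BASE       B801000000               mov eax, 0x1
XDIS 1c: DATAXFER  BASE       8BE5                     mov esp, ebp
XDIS 1e: POP       BASE       5D                       pop ebp
XDIS 1f: RET       BASE       C3                       ret
"""

# Assumed layout: "XDIS <addr>: <category> <isa-set> <hex bytes> <asm text>"
XDIS_RE = re.compile(r"^XDIS\s+([0-9a-f]+):\s+(\S+)\s+(\S+)\s+([0-9A-F]+)\s+(.*?)\s*$")

def parse_xdis(text):
    """Parse XDIS rows into dicts; other lines (SYM, # SECTION, ...) are skipped."""
    rows = []
    for line in text.splitlines():
        m = XDIS_RE.match(line)
        if m:
            addr, cat, iset, hexbytes, asm = m.groups()
            rows.append({"addr": int(addr, 16), "cat": cat, "iset": iset,
                         "bytes": bytes.fromhex(hexbytes), "asm": asm})
    return rows

def rebase(rows, base):
    """What -b does: shift every address by `base`. XED prints rel32 CALL/JMP
    (opcodes E8/E9) targets as absolute addresses, so recompute them too."""
    out = []
    for r in rows:
        r2 = dict(r, addr=r["addr"] + base)          # copy, original row untouched
        op = r["bytes"]
        if r["cat"] in ("CALL", "UNCOND_BR") and len(op) == 5 and op[0] in (0xE8, 0xE9):
            rel = int.from_bytes(op[1:5], "little", signed=True)
            target = r2["addr"] + 5 + rel             # next-instruction address + rel32
            r2["asm"] = re.sub(r"0x[0-9a-f]+$", f"0x{target:x}", r["asm"])
        out.append(r2)
    return out

def select_range(rows, start=None, end=None):
    """What -as/-ae do: keep instructions with start <= addr < end; addresses unchanged."""
    return [r for r in rows if (start is None or r["addr"] >= start)
                               and (end is None or r["addr"] < end)]
```

Running rebase(parse_xdis(SAMPLE_XDIS), 0xb4) reproduces the second listing in the question, including the call target moving from 0x20 to 0xd4, while select_range only drops rows.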