Shut Up and Hack

I like reading more than writing, and, in fact, I don't write too much.

Kcshell: Assembly/disassembly Shell

I was a bit bored of switching between metasm_shell and nasm_shell every time I had to play with assembly instructions and opcodes during exploit development or reversing code. Also, switching between x86 and x64 wasn’t possible. Since I was already playing with the Keystone, Capstone and Unicorn "triforce" Python bindings in a different project, I decided to write a small interactive assembly/disassembly shell for various architectures, powered by Keystone/Capstone.

It’s extremely easy to use and install. To install, just type:

pip3 install kcshell

You may be wondering, pip3? Yes, I wrote it in Python3 and I really didn’t care about Python2. Why? Well, Python2 will be unsupported in more or less 3 years, so I decided to use Python3.

Usage

By default kcshell starts in ‘assembler’ mode (x86 32 bits). You can change modes with ‘setmode’.

$ kcshell
-=[ kcshell 0.0.1 ]=-
Default Assembler architecture is x86 (32 bits)
asm> lsmodes
disasm, asm
asm> setmode disasm
Default Disassembler architecture is x86 (32 bits)
disasm>

You can also change the default architecture for both the ‘assembler’ and ‘disassembler’ with ‘setarch’.

disasm> lsarchs
x86, mips32, arm_t, x64, arm, x16, arm64, mips64
disasm> setarch x64
Disassembler architecture is now x64
disasm>

To assemble instructions just type the instructions in the command line.

asm> jmp esp
"\xff\xe4"
asm> xor eax, eax
"\x31\xc0"
asm> jmp -500
"\xe9\x07\xfe\xff\xff"
asm> add esp,-1500
"\x81\xc4\x24\xfa\xff\xff"
asm> xor ecx,ecx ; mov ch, 0xc8 ; mov esi, edi ; mov edi, esp ; rep movsb
"\x31\xc9\xb5\xc8\x89\xfe\x89\xe7\xf3\xa4"
asm> setarch x64
Assembler architecture is now x64
asm> inc rax
"\x48\xff\xc0"
asm>

To go from opcodes to instructions just type them in the command line.

disasm> \xff\xe4
0x00400000:     jmp     esp
disasm> \x31\xc0
0x00400000:     xor     eax, eax
disasm> \x31\xc9\xb5\xc8\x89\xfe\x89\xe7\xf3\xa4
0x00400000:     xor     ecx, ecx
0x00400002:     mov     ch, 0xc8
0x00400004:     mov     esi, edi
0x00400006:     mov     edi, esp
0x00400008:     rep movsb       byte ptr es:[edi], byte ptr [esi]
disasm> setarch x64
Disassembler architecture is now x64
disasm> \x48\xff\xc0
0x00400000:     inc     rax
disasm>
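The bytes in the two transcripts above come from Keystone and Capstone, but the rules behind them are worth seeing in plain Python. This is an added example, not kcshell's code: it reproduces the "\xff\xe4" output format, the \xff\xe4 input format, and the x86 rel32/imm32 encodings shown above using only the standard library; the assumption that `jmp -500` is an absolute target with the code based at address 0 (while disasm mode lists from 0x00400000) is inferred from the transcript's own output.

```python
# Added example, not kcshell's code: pure-Python reproduction of the two
# formats kcshell uses ("\xff\xe4" output, \xff\xe4 input) and of the x86
# rel32/imm32 encodings seen in the transcript. Standard library only.
import re
import struct

def to_escaped(code: bytes) -> str:
    """Render bytes the way asm mode prints them, e.g. "\\xff\\xe4"."""
    return '"' + "".join(f"\\x{b:02x}" for b in code) + '"'

def from_escaped(text: str) -> bytes:
    """Parse disasm-mode input: \\xff\\xe4, 0xff 0xe4, ff e4 and ffe4 all work."""
    cleaned = re.sub(r"\\x|0x|[\s,]", "", text)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", cleaned):
        raise ValueError(f"not a hex byte string: {text!r}")
    return bytes.fromhex(cleaned)

def jmp_rel32(target: int, address: int = 0) -> bytes:
    """E9 rel32: the displacement is measured from the end of the 5-byte jmp.
    The transcript shows `jmp -500` -> e9 07 fe ff ff, i.e. rel32 = -505:
    the operand is an absolute target and the code is based at address 0
    (inferred from that output), so rel32 = -500 - (0 + 5)."""
    rel = target - (address + 5)
    if not -2**31 <= rel < 2**31:
        raise ValueError("rel32 out of range")
    return b"\xe9" + struct.pack("<i", rel)

def decode_jmp_rel32(code: bytes, address: int = 0) -> int:
    """Inverse of jmp_rel32: the target depends on where the bytes are placed.
    Capstone in disasm mode lists instructions from 0x00400000, so the same
    bytes resolve to a different target there than at address 0."""
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not a jmp rel32")
    return address + 5 + struct.unpack("<i", code[1:])[0]

def add_esp_imm32(imm: int) -> bytes:
    """81 /0 id with ModRM 0xC4 (reg=0 -> add, r/m=4 -> esp), sign-extended
    imm32 in little-endian order: add esp,-1500 -> 81 c4 24 fa ff ff."""
    return b"\x81\xc4" + struct.pack("<i", imm)

def matches_transcript() -> bool:
    """Cross-check the encoders against the bytes kcshell printed above."""
    return (to_escaped(jmp_rel32(-500)) == r'"\xe9\x07\xfe\xff\xff"'
            and to_escaped(add_esp_imm32(-1500)) == r'"\x81\xc4\x24\xfa\xff\xff"'
            and from_escaped(r"\x48\xff\xc0") == b"\x48\xff\xc0")
```

Because rel32 is position-dependent, a branch assembled in asm mode and pasted into disasm mode is shown relative to 0x00400000, not to 0.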

For help just use ‘?’ or ‘help <topic>’.

asm> ?

Documented commands (type help <topic>):
========================================
EOF  exit  help  lsarchs  lsmodes  quit  setarch  setmode

asm> help lsmodes
Lists current operational modes available.
asm> help lsarchs
List supported Assembler architectures.
asm> help setarch
Set Assembler architecture. To list available options type 'lsarchs'.
asm> help setmode
Sets 'kcshell' operational mode. For available options run 'lsmodes'.
asm> lsarchs
systemz, hexagon, arm, arm64, ppc32, mips32, sparc, x64, x16, sparc64, arm_t, x86, mips64, ppc64

To list all the supported architectures just go to the desired mode and use ‘lsarchs’.

asm> lsarchs
mips64, sparc64, sparc, arm_t, x64, x16, arm64, hexagon, systemz, mips32, ppc64, x86, arm, ppc32
asm> lsmodes
asm, disasm
asm> setmode disasm
Default Disassembler architecture is x86 (32 bits)
disasm> lsarchs
mips64, x16, arm64, mips32, arm_t, x86, arm, x64
disasm>

TODO

I plan to implement a feature to read assembly instructions or opcodes from files soon, so if you find kcshell useful, just keep an eye on GitHub. In the meantime, have fun.