Welcome to ODA! ODA stands for Online DisAssembler. ODA is a general purpose machine code disassembler that supports a myriad of machine architectures. Built on the shoulders of libbfd and libopcodes (part of binutils), ODA allows you to explore an executable by dissecting its sections, strings, symbols, raw hex, and machine level instructions. ODA is meant to be a lightweight, online service for when you don’t have the time, resources, or requirements to use a heavier-weight alternative.
You can use ODA for a variety of purposes such as:
- Visualizing the control flow of a group of instructions
- Disassembling a few bytes of an exception handler that is going off into the weeds
- Reversing the first few bytes of a Master Boot Record (MBR) that may be corrupt
- Debugging an embedded systems device driver
- Malware analysis
- Vulnerability research
- Developing a jailbreak for the latest iPhone
- Satisying your own intellectual curiosity (Does there exist some sequence of bytes that disassembles to the same logical operation for two separate platforms?)
ODA is a BETA release that is limited by the resource constraints of the server on which it is hosted and the spare time of its creators. If you find ODA useful, have a feature request, or want to comment in any way, please drop us a line!
The first step is to upload some data. This can be done through a file upload or by copying and pasting ASCII hex bytes into Live View.
Method 1: File Upload
ODA recognizes several object file formats, including ELF (Linux), Mach-O (Apple products), and PE (Windows executables). ODA can also disassemble a raw binary image. After uploading data, you must select your platform options. If ODA recognizes the object file format, it will select the machine architecture for you and allow you to select the other platform options. If ODA does not recognize the object file format, it will allow you to continue disassembling the file as a raw binary image. In this case, you must tell ODA which machine architecture to use.
Method 2: Live View
Live View is a convenient alternative to file upload when you only have a few byte to disassemble. In Live View, you type or copy/paste ASCII hex bytes into the Live View text area, and ODA dynamically disassembles those bytes using the platform selected.
The Disassembly View and Hex View both support infinite scrolling. This means that new data will be uploaded dynamically to the page as you scroll. This prevents having to load the entire disassembly or hex data for you executable into your browser all at the same time.
The address bar lets you easily navigate the address space of large executables. The line separators in the bar represent distinct code sections. You can either click on the bar at your desired location or drag the arrow indicator to to your desired location.
You can also use the ‘g’ shortcut to bring up the “Go to address…” dialog.
The Disassembly View is the main window showing the disassembled code.
The Hex View provides a byte-level view of your data. As you hover over bytes in Hex View, the status bar at the bottom of the screen updates to show you the byte address, hex value, and ASCII representation of the byte highlighted.
The Sections View shows a list of the sections in the executable along with the corresponding section properties.
The File Info View provides some basic information about the uploaded file.
The symbols are listed in the sidebar on the left. If the symbols are defined in the executable (as opposed to imported symbols that are defined in external libraries), then the symbol appears as a clickable link.
A list of all strings found in the data is also displayed in the sidebar on the left. The offset corresponding to the strings listed is a file offset, not an address in the executable’s address space.
ODA provides several features to aid in code analysis.
Branch and jump target addresses are clickable links that take you to the target location. You can use your browser’s “Back” and “Forward” buttons to navigate through your analysis history.
ODA draws branch target lines to the left of the addressess. These lines form a connection between the instruction that is branching/jumping and the target location.
You can add comments to the right of the disassembly by clicking in the general area or by pressing the semi-colon key (‘;’) while the line is highlighted.
At the head of each function is a list of cross reference links. These links take you to the addresses of instructions that call this function.