
Contents

Introduction
Requirements
History
Warranty
Credits
Contact
Keyboard shortcuts
Structure tutorial
Command reference
  ba
  bp
  bpdll
  del_struct
  dup
  help
  extnd
  fold
  unfold
  lstruct
  ls
  sym
  struct
  py
  undefine

Introduction

ArkDasm is a 64-bit interactive disassembler and debugger for Windows.

Supported file types: PE64, raw binary files.

Supported processor: x64 architecture (Intel x64 and AMD64)

ArkDasm is released as Freeware. Copyrighted by cyberbob.


Requirements

Visual Studio 2013 run-times (msvcp120.dll, msvcr120.dll), installed by:

vcredist_x64.exe
http://www.microsoft.com/en-us/download/details.aspx?id=40784

History

v1.1.0
• added debugger memory snapshot feature
• added debugger exception handling settings
• added new command: bpdll
• improvements, bug fixes

v1.0.0
• added debugger capabilities
• added new commands: bp, ba
• switched to the Capstone disasm engine
• updated Qt to 5.4.0
• switched to Visual Studio 2013

v0.8.0
• added python script support
• added command line support
• added new command: py
• minor improvements, bug fixes

v0.7.0
• added new commands: extnd, lst, fold, unfold
• minor improvements, bug fixes

v0.6.0
• added structure support for global data
• added new commands: del_struct, struct, ls
• updated Qt to 5.2.1
• minor improvements, bug fixes

Warranty

This software is provided as-is, without warranty of ANY KIND, either expressed or implied, including
but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
The author shall NOT be held liable for ANY damage to you, your computer, or to anyone or anything
else, that may result from its use, or misuse.

Use it at YOUR OWN RISK


Credits

This software uses:

• Qt 5 framework - www.qt.io
• Capstone disassembly framework - www.capstone-engine.org

Contact

In case of bugs, problems, feature requests, etc., feel free to contact me.

Regards,
cyberbob

arkdasm@gmail.com

Keyboard shortcuts

Disassembly Window

Navigation

Jump to previous view      Esc
Jump to next view          `
Go to address              g
Jump to entrypoint         Ctrl + e
Add bookmark               Alt + m
Show bookmarks             Ctrl + m

Edit

Make code                  c
Make data                  d
Make procedure             p
Make byte array            Shift + 8
Make ASCII string          a
Make UTF-16 string         w
Undefine                   u
Rename                     n

Miscellaneous

Enter comment              ;
Show xref to address       x

Application shortcut

Toggle hex code on/off     F6


Structure tutorial

Go to Edit – Create structure (Ctrl+t) and define an assembly structure, e.g.:

account_t struct
code db ?
id dd ?
name db 32 dup(?)
dataPtr dq ?
account_t ends

Press “Create new” to define the structure. Finally, use the struct command to mark an address as an instance of the structure.
Struct command syntax: struct <struct name> <variable name> <address>

For example:
struct account_t account 0000000140003020

(Screenshots in the original: the disassembly view before and after applying the struct command.)
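To make the tutorial's layout concrete, here is an added example (not ArkDasm's own code, and it does not use any ArkDasm scripting API) that parses the account_t definition above and computes the absolute address of every field the way the struct command places them at 0000000140003020. It assumes fields are packed without padding, as in a MASM STRUCT with the default alignment of 1.

```python
import re

# Byte sizes of the MASM data directives used in ArkDasm structure definitions.
DIRECTIVE_SIZES = {"db": 1, "dw": 2, "dd": 4, "dq": 8}

# "<field> <directive> ?"  or  "<field> <directive> <count> dup(?)"
FIELD_RE = re.compile(
    r"^(\w+)\s+(db|dw|dd|dq)\s+(?:(\d+)\s+dup\s*\(\s*\?\s*\)|\?)$", re.IGNORECASE
)

# The tutorial's structure definition, embedded here as sample input.
ACCOUNT_T = """
account_t struct
code db ?
id dd ?
name db 32 dup(?)
dataPtr dq ?
account_t ends
"""


def parse_struct(text):
    """Return (struct name, [(field, offset, size)], total size) for a struct/ends block."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head, tail = lines[0].split(), lines[-1].split()
    if len(head) != 2 or head[1].lower() != "struct" or tail != [head[0], "ends"]:
        raise ValueError("expected '<name> struct' ... '<name> ends'")
    fields, offset = [], 0
    for line in lines[1:-1]:
        m = FIELD_RE.match(line)
        if not m:
            raise ValueError(f"unsupported field line: {line!r}")
        field, directive, count = m.group(1), m.group(2).lower(), m.group(3)
        size = DIRECTIVE_SIZES[directive] * (int(count) if count else 1)
        fields.append((field, offset, size))
        offset += size  # assumption: packed fields, as MASM STRUCT with default alignment 1
    return head[0], fields, offset


def lay_out(struct_text, var_name, address_hex):
    """Mimic 'struct <name> <var> <address>': map 'var.field' to (absolute address, size)."""
    _, fields, _ = parse_struct(struct_text)
    base = int(address_hex, 16)
    return {f"{var_name}.{field}": (base + off, size) for field, off, size in fields}


if __name__ == "__main__":
    for label, (addr, size) in lay_out(ACCOUNT_T, "account", "0000000140003020").items():
        print(f"{addr:016x}  {label:<18} {size} byte(s)")
```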
Command reference

ba

Syntax: ba <rw | w | e>size <address>

Description: set a hardware breakpoint on access (execute, write, or read/write of the data).
The monitored address can cover a range of 1, 2, 4, or 8 bytes, except for a breakpoint on execution,
which must be 1 byte.

Example:

ba w4 0000000140001040
ba e1 0000000140001010
ba rw8 0000000140001020
ba r8 0000000140001020 (the same as ba rw8 command)

bp

Syntax: bp <address>

Description: set software breakpoint on execution

Example:

bp 0000000140001040

bpdll

Syntax: bpdll <dll path>

Description: sets a breakpoint on DLL load (at the DLL's entrypoint).

Example:

bpdll c:\windows\system32\psapi.dll

To break on all DLLs loaded from c:\program files\ use the command:
bpdll c:\program files\*

To break on all DLLs whose name ends with deadbeef.dll use the command:
bpdll *deadbeef.dll

del_struct

Syntax: del_struct <struct name>

Description: Delete structure and undefine all variables associated with the struct.

Example:

del_struct client_t

dup

Syntax: dup <address> <range hex>

Description: create a byte array (duplicated byte). For the command to succeed the bytes must be unexplored
and must all have the same value. If the command fails, the bytes are most likely marked as a resource; in that
case use the undefine command first and then the dup command.

Example:

dup 00000001400030a0 400
dup 00000001400030a0 00000001400030a4-00000001400030a0

help

Syntax: help

Description: shows the list of commands.

extnd

Syntax: extnd <section nr>

Description: extend the section's data size from its raw size to its virtual size and reload.
Use the ls (list segments) command to find the section number.

By default ArkDasm loads only the raw data of a PE section; however, some variables may live in the
section's virtual space (beyond the raw data), so commands that reference them fail, e.g. the struct
command fails if the variable is not present in the section's raw data. The extnd command solves this.

Example:

extnd 2

fold

Syntax: fold <address> <range>

Description: fold an address range.

Tip: The range is aligned up to the next instruction, so to fold a single instruction it is enough to set it to 1.

Example:

fold 0000000000011000 20
fold 0000000000011000 0000000000011020-0000000000011000

unfold

Syntax: unfold <address>

Description: unfold the range folded at the given address.

Example:

unfold 0000000000011000

lstruct

Syntax: lstruct <* | structure name>

Description: list available structures

Example:

lstruct *
lstruct Conte*

ls

Syntax: ls

Description: list segments

sym

Syntax: sym <* | pattern>

Description: list debug symbols matching the pattern.

Example:

sym *@8
sym *Load*

struct

Syntax: struct <struct name> <variable name> <address>

Description: mark data as structure

Example:

struct client_t client 0000000140003020

py

Syntax: py <script file>

Description: execute python script

Example:

py script.py

undefine

Syntax: undefine <address> <range hex>

Description: mark an address range as unexplored.

If the range ends in the middle of an instruction, it is aligned up to the next instruction.

Example:

undefine 0000000140001000 1000
undefine 0000000140001000 10*1000
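The dup, fold and undefine examples all take the range as a hex expression (a plain length, a difference of two addresses, or a product such as 10*1000). As an added example, not ArkDasm's own code, this evaluator accepts exactly the two operators the manual shows, rejects anything else rather than passing it to eval(), and returns the byte range a command would cover before ArkDasm's instruction alignment. Giving '*' higher precedence than '-' is an assumption based on ordinary arithmetic.

```python
import re

# One hex literal or one of the two operators the dup/undefine examples use.
TOKEN_RE = re.compile(r"([0-9A-Fa-f]+)|([-*])")


def tokenize(expr):
    """Split a range expression into ints (hex literals) and operator strings."""
    tokens, pos, expr = [], 0, expr.replace(" ", "")
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad range expression at offset {pos}: {expr!r}")
        tokens.append(int(m.group(1), 16) if m.group(1) else m.group(2))
        pos = m.end()
    return tokens


def evaluate(expr):
    """Evaluate a <range hex> expression; '*' binds tighter than '-' (assumed)."""
    tokens = tokenize(expr)
    # Expect literal (op literal)*: odd length, ints at even positions, operators at odd ones.
    if (not tokens or len(tokens) % 2 == 0
            or any(not isinstance(t, int) for t in tokens[0::2])
            or any(t not in ("-", "*") for t in tokens[1::2])):
        raise ValueError(f"malformed range expression: {expr!r}")
    terms = [tokens[0]]  # signed terms, summed at the end
    for op, value in zip(tokens[1::2], tokens[2::2]):
        if op == "*":
            terms[-1] *= value    # scale the term currently being built
        else:
            terms.append(-value)  # '-' starts a new, subtracted term
    return sum(terms)


def range_bounds(address_hex, range_expr):
    """Return (start, end) for '<address> <range hex>', before instruction alignment."""
    start, length = int(address_hex, 16), evaluate(range_expr)
    if length <= 0:
        raise ValueError("range must be a positive number of bytes")
    return start, start + length


if __name__ == "__main__":
    for addr, rng in [("00000001400030a0", "400"),
                      ("00000001400030a0", "00000001400030a4-00000001400030a0"),
                      ("0000000140001000", "10*1000")]:
        lo, hi = range_bounds(addr, rng)
        print(f"{rng:>36}  ->  {lo:016x} .. {hi:016x}  ({hi - lo:#x} bytes)")
```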
