size_t eat_instructions(void *func, size_t target) { csh handle; cs_insn *insn; size_t cnt; size_t len_cnt = 0; #ifdef __x86_64__ if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK) return 0; #elif __i386__ if (cs_open(CS_ARCH_X86, CS_MODE_32, &handle) != CS_ERR_OK) return 0; #endif cnt = cs_disasm(handle, func, 0xF, 0x0, 0, &insn); for (int k = 0; k < 0xF || !(len_cnt >= target); k++) { if (len_cnt < target) { len_cnt+=insn[k].size; } } if (len_cnt < target) { return 0; } return len_cnt; }
bool init_plugin(void *self) { #if defined(TARGET_I386) if (cs_open(CS_ARCH_X86, CS_MODE_32, &cs_handle_32) != CS_ERR_OK) #if defined(TARGET_X86_64) if (cs_open(CS_ARCH_X86, CS_MODE_64, &cs_handle_64) != CS_ERR_OK) #endif #elif defined(TARGET_ARM) if (cs_open(CS_ARCH_ARM, CS_MODE_ARM, &cs_handle_32) != CS_ERR_OK) #elif defined(TARGET_PPC) if (cs_open(CS_ARCH_PPC, CS_MODE_32, &cs_handle_32) != CS_ERR_OK) #endif return false; // Need details in capstone to have instruction groupings cs_option(cs_handle_32, CS_OPT_DETAIL, CS_OPT_ON); #if defined(TARGET_X86_64) cs_option(cs_handle_64, CS_OPT_DETAIL, CS_OPT_ON); #endif panda_cb pcb; panda_enable_memcb(); panda_enable_precise_pc(); pcb.after_block_translate = after_block_translate; panda_register_callback(self, PANDA_CB_AFTER_BLOCK_TRANSLATE, pcb); pcb.after_block_exec = after_block_exec; panda_register_callback(self, PANDA_CB_AFTER_BLOCK_EXEC, pcb); pcb.before_block_exec = before_block_exec; panda_register_callback(self, PANDA_CB_BEFORE_BLOCK_EXEC, pcb); return true; }
static void _capstone_init() { #if __x86_64__ cs_open(CS_ARCH_X86, CS_MODE_64, &g_capstone); #else cs_open(CS_ARCH_X86, CS_MODE_32, &g_capstone); #endif }
void Capstone::GlobalInitialize() { #ifdef _WIN64 cs_open(CS_ARCH_X86, CS_MODE_64, &mHandle); #else //x86 cs_open(CS_ARCH_X86, CS_MODE_32, &mHandle); #endif //_WIN64 cs_option(mHandle, CS_OPT_DETAIL, CS_OPT_ON); }
static int disassemble(RAsm *a, RAsmOp *op, const ut8 *buf, int len) { cs_insn* insn = NULL; cs_mode mode = 0; int ret, n = 0; csh cd; mode = (a->bits==16)? CS_MODE_THUMB: CS_MODE_ARM; if (a->big_endian) mode |= CS_MODE_BIG_ENDIAN; else mode |= CS_MODE_LITTLE_ENDIAN; if (a->cpu && strstr (a->cpu, "m")) mode |= CS_MODE_MCLASS; if (a->cpu && strstr (a->cpu, "v8")) mode |= CS_MODE_V8; op->size = 4; op->buf_asm[0] = 0; ret = (a->bits==64)? cs_open (CS_ARCH_ARM64, mode, &cd): cs_open (CS_ARCH_ARM, mode, &cd); if (ret) { ret = -1; goto beach; } if (a->syntax == R_ASM_SYNTAX_REGNUM) { cs_option (cd, CS_OPT_SYNTAX, CS_OPT_SYNTAX_NOREGNAME); } else cs_option (cd, CS_OPT_SYNTAX, CS_OPT_SYNTAX_DEFAULT); cs_option (cd, CS_OPT_DETAIL, CS_OPT_OFF); n = cs_disasm (cd, buf, R_MIN (4, len), a->pc, 1, &insn); if (n<1) { ret = -1; goto beach; } if (insn->size<1) { ret = -1; goto beach; } op->size = insn->size; snprintf (op->buf_asm, R_ASM_BUFSIZE, "%s%s%s", insn->mnemonic, insn->op_str[0]?" ":"", insn->op_str); r_str_rmch (op->buf_asm, '#'); cs_free (insn, n); beach: cs_close (&cd); if (!op->buf_asm[0]) strcpy (op->buf_asm, "invalid"); return op->size; }
static int disassemble(RAsm *a, RAsmOp *op, const ut8 *buf, int len) { static int omode = 0; int mode, n, ret; ut64 off = a->pc; cs_insn* insn; mode = (a->bits==64)? CS_MODE_64: (a->bits==32)? CS_MODE_32: 0; if (handle && mode != omode) { cs_close (&handle); handle = 0; } op->size = 0; omode = mode; if (handle == 0) { ret = cs_open (CS_ARCH_PPC, mode, &handle); if (ret) return 0; } cs_option (handle, CS_OPT_DETAIL, CS_OPT_OFF); n = cs_disasm_ex (handle, (const ut8*)buf, len, off, 1, &insn); if (n>0) { if (insn->size>0) { op->size = insn->size; snprintf (op->buf_asm, R_ASM_BUFSIZE, "%s%s%s", insn->mnemonic, insn->op_str[0]?" ":"", insn->op_str); } cs_free (insn, n); } return op->size; }
static int disassemble(RAsm *a, RAsmOp *op, const ut8 *buf, int len) { csh handle; cs_insn* insn; int mode, n, ret = -1; mode = a->big_endian? CS_MODE_BIG_ENDIAN: CS_MODE_LITTLE_ENDIAN; if (a->cpu && *a->cpu) { if (!strcmp (a->cpu, "v9")) { mode |= CS_MODE_V9; } } memset (op, 0, sizeof (RAsmOp)); op->size = 4; ret = cs_open (CS_ARCH_SPARC, mode, &handle); if (ret) goto fin; cs_option (handle, CS_OPT_DETAIL, CS_OPT_OFF); n = cs_disasm (handle, (ut8*)buf, len, a->pc, 1, &insn); if (n<1) { strcpy (op->buf_asm, "invalid"); op->size = 4; ret = -1; goto beach; } else ret = 4; if (insn->size<1) goto beach; op->size = insn->size; snprintf (op->buf_asm, R_ASM_BUFSIZE, "%s%s%s", insn->mnemonic, insn->op_str[0]? " ": "", insn->op_str); // TODO: remove the '$'<registername> in the string cs_free (insn, n); beach: cs_close (&handle); fin: return ret; }
static int disassemble(RAsm *a, RAsmOp *op, const ut8 *buf, int len) { static int omode = 0; int mode, n, ret; ut64 off = a->pc; cs_insn* insn = NULL; mode = CS_MODE_BIG_ENDIAN; if (cd && mode != omode) { cs_close (&cd); cd = 0; } op->size = 0; omode = mode; if (cd == 0) { ret = cs_open (CS_ARCH_SYSZ, mode, &cd); if (ret) return 0; cs_option (cd, CS_OPT_DETAIL, CS_OPT_OFF); } n = cs_disasm (cd, (const ut8*)buf, len, off, 1, &insn); if (n>0) { if (insn->size>0) { op->size = insn->size; char *ptrstr; snprintf (op->buf_asm, R_ASM_BUFSIZE, "%s%s%s", insn->mnemonic, insn->op_str[0]?" ":"", insn->op_str); ptrstr = strstr (op->buf_asm, "ptr "); if (ptrstr) { memmove (ptrstr, ptrstr+4, strlen (ptrstr+4)+1); } } cs_free (insn, n); } return op->size; }
static int disassemble(RAsm *a, RAsmOp *op, const ut8 *buf, int len) { static int omode = 0; int n, ret; ut64 off = a->pc; cs_insn* insn; int mode = (a->big_endian)? CS_MODE_BIG_ENDIAN: CS_MODE_LITTLE_ENDIAN; if (handle && mode != omode) { cs_close (&handle); handle = 0; } op->size = 0; omode = mode; op->buf_asm[0] = 0; if (handle == 0) { ret = cs_open (CS_ARCH_PPC, mode, &handle); if (ret) return 0; } cs_option (handle, CS_OPT_DETAIL, CS_OPT_OFF); n = cs_disasm (handle, (const ut8*)buf, len, off, 1, &insn); op->size = 4; if (n > 0 && insn->size > 0) { snprintf (op->buf_asm, R_ASM_BUFSIZE, "%s%s%s", insn->mnemonic, insn->op_str[0]?" ":"", insn->op_str); cs_free (insn, n); return op->size; } //op->size = -1; cs_free (insn, n); return 4; }
// One time init at runtime per thread we bring into monitoring PExecutionBlock InitBlock(ULONG ID) { PExecutionBlock pCtx = &CtxTable[ID]; pCtx->TID = ID; pCtx->InternalID = ID; pCtx->SEQ = 0; pCtx->hThr = INVALID_HANDLE_VALUE; pCtx->BlockFrom = 0; cs_opt_skipdata skipdata = { "db", }; if (cs_open(CS_ARCH_X86, CS_MODE_64, &pCtx->handle) != CS_ERR_OK) return NULL; cs_option(pCtx->handle, CS_OPT_SYNTAX, CS_OPT_SYNTAX_INTEL); cs_option(pCtx->handle, CS_OPT_DETAIL, CS_OPT_ON); cs_option(pCtx->handle, CS_OPT_SKIPDATA, CS_OPT_ON); cs_option(pCtx->handle, CS_OPT_SKIPDATA_SETUP, (size_t)&skipdata); pCtx->insn = cs_malloc(pCtx->handle); pCtx->csLen = 32; pCtx->Hooks = HooksConfig; pCtx->HookCnt = HookCount; return pCtx; }
void disasm(uint64_t addr, uint32_t offset, size_t size, cs_arch arch, cs_mode mode, uint8_t *data) { int i; csh handle = 0; cs_insn *insn; const uint8_t *code; if (cs_open(arch, mode, &handle) != CS_ERR_OK) { printf("ERROR: Failed to initialize engine!\n"); exit(EXIT_FAILURE); } cs_option(handle, CS_OPT_SKIPDATA, CS_OPT_ON); cs_option(handle, CS_OPT_SYNTAX, CS_OPT_SYNTAX_ATT); printf("Disassembly of section .text:\n"); for (i = offset; i < offset + size; i++) { code = &data[i]; insn = cs_malloc(handle); while(cs_disasm_iter(handle, &code, &size, &addr, insn)) { printf("0x%"PRIx64":\t%s\t\t%s\n", insn->address, insn->mnemonic, insn->op_str); } cs_free(insn, 1); } cs_close(&handle); }
struct asm_handle *asm_initialize(cs_arch arch, cs_mode mode) { struct asm_handle *asm_handle = malloc(sizeof(struct asm_handle)); if (!asm_handle) { error("memory error"); return NULL; } asm_handle->pending.size = 0; asm_handle->pending.advance = 0; if (cs_open(arch, mode, &asm_handle->handle) != CS_ERR_OK) { error("cannot initialize asm module"); free(asm_handle); return NULL; } asm_handle->arch = arch; asm_handle->mode = mode; cs_option(asm_handle->handle, CS_OPT_DETAIL, CS_OPT_ON); stdout_use_colors = colors_supported(fileno(stdout)); return asm_handle; }
static bool open_capstone() { cs_err res = cs_open(CS_ARCH_ARM64, CS_MODE_ARM, &cshandle); if (res != CS_ERR_OK) error("Error opening Capstone engine: %s", cs_strerror(res)); return (res == CS_ERR_OK); }
/* Init the disassembler */ int r_disa_init(r_disa_s *dis, r_binfmt_arch_e arch) { int cs_mode; int cs_arch; assert(dis != NULL); memset(dis, 0, sizeof(*dis)); if(arch == R_BINFMT_ARCH_X86_64) { cs_mode = CS_MODE_64; cs_arch = CS_ARCH_X86; } else if(arch == R_BINFMT_ARCH_X86) { cs_mode = CS_MODE_32; cs_arch = CS_ARCH_X86; }else if(arch == R_BINFMT_ARCH_ARM) { cs_mode = CS_MODE_ARM; cs_arch = CS_ARCH_ARM; } else if(arch == R_BINFMT_ARCH_ARM64) { cs_mode = CS_MODE_ARM; cs_arch = CS_ARCH_ARM64; } else { return 0; } if(cs_open(cs_arch, cs_mode, &dis->handle) != CS_ERR_OK) return 0; dis->arch = arch; dis->flavor = R_DISA_FLAVOR_INTEL; return 1; }
unsigned int HookFw::GetAlignedOpcodeForHook() { csh cshHandle; cs_insn *pInsn; unsigned int uiIndex; unsigned int uiCount; unsigned int uiSizeOfStolenOpcode; uiSizeOfStolenOpcode = 0; if (cs_open(CS_ARCH_X86, ARCH_MODE, &cshHandle) != CS_ERR_OK) { return ERR_CANNOT_RESOLVE_ASM; } uiCount = (unsigned int)cs_disasm(cshHandle, (unsigned char *)this->pvSrc, 0x50, 0x100, 0, &pInsn); if (uiCount > 0) { uiIndex = 0; while ((this->nHookLen > uiSizeOfStolenOpcode) && (uiCount >= uiIndex)) { uiSizeOfStolenOpcode += pInsn[uiIndex++].size; } } else return ERR_CANNOT_RESOLVE_ASM; return uiSizeOfStolenOpcode; }
void PLH::AbstractDetour::Initialize(cs_mode Mode) { if (cs_open(CS_ARCH_X86, Mode, &m_CapstoneHandle) != CS_ERR_OK) XTrace("Error Initializing Capstone x86\n"); cs_option(m_CapstoneHandle, CS_OPT_DETAIL, CS_OPT_ON); }
static int analop(RAnal *a, RAnalOp *op, ut64 addr, const ut8 *buf, int len) { csh handle; cs_insn *insn; int mode, n, ret; mode = CS_MODE_BIG_ENDIAN; if (!strcmp (a->cpu, "v9")) mode |= CS_MODE_V9; ret = cs_open (CS_ARCH_XCORE, mode, &handle); op->type = R_ANAL_OP_TYPE_NULL; op->size = 0; op->delay = 0; r_strbuf_init (&op->esil); if (ret == CS_ERR_OK) { cs_option (handle, CS_OPT_DETAIL, CS_OPT_ON); // capstone-next n = cs_disasm (handle, (const ut8*)buf, len, addr, 1, &insn); if (n<1) { op->type = R_ANAL_OP_TYPE_ILL; } else { op->size = insn->size; switch (insn->id) { case XCORE_INS_DRET: case XCORE_INS_KRET: case XCORE_INS_RETSP: op->type = R_ANAL_OP_TYPE_RET; break; case XCORE_INS_DCALL: case XCORE_INS_KCALL: case XCORE_INS_ECALLF: case XCORE_INS_ECALLT: op->type = R_ANAL_OP_TYPE_CALL; op->jump = INSOP(0).imm; break; /* ??? */ case XCORE_INS_BL: case XCORE_INS_BLA: case XCORE_INS_BLAT: case XCORE_INS_BT: case XCORE_INS_BF: case XCORE_INS_BU: case XCORE_INS_BRU: op->type = R_ANAL_OP_TYPE_CALL; op->jump = INSOP(0).imm; break; case XCORE_INS_SUB: case XCORE_INS_LSUB: op->type = R_ANAL_OP_TYPE_SUB; break; case XCORE_INS_ADD: case XCORE_INS_LADD: op->type = R_ANAL_OP_TYPE_ADD; break; } } cs_free (insn, n); cs_close (&handle); } return op->size; }
static void test() { #define M68K_CODE "\xf0\x10\xf0\x00\x48\xaf\xff\xff\x7f\xff\x11\xb0\x01\x37\x7f\xff\xff\xff\x12\x34\x56\x78\x01\x33\x10\x10\x10\x10\x32\x32\x32\x32\x4C\x00\x54\x04\x48\xe7\xe0\x30\x4C\xDF\x0C\x07\xd4\x40\x87\x5a\x4e\x71\x02\xb4\xc0\xde\xc0\xde\x5c\x00\x1d\x80\x71\x12\x01\x23\xf2\x3c\x44\x22\x40\x49\x0e\x56\x54\xc5\xf2\x3c\x44\x00\x44\x7a\x00\x00\xf2\x00\x0a\x28\x4E\xB9\x00\x00\x00\x12\x4E\x75" struct platform platforms[] = { { CS_ARCH_M68K, (cs_mode)(CS_MODE_BIG_ENDIAN | CS_MODE_M68K_040), (unsigned char*)M68K_CODE, sizeof(M68K_CODE) - 1, "M68K", }, }; uint64_t address = 0x01000; cs_insn *insn; int i; size_t count; for (i = 0; i < sizeof(platforms)/sizeof(platforms[0]); i++) { cs_err err = cs_open(platforms[i].arch, platforms[i].mode, &handle); if (err) { printf("Failed on cs_open() with error returned: %u\n", err); abort(); } cs_option(handle, CS_OPT_DETAIL, CS_OPT_ON); count = cs_disasm(handle, platforms[i].code, platforms[i].size, address, 0, &insn); if (count) { size_t j; printf("****************\n"); printf("Platform: %s\n", platforms[i].comment); print_string_hex("Code: ", platforms[i].code, platforms[i].size); printf("Disasm:\n"); for (j = 0; j < count; j++) { assert(address == insn[j].address && "this means the size of the previous instruction was incorrect"); address += insn[j].size; printf("0x%" PRIx64 ":\t%s\t%s\n", insn[j].address, insn[j].mnemonic, insn[j].op_str); print_insn_detail(&insn[j]); } printf("0x%" PRIx64 ":\n", insn[j-1].address + insn[j-1].size); // free memory allocated by cs_disasm() cs_free(insn, count); } else { printf("****************\n"); printf("Platform: %s\n", platforms[i].comment); print_string_hex("Code:", platforms[i].code, platforms[i].size); printf("ERROR: Failed to disasm given code!\n"); abort(); } printf("\n"); cs_close(&handle); } }
static void test() { #define SYSZ_CODE "\xed\x00\x00\x00\x00\x1a\x5a\x0f\x1f\xff\xc2\x09\x80\x00\x00\x00\x07\xf7\xeb\x2a\xff\xff\x7f\x57\xe3\x01\xff\xff\x7f\x57\xeb\x00\xf0\x00\x00\x24\xb2\x4f\x00\x78\xec\x18\x00\x00\xc1\x7f" struct platform platforms[] = { { CS_ARCH_SYSZ, CS_MODE_BIG_ENDIAN, (unsigned char*)SYSZ_CODE, sizeof(SYSZ_CODE) - 1, "SystemZ", }, }; uint64_t address = 0x1000; cs_insn *insn; int i; size_t count; for (i = 0; i < sizeof(platforms)/sizeof(platforms[0]); i++) { cs_err err = cs_open(platforms[i].arch, platforms[i].mode, &handle); if (err) { printf("Failed on cs_open() with error returned: %u\n", err); continue; } cs_option(handle, CS_OPT_DETAIL, CS_OPT_ON); count = cs_disasm(handle, platforms[i].code, platforms[i].size, address, 0, &insn); if (count) { size_t j; printf("****************\n"); printf("Platform: %s\n", platforms[i].comment); print_string_hex("Code:", platforms[i].code, platforms[i].size); printf("Disasm:\n"); for (j = 0; j < count; j++) { printf("0x%"PRIx64":\t%s\t%s\n", insn[j].address, insn[j].mnemonic, insn[j].op_str); print_insn_detail(&insn[j]); } printf("0x%"PRIx64":\n", insn[j-1].address + insn[j-1].size); // free memory allocated by cs_disasm() cs_free(insn, count); } else { printf("****************\n"); printf("Platform: %s\n", platforms[i].comment); print_string_hex("Code:", platforms[i].code, platforms[i].size); printf("ERROR: Failed to disasm given code!\n"); } printf("\n"); cs_close(&handle); } }
int main(int argc, char **argv, char **envp) { csh handle; if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle)) { printf("cs_open(…) failed\n"); return 1; } cs_insn *insn; cs_disasm(handle, (uint8_t *)BINARY, sizeof(BINARY) - 1, 0x1000, 0, &insn); return 0; }
int main() { pthread_t t[2]; cs_open("/sem",1); pthread_create(t,NULL,t1,NULL); sleep(1); pthread_create(t+1,NULL,t2,NULL); pthread_join(t[0],NULL); pthread_join(t[1],NULL); cs_close("/sem"); return 0; }
static int analop(RAnal *a, RAnalOp *op, ut64 addr, const ut8 *buf, int len) { csh handle = 0; cs_insn *insn = NULL; int mode = (a->bits==16)? CS_MODE_THUMB: CS_MODE_ARM; int n, ret; mode |= (a->big_endian)? CS_MODE_BIG_ENDIAN: CS_MODE_LITTLE_ENDIAN; ret = (a->bits==64)? cs_open (CS_ARCH_ARM64, mode, &handle): cs_open (CS_ARCH_ARM, mode, &handle); cs_option (handle, CS_OPT_DETAIL, CS_OPT_ON); op->type = R_ANAL_OP_TYPE_NULL; op->size = (a->bits==16)? 2: 4; op->delay = 0; op->jump = op->fail = -1; op->addr = addr; op->ptr = op->val = -1; op->refptr = 0; r_strbuf_init (&op->esil); if (ret == CS_ERR_OK) { n = cs_disasm (handle, (ut8*)buf, len, addr, 1, &insn); if (n<1) { op->type = R_ANAL_OP_TYPE_ILL; } else { op->size = insn->size; if (a->bits == 64) { anop64 (op, insn); } else { anop32 (op, insn); } if (a->decode) { analop_esil (a, op, addr, buf, len, &handle, insn); } cs_free (insn, n); } cs_close (&handle); } return op->size; }
void MCParser::reset(cs_arch arch, cs_mode mode) { if(valid()) cs_close(&m_handle); m_arch = arch; m_mode = mode; cs_err err_no; err_no = cs_open(m_arch, m_mode, &m_handle); if (err_no) { throw std::runtime_error("Failed on cs_open() " "with error returned:" + err_no); } cs_option(m_handle, CS_OPT_DETAIL, CS_OPT_ON); m_valid = true; }
void MCParser::initialize(cs_arch arch, cs_mode mode, addr_t end_addr) { m_arch = arch; m_mode = mode; m_end_addr = end_addr; cs_err err_no; err_no = cs_open(m_arch, m_mode, &m_handle); if (err_no) { throw std::runtime_error("Failed on cs_open() " "with error returned:" + err_no); } cs_option(m_handle, CS_OPT_DETAIL, CS_OPT_ON); m_valid = true; }
static int disassemble(RAsm *a, RAsmOp *op, const ut8 *buf, int len) { cs_insn* insn; int mode, n, ret = -1; mode = CS_MODE_BIG_ENDIAN; if (!op) { return 0; } // mode |= (a->bits == 64)? CS_MODE_64: CS_MODE_32; memset (op, 0, sizeof (RAsmOp)); op->size = 4; if (cd != 0) { cs_close (&cd); } ret = cs_open (CS_ARCH_TMS320C64X, mode, &cd); if (ret) { goto fin; } if (a->syntax == R_ASM_SYNTAX_REGNUM) { cs_option (cd, CS_OPT_SYNTAX, CS_OPT_SYNTAX_NOREGNAME); } else { cs_option (cd, CS_OPT_SYNTAX, CS_OPT_SYNTAX_DEFAULT); } cs_option (cd, CS_OPT_DETAIL, CS_OPT_OFF); n = cs_disasm (cd, (ut8*)buf, len, a->pc, 1, &insn); if (n < 1) { strcpy (op->buf_asm, "invalid"); op->size = 4; goto beach; } else { ret = 4; } if (insn->size < 1) { goto beach; } op->size = insn->size; snprintf (op->buf_asm, R_ASM_BUFSIZE, "%s%s%s", insn->mnemonic, insn->op_str[0]? " ": "", insn->op_str); // r_str_replace_in (op->buf_asm, sizeof (op->buf_asm), "*+", "", 1); // nasty, the disasm output comes with tabs and uppercase :( r_str_replace_char (op->buf_asm, '\t', 0); // r_str_replace_in (op->buf_asm, sizeof (op->buf_asm), "\t", "", 1); r_str_case (op->buf_asm, false); cs_free (insn, n); beach: // cs_close (&cd); fin: return op->size; }
ArmCapstone::ArmCapstone(unsigned int thumb_mode) : is_thumb(true) { cs_mode mode = CS_MODE_THUMB; if(thumb_mode == 0) { mode = CS_MODE_ARM; is_thumb = false; } if(cs_open(CS_ARCH_ARM, mode, &m_handle) != CS_ERR_OK) RAISE_EXCEPTION("Apparently no support for ARM in capstone.lib"); cs_option(m_handle, CS_OPT_DETAIL, CS_OPT_ON); }
static cs_insn * disassemble_instruction_at (gconstpointer address) { csh capstone; cs_insn * insn = NULL; cs_open (CS_ARCH_ARM64, CS_MODE_LITTLE_ENDIAN, &capstone); cs_option (capstone, CS_OPT_DETAIL, CS_OPT_ON); cs_disasm (capstone, address, 16, GPOINTER_TO_SIZE (address), 1, &insn); cs_close (&capstone); return insn; }
void check_disassembly (const unsigned char * buf, size_t size) { unsigned int i; struct _wtfile_writer * ww = wtfile_writer_open("disassembly.txt"); if (size < DISASM_SIZE) return; for (i = 0; capstone_ops[i].description != NULL; i++) { struct _capstone_op * cop = &capstone_ops[i]; csh handle; cs_insn * insn; size_t count; if (cs_open(cop->arch, cop->mode, &handle) != CS_ERR_OK) { fprintf(stderr, "error opening %s in capstone, results may be incomplete\n", cop->description); continue; } size_t offset = 0; for (offset = 0; offset < size - DISASM_SIZE; offset++) { if (offset > DISASM_LIMIT) break; count = cs_disasm(handle, &(buf[offset]), DISASM_SIZE, 0, 0, &insn); if (count > (DISASM_SIZE / 8)) { char tmp[4096]; /*************************** RESET INDENT *******************************/ uint32_t t; t = snprintf(tmp, 4096, "--------------------------------------\n"); t += snprintf(&(tmp[t]), 4096 - t, "Possible disassembly for %s starting at 0x%x\n", cop->description, offset); unsigned int j; for (j = 0; j < 4; j++) { t += snprintf(&(tmp[t]), 4096 - t, "%s\t%s\n", insn[j].mnemonic, insn[j].op_str); } t += snprintf(&(tmp[t]), 4096 - t, "\n"); wtfile_writer_write(ww, tmp, strlen(tmp)); } if (count > 0) cs_free(insn, count); } cs_close(&handle); } }
int instruction_length_at_address(uint64_t address) { csh handle; cs_insn *insn; size_t count; int retval = 0; if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK) return -1; count = cs_disasm_ex(handle, (uint8_t *)address, 12, 0x1000, 0, &insn); if (count > 0) { retval = insn[0].size; cs_free(insn, count); } cs_close(&handle); return retval; }
int DisassembleCapOffset(unsigned char *buffer, char opt, unsigned char *second_option, int file_len, unsigned char *third_option) { // this option (third option) is responsible for disassemble where it find what and stop unsigned char *length = third_option; int offset = 0; int offset_file = 0; int buf_len=0; int offset_address = 0; // some unit testing ;) int offsets = strtoul(second_option, NULL, 16); offset = RealFileOffset(buffer, offsets); offset_address = offset; //printf("the real offset is %x\n", offset); printf("file len is %d\n", file_len); unsigned char *buf = (unsigned char *)malloc(file_len-offset); for(offset_file=0 ; offset_file+offset != file_len ; offset_file++) { buf[offset_file] = buffer[offset+offset_file]; buf_len++; } csh handle; cs_insn *insn; size_t count; if(cs_open(CS_ARCH_X86, CS_MODE_32, &handle) != CS_ERR_OK) return -1; cs_option(handle, CS_OPT_SKIPDATA, CS_OPT_ON); count = cs_disasm(handle, buf, buf_len, offset, 0, &insn); if(count > 0) { size_t j; for(j=0; j<count; j++) { if (strcmp(length, insn[j].mnemonic)==0 || strcmp("retf", insn[j].mnemonic) == 0) { printf("\x1B[35m\t[ 0x%08x ] : \t\x1B[32m%s\t%s\n", offset_address, insn[j].mnemonic, insn[j].op_str); break; } printf("\x1B[35m\t[ 0x%08x ] : \t\x1B[32m%s\t%s\n", offset_address, insn[j].mnemonic, insn[j].op_str); offset_address += insn[j].size; } cs_free(insn, count); } else { printf("failed disassemble\n"); } }