Beispiel #1
0
        public bool Disassemble(Distorm.DecodeType decodeType)
        {
            if (this.Data.Length == 0)
            {
                return false;
            }

            if (this.InstructionsDisassembled.Count != 0)
            {
                this.InstructionsDisassembled = Distorm.Disassemble(this.Data, (ulong)Address.ToInt64(), decodeType);
                if (this.InstructionsDisassembled.Count == 0)
                {
                    return false;
                }
            }

            if (this.InstructionsDecomposed.Length != 0)
            {
                this.InstructionsDecomposed = Distorm.Decompose(this.Data, (ulong)Address.ToInt64(), decodeType);
                if (this.InstructionsDecomposed.Length == 0)
                {
                    return false;
                }
            }

            return true;
        }
Beispiel #2
0
        public static bool VerifyDecomposition2(Distorm.DInst[] result)
        {
            string expectedOutput = "mov [rsp+0x8], rsi\n" +
                        "mov [rsp+0x10], rdi\n" +
                        "push r12\n" +
                        "sub rsp, 0xb0\n" +
                        "and dword [rsp+0x20], 0x0\n" +
                        "lea rcx, [rsp+0x40]\n" +
                        "call qword [0xffbf2288]\n" +
                        "lea rdx, [rdi-0x18]\n";

            if (result.Length < 7)
            {
                return false;
            }

            List<string> instructions = new List<string>();

            foreach (Distorm.DInst inst in result)
            {
                instructions.Add(inst.ToString());
            }

            //List<string> instructions2 = Distorm.Disassemble(Program.code2, 0xFFBAB9D0, Distorm.DecodeType.Decode64Bits);

            return expectedOutput.Equals(string.Join("\n", instructions) + "\n");
        }
Beispiel #3
0
        /// <summary>
        /// Tests the decomposition of a resulting array that has parsed the test code in this class.
        /// </summary>
        /// <param name="result">The parsed results.</param>
        /// <returns>Returns true if the results have been parsed as expected.</returns>
        public static bool VerifyDecomposition(Distorm.DInst[] result)
        {
            if (result.Length < 6)
            {
                return false;
            }

            // Manually check each instruction.
            if (result[0].InstructionType != Distorm.InstructionType.PUSH ||
                result[0].ops[0].RegisterName != "ebp")
            {
                return false;
            }
            else if (result[1].InstructionType != Distorm.InstructionType.MOV ||
                result[1].ops[0].RegisterName != "ebp" ||
                result[1].ops[1].RegisterName != "esp")
            {
                return false;
            }
            else if (result[2].InstructionType != Distorm.InstructionType.MOV ||
                result[2].ops[0].RegisterName != "eax" ||
                result[2].ops[1].type != Distorm.OperandType.SMEM ||
                result[2].ops[1].RegisterName != "ebp" ||
                result[2].disp != 0x8)
            {
                return false;
            }
            else if (result[3].InstructionType != Distorm.InstructionType.ADD ||
                result[3].ops[0].RegisterName != "eax" ||
                result[3].ops[1].type != Distorm.OperandType.SMEM ||
                result[3].ops[1].RegisterName != "ebp" ||
                result[3].disp != 0xc)
            {
                return false;
            }
            else if (result[4].InstructionType != Distorm.InstructionType.LEAVE)
            {
                return false;
            }
            else if (result[5].InstructionType != Distorm.InstructionType.RET)
            {
                return false;
            }

            return true;
        }