public void TestDisassemble()
{
// Create X86 Disassembler.
//
// Creating the disassembler in a "using" statement ensures that resources get cleaned up automatically
// when it is no longer needed.
using (var disassembler = CapstoneDisassembler.CreateArm64Disassembler(DisassembleMode.Arm32)) {
Assert.IsNotNull(disassembler);
// Enable Disassemble Details.
//
// Enables disassemble details, which are disabled by default, to provide more detailed information on
// disassembled binary code.
disassembler.EnableDetails = true;
// Set Disassembler's Syntax.
//
// Make the disassembler generate instructions in Intel syntax.
disassembler.Syntax = DisassembleSyntaxOptionValue.Intel;
// Disassemble All Binary Code.
//
// ...
var code = new byte[] { 0x09, 0x00, 0x38, 0xd5, 0xbf, 0x40, 0x00, 0xd5, 0x0c, 0x05, 0x13, 0xd5, 0x20, 0x50, 0x02, 0x0e, 0x20, 0xe4, 0x3d, 0x0f, 0x00, 0x18, 0xa0, 0x5f, 0xa2, 0x00, 0xae, 0x9e, 0x9f, 0x37, 0x03, 0xd5, 0xbf, 0x33, 0x03, 0xd5, 0xdf, 0x3f, 0x03, 0xd5, 0x21, 0x7c, 0x02, 0x9b, 0x21, 0x7c, 0x00, 0x53, 0x00, 0x40, 0x21, 0x4b, 0xe1, 0x0b, 0x40, 0xb9, 0x20, 0x04, 0x81, 0xda, 0x20, 0x08, 0x02, 0x8b, 0x10, 0x5b, 0xe8, 0x3c };
var instructions = disassembler.DisassembleAll(code, 0x2C);
//Assert.AreEqual(instructions.Length, 2);
}
}
/// <summary>
/// Create an XCore Memory Operand Value.
/// </summary>
/// <param name="disassembler">
/// A disassembler.
/// </param>
/// <param name="nativeMemoryOperandValue">
/// A native XCore memory operand value.
/// </param>
internal XCoreMemoryOperandValue(CapstoneDisassembler disassembler, ref NativeXCoreMemoryOperandValue nativeMemoryOperandValue)
{
this.Base = XCoreRegister.TryCreate(disassembler, (XCoreRegisterId)nativeMemoryOperandValue.Base);
this.Direct = nativeMemoryOperandValue.Direct;
this.Displacement = nativeMemoryOperandValue.Displacement;
this.Index = XCoreRegister.TryCreate(disassembler, (XCoreRegisterId)nativeMemoryOperandValue.Index);
}
/// <summary>
/// Build an Instruction Detail.
/// </summary>
/// <param name="disassembler">
/// A disassembler.
/// </param>
/// <param name="hInstruction">
/// An instruction handle.
/// </param>
internal override void Build(CapstoneDisassembler disassembler, NativeInstructionHandle hInstruction)
{
// ...
//
// Throws an exception if the operation fails.
base.Build(disassembler, hInstruction);
var nativeInstructionDetail = NativeCapstone.GetInstructionDetail <NativeX86InstructionDetail>(hInstruction).GetValueOrDefault();
this.AddressSize = nativeInstructionDetail.AddressSize;
this.AvxConditionCode = nativeInstructionDetail.AvxConditionCode;
this.AvxRoundingMode = nativeInstructionDetail.AvxRoundingMode;
this.AvxSuppressAllExceptions = nativeInstructionDetail.AvxSuppressAllExceptions;
this.Displacement = nativeInstructionDetail.Displacement;
this.EFlags = nativeInstructionDetail.Flag.EFlags;
this.Encoding = new X86Encoding(ref nativeInstructionDetail.Encoding);
this.FpuFlags = nativeInstructionDetail.Flag.FpuFlags;
this.ModRm = nativeInstructionDetail.ModRm;
this.Opcode = nativeInstructionDetail.Opcode;
this.Operands = X86Operand.Create(disassembler, ref nativeInstructionDetail);
this.Prefix = nativeInstructionDetail.Prefix;
this.Rex = nativeInstructionDetail.Rex;
this.Sib = nativeInstructionDetail.Sib;
this.SibBase = X86Register.TryCreate(disassembler, nativeInstructionDetail.SibBase);
this.SibIndex = X86Register.TryCreate(disassembler, nativeInstructionDetail.SibIndex);
this.SibScale = nativeInstructionDetail.SibScale;
this.SseConditionCode = nativeInstructionDetail.SseConditionCode;
this.XopConditionCode = nativeInstructionDetail.XopConditionCode;
}
private static void CodeHookCallback(
CapstoneDisassembler <X86Instruction, X86Register, X86InstructionGroup, X86InstructionDetail> disassembler,
Unicorn u,
Int64 addr,
Int32 size,
Object userData)
{
Console.Write("[+] 0x{0}: ", addr.ToString("X"));
var eipBuffer = new Byte[4];
u.RegRead(X86.UC_X86_REG_EIP, eipBuffer);
var effectiveSize = Math.Min(16, size);
var tmp = new Byte[effectiveSize];
u.MemRead(addr, tmp);
var sb = new StringBuilder();
foreach (var t in tmp)
{
sb.AppendFormat("{0} ", (0xFF & t).ToString("X"));
}
Console.Write("{0,-20}", sb);
Console.WriteLine(Utils.Disassemble(disassembler, tmp));
}
public static string DissasembleIl2CppMethod(MethodInfo method, UnitorModel module)
{
StringBuilder output = new StringBuilder();
if (!method.VirtualAddress.HasValue)
{
return("");
}
X86DisassembleMode mode = module.AppModel.Image.Arch == "x64" ? X86DisassembleMode.Bit64 : X86DisassembleMode.Bit32;
CapstoneX86Disassembler disassembler = CapstoneDisassembler.CreateX86Disassembler(mode);
disassembler.EnableInstructionDetails = true;
var asm = disassembler.Disassemble(method.GetMethodBody(), (long)method.VirtualAddress.Value.Start);
foreach (X86Instruction ins in asm)
{
if (ShouldCheckInstruction(ins.Id))
{
output.AppendLine(ins.Mnemonic + " " + ins.Operand + " " + GetTooltipFromInstruction(method, ins, module));
}
else
{
output.AppendLine(ins.Mnemonic + " " + ins.Operand);
}
}
disassembler.Dispose();
return(output.ToString());
}
public void TestDisassemble()
{
// Create X86 Disassembler.
//
// Creating the disassembler in a "using" statement ensures that resources get cleaned up automatically
// when it is no longer needed.
using (var disassembler = CapstoneDisassembler.CreateX86Disassembler(DisassembleMode.Bit32)) {
Assert.IsNotNull(disassembler);
// Enable Disassemble Details.
//
// Enables disassemble details, which are disabled by default, to provide more detailed information on
// disassembled binary code.
disassembler.EnableDetails = true;
// Set Disassembler's Syntax.
//
// Make the disassembler generate instructions in Intel syntax.
disassembler.Syntax = DisassembleSyntaxOptionValue.Intel;
// Disassemble All Binary Code.
//
// ...
var code = new byte[] { 0x8d, 0x4c, 0x32, 0x08, 0x01, 0xd8, 0x81, 0xc6, 0x34, 0x12, 0x00, 0x00, 0x05, 0x23, 0x01, 0x00, 0x00, 0x36, 0x8b, 0x84, 0x91, 0x23, 0x01, 0x00, 0x00, 0x41, 0x8d, 0x84, 0x39, 0x89, 0x67, 0x00, 0x00, 0x8d, 0x87, 0x89, 0x67, 0x00, 0x00, 0xb4, 0xc6 };
var instructions = disassembler.DisassembleAll(code);
Assert.AreEqual(instructions.Length, 9);
}
}
/// <summary>
/// Create an ARM Instruction.
/// </summary>
/// <param name="disassembler">
/// A disassembler.
/// </param>
/// <param name="hInstruction">
/// An instruction handle.
/// </param>
/// <returns>
/// An ARM instruction.
/// </returns>
internal static ArmInstruction Create(CapstoneDisassembler disassembler, NativeInstructionHandle hInstruction)
{
var builder = new ArmInstructionBuilder();
builder.Build(disassembler, hInstruction);
return(builder.Create());
}
/// <summary>
/// Create an ARM Memory Operand Value.
/// </summary>
/// <param name="disassembler">
/// A disassembler.
/// </param>
/// <param name="nativeMemoryOperandValue">
/// A native ARM memory operand value.
/// </param>
internal ArmMemoryOperandValue(CapstoneDisassembler disassembler, ref NativeArmMemoryOperandValue nativeMemoryOperandValue)
{
this.Base = ArmRegister.TryCreate(disassembler, nativeMemoryOperandValue.Base);
this.Displacement = nativeMemoryOperandValue.Displacement;
this.Index = ArmRegister.TryCreate(disassembler, nativeMemoryOperandValue.Index);
this.LeftShit = nativeMemoryOperandValue.LeftShift;
this.Scale = nativeMemoryOperandValue.Scale;
}
public void TearDown()
{
if (this.disassembler != null)
{
this.disassembler.Dispose();
this.disassembler = null;
}
}
/// <summary>
/// Create a MIPS Instruction Detail.
/// </summary>
/// <param name="disassembler">
/// A disassembler.
/// </param>
/// <param name="hInstruction">
/// An instruction handle.
/// </param>
/// <returns>
/// A MIPS instruction detail.
/// </returns>
internal static MipsInstructionDetail Create(CapstoneDisassembler disassembler, NativeInstructionHandle hInstruction)
{
var builder = new MipsInstructionDetailBuilder();
builder.Build(disassembler, hInstruction);
return(builder.Create());
}
/// <summary>
/// Create an X86 Memory Operand Value.
/// </summary>
/// <param name="disassembler">
/// A disassembler.
/// </param>
/// <param name="nativeMemoryOperandValue">
/// A native X86 memory operand value.
/// </param>
internal X86MemoryOperandValue(CapstoneDisassembler disassembler, ref NativeX86MemoryOperandValue nativeMemoryOperandValue)
{
this.Base = X86Register.TryCreate(disassembler, nativeMemoryOperandValue.Base);
this.Displacement = nativeMemoryOperandValue.Displacement;
this.Index = X86Register.TryCreate(disassembler, nativeMemoryOperandValue.Index);
this.Scale = nativeMemoryOperandValue.Scale;
this.Segment = X86Register.TryCreate(disassembler, nativeMemoryOperandValue.Segment);
}
public FmtX86(X86DisassembleMode mode)
{
disassembler = CapstoneDisassembler.CreateX86Disassembler(mode);
disassembler.DisassembleSyntax = DisassembleSyntax.Intel;
// Represent invalid instructions as "db 0x.."
disassembler.EnableSkipDataMode = true;
disassembler.SkipDataInstructionMnemonic = "db";
}
/// <summary>
/// Create X86 Operands.
/// </summary>
/// <param name="disassembler">
/// A disassembler.
/// </param>
/// <param name="nativeInstructionDetail">
/// A native X86 instruction detail.
/// </param>
/// <returns>
/// An array of X86 operands.
/// </returns>
internal static X86Operand[] Create(CapstoneDisassembler disassembler, ref NativeX86InstructionDetail nativeInstructionDetail)
{
var operands = new X86Operand[nativeInstructionDetail.OperandCount];
for (var i = 0; i < operands.Length; i++)
{
ref var nativeOperand = ref nativeInstructionDetail.Operands[i];
operands[i] = new X86Operand(disassembler, ref nativeOperand);
}
public static String Disassemble(CapstoneDisassembler<X86Instruction, X86Register, X86InstructionGroup, X86InstructionDetail> disassembler, Byte[] code)
{
var sb = new StringBuilder();
var instructions = disassembler.DisassembleAll(code);
foreach (var instruction in instructions)
{
sb.AppendFormat("{0} {1}{2}", instruction.Mnemonic, instruction.Operand, Environment.NewLine);
}
return sb.ToString().Trim();
}
public void TestCreate()
{
var disassembler = CapstoneDisassembler.CreateArm64Disassembler(DisassembleMode.Arm32);
Assert.IsNotNull(disassembler);
Assert.AreEqual(disassembler.Architecture, DisassembleArchitecture.Arm64);
Assert.AreEqual(disassembler.EnableDetails, false);
Assert.AreEqual(disassembler.Mode, DisassembleMode.Arm32);
Assert.AreEqual(disassembler.Syntax, DisassembleSyntaxOptionValue.Default);
}
/// <summary>
/// Build an Instruction Detail.
/// </summary>
/// <param name="disassembler">
/// A disassembler.
/// </param>
/// <param name="hInstruction">
/// An instruction handle.
/// </param>
internal override void Build(CapstoneDisassembler disassembler, NativeInstructionHandle hInstruction)
{
// ...
//
// Throws an exception if the operation fails.
base.Build(disassembler, hInstruction);
var nativeInstructionDetail = NativeCapstone.GetInstructionDetail <NativeXCoreInstructionDetail>(hInstruction).GetValueOrDefault();
this.Operands = XCoreOperand.Create(disassembler, ref nativeInstructionDetail);
}
public static String Disassemble(CapstoneDisassembler <X86Instruction, X86Register, X86InstructionGroup, X86InstructionDetail> disassembler, Byte[] code)
{
var sb = new StringBuilder();
var instructions = disassembler.DisassembleAll(code);
foreach (var instruction in instructions)
{
sb.AppendFormat("{0} {1}{2}", instruction.Mnemonic, instruction.Operand, Environment.NewLine);
}
return(sb.ToString().Trim());
}
public ThumbDisassembler(ImageReader rdr)
{
this.rdr = rdr;
this.dasm = CapstoneDisassembler.CreateArmDisassembler(DisassembleMode.ArmThumb);
dasm.EnableDetails = true;
this.stream = dasm.DisassembleStream(
rdr.Bytes,
(int)rdr.Offset,
(long)(rdr.Address.ToLinear()))
.GetEnumerator();
}
public AArch64Disassembler(ImageReader rdr)
{
var dasm = CapstoneDisassembler.CreateArm64Disassembler(DisassembleMode.Arm32);
dasm.EnableDetails = true;
this.stream = dasm.DisassembleStream(
rdr.Bytes,
(int)rdr.Offset,
(long)rdr.Address.ToLinear() - rdr.Offset)
.GetEnumerator();
}
/// <summary>
/// Create an XCore Instruction Group.
/// </summary>
/// <param name="disassembler">
/// A disassembler.
/// </param>
/// <param name="id">
/// The instruction group's unique identifier.
/// </param>
/// <returns>
/// An XCore instruction group.
/// </returns>
internal static XCoreInstructionGroup Create(CapstoneDisassembler disassembler, XCoreInstructionGroupId id)
{
// ...
//
// Throws an exception if the operation fails.
var name = NativeCapstone.GetInstructionGroupName(disassembler.Handle, (int)id);
var @object = new XCoreInstructionGroup(id, name);
return(@object);
}
/// <summary>
/// Create a basic block processing worker
/// </summary>
/// <param name="binaryTarg">Binary target associated with the trace</param>
/// <param name="runrecord">TraceRecord associated with the trace</param>
/// <param name="remotePipeID">ID of the pipe receiving basic block data</param>
public BlockHandlerThread(BinaryTarget binaryTarg, TraceRecord runrecord, uint?remotePipeID = null)
{
target = binaryTarg;
trace = runrecord;
bitWidth = target.BitWidth;
_remotePipeID = remotePipeID;
//todo don't create in headless mode
X86DisassembleMode disasMode = (bitWidth == 32) ? X86DisassembleMode.Bit32 : X86DisassembleMode.Bit64;
disassembler = CapstoneDisassembler.CreateX86Disassembler(disasMode);
}
public Arm32Disassembler(Arm32ProcessorArchitecture arch, EndianImageReader rdr)
{
var dasm = CapstoneDisassembler.CreateArmDisassembler(
DisassembleMode.Arm32 | DisassembleMode.LittleEndian);
dasm.EnableDetails = true;
this.stream = dasm.DisassembleStream(
rdr.Bytes,
(int)rdr.Offset,
(long)rdr.Address.ToLinear() - rdr.Offset)
.GetEnumerator();
}
private static void RunTest(Byte[] code, Int64 address, Int32 mode)
{
using (var u = new Unicorn(Common.UC_ARCH_X86, mode))
using (var disassembler = CapstoneDisassembler.CreateX86Disassembler(DisassembleMode.Bit32))
{
Console.WriteLine("Unicorn version: {0}", u.Version());
// map 2MB of memory for this emulation
u.MemMap(address, 2 * 1024 * 1024, Common.UC_PROT_ALL);
// initialize machine registers
u.RegWrite(X86.UC_X86_REG_EAX, 0x1234);
u.RegWrite(X86.UC_X86_REG_ECX, 0x1234);
u.RegWrite(X86.UC_X86_REG_EDX, 0x7890);
// write machine code to be emulated to memory
u.MemWrite(address, code);
// initialize machine registers
u.RegWrite(X86.UC_X86_REG_ESP, Utils.Int64ToBytes(address + 0x200000));
// handle IN & OUT instruction
u.AddInHook(InHookCallback);
u.AddOutHook(OutHookCallback);
// tracing all instructions by having @begin > @end
u.AddCodeHook((uc, addr, size, userData) => CodeHookCallback(disassembler, uc, addr, size, userData), 1, 0);
// handle interrupt ourself
u.AddInterruptHook(InterruptHookCallback);
// handle SYSCALL
u.AddSyscallHook(SyscallHookCallback);
// intercept invalid memory events
u.AddEventMemHook(MemMapHookCallback, Common.UC_HOOK_MEM_READ_UNMAPPED | Common.UC_HOOK_MEM_WRITE_UNMAPPED);
Console.WriteLine(">>> Start tracing code");
// emulate machine code in infinite time
u.EmuStart(address, address + code.Length, 0u, 0u);
// print registers
var ecx = u.RegRead(X86.UC_X86_REG_ECX);
var edx = u.RegRead(X86.UC_X86_REG_EDX);
var eax = u.RegRead(X86.UC_X86_REG_EAX);
Console.WriteLine("[!] EAX = {0}", eax.ToString("X"));
Console.WriteLine("[!] ECX = {0}", ecx.ToString("X"));
Console.WriteLine("[!] EDX = {0}", edx.ToString("X"));
Console.WriteLine(">>> Emulation Done!");
}
}
private CapstoneX86Disassembler createCapstoneX86Eng(string mode)
{
if (mode == "32bit")
{
return(CapstoneDisassembler.CreateX86Disassembler(X86DisassembleMode.Bit32));
}
else if (mode == "64bit")
{
return(CapstoneDisassembler.CreateX86Disassembler(X86DisassembleMode.Bit64));
}
return(null);
}
public Arm64Instruction[] DisasmArm64(byte[] bytes)
{
const Arm64DisassembleMode disassembleMode = Arm64DisassembleMode.Arm;
using (CapstoneArm64Disassembler disassembler = CapstoneDisassembler.CreateArm64Disassembler(disassembleMode))
{
disassembler.EnableInstructionDetails = true;
disassembler.DisassembleSyntax = DisassembleSyntax.Intel;
Arm64Instruction[] instructions = disassembler.Disassemble(bytes);
return(instructions);
}
}
/// <summary>
/// Build an Instruction Detail.
/// </summary>
/// <param name="disassembler">
/// A disassembler.
/// </param>
/// <param name="hInstruction">
/// An instruction handle.
/// </param>
internal override void Build(CapstoneDisassembler disassembler, NativeInstructionHandle hInstruction)
{
// ...
//
// Throws an exception if the operation fails.
base.Build(disassembler, hInstruction);
var nativeInstructionDetail = NativeCapstone.GetInstructionDetail <NativePowerPcInstructionDetail>(hInstruction).GetValueOrDefault();
this.BranchCode = nativeInstructionDetail.BranchCode;
this.BranchHint = nativeInstructionDetail.BranchHint;
this.Operands = PowerPcOperand.Create(disassembler, ref nativeInstructionDetail);
this.UpdateCr0 = nativeInstructionDetail.UpdateCr0;
}
/// <summary>
/// Build an Instruction Detail.
/// </summary>
/// <param name="disassembler">
/// A disassembler.
/// </param>
/// <param name="hInstruction">
/// An instruction handle.
/// </param>
internal override void Build(CapstoneDisassembler disassembler, NativeInstructionHandle hInstruction)
{
// ...
//
// Throws an exception if the operation fails.
base.Build(disassembler, hInstruction);
var nativeInstruction = NativeCapstone.GetInstruction(hInstruction);
var nativeInstructionDetail = NativeCapstone.GetInstructionDetail <NativeArm64InstructionDetail>(hInstruction).GetValueOrDefault();
this.ConditionCode = nativeInstructionDetail.ConditionCode;
this.Operands = Arm64Operand.Create(disassembler, (Arm64InstructionId)nativeInstruction.Id, ref nativeInstructionDetail);
this.UpdateFlags = nativeInstructionDetail.UpdateFlags;
this.WriteBack = nativeInstructionDetail.WriteBack;
}
/// <summary>
/// Create an M68K Memory Operand Value.
/// </summary>
/// <param name="disassembler">
/// A disassembler.
/// </param>
/// <param name="nativeMemoryOperandValue">
/// A native M68K memory operand value.
/// </param>
internal M68KMemoryOperandValue(CapstoneDisassembler disassembler, ref NativeM68KMemoryOperandValue nativeMemoryOperandValue)
{
this.Base = M68KRegister.TryCreate(disassembler, nativeMemoryOperandValue.Base);
this.BitField = nativeMemoryOperandValue.BitField;
this.Displacement = nativeMemoryOperandValue.Displacement;
this.Index = M68KRegister.TryCreate(disassembler, nativeMemoryOperandValue.Index);
this.IndexSize = nativeMemoryOperandValue.IndexSize;
this.IndirectBase = M68KRegister.TryCreate(disassembler, nativeMemoryOperandValue.IndirectBase);
this.IndirectDisplacement = nativeMemoryOperandValue.IndirectDisplacement;
this.Offset = nativeMemoryOperandValue.Offset;
this.OutDisplacement = nativeMemoryOperandValue.OutDisplacement;
this.Scale = nativeMemoryOperandValue.Scale;
this.Width = nativeMemoryOperandValue.Width;
}
/// <summary>
/// Create a PowerPC Register.
/// </summary>
/// <param name="disassembler">
/// A disassembler.
/// </param>
/// <param name="id">
/// The register's unique identifier.
/// </param>
/// <returns>
/// A PowerPC register. A null reference if the register's unique identifier is equal to
/// <see cref="PowerPcRegisterId.Invalid" />.
/// </returns>
/// <exception cref="System.ObjectDisposedException">
/// Thrown if the disassembler is disposed.
/// </exception>
internal static PowerPcRegister TryCreate(CapstoneDisassembler disassembler, PowerPcRegisterId id)
{
PowerPcRegister @object = null;
if (id != PowerPcRegisterId.Invalid)
{
// ...
//
// Throws an exception if the operation fails.
var name = NativeCapstone.GetRegisterName(disassembler.Handle, (int)id);
@object = new PowerPcRegister(id, name);
}
return(@object);
}
/// <summary>
/// Build an Instruction Detail.
/// </summary>
/// <param name="disassembler">
/// A disassembler.
/// </param>
/// <param name="hInstruction">
/// An instruction handle.
/// </param>
internal override void Build(CapstoneDisassembler disassembler, NativeInstructionHandle hInstruction)
{
// ...
//
// Throws an exception if the operation fails.
base.Build(disassembler, hInstruction);
var nativeInstructionDetail = NativeCapstone.GetInstructionDetail <NativeArmInstructionDetail>(hInstruction).GetValueOrDefault();
this.ConditionCode = nativeInstructionDetail.ConditionCode;
this.CpsFlag = nativeInstructionDetail.CpsFlag;
this.CpsMode = nativeInstructionDetail.CpsMode;
this.IsUserMode = nativeInstructionDetail.IsUserMode;
this.MemoryBarrierOperation = nativeInstructionDetail.MemoryBarrierOperation;
this.Operands = ArmOperand.Create(disassembler, ref nativeInstructionDetail);
this.UpdateFlags = nativeInstructionDetail.UpdateFlags;
this.VectorDataType = nativeInstructionDetail.VectorDataType;
this.VectorSize = nativeInstructionDetail.VectorSize;
this.WriteBack = nativeInstructionDetail.WriteBack;
}
private static void RunTest(Byte[] code, Int64 address)
{
try
{
using (var u = new Unicorn(Common.UC_ARCH_X86, Common.UC_MODE_32))
using (var disassembler = CapstoneDisassembler.CreateX86Disassembler(DisassembleMode.Bit32))
{
Console.WriteLine("Unicorn version: {0}", u.Version());
// map 2MB of memory for this emulation
u.MemMap(address, 2 * 1024 * 1024, Common.UC_PROT_ALL);
// write machine code to be emulated to memory
u.MemWrite(address, code);
// initialize machine registers
u.RegWrite(X86.UC_X86_REG_ESP, Utils.Int64ToBytes(address + 0x200000));
var regv = new Byte[4];
u.RegRead(X86.UC_X86_REG_ESP, regv);
// tracing all instructions by having @begin > @end
u.AddCodeHook((uc, addr, size, userData) => CodeHookCallback(disassembler, uc, addr, size, userData), 1, 0);
// handle interrupt ourself
u.AddInterruptHook(InterruptHookCallback);
// handle SYSCALL
u.AddSyscallHook(SyscallHookCallback);
Console.WriteLine(">>> Start tracing code");
// emulate machine code in infinite time
u.EmuStart(address, address + code.Length, 0u, 0u);
Console.WriteLine(">>> Emulation Done!");
}
}
catch (UnicornEngineException ex)
{
Console.Error.WriteLine("Emulation FAILED! " + ex.Message);
}
}
/// <summary>
/// Initializes a new instance of the <see cref="CapstoneDisassembly"/> class.
/// </summary>
public CapstoneDisassembly() : base(null)
{
this.Caption = "Capstone Disassembly";
// This is the user control hosted by the tool window; Note that, even if this class implements IDisposable,
// we are not calling Dispose on this object. This is because ToolWindowPane calls Dispose on
// the object returned by the Content property.
_disassemblyControl = new CapstoneDisassemblyControl();
this.Content = _disassemblyControl;
_debugListener = new CapstoneDisassemblyDebugListener();
_debugListener.OnBreak += OnDebugBreak;
_debugListener.OnDebugEnd += OnDebugEnd;
// TODO config
_disassembler = CapstoneDisassembler.CreateArm64Disassembler(Gee.External.Capstone.DisassembleMode.Arm32);
_disassembler.EnableDetails = true;
_disassembler.Syntax = Gee.External.Capstone.DisassembleSyntaxOptionValue.Intel;
}
private static void CodeHookCallback(
CapstoneDisassembler<X86Instruction, X86Register, X86InstructionGroup, X86InstructionDetail> disassembler,
Unicorn u,
Int64 addr,
Int32 size,
Object userData)
{
Console.Write("[+] 0x{0}: ", addr.ToString("X"));
var eipBuffer = new Byte[4];
u.RegRead(X86.UC_X86_REG_EIP, eipBuffer);
var effectiveSize = Math.Min(16, size);
var tmp = new Byte[effectiveSize];
u.MemRead(addr, tmp);
var sb = new StringBuilder();
foreach (var t in tmp)
{
sb.AppendFormat("{0} ", (0xFF & t).ToString("X"));
}
Console.Write("{0,-20}", sb);
Console.WriteLine(Utils.Disassemble(disassembler, tmp));
}
public void Setup()
{
this.disassembler = CapstoneDisassembler.CreateArmDisassembler(DisassembleMode.ArmThumb);
}
