public static int[] GetAddressMaskLocs(ref byte[] bytes, uint[] rva) // Returns: list of address byte locations
{
if (rva.Length < 3)
{
return new int[] { }
}
;
UnmanagedBuffer buffer = new UnmanagedBuffer(ref bytes);
BeaEngine._Disasm disasm = new BeaEngine._Disasm();
ulong begin = (ulong)buffer.Ptr.ToInt64();
ulong end = begin + (ulong)(rva[1] + rva[2]);
disasm.InstructionPointer = (UIntPtr)(begin + rva[1]); // We start from section start, rather than entry point
int result, off, n;
List <int> locs = new List <int>();
while (disasm.InstructionPointer.ToUInt64() < end)
{
result = BeaEngine.Disassemble(ref disasm, true);
if (result == BeaEngine.UnknownOpcode) // This is not good practice, but not sure, what else I can do
{
Console.WriteLine("UnknownOpcode (" + bytes[(int)(disasm.InstructionPointer.ToUInt64() - begin)].ToString("X2") + ") at: " + (disasm.InstructionPointer.ToUInt64() - begin).ToString() + " skipping 1 byte.");
result = 1;
}
if (result == BeaEngine.OutOfBlock)
{
break;
}
//if (result < 5) // Does not contain address
if (result > 4) // Mask addresses
{
off = result % 4;
n = result - off;
off += (int)(disasm.InstructionPointer.ToUInt64() - begin);
for (int i = 0; i < n; i++)
{
locs.Add(off + i);
}
}
disasm.InstructionPointer = (UIntPtr)(disasm.InstructionPointer.ToUInt64() + (ulong)result);
}
return(locs.ToArray());
}
}
public static IEnumerable <_Disasm> Disassemble(byte[] data, UIntPtr address, Architecture architecture)
{
GCHandle h = GCHandle.Alloc(data, GCHandleType.Pinned);
UInt64 EndCodeSection = (UInt64)h.AddrOfPinnedObject().ToInt64() + (ulong)data.Length;
_Disasm d = new _Disasm();
d.InstructionPointer = (UIntPtr)h.AddrOfPinnedObject().ToInt64();
d.VirtualAddr = address.ToUInt64();
d.Architecture = architecture;
bool error = false;
while (!error)
{
d.SecurityBlock = (uint)(EndCodeSection - d.InstructionPointer.ToUInt64());
d.Length = BeaEngine.Disassemble(ref d);
if (d.Length == BeaEngine.OutOfBlock)
{
Console.WriteLine("disasm engine is not allowed to read more memory.");
error = true;
}
else if (d.Length == BeaEngine.UnknownOpcode)
{
_Disasm yieldedInst = d;
d.InstructionPointer = d.InstructionPointer + 1;
d.VirtualAddr = d.VirtualAddr + 1;
yield return(yieldedInst);
}
else
{
_Disasm yieldedInst = d;
d.InstructionPointer = d.InstructionPointer + d.Length;
d.VirtualAddr = d.VirtualAddr + (ulong)d.Length;
if (d.InstructionPointer.ToUInt64() >= EndCodeSection)
{
error = true;
}
yield return(yieldedInst);
}
}
yield break;
}
public static IEnumerable <_Disasm> Disassemble(byte[] data, IntPtr address, Architecture architecture)
{
return(BeaEngine.Disassemble(data, new UIntPtr((ulong)address.ToInt64()), architecture));
}
public static IEnumerable <_Disasm> Disassemble(byte[] data, ulong address, Architecture architecture)
{
return(BeaEngine.Disassemble(data, new UIntPtr(address), architecture));
}
