{"id":6314,"date":"2022-01-15T17:43:06","date_gmt":"2022-01-15T09:43:06","guid":{"rendered":"https:\/\/www.wangonc.com\/?p=6314"},"modified":"2024-03-01T14:30:40","modified_gmt":"2024-03-01T06:30:40","slug":"capstone","status":"publish","type":"post","link":"https:\/\/www.wangonc.com\/index.php\/2022\/01\/15\/capstone\/","title":{"rendered":"capstone"},"content":{"rendered":"<p><strong>Capstone official site<\/strong><\/p>\n<p><a href=\"http:\/\/www.capstone-engine.org\/\">The Ultimate Disassembly Framework<\/a><\/p>\n<p><strong>Official tutorial (Python)<\/strong><\/p>\n<p><a href=\"http:\/\/www.capstone-engine.org\/lang_python.html\">Programming with Python language<\/a><\/p>\n<p>Official tutorial (C)<\/p>\n<p><a href=\"http:\/\/www.capstone-engine.org\/lang_c.html\">Programming with C language<\/a><\/p>\n<p>Official tutorial (Java)<\/p>\n<p><a href=\"http:\/\/www.capstone-engine.org\/lang_java.html\">Programming with Java language<\/a><\/p>\n<p>Capstone is a disassembly tool: it translates machine code bytes into assembly instructions.<\/p>\n<p>Example usage under Python is shown below (using arm64 assembly as the example).<\/p>\n<pre><code class=\"language-python\">from capstone import *\n\ncode = b&#039;\\x01\\x10\\xa0\\xe3\\x02 \\xa0\\xe3\\x010B\\xe0&#039;\nCS = Cs(CS_ARCH_ARM, CS_MODE_LITTLE_ENDIAN)\na = CS.disasm(code, 0)\n\nfor i in a:\n    print(i.mnemonic, i.op_str)\n\n# Output:\n# mov r1, #1\n# mov r2, #2\n# sub r3, r2, r1<\/code><\/pre>\n<p>In the code above, <code>code<\/code> is the bytes object holding the machine code to be disassembled.<\/p>\n<p><code>CS = Cs(CS_ARCH_ARM, CS_MODE_LITTLE_ENDIAN)<\/code> 
initializes the Capstone class; its arguments are the <strong>hardware architecture and the hardware mode<\/strong>.<\/p>\n<p><code>a = CS.disasm(code, 0)<\/code> translates the bytes into assembly instructions; its arguments are the <strong>bytes to disassemble and the offset (address) of the code<\/strong>.<\/p>\n<p>Its function prototype is <code>disasm(code, offset, count=0)<\/code>.<\/p>\n<p><strong>code<\/strong>: the bytes to disassemble<\/p>\n<p><strong>offset<\/strong>: the offset of the code<\/p>\n<p><strong>count<\/strong>: number of instructions (no official explanation found)<\/p>\n<p>It returns <strong><code>CsInsn<\/code><\/strong> objects, which can be iterated over; some of their attributes are listed below.<\/p>\n<pre><code class=\"language-python\">CsInsn.id        # instruction id\nCsInsn.address   # address of the instruction\nCsInsn.op_str    # operand string of the instruction\nCsInsn.mnemonic  # mnemonic of the instruction\nCsInsn.size      # size of the instruction in bytes\nCsInsn.bytes     # raw bytes of the instruction, size bytes long<\/code><\/pre>\n<p>In addition, the <code>disasm_lite<\/code> function can also be used for disassembly. It is used the same way as <code>disasm<\/code>, but instead of returning <strong><code>CsInsn<\/code><\/strong> objects it returns tuples containing only <strong>address, size, mnemonic and op_str<\/strong>, and it runs roughly 30% faster than <code>disasm<\/code>. 
It is used as follows.<\/p>\n<pre><code class=\"language-python\">from capstone import *\n\ncode = b&#039;\\x01\\x10\\xa0\\xe3\\x02 \\xa0\\xe3\\x010B\\xe0&#039;\nCS = Cs(CS_ARCH_ARM, CS_MODE_LITTLE_ENDIAN)\n\nfor (address, size, mnemonic, op_str) in Cs.disasm_lite(CS, code, 0x40000000):\n    print(hex(address), mnemonic, op_str)\n\n# Output:\n# 0x40000000 mov r1, #1\n# 0x40000004 mov r2, #2\n# 0x40000008 sub r3, r2, r1<\/code><\/pre>\n<p>or<\/p>\n<pre><code class=\"language-python\">from capstone import *\n\ncode = b&#039;\\x01\\x10\\xa0\\xe3\\x02 \\xa0\\xe3\\x010B\\xe0&#039;\nCS = Cs(CS_ARCH_ARM, CS_MODE_LITTLE_ENDIAN)\na = CS.disasm_lite(code, 0x40000000)\n\nfor (address, size, mnemonic, op_str) in a:\n    print(hex(address), mnemonic, op_str)\n\n# Output:\n# 0x40000000 mov r1, #1\n# 0x40000004 mov r2, #2\n# 0x40000008 sub r3, r2, r1<\/code><\/pre>\n<p>If an instruction set with a different syntax is needed, it is specified as follows (using the x86 instruction set with AT&amp;T syntax as the example).<\/p>\n<pre><code class=\"language-python\">cs = Cs(CS_ARCH_X86, CS_MODE_32)\ncs.syntax = CS_OPT_SYNTAX_ATT<\/code><\/pre>\n<p>If the decoding mode needs to be switched dynamically at runtime, the following form can be used.<\/p>\n<pre><code class=\"language-python\">md = Cs(CS_ARCH_ARM, CS_MODE_ARM) # start in ARM mode\n# ....\n\nmd.mode = CS_MODE_THUMB # switch to Thumb mode\n# ....\n\nmd.mode = CS_MODE_ARM # switch back to ARM mode\n# ....<\/code><\/pre>\n<p>For more on using <strong>detail mode<\/strong>, see the official tutorial pages.<\/p>\n<hr 
\/>\n<p>The supported architectures and their corresponding modes are as follows (taken from keystone).<\/p>\n<p><a href=\"https:\/\/www.wangonc.com\/wp-content\/uploads\/2021\/12\/Untitled-8.png\">[image: Untitled-8.png, table of supported architectures and modes]<\/a><\/p>\n<p>The modes that can be combined are as follows.<\/p>\n<p><a href=\"https:\/\/www.wangonc.com\/wp-content\/uploads\/2021\/12\/Untitled-1-2.png\">[image: Untitled-1-2.png, table of combinable modes]<\/a><\/p>\n<p>To combine modes, join them with +; for example, the following disassembles MIPS64 code in little-endian mode: <code>Cs(CS_ARCH_MIPS, CS_MODE_MIPS64 + 
CS_MODE_LITTLE_ENDIAN)<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Capstone official site The Ultimate Disassembly Framework Official tutorial (pyth [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":6393,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,2,8],"tags":[13],"series":[],"class_list":["post-6314","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-so-reverse-engineering","category-study-notes","category-android-reverse-engineering","tag-capstone"],"_links":{"self":[{"href":"https:\/\/www.wangonc.com\/index.php\/wp-json\/wp\/v2\/posts\/6314","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wangonc.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wangonc.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wangonc.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wangonc.com\/index.php\/wp-json\/wp\/v2\/comments?post=6314"}],"version-history":[{"count":5,"href":"https:\/\/www.wangonc.com\/index.php\/wp-json\/wp\/v2\/posts\/6314\/revisions"}],"predecessor-version":[{"id":7371,"href":"https:\/\/www.wangonc.com\/index.php\/wp-json\/wp\/v2\/posts\/6314\/revisions\/7371"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wangonc.com\/index.php\/wp-json\/wp\/v2\/media\/6393"}],"wp:attachment":[{"href":"https:\/\/www.wangonc.com\/index.php\/wp-json\/wp\/v2\/media?parent=6314"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wangonc.com\/index.php\/wp-json\/wp\/v2\/categories?post=6314"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wangonc.com\/index.php\/wp-json\/wp\/v2\/tags?post=6314"},{"taxonomy":"series","embeddable":true,"href":"https:\/\/www.wangonc.com\/index.php\/wp-json\/wp\/v2\/series?post=6314
"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}