Can I get a byte array from any code?
I need a disassemble code that has been converted to a kind of byte.
Can I get a byte array from any code?
Examples of code are as follows:
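```c
#include <stdio.h>

void ThisFunction() {
    int a = 1+2+3;
    printf("%d", a);
    return;
}

int main (int argc, char* argv[]) {
    /* GetByteCode is the function being asked for; it does not exist yet. */
    GetByteCode(&ThisFunction);
}
```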
Through the Visual Studio Disassembly, I can get the asm code and bytes as below. But I have to get it through my program.
```
009C2490 55 push ebp
009C2491 8B EC mov ebp,esp
009C2493 81 EC CC 00 00 00 sub esp,0CCh
009C2499 53 push ebx
009C249A 56 push esi
009C249B 57 push edi
009C249C 8D BD 34 FF FF FF lea edi,[ebp-0CCh]
009C24A2 B9 33 00 00 00 mov ecx,33h
009C24A7 B8 CC CC CC CC mov eax,0CCCCCCCCh
009C24AC F3 AB rep stos dword ptr es:[edi]
009C24AE B9 29 E0 9C 00 mov ecx,offset _2258097C_ConsoleApplication1@cpp (09CE029h)
009C24B3 E8 CC EE FF FF call @__CheckForDebuggerJustMyCode@4 (09C1384h)
int a = 1 + 2 + 3;
009C24B8 C7 45 F8 06 00 00 00 mov dword ptr [a],6
printf("%d", a);
009C24BF 8B 45 F8 mov eax,dword ptr [a]
009C24C2 50 push eax
009C24C3 68 30 9B 9C 00 push offset string "%d" (09C9B30h)
009C24C8 E8 28 EC FF FF call _printf (09C10F5h)
009C24CD 83 C4 08 add esp,8
return;
```
Is it possible?
If you already have a filled in cs_insn struct, getting the underlying bytes is trivial. See the printf in cstool.c that uses insn[i].bytes[j] for an example.
The tricky part is getting to the bytes you want to disassemble within the executable.
cstool.c seems to print the hex to asm code. I want to convert the function into HEX values. Is it possible?
```
//x64 asm -> hex
55
8B EC
81 EC CC 00 00 00
53
56
57
8D BD 34 FF FF FF
B9 33 00 00 00
B8 CC CC CC CC
F3 AB
B9 29 E0 9C 00
E8 CC EE FF FF
C7 45 F8 06 00 00 00
8B 45 F8
50
68 30 9B 9C 00
E8 28 EC FF FF
83 C4 08
```
If you mean starting from the text of assembly such as the string:
```
call eax
```
and getting the hex for it... no. Capstone is a disassembler, what you need to go that direction is an assembler. Or do I misunderstand your question?
EDIT:
There is a roundabout way to get this. Assuming the text string "call eax" is correct assembly for part of the executable, then you could:
- Find where in the executable that instruction lives
- Disassemble those bytes with Capstone
- Access the raw bytes and print them as hex
But I do not think this is what you were asking?
Stupid idiot ... I was looking for an assembler. Thank you.
No problem! Good luck with your project!
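
Added example, not part of the thread and not Capstone code: the Visual Studio listing in the question already carries the bytes next to each instruction, so a small C parser can pull that byte column out into an array. It assumes the 8-digit address format shown in the listing; `listing_to_bytes`, `hex_token` and `SAMPLE` are names made up for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: lines copied from the listing in the question. */
static const char SAMPLE[] =
    "009C2490 55 push ebp\n"
    "009C2491 8B EC mov ebp,esp\n"
    "int a = 1 + 2 + 3;\n"   /* interleaved source line, must be skipped */
    "009C24B8 C7 45 F8 06 00 00 00 mov dword ptr [a],6\n"
    "009C24CD 83 C4 08 add esp,8\n";

/* True when s starts with exactly n hex digits followed by blank or EOL. */
static int hex_token(const char *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)s[i])) return 0;
    return s[n] == ' ' || s[n] == '\t' || s[n] == '\n' || s[n] == '\0';
}

/* Copies the byte column into out; returns the count, (size_t)-1 if full. */
size_t listing_to_bytes(const char *text, unsigned char *out, size_t cap) {
    size_t n = 0;
    while (*text) {
        const char *p = text;
        if (hex_token(p, 8)) {                 /* 32-bit address column */
            p += 8;
            for (;;) {
                while (*p == ' ' || *p == '\t') p++;
                if (!hex_token(p, 2)) break;   /* reached the mnemonic */
                if (n == cap) return (size_t)-1;
                out[n++] = (unsigned char)strtoul(p, NULL, 16);
                p += 2;
            }
        }
        text = strchr(text, '\n');             /* move to the next line */
        if (!text) break;
        text++;
    }
    return n;
}

int main(void) {
    unsigned char buf[64];
    size_t n = listing_to_bytes(SAMPLE, buf, sizeof buf);
    for (size_t i = 0; n != (size_t)-1 && i < n; i++) printf("%02X ", buf[i]);
    putchar('\n');
    return n == (size_t)-1;
}
```

Lines that do not start with an address, such as the interleaved C source, are ignored, so the whole Disassembly view can be pasted in unchanged.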