Recently I have been looking into disassembly engines and came across the Capstone disassembler via Google; it is said that even IDA uses Capstone's engine, so I am writing down some notes.
Capstone official website: http://www.capstone-engine.org/
GitHub source download: https://github.com/aquynh/capstone
In terms of architecture coverage Capstone is very rich. Multi-architectures: Arm, Arm64 (Armv8), BPF, Ethereum Virtual Machine, M68K, M680X, Mips, MOS65XX, PowerPC, RISCV, Sparc, SystemZ, TMS320C64X, Web Assembly, XCore & X86 (include X86_64)

1. The decoding speed measured in practice is not very fast (the reason is that printf dumps the information straight to the terminal; with printf removed and the output written directly to a file, a 14 MB bin file loaded in memory takes about 5 s, which is even faster than intel-xed);
2. It needs dynamic memory: judging from the code, a buffer as large as the input file has to be allocated, plus memory for the disasm buffer;
3. The code architecture is fairly complex, so the cost of modifying it is rather high;

After downloading the source:

//unzip the archive
curtis@curtis-virtual-machine:~/Desktop$ unzip capstone-master.zip

//build
curtis@curtis-virtual-machine:~/Desktop/capstone-master$ ./make.sh
.........omitted..........
make[1]: Leaving directory `/home/curtis/Desktop/capstone-master/tests'
make -C suite/fuzz
make[1]: Entering directory `/home/curtis/Desktop/capstone-master/suite/fuzz'
  CC      fuzz_disasm.o
  CC      drivermc.o
  CC      driverbin.o
  LINK    fuzz_disasm
  LINK    fuzz_bindisasm
make[1]: Leaving directory `/home/curtis/Desktop/capstone-master/suite/fuzz'
install -m0755 ./libcapstone.so.5 ./tests/
cd ./tests/ && rm -f libcapstone.so && ln -s libcapstone.so.5 libcapstone.so

//install the engine: create the directories, install the libraries, and install the cstool tool
curtis@curtis-virtual-machine:~/Desktop/capstone-master$ sudo ./make.sh install
mkdir -p /usr/lib
install -m0755 ./libcapstone.so.5 /usr/lib
cd /usr/lib && rm -f libcapstone.so && ln -s libcapstone.so.5 libcapstone.so
install -m0644 ./libcapstone.a /usr/lib
mkdir -p /usr/include/capstone
install -m0644 include/capstone/*.h /usr/include/capstone
mkdir -p /usr/lib/pkgconfig
install -m0644 ./capstone.pc /usr/lib/pkgconfig
mkdir -p /usr/bin
install -m0755 cstool/cstool /usr/bin

//size of the capstone .so and .a libraries
curtis@curtis-virtual-machine:/usr/lib$ ls -alh | grep capstone
-rw-r--r--   1 root root     5.7M 10月 26 17:57 libcapstone.a
lrwxrwxrwx   1 root root       16 10月 26 17:57 libcapstone.so -> libcapstone.so.5
-rwxr-xr-x   1 root root     4.4M 10月 26 17:57 libcapstone.so.5

//size of the output file ins.asm
curtis@curtis-virtual-machine:~/Desktop$ ls -alh | grep ins.asm
-rwxr-xr-x  1 curtis curtis 395M 10月 28 10:40 ins.asm

//uninstall capstone
curtis@curtis-virtual-machine:~/Desktop/capstone-master$ sudo ./make.sh uninstall
[sudo] password for curtis: 
rm -rf /usr/include/capstone
rm -f /usr/lib/libcapstone.*
rm -f /usr/lib/pkgconfig/capstone.pc
rm -f /usr/bin/cstool

First, how the cstool tool is used:

curtis@curtis-virtual-machine:~/Desktop/capstone-master$ cstool
Cstool for Capstone Disassembler Engine v5.0.0

Syntax: cstool [-u|-d|-s|-v] <arch+mode> <assembly-hexstring> [start-address-in-hex-format]

The following <arch+mode> options are supported:
        x16         16-bit mode (X86)
        x32         32-bit mode (X86)
        x64         64-bit mode (X86)
        x16att      16-bit mode (X86), syntax AT&T
        x32att      32-bit mode (X86), syntax AT&T
        x64att      64-bit mode (X86), syntax AT&T
        arm         arm
        armbe       arm + big endian
        thumb       thumb mode
        thumbbe     thumb + big endian
        cortexm     thumb + cortex-m extensions
        arm64       aarch64 mode
        arm64be     aarch64 + big endian
        mips        mips32 + little endian
        mipsbe      mips32 + big endian
        mips64      mips64 + little endian
        mips64be    mips64 + big endian
        ppc64       ppc64 + little endian
        ppc64be     ppc64 + big endian
        sparc       sparc
        systemz     systemz (s390x)
        xcore       xcore
        m68k        m68k + big endian
        m68k40      m68k_040
        tms320c64x  TMS320C64x
        m6800       M6800/2
        m6801       M6801/3
        m6805       M6805
        m6808       M68HC08
        m6809       M6809
        m6811       M68HC11
        cpu12       M68HC12/HCS12
        hd6301      HD6301/3
        hd6309      HD6309
        hcs08       HCS08
        evm         Ethereum Virtual Machine
        mos65xx     MOS65XX family

Extra options:
        -d show detailed information of the instructions
        -u show immediates as unsigned
        -s decode in SKIPDATA mode
        -v show version & Capstone core build info

Now the concrete example from the README:

$cstool x32 "90 91"

That is, after choosing the cstool parameters, enter the encoding to be disassembled.

//For example, to see the assembly that this x86_64 encoding corresponds to:
488d 2551 3f60 01e8 d400 0000 488d 3ded ffff ff56 e8d7 0100 005e 4805 0060 f203 eb20 0f1f 4000 662e 0f1f 8400 0000 0000 e8ab 0000 0056 e8c5 1f00 005e 4805 00a0
curtis@curtis-virtual-machine:~/Desktop/capstone-master/cstool$ cstool -u x64 "488d 2551 3f60 01e8 d400 0000 488d 3ded ffff ff56 e8d7 0100 005e 4805 0060 f203 eb20 0f1f 4000 662e 0f1f 8400 0000 0000 e8ab 0000 0056 e8c5 1f00 005e 4805 00a0"
 0  48 8d 25 51 3f 60 01                             lea	rsp, [rip + 0x1603f51]
 7  e8 d4 00 00 00                                   call	0xe0
 c  48 8d 3d ed ff ff ff                             lea	rdi, [rip - 0x13]
13  56                                               push	rsi
14  e8 d7 01 00 00                                   call	0x1f0
19  5e                                               pop	rsi
1a  48 05 00 60 f2 03                                add	rax, 0x3f26000
20  eb 20                                            jmp	0x42
22  0f 1f 40 00                                      nop	dword ptr [rax]
26  66 2e 0f 1f 84 00 00 00 00 00                    nop	word ptr cs:[rax + rax]
30  e8 ab 00 00 00                                   call	0xe0
35  56                                               push	rsi
36  e8 c5 1f 00 00                                   call	0x2000
3b  5e                                               pop	rsi
//the assembly was disassembled successfully

Disassembling the same encoding with intel-xed:

curtis@curtis-virtual-machine:~/Desktop$ cat 11.txt | head -n 14
XDIS 0: MISC      BASE       488D25513F6001           lea rsp, ptr [rip+0x1603f51]
XDIS 7: CALL      BASE       E8D4000000               call 0xe0
XDIS c: MISC      BASE       488D3DEDFFFFFF           lea rdi, ptr [rip-0x13]
XDIS 13: PUSH      BASE       56                       push rsi
XDIS 14: CALL      BASE       E8D7010000               call 0x1f0
XDIS 19: POP       BASE       5E                       pop rsi
XDIS 1a: BINARY    BASE       48050060F203             add rax, 0x3f26000
XDIS 20: UNCOND_BR BASE       EB20                     jmp 0x42
XDIS 22: WIDENOP   BASE       0F1F4000                 nop dword ptr [rax], eax
XDIS 26: WIDENOP   BASE       662E0F1F840000000000     nop word ptr [rax+rax*1], ax
XDIS 30: CALL      BASE       E8AB000000               call 0xe0
XDIS 35: PUSH      BASE       56                       push rsi
XDIS 36: CALL      BASE       E8C51F0000               call 0x2000
XDIS 3b: POP       BASE       5E                       pop rsi

1. I plan to add two features: change the code argument to a file path, so that disassembling only requires passing the path of the file;
2. Add an output argument that writes the disassembled code to a file;
3. Add an argument that takes only a memory address and prints the 10 assembly instructions before and after that address;

Feature one has been implemented; the code will not be published, but the result is as follows:

curtis@curtis-virtual-machine:~/Desktop/capstone-master/cstool$ ./cstool -u x64 "/home/curtis/Desktop/ins.txt"
 0  0f 1f 44 00 00                                   nop	dword ptr [rax + rax]
 5  55                                               push	rbp
 6  48 89 e5                                         mov	rbp, rsp
 9  5d                                               pop	rbp
 a  c3                                               ret	
 b  0f 1f 44 00 00                                   nop	dword ptr [rax + rax]

Feature two has been implemented; the code will not be published, but the result is as follows:

//command
curtis@curtis-virtual-machine:~/Desktop/capstone-master/cstool$ ./cstool -u x64 "/home/curtis/Desktop/ins.txt" -o "/home/curtis/Desktop/ins.asm"
//result: the content was written to the file successfully
curtis@curtis-virtual-machine:~/Desktop/capstone-master/cstool$ cat /home/curtis/Desktop/ins.asm 
0x 0   48 8d 25 51 3f 60 01                           lea	rsp, [rip + 0x1603f51]
0x 7   e8 d4 00 00 00                                 call	0xe0
0x c   48 8d 3d ed ff ff ff                           lea	rdi, [rip - 0x13]
0x13   56                                             push	rsi
0x14   e8 d7 01 00 00                                 call	0x1f0
0x19   5e                                             pop	rsi
0x1a   48 05 00 60 b2 1e                              add	rax, 0x1eb26000
0x20   eb 20                                          jmp	0x42
0x22   0f 1f 40 00                                    nop	dword ptr [rax]

While implementing this feature I found that with the -u option the code has fixed the value of count to 312 (seen by adding log prints), so if the input you pass in contains more than 312 assembly instructions, the remainder is not disassembled. After studying the Capstone code more carefully, we should use the -s option for disassembly:

curtis@curtis-virtual-machine:~/Desktop/capstone-master/cstool$ ./cstool -s x64 "/home/curtis/Desktop/ins.txt"
0x 0   48 8d 25 51 3f 60 01                           lea	rsp, [rip + 0x1603f51]
0x 7   e8 d4 00 00 00                                 call	0xe0
0x c   48 8d 3d ed ff ff ff                           lea	rdi, [rip - 0x13]
0x13   56                                             push	rsi
0x14   e8 d7 01 00 00                                 call	0x1f0
0x19   5e                                             pop	rsi
0x1a   48 05 00 60 b2 1e                              add	rax, 0x1eb26000
0x20   eb 20                                          jmp	0x42
0x22   0f 1f 40 00                                    nop	dword ptr [rax]
.......omitted.........
0x447b4  e8 27 2d 03 00                               call	0x774e0
0x447b9  66 90                                        nop	
0x447bb  41 83 fc 02                                  cmp	r12d, 2
0x447bf  0f 8e 6f ff ff ff                            jle	0x44734
0x447c5  48 8d 7b 18                                  lea	rdi, [rbx + 0x18]
0x447c9  e8 d2 fd ff ff                               call	0x445a0
0x447ce  e9 61 ff ff ff                               jmp	0x44734
0x447d3  48 8b 05 12 e1 7f 01                         mov	rax, qword ptr [rip + 0x17fe112]
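The three planned features and the -s point, as an added example using Capstone's official Python binding (this is not code from the post or from the Capstone project). It assumes `pip install capstone`; the file paths and the helper names are mine. SKIPDATA is enabled so that a truncated or non-code byte run, such as the last four bytes of the post's own hex string, becomes a `.byte` line instead of silently ending the listing.

```python
import re

try:
    from capstone import Cs, CS_ARCH_X86, CS_MODE_64
except ImportError:           # the hex parsing below still works without the binding
    Cs = None

# Constructed sample: the same x86-64 byte string the post feeds to cstool.
# It is 64 bytes; the last four (48 05 00 a0) are a truncated instruction.
SAMPLE_HEX = ("488d 2551 3f60 01e8 d400 0000 488d 3ded ffff ff56 e8d7 0100 005e "
              "4805 0060 f203 eb20 0f1f 4000 662e 0f1f 8400 0000 0000 e8ab 0000 "
              "0056 e8c5 1f00 005e 4805 00a0")


def hex_text_to_bytes(text):
    """Parse cstool-style hex text (spaces, newlines and 0x prefixes allowed)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", re.sub(r"\b0[xX]", "", text))
    if len(digits) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(digits)


def _engine():
    if Cs is None:
        raise RuntimeError("the capstone binding is not installed")
    md = Cs(CS_ARCH_X86, CS_MODE_64)
    md.skipdata = True   # like cstool -s: undecodable bytes become ".byte" lines, the sweep goes on
    return md


def disasm_lines(code, base=0):
    """Listing in the post's column layout: address, bytes, mnemonic, operands."""
    return ["0x%x\t%s\t%s\t%s" % (i.address, i.bytes.hex(" "), i.mnemonic, i.op_str)
            for i in _engine().disasm(code, base)]


def disasm_file(in_path, out_path=None, base=0):
    """Features 1 and 2: read hex text from in_path; write the listing to out_path if given."""
    with open(in_path) as f:
        lines = disasm_lines(hex_text_to_bytes(f.read()), base)
    if out_path is not None:
        with open(out_path, "w") as f:
            f.write("\n".join(lines) + "\n")
    return lines


def window_around(code, addr, base=0, n=10):
    """Feature 3: the n instructions before and after addr. Boundaries come from a
    linear sweep starting at base, so addr must land on one; an address inside an
    instruction (or inside skipped data) raises instead of guessing."""
    insns = list(_engine().disasm(code, base))
    idx = next((k for k, i in enumerate(insns) if i.address == addr), None)
    if idx is None:
        raise ValueError("0x%x is not an instruction boundary" % addr)
    return insns[max(0, idx - n): idx + n + 1]
```

`disasm_file("/path/to/ins.txt", "/path/to/ins.asm")` reproduces the post's two cstool extensions in one call; the caveat in `window_around` is the one a practitioner hits first, since an address taken from a crash log may not sit on a boundary of the linear sweep.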
