From: Nguyen A. Q. <aq...@gm...> - 2015-01-24 00:20:34

On Sat, Jan 24, 2015 at 2:27 AM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> wrote:
> I guess I'm also confused by what you mean when you refer to illegal code.
> Seems like no matter what exe I try to disassemble, I get about 4 lines of
> assembly instructions.

You got the same output because you are trying to disassemble the same thing: all EXE files share the same first part, the EXE header. What you need to do is disassemble code, not the header, so you should start from the EXE entry point, not from the EXE header.

To find the EXE entry point, read the documentation about the PE/PE+ format (PE is the EXE header of 32-bit EXEs, PE+ is the header of 64-bit EXEs). Another way is to read the source code of a binary analysis program (such as http://radare.org) to see how they deal with EXE files.

Thanks,
Q

-----Original Message-----
From: Nguyen Anh Quynh [mailto:aq...@gm...]
Sent: Friday, January 23, 2015 10:38 AM
To: Capstone disassembly framework (www.capstone-engine.org)
Subject: Re: [Capstone-users] Capstone / NetBeans 8.0.2 Help

On Fri, Jan 23, 2015 at 11:15 PM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> wrote:
> When I try to disassemble Test.exe, I get the following:
>
> 0x1000: pop r10
> 0x1002: npop
> 0x1003: add byte ptr [rbx], al
> 0x1005: add byte ptr [rbx], al

I can see that you are trying to disasm Test.exe, but don't expect to see its code: you are actually reading from the beginning of Test.exe, where the PE header is. The actual code is way behind that. And by default, Capstone stops at the first illegal code, so you only see 4 assembly instructions like above.

Thanks.

_______________________________________________
Capstone-users mailing list
Cap...@li...
https://lists.sourceforge.net/lists/listinfo/capstone-users
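The entry-point lookup Quynh describes above, as an added example that is not part of the thread and not code from the Capstone project: a pure-Python parser for the PE/PE+ headers that reads AddressOfEntryPoint from the optional header, maps that RVA to a file offset through the section table, and returns the bytes that should be handed to the disassembler instead of the bytes at file offset 0. The tiny PE32+ image it parses is constructed inside the block (build_sample_pe) so the example runs offline; all function names are mine. If the capstone Python binding happens to be installed, disassemble_entry shows the decoded instructions; otherwise it returns None and the raw bytes are still available.

```python
"""Locate a PE/PE+ entry point and hand the bytes there to a disassembler.

Added example: a minimal PE header parser, not code from the Capstone project.
Field offsets follow the Microsoft PE/COFF specification.
"""
import struct

PE32_MAGIC = 0x10B       # 32-bit optional header ("PE")
PE32PLUS_MAGIC = 0x20B   # 64-bit optional header ("PE+")


def parse_pe(data):
    """Return machine, image base, entry RVA and section table of a PE file image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                              # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint sits at +16 in both header variants;
    # ImageBase is 8 bytes at +24 for PE32+, 4 bytes at +28 for PE32.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    table = opt + opt_size                                       # section table follows the optional header
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    return {"machine": machine, "magic": magic, "image_base": image_base,
            "entry_rva": entry_rva, "sections": sections}


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for s in sections:
        span = max(s["vsize"], s["rawsize"])   # a section may be larger in memory or on disk
        if s["vaddr"] <= rva < s["vaddr"] + span:
            return s["rawptr"] + (rva - s["vaddr"])
    return None                                # RVA not backed by any section's raw data


def entry_point_bytes(data, n=16):
    """Return (file offset, first n bytes) of the code at AddressOfEntryPoint."""
    info = parse_pe(data)
    off = rva_to_offset(info["sections"], info["entry_rva"])
    if off is None:
        raise ValueError("entry point RVA 0x%x is not inside any section" % info["entry_rva"])
    return off, data[off:off + n]


def disassemble_entry(data, n=16):
    """Disassemble the entry point with Capstone if the binding is installed, else None."""
    try:
        from capstone import Cs, CS_ARCH_X86, CS_MODE_32, CS_MODE_64
    except ImportError:
        return None
    info = parse_pe(data)
    off, code = entry_point_bytes(data, n)
    mode = CS_MODE_64 if info["magic"] == PE32PLUS_MAGIC else CS_MODE_32
    va = info["image_base"] + info["entry_rva"]   # show addresses as the loader would map them
    return ["0x%x: %s %s" % (i.address, i.mnemonic, i.op_str)
            for i in Cs(CS_ARCH_X86, mode).disasm(code, va)]


def build_sample_pe():
    """Constructed minimal PE32+ image (not a real binary): one .text section, entry at RVA 0x1010."""
    code = bytes.fromhex("554889e531c05dc3")   # push rbp; mov rbp,rsp; xor eax,eax; pop rbp; ret
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)   # AMD64, 1 section, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1010)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 20, 0x1000)            # BaseOfCode
    struct.pack_into("<Q", opt, 24, 0x140000000)       # ImageBase
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x20, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    image = bytearray(0x400)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text
    image[:len(header)] = header
    image[0x210:0x210 + len(code)] = code              # RVA 0x1010 -> file offset 0x200 + 0x10
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe()
    off, code = entry_point_bytes(sample, 8)
    print("entry point at file offset 0x%x: %s" % (off, code.hex()))
    print("bytes at file offset 0 (the header, not code): %s" % sample[:8].hex())
    for line in disassemble_entry(sample, 8) or ["(capstone binding not installed)"]:
        print(line)
```

For a real Test.exe, read the file into bytes and call entry_point_bytes on it; the header bytes at offset 0 are what produced the four meaningless instructions in the thread, while the bytes returned here are the ones Capstone should see. The RVA-to-offset step matters because sections are file-aligned and memory-aligned differently, so the entry RVA is almost never equal to its file offset.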