From: Jay O. <ja...@ko...> - 2015-08-19 18:56:18
Tip: Use Capstone's skipdata mode to handle these situations: http://www.capstone-engine.org/skipdata.html

On Wed, Aug 19, 2015 at 7:21 AM, Nguyen Anh Quynh <aq...@gm...> wrote:

> On Wed, Aug 19, 2015 at 8:19 PM, Philipp Roskosch <phi...@si...> wrote:
>
>> Hi again,
>>
>> I investigated my shared-object file a little bit more with different
>> tools which are using capstone. On www.CEnigma.org my problem can be
>> reproduced:
>>
>> Settings: Arm, Little Endian
>> Code: 04 00 9F E5 00 00 8F E0 E7 FF FF EA C8 23 00 00
>>       00 00 50 E3 08 40 2D E9 08 80 BD 08 30 FF 2F E1
>>       08 80 BD E8 00 10 A0 E1 0C 20 9F E5 0C 00 9F E5
>>       02 20 8F E0 00 00 8F E0 D8 FF FF EA 9C 23 00 00
>>       D4 FF FF FF 08 B5 03 48 78 44 00 F0 4F FF 01 20
>>       08 BD C0 46 70 11 00 00 03 68 00 B5 5A 00 03 D5
>>
>> After the instruction "D4 FF FF FF" the output just stops. Move this
>> instruction to the beginning and it tells you "Error: Failed to
>> disassemble! Invalid input?".
>
> D4 FF FF FF is not a valid instruction, so you need to look closer into
> your binary file.
>
> The reason is that your assumption that bytes come from .text must be code
> is wrong.
>
> Thanks.
>
>> I do not know if this is a bug or working as intended. Fact is that
>> this byte sequence is present in my shared object file's .text section.
>> It is a sharedObject file created with the Android NDK.
>
> The reason is that your assumption that bytes come from .text must be code
> is wrong.
> You can always find in .text section data & rubbish.
>
> Thanks.
>
>> Any comments or suggestions on this?
>>
>> Thanks!
>> Philipp
>>
>> On 14.08.2015 15:35, Philipp Roskosch wrote:
>> > Hello,
>> >
>> > I am trying to reverse native libraries for Android (ARM). I used
>> > capstone (with java) and disassembled ARM executables which worked very
>> > well. Doing the same thing with a shared library (created with the
>> > Android NDK) isn't working. Capstone only returns the code for the first
>> > function and ignores all following commands. Am I missing something?
>> >
>> > Thanks!
>> >
>> > ------------------------------------------------------------------------------
>> > _______________________________________________
>> > Capstone-users mailing list
>> > Cap...@li...
>> > https://lists.sourceforge.net/lists/listinfo/capstone-users
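
Why the word `D4 FF FF FF` in the posted bytes is data, as an added example that is not part of the thread and does not use Capstone: it decodes each ARM-mode `LDR Rt, [PC, #imm]` in the buffer and marks the word it reads as a literal-pool entry. Assumptions: the buffer is loaded at offset 0 and swept as 4-byte ARM words (the tail of the sample looks like Thumb code, which this sweep does not decode); the function names are made up for this example.

```python
import struct

# Bytes exactly as posted in the thread (ARM, little endian).
CODE = bytes.fromhex(
    "04 00 9F E5 00 00 8F E0 E7 FF FF EA C8 23 00 00 "
    "00 00 50 E3 08 40 2D E9 08 80 BD 08 30 FF 2F E1 "
    "08 80 BD E8 00 10 A0 E1 0C 20 9F E5 0C 00 9F E5 "
    "02 20 8F E0 00 00 8F E0 D8 FF FF EA 9C 23 00 00 "
    "D4 FF FF FF 08 B5 03 48 78 44 00 F0 4F FF 01 20 "
    "08 BD C0 46 70 11 00 00 03 68 00 B5 5A 00 03 D5"
)


def pc_relative_loads(code, base=0):
    """Map literal address -> address of the ARM-mode LDR that reads it."""
    refs = {}
    for off in range(0, len(code) - 3, 4):
        (word,) = struct.unpack_from("<I", code, off)
        # Word load with offset addressing and Rn = PC:
        # cond != 1111, bits 27..24 = 0101, B = 0, W = 0, L = 1, bits 19..16 = 1111.
        if (word >> 28) != 0xF and (word & 0x0F7F0000) == 0x051F0000:
            imm = word & 0xFFF
            delta = imm if word & (1 << 23) else -imm  # U bit: add or subtract
            # In ARM mode the PC reads as the instruction address + 8.
            refs[base + off + 8 + delta] = base + off
    return refs


def split_code_and_data(code, base=0):
    """Return (address, kind, word) rows; words read by a PC-relative load are 'data'.

    Heuristic only: everything else is labelled 'code?' because a linear
    sweep cannot prove that a word is an instruction.
    """
    refs = pc_relative_loads(code, base)
    rows = []
    for off in range(0, len(code) - 3, 4):
        (word,) = struct.unpack_from("<I", code, off)
        addr = base + off
        rows.append((addr, "data" if addr in refs else "code?", word))
    return rows


if __name__ == "__main__":
    for addr, kind, word in split_code_and_data(CODE):
        print(f"{addr:#06x}  {kind:5}  {word:#010x}")
```

The three words flagged as data sit at offsets 0x0c, 0x3c and 0x40; the last one is the `D4 FF FF FF` word where the disassembly in the thread stops.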