1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
|
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "CX86Operand"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Option Explicit
'Capstone Disassembly Engine bindings for VB6
'Contributed by FireEye FLARE Team
'Author: David Zimmer <david.zimmer@fireeye.com>, <dzzie@yahoo.com>
'License: Apache
'Copyright: FireEye 2017
'// Instruction operand sizeof() reports 48 bytes
'typedef struct cs_x86_op {
' x86_op_type type; // operand type
'
' union {
' x86_reg reg; // register value for REG operand
' int64_t imm; // immediate value for IMM operand
' double fp; // floating point value for FP operand
' x86_op_mem mem; // base/index/scale/disp value for MEM operand (24bytes max)
' };
'
' // size of this operand (in bytes).
' uint8_t size;
'
' // AVX broadcast type, or 0 if irrelevant
' x86_avx_bcast avx_bcast;
'
' // AVX zero opmask {z}
' bool avx_zero_opmask;
'} cs_x86_op;
'Instruction's operand referring to memory
'This is associated with X86_OP_MEM operand type above
'Public Type x86_op_mem
' segment As Long ' segment register (or X86_REG_INVALID if irrelevant) UNSIGNED
' base As Long ' base register (or X86_REG_INVALID if irrelevant) UNSIGNED
' index As Long ' index register (or X86_REG_INVALID if irrelevant) UNSIGNED
' scale As Long ' scale for index register
' disp As Currency ' displacement value
'End Type
'this shows the alignment padding used by compiler..
' cs_x86_op op;
' op.type = (x86_op_type)1;
' op.reg = (x86_reg)2;
' op.avx_bcast = (x86_avx_bcast)3;
' op.avx_zero_opmask = 4;
' op.size = 0xaa;
' printf("&cs_x86_op = %x", &op);
' _asm int 3
'
'
'0x0012FF34 01 00 00 00 cc cc cc cc 02 00 00 00 cc cc cc cc ....����....����
'0x0012FF44 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ����������������
'0x0012FF54 aa cc cc cc 03 00 00 00 01 cc cc cc cc cc cc cc ����.....�������
Public optype As x86_op_type
Public size As Byte
Public avx_bcast As x86_avx_bcast
Public avx_zero_opmask As Boolean
'only one of the following will be set based on type
Public reg As x86_reg
Public fp As Currency
Public imm As Currency
Public mem As CX86OpMem
Private hEngine As Long
Private m_raw() As Byte
Function toString() As String
Dim ret() As String
push ret, "X86 Operand:"
push ret, String(45, "-")
If DEBUG_DUMP Then
push ret, "Raw: "
push ret, HexDump(m_raw)
End If
push ret, "Type: " & opStr()
push ret, "Size: " & size
If avx_bcast <> 0 Then push ret, "BCast: " & bcastStr()
If avx_zero_opmask Then push ret, "AvxOpMask: " & avx_zero_opmask
If optype = X86_OP_FP Then
push ret, "FP: " & cur2str(fp)
ElseIf optype = X86_OP_IMM Then
push ret, "IMM: " & cur2str(imm)
ElseIf optype = x86_op_mem Then
If mem.base <> 0 Then push ret, "Base: " & regName(hEngine, mem.base)
If mem.index <> 0 Then push ret, "Index: " & regName(hEngine, mem.index)
If mem.scale_ <> 1 Then push ret, "Scale: " & Hex(mem.scale_)
If mem.segment <> 0 Then push ret, "Seg: " & regName(hEngine, mem.segment)
If mem.disp <> 0 Then push ret, "Disp: " & cur2str(mem.disp)
ElseIf optype = X86_OP_REG Then
push ret, "Reg: " & regName(hEngine, reg)
End If
toString = Join(ret, vbCrLf)
End Function
Function opStr() As String
If optype = X86_OP_FP Then opStr = "X86_OP_FP"
If optype = x86_op_mem Then opStr = "x86_op_mem"
If optype = X86_OP_IMM Then opStr = "X86_OP_IMM"
If optype = X86_OP_REG Then opStr = "X86_OP_REG"
If optype = X86_OP_INVALID Then opStr = "X86_OP_INVALID"
If Len(opStr) = 0 Then
opStr = "Error: " & Hex(optype)
ElseIf DEBUG_DUMP Then
opStr = opStr & " (" & Hex(optype) & ")"
End If
End Function
Function bcastStr() As String
Dim r As String
If avx_bcast = X86_AVX_BCAST_INVALID Then r = "X86_AVX_BCAST_INVALID"
If avx_bcast = X86_AVX_BCAST_2 Then r = "X86_AVX_BCAST_2"
If avx_bcast = X86_AVX_BCAST_4 Then r = "X86_AVX_BCAST_4"
If avx_bcast = X86_AVX_BCAST_8 Then r = "X86_AVX_BCAST_8"
If avx_bcast = X86_AVX_BCAST_16 Then r = "X86_AVX_BCAST_16"
If Len(r) = 0 Then
r = "Unknown: " & Hex(avx_bcast)
ElseIf DEBUG_DUMP Then
r = r & " (" & Hex(avx_bcast) & ")"
End If
bcastStr = r
End Function
Friend Sub LoadDetails(lpStruct As Long, hCapstone As Long)
Dim opMem As x86_op_mem
Dim ptr As Long
Const align4 = 4
Const align3 = 3
hEngine = hCapstone
If DEBUG_DUMP Then
ReDim m_raw(48)
CopyMemory ByVal VarPtr(m_raw(0)), ByVal lpStruct, 48
End If
optype = readLng(lpStruct)
ptr = lpStruct + 4 + align4
If optype = X86_OP_FP Then
fp = readCur(ptr)
ElseIf optype = X86_OP_IMM Then
imm = readCur(ptr)
ElseIf optype = x86_op_mem Then
CopyMemory ByVal VarPtr(opMem), ByVal ptr, LenB(opMem)
Set mem = New CX86OpMem
mem.base = opMem.base
mem.disp = opMem.disp
mem.index = opMem.index
mem.scale_ = opMem.scale
mem.segment = opMem.segment
ElseIf optype = X86_OP_REG Then
reg = readLng(ptr)
End If
ptr = ptr + LenB(opMem)
size = readByte(ptr)
ptr = ptr + 1 + align3
avx_bcast = readLng(ptr)
ptr = ptr + 4
avx_zero_opmask = (readByte(ptr) = 1)
End Sub
Private Sub Class_Terminate()
'looks like everything is freeing up ok
'Debug.Print "Cx86Operand.Terminate"
End Sub
|
