capstone-engine / capstone

Capstone disassembly/disassembler framework for ARM, ARM64 (ARMv8), Alpha, BPF, Ethereum VM, HPPA, LoongArch, M68K, M680X, Mips, MOS65XX, PPC, RISC-V(rv32G/rv64G), SH, Sparc, SystemZ, TMS320C64X, TriCore, Webassembly, XCore and X86.
http://www.capstone-engine.org

skipdata doesn't work correctly from python #2336

Closed cyb3rc closed 3 weeks ago

cyb3rc commented 5 months ago

Work environment

| Questions          | Answers        |
|--------------------|----------------|
| OS/arch/bits       | MacOS, arm64   |
| Architecture       | arm64          |
| Source of Capstone | git clone, pip |
| Version/git commit | v5.0.1         |

Instruction bytes giving faulty results

0xc0, 0x03, 0x5f, 0xd6, 0x98, 0xf2, 0xff, 0xff, 0xc0, 0x03, 0x5f, 0xd6

Expected results

It should be:

1000  c0 03 5f d6  ret
1004  98 f2 ff ff  .byte    0x98, 0xf2, 0xff, 0xff
1008  c0 03 5f d6  ret

Steps to get the wrong result

With cstool we got expected result:

$ cstool -s arm64 "c0035fd698f2ffffc0035fd6"
1000  c0 03 5f d6  ret
1004  98 f2 ff ff  .byte    0x98, 0xf2, 0xff, 0xff
1008  c0 03 5f d6  ret

With Python code

from capstone import *

CODE = b"\xc0\x03\x5f\xd6\x98\xf2\xff\xff\xc0\x03\x5f\xd6"

md = Cs(CS_ARCH_ARM64, CS_MODE_ARM)
md.skipdata = True
for insn in md.disasm(CODE, 0x1000):
    print("%x  %s %s %s" % (insn.address, "".join(["%02x " % b for b in insn.bytes]), insn.mnemonic, insn.op_str))

Got only first instruction

1000  c0 03 5f d6  ret

NOTE

  1. Compiled test_skipdata.c works as expected.
  2. Use of compiled dynamic library from v5.0.1 release sources from python returns invalid result.

Probably the issue is with the dynamic library.

u07 commented 4 months ago

I can confirm. I spent a day until I noticed that the PE is only half-decoded. Capstone breaks on this instruction:

[image: screenshot not included in the text]

ver 5.0.1, skipdata = True, python 3.8.10, Win7 64

u07 commented 4 months ago

Any advice on how to overcome this?

Rot127 commented 3 months ago

Sorry for the late answer. Currently, we are really busy with many other construction sites in Capstone, so the Python bindings don't get the love they would actually need. We first want to bring the C code base up to date, because the Python bindings possibly get a complete rewrite. For those two reasons, no one has looked at this one yet.

Although, you can try to use the next branch (currently only usable with <= Python3.11).

cyb3rc commented 3 months ago

@Rot127 Thanks for response. At least we know that it is in a road map. We'll be waiting for next release.

Amoystyle commented 1 month ago

The library installed through the PyPI package was found to be invalid because the definition of CS_OPT_ON in Python and in the DLL was different.

# bindings/python/capstone/__init__.py
CS_OPT_ON = 1 << 0              # Turn ON an option (CS_OPT_DETAIL)

#include/capstone/capstone.h
CS_OPT_ON = 3, ///< Turn ON an option (CS_OPT_DETAIL, CS_OPT_SKIPDATA).

The next branch has fixed this.
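The mismatch described above (the Python binding defining CS_OPT_ON as 1 while the C header defines it as 3, so `md.skipdata = True` passes a value the library does not treat as "on") is the kind of drift a small consistency check can catch before release. The following is an added example, not code from the Capstone project: it parses `NAME = <expr>` constants out of a Python source excerpt and enumerators out of a C `enum` block, evaluates the constant expressions without `eval()`, and reports every name whose value differs between the two sides. The two source excerpts are constructed for this example and only reproduce the two CS_OPT_ON lines quoted in the comment above plus CS_OPT_OFF; the function names are this example's own.

```python
import ast
import re

# Constructed excerpts (not the real files), modelled on the two definitions
# quoted in the comment above: the v5.0.1 Python binding and the C header.
PY_BINDING_SRC = """
CS_OPT_OFF = 0                  # Turn OFF an option (CS_OPT_DETAIL)
CS_OPT_ON = 1 << 0              # Turn ON an option (CS_OPT_DETAIL)
"""

C_HEADER_SRC = """
typedef enum cs_opt_value {
	CS_OPT_OFF = 0,  ///< Turn OFF an option - default for CS_OPT_DETAIL, CS_OPT_SKIPDATA.
	CS_OPT_ON = 3, ///< Turn ON an option (CS_OPT_DETAIL, CS_OPT_SKIPDATA).
} cs_opt_value;
"""

# Binary operators that are allowed in a constant expression.
_BIN_OPS = {
    ast.LShift: lambda a, b: a << b,
    ast.BitOr: lambda a, b: a | b,
    ast.Add: lambda a, b: a + b,
}


def eval_int_expr(expr: str) -> int:
    """Evaluate a constant integer expression such as '3' or '1 << 0'.

    Only integer literals and the operators in _BIN_OPS are accepted, so
    header or binding text is never handed to eval()."""
    def ev(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError(f"unsupported expression: {expr!r}")
    return ev(ast.parse(expr.strip(), mode="eval").body)


def parse_python_constants(src: str, prefix: str = "CS_OPT_") -> dict:
    """Collect 'NAME = <expr>' module-level assignments whose name starts with prefix."""
    pattern = re.compile(r"^\s*(%s\w+)\s*=\s*([^#\n]+)" % re.escape(prefix), re.M)
    return {m.group(1): eval_int_expr(m.group(2)) for m in pattern.finditer(src)}


def parse_c_enum(src: str, enum_name: str) -> dict:
    """Return {enumerator: value} for one C enum, honouring implicit +1 numbering."""
    m = re.search(r"enum\s+%s\s*\{(.*?)\}" % re.escape(enum_name), src, re.S)
    if m is None:
        raise ValueError(f"enum {enum_name} not found")
    # Strip comments before splitting on commas: the doc comments contain commas.
    body = re.sub(r"//[^\n]*|/\*.*?\*/", "", m.group(1), flags=re.S)
    values, next_value = {}, 0
    for entry in body.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:
            name, expr = (part.strip() for part in entry.split("=", 1))
            value = eval_int_expr(expr)
        else:
            name, value = entry, next_value
        values[name] = value
        next_value = value + 1
    return values


def find_mismatches(py_consts: dict, c_consts: dict) -> dict:
    """Names defined on both sides whose numeric values differ."""
    shared = set(py_consts) & set(c_consts)
    return {n: (py_consts[n], c_consts[n]) for n in sorted(shared)
            if py_consts[n] != c_consts[n]}


def check_binding(py_src: str = PY_BINDING_SRC, c_src: str = C_HEADER_SRC) -> dict:
    """Compare the binding's CS_OPT_* constants against the header's cs_opt_value enum."""
    return find_mismatches(parse_python_constants(py_src),
                           parse_c_enum(c_src, "cs_opt_value"))


if __name__ == "__main__":
    for name, (py_val, c_val) in check_binding().items():
        print(f"{name}: python={py_val} header={c_val}")
```

Run against the real `bindings/python/capstone/__init__.py` and `include/capstone/capstone.h`, a check like this belongs in CI for any project that hand-maintains FFI constants: the binding is loaded by `ctypes` with no type information about the enum, so a wrong integer is silently passed through to `cs_option()` and the only symptom is the behaviour seen in this issue.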

Rot127 commented 1 month ago

@Amoystyle In the v5 branch CS_OPT_ON == 3 in the Python bindings and the c header. So this might not be the reason.

Amoystyle commented 1 month ago

@Rot127 I see that the latest version 5.0.2 has fixed this bug

[v5] python: Fix definition of capstone syntax value option constants by @nmeum in https://github.com/capstone-engine/capstone/pull/2240

Rot127 commented 1 month ago

@cyb3rc Can you please try it and close this one if it works for you?

cyb3rc commented 3 weeks ago

@Rot127 Checked with v5.0.3. It works! Thanks a lot!