capstone-engine / capstone

Capstone disassembly/disassembler framework for ARM, ARM64 (ARMv8), Alpha, BPF, Ethereum VM, HPPA, LoongArch, M68K, M680X, Mips, MOS65XX, PPC, RISC-V(rv32G/rv64G), SH, Sparc, SystemZ, TMS320C64X, TriCore, Webassembly, XCore and X86.
http://www.capstone-engine.org
7.64k stars 1.56k forks

the call address #974

Open Levimocun opened 7 years ago

Levimocun commented 7 years ago

I'm wondering whether the addresses after call instructions, disassembled by Capstone, are all absolute virtual addresses.

aquynh commented 7 years ago

They are all absolute addresses.

Levimocun commented 7 years ago

Hi, @aquynh There is another question. I disassembled the .text segment, the results are listed as follows:

0x1011000: add byte ptr [eax], al
0x1011002: add byte ptr [eax], al
0x1011004: add byte ptr [ebx - 0x1374aa01], cl
0x101100a: push ecx
0x101100b: push ebx

The result disassembled by IDA is listed as follows:

0x01011000 00 00 00 00    dd 0
0x01011004 00             db 0
0x01011005 8B FF          mov edi, edi
0x01011007 55             push ebp
0x01011008 8B EC          mov ebp, esp
0x0101100A 51             push ecx
0x0101100B 53             push ebx

Both of the disassembled results have a call instruction:

01012BE9 E8 17 E4 FF FF    call 0x1011005

Could you please tell me how could I solve this problem? Thank you.

aquynh commented 7 years ago

Looks like you just decode everything, including data. At the same time, IDA skips data and only decodes code.

Levimocun commented 7 years ago

@aquynh But the data is in the .text segment. How could I recognize it?

PeterMatula commented 7 years ago

You need some kind of Recursive Traversal (Descent) disassembly algorithm to guide Capstone. Without it, you will not disassemble a real-world x86 binary with any precision.

https://reverseengineering.stackexchange.com/questions/2347/what-is-the-algorithm-used-in-recursive-traversal-disassembly