LyScript AI

Appearance

Disassembly interface

Disassembly is the process of converting machine code or compiled binary files back into human readable assembly code. Assembly code is a low-level language that is closer to computer hardware instructions and is easier to understand and analyze compared to machine code. Through disassembly, programmers can understand the internal workings of the program, diagnose problems, reverse engineering, and more. Disassembly can be used to analyze, modify, optimize, and other operations on compiled programs, and is one of the important tools in software reverse engineering and security research.

Disassembly

DisasmOneCode

By passing in the target memory address (supporting hexadecimal string format, such as "0x77BB80C9"), disassemble a single machine instruction at that address to obtain detailed information such as instruction content and length. When successful, return a dictionary containing disassembly results, address information, instruction properties, and platform. When failed, return false (if the address is invalid or there are no valid instructions).

python
call interface function:
>>> disassembly.DisasmOneCode("0x77BB80C9")
Return value of interface function (JSON):
{
    'message': 'Singleinstructiondisassemblysuccessful',
    'address_value': 2008776905,
    'address_hex': '0x77BB80C9',
    'instruction': 'jmp 0x77BB80D2',
    'instruction_size': 2,
    'instruction_desc': 'Lengthofthedisassembledinstructioninbytes',
    'platform': 'x86'
}

DisasmCountCode

Batch disassembles consecutive machine instructions starting from the starting address by passing in the starting memory address (supporting hexadecimal string format, such as "0x77BB80C9") and the number of instructions to be disassembled (integer), obtaining detailed information such as the address, content, and length of each instruction. When successful, return a dictionary containing the batch disassembly result, the number of requests/actual instructions, the starting address, and the instruction list. When failed, return false (if the starting address is invalid and there are no valid instructions for subsequent addresses).

python
call interface function:
>>> disassembly.DisasmCountCode("0x77BB80C9",3)
Return value of interface function (JSON):
{
    'message': 'Batchdisassemblysuccessful',
    'requested_count': 3,
    'actual_count': 3,
    'start_address_hex': '0x77BB80C9',
    'start_address_value': 2008776905,
    'instructions': [
        {
            'address_value': 2008776905,
            'address_hex': '0x77BB80C9',
            'instruction': 'jmp 0x77BB80D2',
            'size': 2,
            'size_desc': 'Lengthoftheinstructioninbytes'
        },
        {
            'address_value': 2008776907,
            'address_hex': '0x77BB80CB',
            'instruction': 'xor eax,eax',
            'size': 2,
            'size_desc': 'Lengthoftheinstructioninbytes'
        },
        {
            'address_value': 2008776909,
            'address_hex': '0x77BB80CD',
            'instruction': 'inc eax',
            'size': 1,
            'size_desc': 'Lengthoftheinstructioninbytes'
        }
    ],
    'platform': 'x86'
}

DisasmOperand

By passing in the memory address of the target instruction (supporting hexadecimal string format, such as "0x77BB80C9"), obtain detailed information about the operand of the machine instruction at that address (such as operand value, size, and corresponding instruction content). When successful, return a dictionary containing operand information, instruction address, instruction content, and platform. When failed, return false (such as invalid address, instruction without operand, or parsing failure).

python
call interface function:
>>> disassembly.DisasmOperand("0x77BB80C9")
Return value of interface function (JSON):
{
    'message': 'Operandinformationretrievedsuccessfully',
    'target_address_hex': '0x77BB80C9',
    'target_address_value': 2008776905,
    'operand_value': 2008776914,
    'operand_size': 0,
    'operand_size_desc': 'Sizeoftheoperandinbytes',
    'instruction': 'jmp 0x77BB80D2',
    'platform': 'x86'
}

DisasmFastAtFunction

By passing in the memory address of the target instruction (supporting hexadecimal string format, such as "0x77BB80C9"), quickly obtain the core properties of the machine instruction at that address (including instruction size, whether it is a branch/call instruction, instruction type enumeration, etc.), without the need for complete decompilation context to obtain key instruction features. When successful, return a dictionary containing instruction attributes, address information, instruction content, and platform. When failed, return false (if the address is invalid or the instruction cannot be parsed).

python
call interface function:
>>> disassembly.DisasmFastAtFunction("0x77BB80C9")
Return value of interface function (JSON):
{
    'message': 'Instructionpropertiesretrievedsuccessfully',
    'target_address_hex': '0x77BB80C9',
    'target_address_value': 2008776905,
    'instruction_size': 2,
    'size_desc': 'Lengthoftheinstructioninbytes',
    'is_branch': True,
    'is_call': False,
    'instruction_type': 4,
    'type_desc': 'Instructiontype(architecture-specificenum)',
    'instruction': 'jmp 0x77BB80D2',
    'platform': 'x86'
}

GetOperandSize

By passing in the memory address of the target instruction (supporting hexadecimal string format, such as "0x77BB80C9"), obtain the machine code byte length of the machine instruction at that address (note: although the method name contains "Operand", its actual function is to read the overall length of the instruction, not the length of the operand alone). When successful, return a dictionary containing instruction length, address information, corresponding instruction content, and platform. When failed, return false (if the address is invalid or there are no valid instructions).

python
call interface function:
>>> disassembly.GetOperandSize("0x77BB80C9")
Return value of interface function (JSON):
{
    'message': 'Instructionsizeretrievedsuccessfully',
    'target_address_hex': '0x77BB80C9',
    'target_address_value': 2008776905,
    'instruction_size': 2,
    'size_desc': 'Lengthoftheinstructionmachinecodeinbytes',
    'instruction': 'jmp 0x77BB80D2',
    'platform': 'x86'
}

GetBranchDestination

By passing in the memory address of a branch instruction (such as JMP, CALL, etc.) (supporting hexadecimal string format, such as "0x77BB80C9"), obtain the jump/call destination address of the branch instruction. Only valid for branch type instructions, non branch instructions (such as MOV, PUSH) will return a destination address of 0. When successful, return a dictionary containing the source address, branch destination address, and description information. When failed, return false (if the address is invalid).

python
call interface function:
>>> disassembly.GetBranchDestination("0x77BB80C9")
Return value of interface function (JSON):
{
    'message': 'Branchdestinationretrievedsuccessfully',
    'source_address_type': 'specifiedaddress',
    'source_address_value': 2008776905,
    'source_address_hex': '0x77BB80C9',
    'branch_destination_value': 2008776914,
    'branch_destination_hex': '0x77BB80D2',
    'note': 'Destinationis0iftheinstructionisnotCALL/JMPorhasnovalidbranch',
    'platform': 'x86'
}

GuiGetDisassembly

By passing in the memory address of the target instruction (supporting hexadecimal string format, such as "0x77BB80C9"), the machine instruction at that address is obtained based on the UI layer disassembly logic (different from the underlying disassembly interface). The instruction result usually includes a module name prefix (such as ntdll.), which is more suitable for the display requirements of graphical interfaces (GUI). When successful, return a dictionary containing address information, UI layer disassembly instructions, function description, and platform. When failed, return false (such as invalid address or UI layer logic parsing failure).

python
>> ds.GuiGetDisassembly("0x77BB80C9")
{
    'message': 'GUIdisassemblysuccessful',
    'target_address_value': 2008776905,
    'target_address_hex': '0x77BB80C9',
    'disassembly_instruction': 'jmpntdll.77BB80D2',
    'note': 'ThisusesUI-layerdisassemblylogic(GuiGetDisassembly)',
    'platform': 'x86'
}

Assembly

AssembleMemoryEx

Translate the specified x86 architecture assembly instructions into machine code and write them into the target memory address. The core is used to modify the instruction logic of the target program in debugging scenarios (such as dynamically patching, adjusting execution flow, repairing or bypassing specific code). When successful, return a dictionary containing assembly instructions, target address, and key considerations. When failed, return false (common reasons for failure: assembly instruction syntax error, target address without memory write permission, invalid address, or exceeding program address space).

python
call interface function:
>>> disassembly.AssembleMemoryEx("0x77BB80C9","mov eax,1")
Return value of interface function (JSON):
{
    'message': 'Assemblysuccessfulandwrittentomemory',
    'assembly_string': 'mov eax,1',
    'target_address_value': 2008776905,
    'target_address_hex': '0x77BB80C9',
    'note': 'Ensurethetargetaddresshaswritepermission',
    'platform': 'x86'
}

AssembleCodeSize

Dry run "assembly of specified x86 architecture assembly instructions (only calculating the byte length of machine code after instruction assembly, without actually writing it into memory), with the core used for debugging preprocessing scenarios - confirming instruction length in advance to avoid overwriting adjacent valid code due to mismatched instruction lengths when directly modifying memory. When successful, return a dictionary containing assembly instructions, machine code size, and a "no memory write" prompt. When failed, return false (common reasons for failure include assembly instruction syntax errors, instructions that do not comply with x86 architecture specifications, containing multiple instructions, or illegal operators).

python
call interface function:
>>> disassembly.AssembleCodeSize("mov eax,1")
Return value of interface function (JSON):
{
    'message': 'Assemblysizecalculatedsuccessfully',
    'assembly_string': 'mov eax,1',
    'machine_code_size': 5,
    'size_desc': 'Lengthoftheassembledmachinecodeinbytes',
    'note': 'Thisisadry-run(nomemorywriteperformed)',
    'platform': 'x86'
}
>>>
call interface function:
>>> disassembly.AssembleCodeSize("mov ebx,10")
Return value of interface function (JSON):
{
    'message': 'Assemblysizecalculatedsuccessfully',
    'assembly_string': 'mov ebx,10',
    'machine_code_size': 5,
    'size_desc': 'Lengthoftheassembledmachinecodeinbytes',
    'note': 'Thisisadry-run(nomemorywriteperformed)',
    'platform': 'x86'
}

AssembleCodeHex

Translates a specified x86 architecture assembly instruction into machine code represented in hexadecimal format (as a space-separated byte string). It is primarily used in debugging preprocessing scenarios—retrieving the machine code characteristics of an instruction in advance without actual memory writing ("dry-run" mode). This function helps verify the correctness of assembly instructions, compare original machine code, or prepare for subsequent memory write operations. On success, it returns a dictionary containing the assembly instruction, hexadecimal machine code, machine code length, and key prompts; on failure, it returns false (common failure causes: invalid assembly syntax, instructions incompatible with x86 architecture, multiple instructions, or illegal operators).

python
call interface function:
>>> disassembly.AssembleCodeHex("mov eax,100")
Return value of interface function (JSON):
{
    'message': 'Assemblyhexmachinecodegeneratedsuccessfully',
    'assembly_string': 'mov eax,100',
    'machine_code_size': 5,
    'machine_code_hex': 'B864000000',
    'hex_desc': 'Space-separatedhexadecimalrepresentationofmachinecodebytes',
    'note': 'Thisisadry-run(nomemorywriteperformed)',
    'platform': 'x86'
}

AssembleAtFunctionEx

Assembles a specified x86 architecture assembly instruction into machine code and writes the machine code to the target memory address (typically used for modifying instructions within function ranges, though it supports any valid memory address). It is core to dynamic debugging scenarios—for example, patching code (e.g., replacing critical instructions with nop to disable logic), adjusting function execution flow, or fixing runtime errors. On success, it returns a dictionary containing the assembly instruction, target address details, and critical warnings; on failure, it returns false (common failure causes: invalid assembly syntax, target address lacking write permission, invalid address, or address outside the program’s address space).

python
call interface function:
>>> disassembly.AssembleAtFunctionEx("0x77BB80C9","nop")
Return value of interface function (JSON):
{
    'message': 'Assemblysuccessfulandwrittentotargetaddress',
    'assembly_string': 'nop',
    'target_address_value': 2008776905,
    'target_address_hex': '0x77BB80C9',
    'note': 'Ensurethetargetaddresshaswritepermission',
    'platform': 'x86'
}

Automation component developed for x64dbg debugger

Copyright © 2022-2025 LyShark Security Team