LyScript

Appearance

Disassembly interface

Disassembly is the process of converting machine code or compiled binary files back into human readable assembly code. Assembly code is a low-level language that is closer to computer hardware instructions and is easier to understand and analyze compared to machine code. Through disassembly, programmers can understand the internal workings of the program, diagnose problems, reverse engineering, and more. Disassembly can be used to analyze, modify, optimize, and other operations on compiled programs, and is one of the important tools in software reverse engineering and security research.

Disassembly

get_disassembly_line

There are many disassembly functions in this series. First, let's introduce the get_disassembly_line function. This function takes a decimal memory address and disassembles the memory in the region it is located in. After successful execution, it outputs a dictionary with detailed disassembly parameters. You can get the corresponding information according to your needs. If it fails, it returns false.

python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0x1915bb'
>>>
>>> dasm = dbg.get_disassembly_aline(eip)
>>> dasm
{'Address': 1643963, 'Assembly': 'call 0x001918A1', 'Size': 5}
>>>
>>> hex(dasm.get("Address"))
'0x1915bb'
>>> dasm.get("Assembly")
'call 0x001918A1'
>>> dasm.get("Size")
5

get_disassembly_type

If you want detailed disassembly information, you can use the get_disassembly_type function, which also requires passing in a memory address. The function successfully returns a dictionary, where IsBranch indicates whether it is a branch statement, IsCall indicates whether it is a call, and the final Type represents the type of the current statement.

python
>>> eip = dbg.get_eip()
>>>
>>> dasm = dbg.get_disassembly_type(eip)
>>> dasm
{
	'Address': 1643963, 
	'Assembly': 'call 0x001918A1', 
	'Size': 5, 
	'IsBranch': 1, 
	'IsCall': 1, 
	'Type': 4
}

get_disassembly_count

Sometimes, we need to disassemble a specified length of memory address at once, which can be achieved by calling the get_disassembly_count function, which allows the user to pass in a disassembly length, and the program will traverse a specific number of disassembly machine codes from the memory address down.

python
>>> eip = dbg.get_eip()
>>> dasm = dbg.get_disassembly_count(eip,10)
>>>
>>> for index in range(0,9):
...     address = dasm[index].get("Address")
...     assembly = dasm[index].get("Assembly")
...     size = dasm[index].get("Size")
...     print("{:08x} | {:40} | {}".format(address,assembly,size))
...
001915bb | call 0x001918A1                          | 5
001915c0 | jmp 0x0019140E                           | 5
001915c5 | push ebp                                 | 1
001915c6 | mov ebp, esp                             | 2
001915c8 | call dword ptr ds:[0x00192018]           | 6
001915ce | push 0x01                                | 2
001915d0 | mov dword ptr ds:[0x00193354], eax       | 5
001915d5 | call 0x00191B2C                          | 5
001915da | push dword ptr ss:[ebp+0x08]             | 3

get_disassembly_

The above methods are encapsulated interfaces. If you need to customize parameter acquisition, you can call the following methods to implement them. Users can combine these methods themselves;

  • By calling the get_disassembly_text function and passing in a decimal memory address, a disassembly code can be obtained at the current address.
  • By calling the get_disassembly_size function and passing in a decimal memory address, the length of the machine code at the current address can be obtained.
  • By calling the get_disassembly_operand function and passing in a decimal memory address, the operand of the assembly instruction at the current address can be obtained.
  • By calling the get_branch_destination function and passing in a decimal memory address, the current call or Jmp jump operand can be obtained.
python
>>> eip = dbg.get_eip()
>>>
>>> dbg.get_disassembly_text(eip)
'call win32project.1918A1'
>>>
>>> dbg.get_disassembly_size(eip)
5
>>>
>>> dbg.get_disassembly_operand(eip)
{'Operands': 1644705, 'Size': 0}
>>>
>>> dbg.get_branch_destination(eip)
1644705

Assembly

assembld_code_hex

Assembly series instructions translate an assembly instruction passed in by a user into hexadecimal machine code format. Firstly, the specific information of the assembly instruction machine code can be obtained by calling assembld_code_hex. This function takes a string parameter and returns a dictionary format after successful execution.

python
>>> dbg.assemble_code_hex("push esi")
{'Assembly': 'push esi', 'Hex': '56', 'Size': 1}
>>>
>>> dbg.assemble_code_hex("push edi")
{'Assembly': 'push edi', 'Hex': '57', 'Size': 1}
>>>
>>> assembly = dbg.assemble_code_hex("mov eax,1")
>>>
>>> assembly.get("Hex")
'B801000000'

assembld_code_size

If the user only needs to obtain the length of a specific assembly instruction without any additional information, then assembld_code_size is a good choice, which takes a string instruction and outputs the length information of that instruction.

python
>>> dbg.assemble_code_size("mov eax,1")
5
>>> dbg.assemble_code_size("jmp esp")
2
>>> dbg.assemble_code_size("push ecx")
1

assembl_write_memory

Sometimes, we need to write an assembly instruction to a specific memory, which can be implemented using either assembld_at or assembl_write_memory, both of which accept memory addresses and assembly instructions and automatically write them out to the corresponding memory.

python
>>> eip = dbg.get_eip()
>>> hex(eip)
'0x7733f127'
>>>
>>> dbg.assemble_at(eip,"nop")
True
>>> dbg.assemble_write_memory(eip,"mov eax,1")
True