keystone-engine 是一个开源的轻量级多平台、多架构汇编框架,支持 Arm、Arm64 (AArch64/Armv8)、Hexagon、Mips、PowerPC、Sparc、SystemZ、X86 (16/32/64bit)。非常强大!!
我工作中主要用来处理arm、arm64代码,方便用winhex修改
3种安装方法:
pip安装:pip install keystone-engine
github:https://github.com/keystone-engine/keystone
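#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Date    : 2016-08-20 09:37:02
# @Author  : PiaoYun ([email protected])
# @Link    : http://www.dllhook.com
# @Comment : keystone assembler engine test
"""Smoke-test the keystone assembler across the architectures it supports.

Every case assembles a single instruction and prints its encoding as hex
bytes, so the result can be compared by eye with a disassembler or pasted
into a hex editor.
"""
from __future__ import print_function

from keystone import *


def keystone_test(arch, mode, code, syntax=0):
    """Assemble *code* for (arch, mode) and print ``<code> = [ xx xx ... ]``.

    Args:
        arch: a ``KS_ARCH_*`` constant.
        mode: a ``KS_MODE_*`` constant, or several OR-ed together.
        code: the assembly text, normally as ``bytes``.
        syntax: an optional ``KS_OPT_SYNTAX_*`` value; ``0`` keeps the
            engine's default syntax.

    Raises:
        KsError: propagated from keystone when the text does not assemble.
    """
    ks = Ks(arch, mode)
    if syntax != 0:
        ks.syntax = syntax
    encoding, _count = ks.asm(code)
    # Under Python 3, "%s" % b"..." would print the b'...' repr; show the
    # instruction text itself so the output matches the Python 2 form.
    label = code.decode("utf-8", "replace") if isinstance(code, bytes) else code
    # keystone's binding may hand back (None, 0) when no statement was
    # assembled (e.g. empty input); print an empty list rather than fail on
    # iterating None.
    hex_bytes = "".join("%02x " % byte for byte in (encoding or []))
    print("%s = [ %s]" % (label, hex_bytes))


# (arch, mode, code, syntax) for every case; syntax 0 keeps the engine default.
# KS_MODE_* values are bit flags, so endianness is OR-ed onto the base mode.
_CASES = [
    # X86
    (KS_ARCH_X86, KS_MODE_16, b"add eax, ecx", 0),
    (KS_ARCH_X86, KS_MODE_32, b"add eax, ecx", 0),
    (KS_ARCH_X86, KS_MODE_64, b"add rax, rcx", 0),
    (KS_ARCH_X86, KS_MODE_32, b"add %ecx, %eax", KS_OPT_SYNTAX_ATT),
    (KS_ARCH_X86, KS_MODE_64, b"add %rcx, %rax", KS_OPT_SYNTAX_ATT),
    # ARM
    (KS_ARCH_ARM, KS_MODE_ARM, b"sub r1, r2, r5", 0),
    (KS_ARCH_ARM, KS_MODE_ARM | KS_MODE_BIG_ENDIAN, b"sub r1, r2, r5", 0),
    (KS_ARCH_ARM, KS_MODE_THUMB, b"movs r4, #0xf0", 0),
    (KS_ARCH_ARM, KS_MODE_THUMB | KS_MODE_BIG_ENDIAN, b"movs r4, #0xf0", 0),
    # ARM64
    (KS_ARCH_ARM64, KS_MODE_LITTLE_ENDIAN, b"ldr w1, [sp, #0x8]", 0),
    # Hexagon
    (KS_ARCH_HEXAGON, KS_MODE_BIG_ENDIAN, b"v23.w=vavg(v11.w,v2.w):rnd", 0),
    # Mips
    (KS_ARCH_MIPS, KS_MODE_MIPS32, b"and $9, $6, $7", 0),
    (KS_ARCH_MIPS, KS_MODE_MIPS32 | KS_MODE_BIG_ENDIAN, b"and $9, $6, $7", 0),
    (KS_ARCH_MIPS, KS_MODE_MIPS64, b"and $9, $6, $7", 0),
    (KS_ARCH_MIPS, KS_MODE_MIPS64 | KS_MODE_BIG_ENDIAN, b"and $9, $6, $7", 0),
    # PowerPC
    (KS_ARCH_PPC, KS_MODE_PPC32 | KS_MODE_BIG_ENDIAN, b"add 1, 2, 3", 0),
    (KS_ARCH_PPC, KS_MODE_PPC64, b"add 1, 2, 3", 0),
    (KS_ARCH_PPC, KS_MODE_PPC64 | KS_MODE_BIG_ENDIAN, b"add 1, 2, 3", 0),
    # Sparc
    (KS_ARCH_SPARC, KS_MODE_SPARC32 | KS_MODE_LITTLE_ENDIAN, b"add %g1, %g2, %g3", 0),
    (KS_ARCH_SPARC, KS_MODE_SPARC32 | KS_MODE_BIG_ENDIAN, b"add %g1, %g2, %g3", 0),
    # SystemZ
    (KS_ARCH_SYSTEMZ, KS_MODE_BIG_ENDIAN, b"a %r0, 4095(%r15,%r1)", 0),
]


def test():
    """Run every entry of ``_CASES`` through :func:`keystone_test`, in order."""
    for arch, mode, code, syntax in _CASES:
        keystone_test(arch, mode, code, syntax)


if __name__ == '__main__':
    test()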
结果:
add eax, ecx = [ 66 01 c8 ] add eax, ecx = [ 01 c8 ] add rax, rcx = [ 48 01 c8 ] add %ecx, %eax = [ 01 c8 ] add %rcx, %rax = [ 48 01 c8 ] sub r1, r2, r5 = [ 05 10 42 e0 ] sub r1, r2, r5 = [ e0 42 10 05 ] movs r4, #0xf0 = [ f0 24 ] movs r4, #0xf0 = [ 24 f0 ] ldr w1, [sp, #0x8] = [ e1 0b 40 b9 ] v23.w=vavg(v11.w,v2.w):rnd = [ d7 cb e2 1c ] and $9, $6, $7 = [ 24 48 c7 00 ] and $9, $6, $7 = [ 00 c7 48 24 ] and $9, $6, $7 = [ 24 48 c7 00 ] and $9, $6, $7 = [ 00 c7 48 24 ] add 1, 2, 3 = [ 7c 22 1a 14 ] add 1, 2, 3 = [ 14 1a 22 7c ] add 1, 2, 3 = [ 7c 22 1a 14 ] add %g1, %g2, %g3 = [ 02 40 00 86 ] add %g1, %g2, %g3 = [ 86 00 40 02 ] a %r0, 4095(%r15,%r1) = [ 5a 0f 1f ff ] [Finished in 0.1s]