How to use the capstone.CS_MODE_BIG_ENDIAN function in capstone
To help you get started, we’ve selected a few capstone examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
williballenthin / python-idb / idb / idapython.py View on Github 
if size == 2:
dis = self._load_dis(capstone.CS_ARCH_ARM, capstone.CS_MODE_THUMB)
else:
dis = self._load_dis(capstone.CS_ARCH_ARM, capstone.CS_MODE_ARM)
elif procname in ['metapc', '8086', '80286r', '80286p', '80386r', '80386p','80486r', '80486p', '80586r', '80586p', '80686p', 'k62', 'p2', 'p3', 'athlon', 'p4', '8085']:
if bitness == 16:
dis = self._load_dis(capstone.CS_ARCH_X86, capstone.CS_MODE_16)
elif bitness == 32:
dis = self._load_dis(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
elif bitness == 64:
dis = self._load_dis(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
elif procname == "mipsb":
if bitness == 32:
dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS32 | capstone.CS_MODE_BIG_ENDIAN)
elif bitness == 64:
dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS64 | capstone.CS_MODE_BIG_ENDIAN)
elif procname == "mipsl":
if bitness == 32:
dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS32 | capstone.CS_MODE_LITTLE_ENDIAN)
elif bitness == 64:
dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS64 | capstone.CS_MODE_LITTLE_ENDIAN)
if dis is None:
raise NotImplementedError("unknown arch %s bit:%s inst_len:%d" % (procname, bitness, len(inst_buf)))
dis.detail = True
try:
op = next(dis.disasm(inst_buf, ea))
except StopIteration:
raise RuntimeError('failed to disassemble %s' % (hex(ea)))
else:
return opArchitecture(type=capstone.CS_ARCH_ARM,
mode=capstone.CS_MODE_ARM,
endianness=capstone.CS_MODE_LITTLE_ENDIAN,
description="ARM executable code, 32-bit, little endian"),
Architecture(type=capstone.CS_ARCH_ARM64,
mode=capstone.CS_MODE_ARM,
endianness=capstone.CS_MODE_BIG_ENDIAN,
description="ARM executable code, 64-bit, big endian"),
Architecture(type=capstone.CS_ARCH_ARM64,
mode=capstone.CS_MODE_ARM,
endianness=capstone.CS_MODE_LITTLE_ENDIAN,
description="ARM executable code, 64-bit, little endian"),
Architecture(type=capstone.CS_ARCH_PPC,
mode=capstone.CS_MODE_BIG_ENDIAN,
endianness=capstone.CS_MODE_BIG_ENDIAN,
description="PPC executable code, 32/64-bit, big endian"),
Architecture(type=capstone.CS_ARCH_MIPS,
mode=capstone.CS_MODE_64,
endianness=capstone.CS_MODE_BIG_ENDIAN,
description="MIPS executable code, 32/64-bit, big endian"),
Architecture(type=capstone.CS_ARCH_MIPS,
mode=capstone.CS_MODE_64,
endianness=capstone.CS_MODE_LITTLE_ENDIAN,
description="MIPS executable code, 32/64-bit, little endian"),
Architecture(type=capstone.CS_ARCH_ARM,
mode=capstone.CS_MODE_THUMB,
endianness=capstone.CS_MODE_LITTLE_ENDIAN,
description="ARM executable code, 16-bit (Thumb), little endian"),
Architecture(type=capstone.CS_ARCH_ARM,database.reverse_symbols = self.binary.reverse_symbols
database.demangled = self.binary.demangled
database.reverse_demangled = self.binary.reverse_demangled
database.imports = self.binary.imports
else:
self.binary.symbols = database.symbols
self.binary.reverse_symbols = database.reverse_symbols
self.binary.demangled = database.demangled
self.binary.reverse_demangled = database.reverse_demangled
self.binary.imports = database.imports
cs_arch = arch_lookup.get(self.binary.arch, None)
cs_mode = mode_lookup.get(self.binary.arch, None)
if self.is_big_endian:
cs_mode |= CAPSTONE.CS_MODE_BIG_ENDIAN
else:
cs_mode |= CAPSTONE.CS_MODE_LITTLE_ENDIAN
self.capstone = CAPSTONE
self.md = CAPSTONE.Cs(cs_arch, cs_mode)
self.md.detail = True
for s in self.binary.iter_sections():
s.big_endian = cs_mode & CAPSTONE.CS_MODE_BIG_ENDIANself.vex_arch = "VexArchARM"
self.vex_endness = "VexEndnessLE" if endness == "Iend_LE" else "VexEndnessBE"
self.name = "ARM"
self.qemu_name = 'arm'
self.ida_processor = 'armb'
self.max_inst_bytes = 4
self.ip_offset = 68
self.sp_offset = 60
self.bp_offset = 60
self.ret_offset = 8
self.call_pushes_ret = False
self.stack_change = -4
self.memory_endness = endness
self.register_endness = endness
self.cs_arch = _capstone.CS_ARCH_ARM
self.cs_mode = _capstone.CS_MODE_LITTLE_ENDIAN if endness == 'Iend_LE' else _capstone.CS_MODE_BIG_ENDIAN
#self.ret_instruction = "\x0E\xF0\xA0\xE1" # this is mov pc, lr
self.ret_instruction = "\x1E\xFF\x2F\xE1" # this is bx lr
self.nop_instruction = "\x00\x00\x00\x00"
if endness == "Iend_LE":
self.function_prologs = {
r"[\x00-\xff][\x00-\xff]\x2d\xe9", # stmfd sp!, {xxxxx}
}
else:
self.function_prologs = {
r"\xe9\x2d[\x00-\xff][\x00-\xff]", # stmfd sp!, {xxxxx}
}
self.instruction_alignment = 4
self.concretize_unique_registers.add(64)
self.default_register_values = [
( 'sp', self.initial_sp, True, 'global' ), # the stack
( 0x188, 0x00000000, False, None ) # part of the thumb conditional flagsdef __init__(self, mode):
super(Capstone, self).__init__(mode)
if self.mode == "I386":
self.cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
elif self.mode == "AMD64":
self.cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
elif self.mode == "MIPS":
self.cs = capstone.Cs(capstone.CS_ARCH_MIPS, capstone.CS_MODE_32 +
capstone.CS_MODE_BIG_ENDIAN)
else:
raise NotImplementedError(
"No disassembler available for this arch.")def dissemble_code(self, code, baseaddr):
md = Cs(capstone.CS_ARCH_PPC, capstone.CS_MODE_32 | capstone.CS_MODE_BIG_ENDIAN)
md.syntax = capstone.CS_OPT_SYNTAX_INTEL
for (address, size, mnemonic, op_str) in md.disasm_lite(code, baseaddr):
print "0x%x:\t%s\t%s" % (address, mnemonic, op_str)
def dissemble_addr(self, baseaddr, n = 32):def __init__(self, mode):
super(Capstone, self).__init__(mode)
if self.mode == "I386":
self.cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
elif self.mode == "AMD64":
self.cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
elif self.mode == "MIPS":
self.cs = capstone.Cs(capstone.CS_ARCH_MIPS, capstone.CS_MODE_32 +
capstone.CS_MODE_BIG_ENDIAN)
else:
raise NotImplementedError(
"No disassembler available for this arch.")
Popular capstone functions
- capstone.bindings.python.capstone.__init__.CsError
- capstone.capdb.models.CaseMetadata
- capstone.capdb.models.Citation
- capstone.Cs
- capstone.CS_ARCH_ARM
- capstone.CS_ARCH_ARM64
- capstone.CS_ARCH_MIPS
- capstone.CS_ARCH_X86
- capstone.CS_MODE_32
- capstone.CS_MODE_64
- capstone.CS_MODE_ARM
- capstone.CS_MODE_BIG_ENDIAN
- capstone.CS_MODE_LITTLE_ENDIAN
- capstone.CS_MODE_THUMB
- capstone.suite.test_group_name.GroupTest
- capstone.x86
- capstone.x86.X86_OP_IMM
- capstone.x86.X86_OP_MEM
- capstone.x86.X86_OP_REG
- capstone.x86_const