Esempio n. 1
def decode16(hexcode):
    """Disassemble a hex string in 16-bit mode and print the listing.

    hexcode is turned into raw bytes with binascii.unhexlify and passed to
    distorm.Decode with a start offset of 0x100 and distorm.Decode16Bits.
    One line is printed per decoded entry, followed by a blank line.
    """
    print("-----------------------Decode16Bits-----------------------")
    raw = binascii.unhexlify(hexcode)
    decoded = distorm.Decode(0x100, raw, distorm.Decode16Bits)
    for entry in decoded:
        # Printed column order is entry[0], entry[1], entry[3], entry[2]
        # (presumably offset, size, hex dump, instruction text - confirm
        # against the distorm binding in use).
        row = (entry[0], entry[1], entry[3], entry[2])
        print("0x%08x (%02x) %-20s '%s'" % row)
    print("")
Esempio n. 2
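    def dasm(self, irc, msg, args):
        "Disassemble hex bytes.  use -a to get the addresses"
        # The docstring above is left byte-for-byte as it was: it is
        # presumably surfaced as the command's help text by the bot framework.
        #
        # args holds the command's arguments: an optional leading "-a" flag
        # followed by hex byte tokens. The bytes are decoded as 32-bit code
        # starting at address 0 and the result is sent with irc.reply.

        # Guard the flag test: an empty argument list used to raise IndexError.
        inc_addr = bool(args) and args[0] == "-a"
        tokens = args[1:] if inc_addr else args
        hexbytes = " ".join(tokens)
        address = 0x0

        pieces = []
        for token in hexbytes.split():
            try:
                pieces.append(chr(int(token, 16)))
            except (ValueError, OverflowError):
                # Token is not hex or does not fit in one byte. It is skipped,
                # as before, but only these two errors are swallowed now.
                # NOTE(review): a skipped token shifts every later byte, so
                # the listing may not match what the caller typed.
                continue
        rawbytes = "".join(pieces)
        # NOTE(review): nothing here bounds the number of bytes decoded or
        # the length of the reply - confirm the framework limits both.
        disasm = distorm.Decode(address, rawbytes, distorm.Decode32Bits)

        if inc_addr:
            ret = ["%02X: %s" % (i[0], i[2]) for i in disasm]
        else:
            ret = ["%s" % (i[2]) for i in disasm]
        irc.reply(("   ".join(ret)).strip())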
Esempio n. 3
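def main():
    """Print a summary of a PE file and disassemble the start of its entry point.

    Command line: <PE file name> and an optional new image base in hex. The
    second argument, when given, is parsed as base-16 and passed to PEFile
    together with the file name. The function prints the image base, code
    size, entry point RVA, sections, imports, exports and relocations. If the
    distorm module can be imported, it then disassembles at most 4 KiB from
    the entry point and stops after the first RET, INT 3 or JMP.

    Always returns None.
    """
    argc = len(sys.argv)
    if argc not in (2, 3):
        print(os.path.split(sys.argv[0])[1] + " <PE file name> <new image base in hex>")
        return None
    filename = sys.argv[1]
    NewImageBase = None
    if argc == 3:
        NewImageBase = int(sys.argv[2], 16)
    PEObj = PEFile(filename, NewImageBase)
    print("diSlib, http://ragestorm.net/distorm/\n")
    print("Image Base: 0x%08x, Code Size: 0x%x" % (PEObj.ImageBase, PEObj.CodeSize))
    print("Entry Point RVA: %08x" % PEObj.EntryPoint)
    print("Sections:")
    # NOTE(review): the last entry of Sections is not listed; the reason is
    # not visible in this function - confirm against PEFile.
    for i in PEObj.Sections[:-1]:
        print("%d.Name: %s, VA: %x, Size: %x, Flags: %x" % (i.Index + 1, i.Name, i.VA, i.Size, i.Flags))
    if PEObj.Imports:
        print("Imports:")
        for i in PEObj.Imports:
            print(i)
    try:
        if PEObj.Exports:
            print("Exports:")
            for i in PEObj.Exports:
                print(i)
    except Exception:
        # Ignore corrupted exports. Narrowed from a bare except so that
        # KeyboardInterrupt and SystemExit are no longer swallowed. The
        # failure is still silent, so an absent "Exports:" section does not
        # prove the file has none.
        pass
    if PEObj.Relocs:
        print("Relocations:")
        for i in PEObj.Relocs:
            print(i)

    try:
        # If diStorm isn't available, we won't disassemble anything.
        import distorm

        DecodeType = distorm.Decode32Bits
        if PEObj.MachineType == IMAGE_FILE_MACHINE_AMD64:
            DecodeType = distorm.Decode64Bits

        # Find code section and disassemble entry point routine.
        TextSec = PEObj.GetSectionByVA(PEObj.EntryPoint)
        if TextSec is None:
            return
        # Two-step slice: from the entry point to the end of the section
        # data, then capped at 4 KiB.
        code = TextSec.Data[PEObj.EntryPoint - TextSec.VA:][:4 * 1024]
        for i in distorm.Decode(PEObj.ImageBase + PEObj.EntryPoint, code, DecodeType):
            print("0x%08x (%02x) %-20s %s" % (i[0], i[1], i[3], i[2]))
            text = i[2]
            # Stop at the first instruction that leaves the linear flow.
            if text[:3] in ("RET", "JMP") or text == "INT 3":
                break
    except Exception:
        # Best effort, as before: a missing distorm module or any decoding
        # error ends the run quietly. Ctrl-C now propagates.
        pass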
def main_old():
    """Time distorm.Decode on a large buffer of seeded pseudo-random bytes.

    Builds 1024 bytes from random.randint with a fixed seed, repeats them
    1024 * 5 times, decodes the result as 32-bit code at offset 0x55551 and
    prints a timestamp before each phase, then the whole listing.
    Python 2 code: it relies on xrange and on chr() producing byte strings.
    """
    print(distorm.info)
    # Fixed seed, so every run decodes the same buffer.
    random.seed(9879877)
    print("start generating: %s" % time.asctime(time.localtime()))
    block = "".join([chr(random.randint(0, 255)) for _ in xrange(1024)])
    print("start unpacking: %s" % time.asctime(time.localtime()))
    payload = block * (1024 * 5)
    print("start decoding: %s" % time.asctime(time.localtime()))
    decoded = distorm.Decode(0x55551, payload, distorm.Decode32Bits)
    print("end: %s" % time.asctime(time.localtime()))
    for entry in decoded:
        row = (entry[0], entry[1], entry[3], entry[2])
        print("0x%08x (%02x) %-20s '%s'" % row)