0

我正在尝试使用regs_readand regs_write,但它不起作用:

$ cat cs.py 
import capstone
Cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
Cs.detail = True

CODE = b"\x48\x89\x44\x24\x10"
for i in Cs.disasm(CODE,0):
    print(i)
    print(i.regs_read)
    print(i.regs_write)

这就是我得到的

$ python3.7 cs.py
<CsInsn 0x0 [4889442410]: mov qword ptr [rsp + 0x10], rax>
[] <----- why? rax is read
[]

4

2 回答 2

1

我认为你可以这样做:

def has_write_to_dereference_of_register(
    instruction: capstone.CsInsn,
    register: int
) -> bool:
    for operand in instruction.operands:
        if operand.access & capstone.CS_AC_WRITE:
            if operand.type == capstone.CS_OP_REG:
                if operands.value.reg == register:
                    return True
            elif operand.type == capstone.CS_OP_MEM:
                mem = operand.value.mem
                if mem.base == register or mem.index == register:
                    return True
    return False
于 2021-07-21T12:54:11.170 回答
0

您可以改用该regs_access()方法来获取当前指令的读取和写入列表:

import capstone

Cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
Cs.detail = True

CODE = b"\x48\x89\x44\x24\x10"
for i in Cs.disasm(CODE, 0):
    reads, writes = i.regs_access()

    print(f'reads = {reads}, writes = {writes}')
于 2021-11-21T09:59:40.197 回答