import logging

import capstone as cs
from archinfo.arch_arm import is_arm_arch

from ..misc.ux import once

l = logging.getLogger(name=__name__)

# Maps an architecture name to a table translating capstone instruction
# *groups* into a coarse control-flow kind: "call", "branch" or "return".
INS_GROUP_INFO = {
    "X86": {
        cs.x86.X86_GRP_CALL: "call",
        cs.x86.X86_GRP_JUMP: "branch",
        cs.x86.X86_GRP_RET: "return",
    },
    "AMD64": {
        cs.x86.X86_GRP_CALL: "call",
        cs.x86.X86_GRP_JUMP: "branch",
        cs.x86.X86_GRP_RET: "return",
    },
    # Note: the ARM table has no "return" entry.
    "ARM": {
        cs.arm.ARM_GRP_CALL: "call",
        cs.arm.ARM_GRP_BRANCH_RELATIVE: "branch",
        cs.arm.ARM_GRP_JUMP: "branch",
    },
}

# The ARM variants alias the very same table object as "ARM".
INS_GROUP_INFO.update(
    dict.fromkeys(("ARMEL", "ARMHF", "ARMCortexM"), INS_GROUP_INFO["ARM"])
)

try:
    INS_GROUP_INFO["MIPS32"] = {
        cs.mips.MIPS_GRP_CALL: "call",
        cs.mips.MIPS_GRP_JUMP: "branch",
        cs.mips.MIPS_GRP_RET: "return",
    }
except AttributeError:
    # The installed capstone is too old - it does not support cs.mips.MIPS_GRP_*
    pass

# Per-architecture table keyed by capstone instruction *id*; consulted when
# the group table yields no classification.
INS_INFO = {
    "MIPS32": {
        cs.mips.MIPS_INS_JAL: "call",
        cs.mips.MIPS_INS_BAL: "branch",
    }
}
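def decode_instruction(arch, instr):
    """Classify *instr* as a call, branch or return and annotate it in place.

    The capstone instruction groups are looked up in ``INS_GROUP_INFO`` first;
    if no group matches, the instruction id is looked up in ``INS_INFO``.
    When a classification is found it is stored in ``instr.type``. For calls
    and branches, ``instr.branch_type`` is set to ``"direct"`` or
    ``"indirect"`` based on the type of the last operand, and
    ``instr.branch_target_operand`` is set to the index of that operand.

    :param arch: Architecture object; ``arch.name`` selects the lookup tables.
    :param instr: Instruction wrapper exposing ``insn.insn.groups``,
                  ``insn.insn.id`` and ``insn.operands``; mutated in place.
    :return: None. *instr* is left untouched when it cannot be classified.
    """
    # this is clearly architecture specific
    arch_name = arch.name

    # Only warn when the MIPS32 group table is really missing (it is added at
    # import time only if capstone exposes cs.mips.MIPS_GRP_*). The membership
    # test comes before once() so the one-shot key is not consumed needlessly.
    if arch_name == "MIPS32" and "MIPS32" not in INS_GROUP_INFO and once("mips-instruction-groups"):
        l.warning("Your version of capstone does not support MIPS instruction groups.")

    insn_info = None

    # First attempt: classify by instruction group; the first known group wins.
    group_table = INS_GROUP_INFO.get(arch_name, None)
    if group_table is not None:
        for group in instr.insn.insn.groups:
            insn_info = group_table.get(group, None)
            if insn_info is not None:
                break

    # Fallback: classify by the exact instruction id.
    if insn_info is None:
        id_table = INS_INFO.get(arch_name, None)
        if id_table is not None:
            insn_info = id_table.get(instr.insn.insn.id, None)

    if insn_info is None:
        return

    instr.type = insn_info

    if instr.type not in ("call", "branch"):
        return

    # Determine if this is a direct or indirect call/branch from the last
    # operand. NOTE(review): operands[-1] presumably raises IndexError when an
    # instruction has no operands - confirm callers never pass such a case.
    if arch_name in ("X86", "AMD64"):
        is_direct = instr.insn.operands[-1].type == cs.x86.X86_OP_IMM
    elif is_arm_arch(arch):
        is_direct = instr.insn.operands[-1].type == cs.arm.ARM_OP_IMM
    elif arch_name == "MIPS32":
        # MIPS is tested the other way round: only a register operand counts
        # as indirect, every other operand type is treated as direct.
        is_direct = instr.insn.operands[-1].type != cs.mips.MIPS_OP_REG
    else:
        return

    instr.branch_type = "direct" if is_direct else "indirect"
    instr.branch_target_operand = len(instr.insn.operands) - 1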