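VERSION 5.00
Object = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}#2.0#0"; "mscomctl.ocx"
Begin VB.Form Form1 
   Caption         =   "VB6 Bindings for Capstone Disassembly Engine - Contributed by FireEye FLARE Team"
   ClientHeight    =   7290
   ClientLeft      =   60
   ClientTop       =   345
   ClientWidth     =   10275
   LinkTopic       =   "Form1"
   ScaleHeight     =   7290
   ScaleWidth      =   10275
   StartUpPosition =   2  'CenterScreen
   Begin VB.CommandButton Command2 
      Caption         =   "Save"
      Height          =   375
      Left            =   8760
      TabIndex        =   8
      Top             =   120
      Width           =   1455
   End
   Begin VB.CommandButton Command1 
      Caption         =   " Arm 64"
      Height          =   375
      Index           =   4
      Left            =   6840
      TabIndex        =   7
      Top             =   120
      Width           =   1455
   End
   Begin VB.CommandButton Command1 
      Caption         =   "Arm"
      Height          =   375
      Index           =   3
      Left            =   5160
      TabIndex        =   6
      Top             =   120
      Width           =   1455
   End
   Begin VB.CommandButton Command1 
      Caption         =   "x86 64bit"
      Height          =   375
      Index           =   2
      Left            =   3480
      TabIndex        =   5
      Top             =   120
      Width           =   1455
   End
   Begin VB.CommandButton Command1 
      Caption         =   "x86 16bit"
      Height          =   375
      Index           =   0
      Left            =   120
      TabIndex        =   4
      Top             =   120
      Width           =   1455
   End
   Begin VB.CommandButton Command1 
      Caption         =   "x86 32bit"
      Height          =   375
      Index           =   1
      Left            =   1800
      TabIndex        =   3
      Top             =   120
      Width           =   1455
   End
   Begin MSComctlLib.ListView lv 
      Height          =   2415
      Left            =   120
      TabIndex        =   2
      Top             =   1440
      Width           =   10095
      _ExtentX        =   17806
      _ExtentY        =   4260
      View            =   3
      LabelEdit       =   1
      LabelWrap       =   -1  'True
      HideSelection   =   0   'False
      FullRowSelect   =   -1  'True
      _Version        =   393217
      ForeColor       =   -2147483640
      BackColor       =   -2147483643
      BorderStyle     =   1
      Appearance      =   1
      BeginProperty Font {0BE35203-8F91-11CE-9DE3-00AA004BB851} 
         Name            =   "Courier"
         Size            =   9.75
         Charset         =   0
         Weight          =   400
         Underline       =   0   'False
         Italic          =   0   'False
         Strikethrough   =   0   'False
      EndProperty
      NumItems        =   1
      BeginProperty ColumnHeader(1) {BDD1F052-858B-11D1-B16A-00C0F0283628} 
         Object.Width           =   2540
      EndProperty
   End
   Begin VB.ListBox List1 
      BeginProperty Font 
         Name            =   "Courier"
         Size            =   9.75
         Charset         =   0
         Weight          =   400
         Underline       =   0   'False
         Italic          =   0   'False
         Strikethrough   =   0   'False
      EndProperty
      Height          =   840
      Left            =   120
      TabIndex        =   1
      Top             =   600
      Width           =   10095
   End
   Begin VB.TextBox Text1 
      BeginProperty Font 
         Name            =   "Courier"
         Size            =   9.75
         Charset         =   0
         Weight          =   400
         Underline       =   0   'False
         Italic          =   0   'False
         Strikethrough   =   0   'False
      EndProperty
      Height          =   3375
      Left            =   120
      MultiLine       =   -1  'True
      ScrollBars      =   3  'Both
      TabIndex        =   0
      Text            =   "Form1.frx":0000
      Top             =   3840
      Width           =   10095
   End
End
Attribute VB_Name = "Form1"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Option Explicit

'Capstone Disassembly Engine bindings for VB6
'Contributed by FireEye FLARE Team
'Author:  David Zimmer <[email protected]>, <[email protected]>
'License: Apache
'Copyright: FireEye 2017

'Demo form: each Command1 button disassembles a fixed byte sample for one
'architecture and lists the decoded instructions in lv; Command2 ("Save")
'dumps the current listing to a text file next to the executable.
'This form only hands the sample bytes to cap.disasm for decoding.

'Disassembler wrapper for the sample currently shown (re-created on every run)
Dim cap As CDisassembler
'Index of the last sample button pressed, or -1 when no test has run yet
Dim lastSample As Long

'Click handler for the Command1 control array.
'index selects the sample: 0 = x86 16bit, 1 = x86 32bit, 2 = x86 64bit,
'3 = Arm, 4 = Arm64 (matches the Index values of the buttons above).
Private Sub Command1_Click(index As Integer)

    Dim code() As Byte, arch As cs_arch, mode As cs_mode

    'Sample opcodes in "\xNN" notation; toBytes (defined elsewhere in the
    'project) is presumably what turns them into a byte array - confirm there.
    'NOTE(review): the 16 bit and 32 bit samples hold the same bytes.
    Const x86_code32 As String = "\x8d\x4c\x32\x08\x01\xd8\x81\xc6\x34\x12\x00\x00\x05\x23\x01\x00\x00\x36\x8b\x84\x91\x23\x01\x00\x00\x41\x8d\x84\x39\x89\x67\x00\x00\x8d\x87\x89\x67\x00\x00\xb4\xc6"
    Const X86_CODE16 As String = "\x8d\x4c\x32\x08\x01\xd8\x81\xc6\x34\x12\x00\x00\x05\x23\x01\x00\x00\x36\x8b\x84\x91\x23\x01\x00\x00\x41\x8d\x84\x39\x89\x67\x00\x00\x8d\x87\x89\x67\x00\x00\xb4\xc6"
    Const X86_CODE64 As String = "\x55\x48\x8b\x05\xb8\x13\x00\x00"
    Const ARM_CODE As String = "\xED\xFF\xFF\xEB\x04\xe0\x2d\xe5\x00\x00\x00\x00\xe0\x83\x22\xe5\xf1\x02\x03\x0e\x00\x00\xa0\xe3\x02\x30\xc1\xe7\x00\x00\x53\xe3\x00\x02\x01\xf1\x05\x40\xd0\xe8\xf4\x80\x00\x00"
    Const ARM64_CODE As String = "\x09\x00\x38\xd5\xbf\x40\x00\xd5\x0c\x05\x13\xd5\x20\x50\x02\x0e\x20\xe4\x3d\x0f\x00\x18\xa0\x5f\xa2\x00\xae\x9e\x9f\x37\x03\xd5\xbf\x33\x03\xd5\xdf\x3f\x03\xd5\x21\x7c\x02\x9b\x21\x7c\x00\x53\x00\x40\x21\x4b\xe1\x0b\x40\xb9\x20\x04\x81\xda\x20\x08\x02\x8b\x10\x5b\xe8\x3c"

    Select Case index
        Case 0
            arch = CS_ARCH_X86
            mode = CS_MODE_16
            code = toBytes(X86_CODE16)
        Case 1
            arch = CS_ARCH_X86
            mode = CS_MODE_32
            code = toBytes(x86_code32)
        Case 2
            arch = CS_ARCH_X86
            mode = CS_MODE_64
            code = toBytes(X86_CODE64)
        Case 3
            arch = CS_ARCH_ARM
            mode = CS_MODE_ARM
            code = toBytes(ARM_CODE)
        Case 4
            arch = CS_ARCH_ARM64
            mode = CS_MODE_ARM
            code = toBytes(ARM64_CODE)
        Case Else
            'No sample is defined for this index. Leave lastSample untouched so
            'Save never indexes its file-name table with an unknown value, and
            'do not hand an unallocated byte array to the disassembler.
            Exit Sub
    End Select

    'Recorded only for a known sample; Command2_Click derives the file name from it
    lastSample = index

    test code, arch, mode

End Sub

'Disassembles code for the given arch/mode and fills the form:
'engine details go to List1, one ListView row per decoded instruction goes to lv.
Private Sub test(code() As Byte, arch As cs_arch, mode As cs_mode)

    Dim ret As Collection
    Dim ci As CInstruction
    Dim li As ListItem

    clearForm

    'Drop the previous wrapper before creating the next one
    If Not cap Is Nothing Then Set cap = Nothing

    Set cap = New CDisassembler

    'NOTE(review): the meaning of the third argument is defined by
    'CDisassembler.init, which is not part of this file
    If Not cap.init(arch, mode, True) Then
        List1.AddItem "Failed to init engine: " & cap.errMsg
        Exit Sub
    End If

    List1.AddItem "Capstone loaded @ 0x" & Hex(cap.hLib)
    List1.AddItem "hEngine: 0x" & Hex(cap.hCapstone)
    List1.AddItem "Version: " & cap.version

    If cap.vMajor < 3 Then
        List1.AddItem "Sample requires Capstone v3+"
        Exit Sub
    End If

    '&H1000 is presumably the address assigned to the first byte - confirm in CDisassembler.disasm
    Set ret = cap.disasm(&H1000, code)

    'For Each over Nothing raises a run-time error; whether disasm can return
    'Nothing is not visible from this file, so guard against it
    If ret Is Nothing Then
        List1.AddItem "Disassembly returned no result"
        Exit Sub
    End If

    For Each ci In ret
        Set li = lv.ListItems.Add(, , ci.text)
        'Keep the instruction object on the row so lv_ItemClick and Save can dump its details
        Set li.Tag = ci
    Next

End Sub

'Save button: writes the text and details of every listed instruction to
'App.path & "\vb" & <sample name> & "Test.txt", replacing an existing file.
'Failures to delete or write are reported instead of being swallowed.
Private Sub Command2_Click()

    Dim fName() As String
    Dim fPath As String
    Dim t() As String
    Dim li As ListItem
    Dim ci As CInstruction

    'Errors are checked explicitly at the file operations below
    On Error Resume Next

    fName = Split("16b,32b,64b,Arm,Arm64", ",")

    'Covers the initial -1 as well as any value outside the name table
    If lastSample < LBound(fName) Or lastSample > UBound(fName) Then
        MsgBox "Run a test first..."
        Exit Sub
    End If

    'The output lands in the application directory, which must be writable
    fPath = App.path & "\vb" & fName(lastSample) & "Test.txt"

    If FileExists(fPath) Then
        Err.Clear
        Kill fPath
        If Err.Number <> 0 Then
            'Without this check a failed delete plus a failed write would
            'report the size of the stale file as if it had just been saved
            MsgBox "Could not replace existing file: " & vbCrLf & vbCrLf & fPath & vbCrLf & vbCrLf & Err.Description
            Exit Sub
        End If
    End If

    For Each li In lv.ListItems
        push t, li.text
        'Reset first so a row without a usable Tag does not repeat the previous instruction
        Set ci = Nothing
        Set ci = li.Tag
        If Not ci Is Nothing Then push t, ci.toString()
        push t, String(60, "-")
    Next

    Err.Clear
    WriteFile fPath, Join(t, vbCrLf)

    'WriteFile is defined elsewhere and may handle its own errors, so also
    'confirm that the file now exists (any old copy was deleted above)
    If Err.Number <> 0 Or Not FileExists(fPath) Then
        MsgBox "Failed to save: " & vbCrLf & vbCrLf & fPath & vbCrLf & vbCrLf & Err.Description
        Exit Sub
    End If

    MsgBox FileLen(fPath) & " bytes saved to: " & vbCrLf & vbCrLf & fPath

End Sub

'Shows the details of the clicked instruction (stored in the row's Tag by test) in Text1
Private Sub lv_ItemClick(ByVal Item As MSComctlLib.ListItem)
    Dim ci As CInstruction
    Set ci = Item.Tag
    Text1 = ci.toString()
End Sub

'Empties the status list, the instruction list and the detail box
Function clearForm()
    List1.Clear
    lv.ListItems.Clear
    Text1 = Empty
End Function

'Stretches the single ListView column to the control width and resets the form state
Private Sub Form_Load()
    lv.ColumnHeaders(1).Width = lv.Width
    clearForm
    'No sample has been run yet; Command2_Click refuses to save in this state
    lastSample = -1
End Sub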