how to detect when capstone skipped data?

Asked Jan 14 '22 at 23:25

Active Jan 14 '22 at 23:25

Viewed 118 times

Say, I have the following opcodes \x12\x02\x88\x3C\xDF\xA1\x29\xC7\x74\x08\xDF\xE3. In these opcodes \xDF\xE3 is invalid instructions. So, I call capstone's disassembly to disassemble these instructions for me. My question is, is there a way to know if capstone failed to disassemble or skipped through any of the bytes and if so, which bytes was it?

I currently disassemble opcodes as following:

md = Cs(CS_ARCH_X86, CS_MODE_32)
md.skipdata = True
md.detail = True
for i in md.disasm(data, dataLength):
    print(data)

asked Jan 14 '22 at 23:25

neehack

Check which disassembled instructions have the ".byte" mnemonic (or some custom mnemonic you have set yourself). It may or may not not be straightforward to map these back to the exact bytes. You can get more information here: https://www.capstone-engine.org/skipdata.html – Luke Kurlandski Dec 13 '22 at 15:23

how to detect when capstone skipped data?

0 Answers0