1VERSION 5.00 2Object = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}#2.0#0"; "mscomctl.ocx" 3Begin VB.Form Form1 4 Caption = "VB6 Bindings for Capstone Disassembly Engine - Contributed by FireEye FLARE Team" 5 ClientHeight = 7290 6 ClientLeft = 60 7 ClientTop = 345 8 ClientWidth = 10275 9 LinkTopic = "Form1" 10 ScaleHeight = 7290 11 ScaleWidth = 10275 12 StartUpPosition = 2 'CenterScreen 13 Begin VB.CommandButton Command2 14 Caption = "Save" 15 Height = 375 16 Left = 8760 17 TabIndex = 8 18 Top = 120 19 Width = 1455 20 End 21 Begin VB.CommandButton Command1 22 Caption = " Arm 64" 23 Height = 375 24 Index = 4 25 Left = 6840 26 TabIndex = 7 27 Top = 120 28 Width = 1455 29 End 30 Begin VB.CommandButton Command1 31 Caption = "Arm" 32 Height = 375 33 Index = 3 34 Left = 5160 35 TabIndex = 6 36 Top = 120 37 Width = 1455 38 End 39 Begin VB.CommandButton Command1 40 Caption = "x86 64bit" 41 Height = 375 42 Index = 2 43 Left = 3480 44 TabIndex = 5 45 Top = 120 46 Width = 1455 47 End 48 Begin VB.CommandButton Command1 49 Caption = "x86 16bit" 50 Height = 375 51 Index = 0 52 Left = 120 53 TabIndex = 4 54 Top = 120 55 Width = 1455 56 End 57 Begin VB.CommandButton Command1 58 Caption = "x86 32bit" 59 Height = 375 60 Index = 1 61 Left = 1800 62 TabIndex = 3 63 Top = 120 64 Width = 1455 65 End 66 Begin MSComctlLib.ListView lv 67 Height = 2415 68 Left = 120 69 TabIndex = 2 70 Top = 1440 71 Width = 10095 72 _ExtentX = 17806 73 _ExtentY = 4260 74 View = 3 75 LabelEdit = 1 76 LabelWrap = -1 'True 77 HideSelection = 0 'False 78 FullRowSelect = -1 'True 79 _Version = 393217 80 ForeColor = -2147483640 81 BackColor = -2147483643 82 BorderStyle = 1 83 Appearance = 1 84 BeginProperty Font {0BE35203-8F91-11CE-9DE3-00AA004BB851} 85 Name = "Courier" 86 Size = 9.75 87 Charset = 0 88 Weight = 400 89 Underline = 0 'False 90 Italic = 0 'False 91 Strikethrough = 0 'False 92 EndProperty 93 NumItems = 1 94 BeginProperty ColumnHeader(1) {BDD1F052-858B-11D1-B16A-00C0F0283628} 95 Object.Width = 2540 96 EndProperty 97 End 98 Begin VB.ListBox List1 99 BeginProperty Font 100 Name = "Courier" 101 Size = 9.75 102 Charset = 0 103 Weight = 400 104 Underline = 0 'False 105 Italic = 0 'False 106 Strikethrough = 0 'False 107 EndProperty 108 Height = 840 109 Left = 120 110 TabIndex = 1 111 Top = 600 112 Width = 10095 113 End 114 Begin VB.TextBox Text1 115 BeginProperty Font 116 Name = "Courier" 117 Size = 9.75 118 Charset = 0 119 Weight = 400 120 Underline = 0 'False 121 Italic = 0 'False 122 Strikethrough = 0 'False 123 EndProperty 124 Height = 3375 125 Left = 120 126 MultiLine = -1 'True 127 ScrollBars = 3 'Both 128 TabIndex = 0 129 Text = "Form1.frx":0000 130 Top = 3840 131 Width = 10095 132 End 133End 134Attribute VB_Name = "Form1" 135Attribute VB_GlobalNameSpace = False 136Attribute VB_Creatable = False 137Attribute VB_PredeclaredId = True 138Attribute VB_Exposed = False 139Option Explicit 140 141'Capstone Disassembly Engine bindings for VB6 142'Contributed by FireEye FLARE Team 143'Author: David Zimmer <david.zimmer@fireeye.com>, <dzzie@yahoo.com> 144'License: Apache 145'Copyright: FireEye 2017 146 147Dim cap As CDisassembler 148Dim lastSample As Long 149 150Private Sub Command1_Click(index As Integer) 151 152 Dim code() As Byte, arch As cs_arch, mode As cs_mode 153 lastSample = index 154 155 Const x86_code32 As String = "\x8d\x4c\x32\x08\x01\xd8\x81\xc6\x34\x12\x00\x00\x05\x23\x01\x00\x00\x36\x8b\x84\x91\x23\x01\x00\x00\x41\x8d\x84\x39\x89\x67\x00\x00\x8d\x87\x89\x67\x00\x00\xb4\xc6" 156 Const X86_CODE16 As String = "\x8d\x4c\x32\x08\x01\xd8\x81\xc6\x34\x12\x00\x00\x05\x23\x01\x00\x00\x36\x8b\x84\x91\x23\x01\x00\x00\x41\x8d\x84\x39\x89\x67\x00\x00\x8d\x87\x89\x67\x00\x00\xb4\xc6" 157 Const X86_CODE64 As String = "\x55\x48\x8b\x05\xb8\x13\x00\x00" 158 Const ARM_CODE As String = "\xED\xFF\xFF\xEB\x04\xe0\x2d\xe5\x00\x00\x00\x00\xe0\x83\x22\xe5\xf1\x02\x03\x0e\x00\x00\xa0\xe3\x02\x30\xc1\xe7\x00\x00\x53\xe3\x00\x02\x01\xf1\x05\x40\xd0\xe8\xf4\x80\x00\x00" 159 Const ARM64_CODE As String = "\x09\x00\x38\xd5\xbf\x40\x00\xd5\x0c\x05\x13\xd5\x20\x50\x02\x0e\x20\xe4\x3d\x0f\x00\x18\xa0\x5f\xa2\x00\xae\x9e\x9f\x37\x03\xd5\xbf\x33\x03\xd5\xdf\x3f\x03\xd5\x21\x7c\x02\x9b\x21\x7c\x00\x53\x00\x40\x21\x4b\xe1\x0b\x40\xb9\x20\x04\x81\xda\x20\x08\x02\x8b\x10\x5b\xe8\x3c" 160 161 Select Case index 162 Case 0: 163 arch = CS_ARCH_X86 164 mode = CS_MODE_16 165 code = toBytes(X86_CODE16) 166 Case 1: 167 arch = CS_ARCH_X86 168 mode = CS_MODE_32 169 code = toBytes(x86_code32) 170 Case 2: 171 arch = CS_ARCH_X86 172 mode = CS_MODE_64 173 code = toBytes(X86_CODE64) 174 175 Case 3: 176 arch = CS_ARCH_ARM 177 mode = CS_MODE_ARM 178 code = toBytes(ARM_CODE) 179 180 Case 4: 181 arch = CS_ARCH_ARM64 182 mode = CS_MODE_ARM 183 code = toBytes(ARM64_CODE) 184 End Select 185 186 187 test code, arch, mode 188 189End Sub 190 191Private Sub test(code() As Byte, arch As cs_arch, mode As cs_mode) 192 193 194 Dim ret As Collection 195 Dim ci As CInstruction 196 Dim li As ListItem 197 198 clearForm 199 If Not cap Is Nothing Then Set cap = Nothing 200 201 Set cap = New CDisassembler 202 203 If Not cap.init(arch, mode, True) Then 204 List1.AddItem "Failed to init engine: " & cap.errMsg 205 Exit Sub 206 End If 207 208 List1.AddItem "Capstone loaded @ 0x" & Hex(cap.hLib) 209 List1.AddItem "hEngine: 0x" & Hex(cap.hCapstone) 210 List1.AddItem "Version: " & cap.version 211 212 If cap.vMajor < 3 Then 213 List1.AddItem "Sample requires Capstone v3+" 214 Exit Sub 215 End If 216 217 Set ret = cap.disasm(&H1000, code) 218 219 For Each ci In ret 220 Set li = lv.ListItems.Add(, , ci.text) 221 Set li.Tag = ci 222 Next 223 224End Sub 225 226Private Sub Command2_Click() 227 228 Dim fName() As String 229 Dim fPath As String 230 Dim t() As String 231 Dim li As ListItem 232 Dim ci As CInstruction 233 234 On Error Resume Next 235 236 If lastSample = -1 Then 237 MsgBox "Run a test first..." 238 Exit Sub 239 End If 240 241 fName = Split("16b,32b,64b,Arm,Arm64", ",") 242 243 fPath = App.path & "\vb" & fName(lastSample) & "Test.txt" 244 If FileExists(fPath) Then Kill fPath 245 246 For Each li In lv.ListItems 247 push t, li.text 248 Set ci = li.Tag 249 push t, ci.toString() 250 push t, String(60, "-") 251 Next 252 253 WriteFile fPath, Join(t, vbCrLf) 254 255 MsgBox FileLen(fPath) & " bytes saved to: " & vbCrLf & vbCrLf & fPath 256 257End Sub 258 259Private Sub lv_ItemClick(ByVal Item As MSComctlLib.ListItem) 260 Dim ci As CInstruction 261 Set ci = Item.Tag 262 Text1 = ci.toString() 263End Sub 264 265Function clearForm() 266 List1.Clear 267 lv.ListItems.Clear 268 Text1 = Empty 269End Function 270 271Private Sub Form_Load() 272 lv.ColumnHeaders(1).Width = lv.Width 273 clearForm 274 lastSample = -1 275End Sub 276