By default, the LyScript plugin does not provide the ability to fetch the previous and next assembly instructions, although you can use theLyScriptToolsToolkit directly call the built-in commands to get, but this way is obviously not ideal in terms of efficiency, we need to LyScript plug-in API based on their own package to achieve this function.
LyScript project address:/lyshark/LyScript
Get the next assembly instruction
The next assembly instruction needs to note that if the instruction is hit, it should be a CC breakpoint to take up a byte, if not, it is normal to get the current instruction.
1. We need to check whether the current memory breakpoint has been hit, if not then it means that here we need to get the length of the original assembly instruction, and then add it with the current eip address to get.
2. If a breakpoint is hit, there are two scenarios here
1.1 If the breakpoint is placed by the user, the debugger here replaces CC at the instruction location, which is the init stop instruction in assembly, which takes up 1 byte and requires eip+1 to get.
1.2 If it is a system breakpoint, the location where the EIP stays, then we need to get the current instruction address normally, here the debugger does not change the assembly instructions only under the exception breakpoint.
from LyScript32 import MyDebug
# Get the next instruction of the current EIP instruction
def get_disasm_next(dbg,eip):
next = 0
# Check if the current memory address is tripped
check_breakpoint = dbg.check_breakpoint(eip)
# Indicates that a breakpoint exists, if so it's a byte here
if check_breakpoint == True:
# Then determine whether the current is EIP, if it is EIP need to use the original byte
local_eip = dbg.get_register("eip")
# That means it's an EIP and it hit the breakpoint #
if local_eip == eip:
dis_size = dbg.get_disasm_operand_size(eip)
next = eip + dis_size
next_asm = dbg.get_disasm_one_code(next)
return next_asm
else:
next = eip + 1
next_asm = dbg.get_disasm_one_code(next)
return next_asm
return None
# If not, you need to get the length of the original assembly code.
elif check_breakpoint == False:
# Get the current instruction length
dis_size = dbg.get_disasm_operand_size(eip)
next = eip + dis_size
next_asm = dbg.get_disasm_one_code(next)
return next_asm
else:
return None
if __name__ == "__main__":
dbg = MyDebug()
()
eip = dbg.get_register("eip")
next = get_disasm_next(dbg,eip)
print("next command: {}".format(next))
prev = get_disasm_next(dbg,12391436)
print("next command: {}".format(prev))
()
Get the results below:
Get the last assembly instruction
The difficulty of obtaining the last instruction is that we can not determine how long the last instruction of the current instruction is, so we can only use the stupid way, scanning line by line to compare the assembly instruction, if you find it, then take out its last instruction.
from LyScript32 import MyDebug
# Get the previous instruction of the current EIP instruction
def get_disasm_prev(dbg,eip):
prev_dasm = None
# Get the current assembly instruction
local_disasm = dbg.get_disasm_one_code(eip)
# Can only scan 10 lines up
eip = eip - 10
disasm = dbg.get_disasm_code(eip,10)
# Cyclic scanning assembly code
for index in range(0,len(disasm)):
# If you find it, take out his last assembly code #
if disasm[index].get("opcode") == local_disasm:
prev_dasm = disasm[index-1].get("opcode")
break
return prev_dasm
if __name__ == "__main__":
dbg = MyDebug()
()
eip = dbg.get_register("eip")
next = get_disasm_prev(dbg,eip)
print("previous instruction: {}".format(next))
()
The output effect is as follows:
To this point, this article on LyScript to get the last assembly instruction with the next assembly instruction method details of the article is introduced to this, more relevant LyScript to get the contents of the assembly instruction, please search for my previous posts or continue to browse the following articles hope that you will support me in the future more!