VERSION 5.00 Object = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}#2.0#0"; "mscomctl.ocx" Begin VB.Form Form1 Caption = "VB6 Bindings for Capstone Disassembly Engine - Contributed by FireEye FLARE Team" ClientHeight = 7290 ClientLeft = 60 ClientTop = 345 ClientWidth = 10275 LinkTopic = "Form1" ScaleHeight = 7290 ScaleWidth = 10275 StartUpPosition = 2 'CenterScreen Begin VB.CommandButton Command2 Caption = "Save" Height = 375 Left = 8760 TabIndex = 8 Top = 120 Width = 1455 End Begin VB.CommandButton Command1 Caption = " Arm 64" Height = 375 Index = 4 Left = 6840 TabIndex = 7 Top = 120 Width = 1455 End Begin VB.CommandButton Command1 Caption = "Arm" Height = 375 Index = 3 Left = 5160 TabIndex = 6 Top = 120 Width = 1455 End Begin VB.CommandButton Command1 Caption = "x86 64bit" Height = 375 Index = 2 Left = 3480 TabIndex = 5 Top = 120 Width = 1455 End Begin VB.CommandButton Command1 Caption = "x86 16bit" Height = 375 Index = 0 Left = 120 TabIndex = 4 Top = 120 Width = 1455 End Begin VB.CommandButton Command1 Caption = "x86 32bit" Height = 375 Index = 1 Left = 1800 TabIndex = 3 Top = 120 Width = 1455 End Begin MSComctlLib.ListView lv Height = 2415 Left = 120 TabIndex = 2 Top = 1440 Width = 10095 _ExtentX = 17806 _ExtentY = 4260 View = 3 LabelEdit = 1 LabelWrap = -1 'True HideSelection = 0 'False FullRowSelect = -1 'True _Version = 393217 ForeColor = -2147483640 BackColor = -2147483643 BorderStyle = 1 Appearance = 1 BeginProperty Font {0BE35203-8F91-11CE-9DE3-00AA004BB851} Name = "Courier" Size = 9.75 Charset = 0 Weight = 400 Underline = 0 'False Italic = 0 'False Strikethrough = 0 'False EndProperty NumItems = 1 BeginProperty ColumnHeader(1) {BDD1F052-858B-11D1-B16A-00C0F0283628} Object.Width = 2540 EndProperty End Begin VB.ListBox List1 BeginProperty Font Name = "Courier" Size = 9.75 Charset = 0 Weight = 400 Underline = 0 'False Italic = 0 'False Strikethrough = 0 'False EndProperty Height = 840 Left = 120 TabIndex = 1 Top = 600 Width = 10095 End Begin VB.TextBox Text1 BeginProperty Font Name = "Courier" Size = 9.75 Charset = 0 Weight = 400 Underline = 0 'False Italic = 0 'False Strikethrough = 0 'False EndProperty Height = 3375 Left = 120 MultiLine = -1 'True ScrollBars = 3 'Both TabIndex = 0 Text = "Form1.frx":0000 Top = 3840 Width = 10095 End End Attribute VB_Name = "Form1" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Option Explicit 'Capstone Disassembly Engine bindings for VB6 'Contributed by FireEye FLARE Team 'Author: David Zimmer , 'License: Apache 'Copyright: FireEye 2017 Dim cap As CDisassembler Dim lastSample As Long Private Sub Command1_Click(index As Integer) Dim code() As Byte, arch As cs_arch, mode As cs_mode lastSample = index Const x86_code32 As String = "\x8d\x4c\x32\x08\x01\xd8\x81\xc6\x34\x12\x00\x00\x05\x23\x01\x00\x00\x36\x8b\x84\x91\x23\x01\x00\x00\x41\x8d\x84\x39\x89\x67\x00\x00\x8d\x87\x89\x67\x00\x00\xb4\xc6" Const X86_CODE16 As String = "\x8d\x4c\x32\x08\x01\xd8\x81\xc6\x34\x12\x00\x00\x05\x23\x01\x00\x00\x36\x8b\x84\x91\x23\x01\x00\x00\x41\x8d\x84\x39\x89\x67\x00\x00\x8d\x87\x89\x67\x00\x00\xb4\xc6" Const X86_CODE64 As String = "\x55\x48\x8b\x05\xb8\x13\x00\x00" Const ARM_CODE As String = "\xED\xFF\xFF\xEB\x04\xe0\x2d\xe5\x00\x00\x00\x00\xe0\x83\x22\xe5\xf1\x02\x03\x0e\x00\x00\xa0\xe3\x02\x30\xc1\xe7\x00\x00\x53\xe3\x00\x02\x01\xf1\x05\x40\xd0\xe8\xf4\x80\x00\x00" Const ARM64_CODE As String = "\x09\x00\x38\xd5\xbf\x40\x00\xd5\x0c\x05\x13\xd5\x20\x50\x02\x0e\x20\xe4\x3d\x0f\x00\x18\xa0\x5f\xa2\x00\xae\x9e\x9f\x37\x03\xd5\xbf\x33\x03\xd5\xdf\x3f\x03\xd5\x21\x7c\x02\x9b\x21\x7c\x00\x53\x00\x40\x21\x4b\xe1\x0b\x40\xb9\x20\x04\x81\xda\x20\x08\x02\x8b\x10\x5b\xe8\x3c" Select Case index Case 0: arch = CS_ARCH_X86 mode = CS_MODE_16 code = toBytes(X86_CODE16) Case 1: arch = CS_ARCH_X86 mode = CS_MODE_32 code = toBytes(x86_code32) Case 2: arch = CS_ARCH_X86 mode = CS_MODE_64 code = toBytes(X86_CODE64) Case 3: arch = CS_ARCH_ARM mode = CS_MODE_ARM code = toBytes(ARM_CODE) Case 4: arch = CS_ARCH_ARM64 mode = CS_MODE_ARM code = toBytes(ARM64_CODE) End Select test code, arch, mode End Sub Private Sub test(code() As Byte, arch As cs_arch, mode As cs_mode) Dim ret As Collection Dim ci As CInstruction Dim li As ListItem clearForm If Not cap Is Nothing Then Set cap = Nothing Set cap = New CDisassembler If Not cap.init(arch, mode, True) Then List1.AddItem "Failed to init engine: " & cap.errMsg Exit Sub End If List1.AddItem "Capstone loaded @ 0x" & Hex(cap.hLib) List1.AddItem "hEngine: 0x" & Hex(cap.hCapstone) List1.AddItem "Version: " & cap.version If cap.vMajor < 3 Then List1.AddItem "Sample requires Capstone v3+" Exit Sub End If Set ret = cap.disasm(&H1000, code) For Each ci In ret Set li = lv.ListItems.Add(, , ci.text) Set li.Tag = ci Next End Sub Private Sub Command2_Click() Dim fName() As String Dim fPath As String Dim t() As String Dim li As ListItem Dim ci As CInstruction On Error Resume Next If lastSample = -1 Then MsgBox "Run a test first..." Exit Sub End If fName = Split("16b,32b,64b,Arm,Arm64", ",") fPath = App.path & "\vb" & fName(lastSample) & "Test.txt" If FileExists(fPath) Then Kill fPath For Each li In lv.ListItems push t, li.text Set ci = li.Tag push t, ci.toString() push t, String(60, "-") Next WriteFile fPath, Join(t, vbCrLf) MsgBox FileLen(fPath) & " bytes saved to: " & vbCrLf & vbCrLf & fPath End Sub Private Sub lv_ItemClick(ByVal Item As MSComctlLib.ListItem) Dim ci As CInstruction Set ci = Item.Tag Text1 = ci.toString() End Sub Function clearForm() List1.Clear lv.ListItems.Clear Text1 = Empty End Function Private Sub Form_Load() lv.ColumnHeaders(1).Width = lv.Width clearForm lastSample = -1 End Sub