I have recently been studying disassembly engines. A Google search turned up the Capstone disassembler; it is said that even IDA uses the Capstone engine, so I am recording my notes here.
Capstone official site: http://www.capstone-engine.org/
GitHub source download: https://github.com/aquynh/capstone
In terms of architecture coverage Capstone is very rich. Multi-architectures: Arm, Arm64 (Armv8), BPF, Ethereum Virtual Machine, M68K, M680X, Mips, MOS65XX, PowerPC, RISCV, Sparc, SystemZ, TMS320C64X, Web Assembly, XCore & X86 (include X86_64)
1. In my tests the decoding rate is not very fast (the cause is that printf pushes the output straight out; with printf removed and the output written directly to a file, a 14M binary file in memory takes about 5 s, which is even faster than Intel XED);
2. It requires dynamic memory: judging from the implementation, a buffer as large as the input file has to be allocated, and memory must also be allocated for the disasm buffer;
3. The code architecture is fairly complex, so the cost of adapting it is rather high;
After downloading the source:
// unpack the archive
curtis@curtis-virtual-machine:~/Desktop$ unzip capstone-master.zip
// build
curtis@curtis-virtual-machine:~/Desktop/capstone-master$ ./make.sh
.........omitted..........
make[1]: Leaving directory `/home/curtis/Desktop/capstone-master/tests'
make -C suite/fuzz
make[1]: Entering directory `/home/curtis/Desktop/capstone-master/suite/fuzz'
CC fuzz_disasm.o
CC drivermc.o
CC driverbin.o
LINK fuzz_disasm
LINK fuzz_bindisasm
make[1]: Leaving directory `/home/curtis/Desktop/capstone-master/suite/fuzz'
install -m0755 ./libcapstone.so.5 ./tests/
cd ./tests/ && rm -f libcapstone.so && ln -s libcapstone.so.5 libcapstone.so
// install the engine: create the directories, install the libraries and install the cstool utility
curtis@curtis-virtual-machine:~/Desktop/capstone-master$ sudo ./make.sh install
mkdir -p /usr/lib
install -m0755 ./libcapstone.so.5 /usr/lib
cd /usr/lib && rm -f libcapstone.so && ln -s libcapstone.so.5 libcapstone.so
install -m0644 ./libcapstone.a /usr/lib
mkdir -p /usr/include/capstone
install -m0644 include/capstone/*.h /usr/include/capstone
mkdir -p /usr/lib/pkgconfig
install -m0644 ./capstone.pc /usr/lib/pkgconfig
mkdir -p /usr/bin
install -m0755 cstool/cstool /usr/bin//capstone so&a 库大小
curtis@curtis-virtual-machine:/usr/lib$ ls -alh | grep capstone
-rw-r--r-- 1 root root 5.7M 10月 26 17:57 libcapstone.a
lrwxrwxrwx 1 root root 16 10月 26 17:57 libcapstone.so -> libcapstone.so.5
-rwxr-xr-x 1 root root 4.4M 10月 26 17:57 libcapstone.so.5
// size of the generated ins.asm
curtis@curtis-virtual-machine:~/Desktop$ ls -alh | grep ins.asm
-rwxr-xr-x 1 curtis curtis 395M 10月 28 10:40 ins.asm
// uninstall capstone
curtis@curtis-virtual-machine:~/Desktop/capstone-master$ sudo ./make.sh uninstall
[sudo] password for curtis:
rm -rf /usr/include/capstone
rm -f /usr/lib/libcapstone.*
rm -f /usr/lib/pkgconfig/capstone.pc
rm -f /usr/bin/cstool
First, a look at how the cstool utility itself is used:
curtis@curtis-virtual-machine:~/Desktop/capstone-master$ cstool
Cstool for Capstone Disassembler Engine v5.0.0

Syntax: cstool [-u|-d|-s|-v] <arch+mode> <assembly-hexstring> [start-address-in-hex-format]

The following <arch+mode> options are supported:

        x16         16-bit mode (X86)
        x32         32-bit mode (X86)
        x64         64-bit mode (X86)
        x16att      16-bit mode (X86), syntax AT&T
        x32att      32-bit mode (X86), syntax AT&T
        x64att      64-bit mode (X86), syntax AT&T
        arm         arm
        armbe       arm + big endian
        thumb       thumb mode
        thumbbe     thumb + big endian
        cortexm     thumb + cortex-m extensions
        arm64       aarch64 mode
        arm64be     aarch64 + big endian
        mips        mips32 + little endian
        mipsbe      mips32 + big endian
        mips64      mips64 + little endian
        mips64be    mips64 + big endian
        ppc64       ppc64 + little endian
        ppc64be     ppc64 + big endian
        sparc       sparc
        systemz     systemz (s390x)
        xcore       xcore
        m68k        m68k + big endian
        m68k40      m68k_040
        tms320c64x  TMS320C64x
        m6800       M6800/2
        m6801       M6801/3
        m6805       M6805
        m6808       M68HC08
        m6809       M6809
        m6811       M68HC11
        cpu12       M68HC12/HCS12
        hd6301      HD6301/3
        hd6309      HD6309
        hcs08       HCS08
        evm         Ethereum Virtual Machine
        mos65xx     MOS65XX family

Extra options:

        -d show detailed information of the instructions
        -u show immediates as unsigned
        -s decode in SKIPDATA mode
        -v show version & Capstone core build info
Now look at the concrete example from the README:
$cstool x32 "90 91"
That is, after choosing the cstool options, you pass in the encoding to be disassembled;
// For example, to see the assembly that corresponds to this x86_64 encoding:
488d 2551 3f60 01e8 d400 0000 488d 3ded ffff ff56 e8d7 0100 005e 4805 0060 f203 eb20 0f1f 4000 662e 0f1f 8400 0000 0000 e8ab 0000 0056 e8c5 1f00 005e 4805 00a0
curtis@curtis-virtual-machine:~/Desktop/capstone-master/cstool$ cstool -u x64 "488d 2551 3f60 01e8 d400 0000 488d 3ded ffff ff56 e8d7 0100 005e 4805 0060 f203 eb20 0f1f 4000 662e 0f1f 8400 0000 0000 e8ab 0000 0056 e8c5 1f00 005e 4805 00a0"
0 48 8d 25 51 3f 60 01 lea rsp, [rip + 0x1603f51]
7 e8 d4 00 00 00 call 0xe0
c 48 8d 3d ed ff ff ff lea rdi, [rip - 0x13]
13 56 push rsi
14 e8 d7 01 00 00 call 0x1f0
19 5e pop rsi
1a 48 05 00 60 f2 03 add rax, 0x3f26000
20 eb 20 jmp 0x42
22 0f 1f 40 00 nop dword ptr [rax]
26 66 2e 0f 1f 84 00 00 00 00 00 nop word ptr cs:[rax + rax]
30 e8 ab 00 00 00 call 0xe0
35 56 push rsi
36 e8 c5 1f 00 00 call 0x2000
3b 5e pop rsi
// the assembly code was disassembled successfully
Disassembling the same encoding with Intel XED:
curtis@curtis-virtual-machine:~/Desktop$ cat 11.txt | head -n 14
XDIS 0: MISC BASE 488D25513F6001 lea rsp, ptr [rip+0x1603f51]
XDIS 7: CALL BASE E8D4000000 call 0xe0
XDIS c: MISC BASE 488D3DEDFFFFFF lea rdi, ptr [rip-0x13]
XDIS 13: PUSH BASE 56 push rsi
XDIS 14: CALL BASE E8D7010000 call 0x1f0
XDIS 19: POP BASE 5E pop rsi
XDIS 1a: BINARY BASE 48050060F203 add rax, 0x3f26000
XDIS 20: UNCOND_BR BASE EB20 jmp 0x42
XDIS 22: WIDENOP BASE 0F1F4000 nop dword ptr [rax], eax
XDIS 26: WIDENOP BASE 662E0F1F840000000000 nop word ptr [rax+rax*1], ax
XDIS 30: CALL BASE E8AB000000 call 0xe0
XDIS 35: PUSH BASE 56 push rsi
XDIS 36: CALL BASE E8C51F0000 call 0x2000
XDIS 3b: POP BASE 5E pop rsi
1. I plan to add two features: change the code argument so that it takes a file path instead, so that disassembling only requires passing the file path;
2. Add an output argument that writes the disassembled code to a file;
3. Add an argument that takes a memory address and prints the 10 assembly instructions before and after that address;
Feature 1 is implemented; I am not publishing the code, but the result is as follows:
curtis@curtis-virtual-machine:~/Desktop/capstone-master/cstool$ ./cstool -u x64 "/home/curtis/Desktop/ins.txt"
0 0f 1f 44 00 00 nop dword ptr [rax + rax]
5 55 push rbp
6 48 89 e5 mov rbp, rsp
9 5d pop rbp
a c3 ret
b 0f 1f 44 00 00 nop dword ptr [rax + rax]
Feature 2 is implemented; I am not publishing the code, but the result is as follows:
// command
curtis@curtis-virtual-machine:~/Desktop/capstone-master/cstool$ ./cstool -u x64 "/home/curtis/Desktop/ins.txt" -o "/home/curtis/Desktop/ins.asm"
// result: the content was written to the file successfully
curtis@curtis-virtual-machine:~/Desktop/capstone-master/cstool$ cat /home/curtis/Desktop/ins.asm
0x 0 48 8d 25 51 3f 60 01 lea rsp, [rip + 0x1603f51]
0x 7 e8 d4 00 00 00 call 0xe0
0x c 48 8d 3d ed ff ff ff lea rdi, [rip - 0x13]
0x13 56 push rsi
0x14 e8 d7 01 00 00 call 0x1f0
0x19 5e pop rsi
0x1a 48 05 00 60 b2 1e add rax, 0x1eb26000
0x20 eb 20 jmp 0x42
0x22 0f 1f 40 00 nop dword ptr [rax]
While implementing this feature I found that when the -u option is used (as seen from log prints I added), the code already caps count at 312, so if the size passed in exceeds 312 assembly instructions the remainder is not disassembled; after studying the Capstone code carefully, we should use the -s option for disassembly instead;
curtis@curtis-virtual-machine:~/Desktop/capstone-master/cstool$ ./cstool -s x64 "/home/curtis/Desktop/ins.txt"
0x 0 48 8d 25 51 3f 60 01 lea rsp, [rip + 0x1603f51]
0x 7 e8 d4 00 00 00 call 0xe0
0x c 48 8d 3d ed ff ff ff lea rdi, [rip - 0x13]
0x13 56 push rsi
0x14 e8 d7 01 00 00 call 0x1f0
0x19 5e pop rsi
0x1a 48 05 00 60 b2 1e add rax, 0x1eb26000
0x20 eb 20 jmp 0x42
0x22 0f 1f 40 00 nop dword ptr [rax]
.......omitted.........
0x447b4 e8 27 2d 03 00 call 0x774e0
0x447b9 66 90 nop
0x447bb 41 83 fc 02 cmp r12d, 2
0x447bf 0f 8e 6f ff ff ff jle 0x44734
0x447c5 48 8d 7b 18 lea rdi, [rbx + 0x18]
0x447c9 e8 d2 fd ff ff call 0x445a0
0x447ce e9 61 ff ff ff jmp 0x44734
0x447d3 48 8b 05 12 e1 7f 01 mov rax, qword ptr [rip + 0x17fe112]