<div dir="ltr"><div><div><div>Igor, are you sure that the "pc" argument and "env->eip" will contain different arguments? I'd guess that "pc" is provided as convenience so that you can avoid architecture-specific #ifdef macros in your plugin code ("env->eip" is x86 specific).<br><br></div>InGap, could you elaborate on what you attempt to achieve?<br><br></div>Reconstructing mybin.exe from an execution trace is a non-trivial task. Even in the (unlikely) case you have full coverage of mybin.exe in the execution trace (i.e. every instruction in mybin.exe was executed at least once), the order of the instructions as executed still may be different than the order they appear in the binary. Moreover, executables are not plain instruction dumps. They contain a lot of structured information (see <a href="https://en.wikipedia.org/wiki/Portable_Executable">https://en.wikipedia.org/wiki/Portable_Executable</a>) that you will not be able to recapture just by observing the execution.<br><br></div>M.<br><div><br><br><div><div><div><div><div class="gmail_extra"><div class="gmail_quote">2015-08-17 8:33 GMT+02:00 Igor R <span dir="ltr"><<a href="mailto:boost.lists@gmail.com" target="_blank">boost.lists@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">> I trying to get the "mybin.exe'' 's original assembly code(opcode) in the PANDA plugin.<br>
> (for tracing binary's opcode, registers, memory ..)<br>
><br>
> Host OS : ubuntu x64<br>
> Guest OS : windows xp x86<br>
> Test binary : mybin.exe<br>
><br>
> I got the opcode using panda_virtual_memory_rw function at PANDA_CB_INSN_TRANSLATE.<br>
> ex) panda_virtual_memory_rw(env, env->eip, buf, 20, 0);<br>
><br>
> but, It is not same as original assembly code('mybin.exe').<br>
> It seems to be translated by the PANDA.<br>
<br>
<br>
<br>
</span>Quoting from the documentation:<br>
<<<br>
insn_translate: called before the translation of each instruction<br>
<br>
Callback ID: PANDA_CB_INSN_TRANSLATE<br>
<br>
Arguments:<br>
<br>
CPUState *env: the current CPU state<br>
target_ulong pc: the guest PC we are about to translate<br>
>><br>
<br>
So, if you need the opcode of the instruction being translated, you<br>
should read the memory from "pc" address (rather than env->ip).<br>
_______________________________________________<br>
panda-users mailing list<br>
<a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
</blockquote></div><br></div></div></div></div></div></div></div>