Capstone doesn't disassemble past INVALID instruction

Question

I am using capstone to disassemble a ELF binary and I noticed that when it prints out the instructions , it stops at the invalid instruction and will not continue. I noticed the stopping instruction appears to be invalid when I looked at this in cutter.

How should I handle this?

If you want to compile this , you will need to install capstone and link against it

gcc foo.c -o foo -l capstone

Here is my code:

#include <stdio.h>
#include <inttypes.h>

#include <capstone/capstone.h>

#define CODE "\x55\x48\x8b\x05\xb8\x13\x00\x00"

int main(void)
{
    csh handle;
    cs_insn *insn;
    size_t count;
    FILE * f = fopen ("/home/luser/readconf", "rb");

    fseek(f, 0, SEEK_END);
    long fsize = ftell(f);
    fseek(f, 0, SEEK_SET);  /* same as rewind(f); */

    char *buffer = malloc(fsize + 10);
    fread(buffer, 1, fsize, f);


//  for (int i =0; i < 100 ; i++){
//  char letter = (int *)buffer[i];
//      printf("0x%hhx \n", letter);
//  }

    if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK)
        return -1;
    count = cs_disasm(handle, buffer, 3000, 0x740, 0, &insn);
    if (count > 0) {
        size_t j;
        for (j = 0; j < count; j++) {
            printf("0x%"PRIx64":\t%s\t\t%s\n", insn[j].address, insn[j].mnemonic, insn[j].op_str);
        }

        cs_free(insn, count);
    } else
        printf("ERROR: Failed to disassemble given code!\n");

    cs_close(&handle);

    return 0;

}

Output:

0x740:  jg      0x787
0x742:  add     r8b, byte ptr [rcx]
0x746:  add     dword ptr [rax], eax
0x748:  add     byte ptr [rax], al
0x74a:  add     byte ptr [rax], al
0x74c:  add     byte ptr [rax], al
0x74e:  add     byte ptr [rax], al
0x750:  add     eax, dword ptr [rax]
0x752:  add     byte ptr ds:[rcx], al
0x755:  add     byte ptr [rax], al
0x757:  add     byte ptr [rax + 7], al
0x75a:  add     byte ptr [rax], al
0x75c:  add     byte ptr [rax], al
0x75e:  add     byte ptr [rax], al
0x760:  add     byte ptr [rax], al
0x763:  add     byte ptr [rax], al
0x765:  add     byte ptr [rax], al
0x767:  add     byte ptr [rax], ch
0x769:  adc     dword ptr [rax], eax
0x76b:  add     byte ptr [rax], al
0x76d:  add     byte ptr [rax], al
0x76f:  add     byte ptr [rax], al
0x771:  add     byte ptr [rax], al
0x773:  add     byte ptr [rax], al
0x776:  cmp     byte ptr [rax], al
0x778:  or      dword ptr [rax], eax
0x77a:  add     byte ptr [rbx], bl
0x77d:  add     byte ptr [rdx], bl
0x77f:  add     byte ptr [rsi], al
0x781:  add     byte ptr [rax], al
0x783:  add     byte ptr [rax + rax], al
0x786:  add     byte ptr [rax], al
0x788:  add     byte ptr [rax], al
0x78b:  add     byte ptr [rax], al
0x78d:  add     byte ptr [rax], al
0x78f:  add     byte ptr [rax], al
0x792:  add     byte ptr [rax], al
0x794:  add     byte ptr [rax], al
0x796:  add     byte ptr [rax], al
0x798:  add     byte ptr [rax], al
0x79b:  add     byte ptr [rax], al
0x79d:  add     byte ptr [rax], al
0x79f:  add     al, bh
0x7a1:  add     dword ptr [rax], eax
0x7a3:  add     byte ptr [rax], al
0x7a5:  add     byte ptr [rax], al
0x7a7:  add     al, bh
0x7a9:  add     dword ptr [rax], eax
0x7ab:  add     byte ptr [rax], al
0x7ad:  add     byte ptr [rax], al
0x7af:  add     byte ptr [rax], cl
0x7b1:  add     byte ptr [rax], al
0x7b3:  add     byte ptr [rax], al
0x7b5:  add     byte ptr [rax], al
0x7b7:  add     byte ptr [rbx], al
0x7b9:  add     byte ptr [rax], al
0x7bb:  add     byte ptr [rax + rax], al
0x7be:  add     byte ptr [rax], al
0x7c0:  cmp     byte ptr [rdx], al
0x7c2:  add     byte ptr [rax], al
0x7c4:  add     byte ptr [rax], al
0x7c6:  add     byte ptr [rax], al
0x7c8:  cmp     byte ptr [rdx], al
0x7ca:  add     byte ptr [rax], al
0x7cc:  add     byte ptr [rax], al
0x7ce:  add     byte ptr [rax], al
0x7d0:  cmp     byte ptr [rdx], al
0x7d2:  add     byte ptr [rax], al
0x7d4:  add     byte ptr [rax], al
0x7d6:  add     byte ptr [rax], al
0x7d8:  sbb     al, 0
0x7da:  add     byte ptr [rax], al
0x7dc:  add     byte ptr [rax], al
0x7de:  add     byte ptr [rax], al
0x7e0:  sbb     al, 0
0x7e2:  add     byte ptr [rax], al
0x7e4:  add     byte ptr [rax], al
0x7e6:  add     byte ptr [rax], al
0x7e8:  add     dword ptr [rax], eax
0x7ea:  add     byte ptr [rax], al
0x7ec:  add     byte ptr [rax], al
0x7ee:  add     byte ptr [rax], al
0x7f0:  add     dword ptr [rax], eax
0x7f2:  add     byte ptr [rax], al
0x7f4:  add     eax, 0
0x7f9:  add     byte ptr [rax], al
0x7fb:  add     byte ptr [rax], al
0x7fd:  add     byte ptr [rax], al
0x7ff:  add     byte ptr [rax], al
0x801:  add     byte ptr [rax], al
0x803:  add     byte ptr [rax], al
0x805:  add     byte ptr [rax], al
0x807:  add     byte ptr [rax], al
0x809:  add     byte ptr [rax], al
0x80b:  add     byte ptr [rax], al
0x80d:  add     byte ptr [rax], al
0x80f:  add     byte ptr [rax], bh
0x811:  or      al, 0
0x813:  add     byte ptr [rax], al
0x815:  add     byte ptr [rax], al
0x817:  add     byte ptr [rax], bh
0x819:  or      al, 0
0x81b:  add     byte ptr [rax], al
0x81d:  add     byte ptr [rax], al
0x81f:  add     byte ptr [rax], al
0x821:  add     byte ptr [rax], ah
0x823:  add     byte ptr [rax], al
0x825:  add     byte ptr [rax], al
0x827:  add     byte ptr [rcx], al
0x829:  add     byte ptr [rax], al
0x82b:  add     byte ptr [rsi], al
0x82d:  add     byte ptr [rax], al
0x82f:  add     byte ptr [rax + 0xd], cl
0x835:  add     byte ptr [rax], al
0x837:  add     byte ptr [rax + 0x200d], cl
0x83d:  add     byte ptr [rax], al
0x83f:  add     byte ptr [rax + 0x200d], cl
0x845:  add     byte ptr [rax], al
0x847:  add     byte ptr [rax + 2], cl
0x84d:  add     byte ptr [rax], al
0x84f:  add     byte ptr [rax + 2], dl
0x855:  add     byte ptr [rax], al
0x857:  add     byte ptr [rax], al
0x859:  add     byte ptr [rax], ah
0x85b:  add     byte ptr [rax], al
0x85d:  add     byte ptr [rax], al
0x85f:  add     byte ptr [rdx], al
0x861:  add     byte ptr [rax], al
0x863:  add     byte ptr [rsi], al
0x865:  add     byte ptr [rax], al
0x867:  add     byte ptr [rax + 0xd], bl
0x86d:  add     byte ptr [rax], al
0x86f:  add     byte ptr [rax + 0x200d], bl
0x875:  add     byte ptr [rax], al
0x877:  add     byte ptr [rax + 0x200d], bl
0x87d:  add     byte ptr [rax], al
0x87f:  add     al, dh
0x881:  add     dword ptr [rax], eax
0x883:  add     byte ptr [rax], al
0x885:  add     byte ptr [rax], al
0x887:  add     al, dh
0x889:  add     dword ptr [rax], eax
0x88b:  add     byte ptr [rax], al
0x88d:  add     byte ptr [rax], al
0x88f:  add     byte ptr [rax], cl
0x891:  add     byte ptr [rax], al
0x893:  add     byte ptr [rax], al
0x895:  add     byte ptr [rax], al
0x897:  add     byte ptr [rax + rax], al
0x89a:  add     byte ptr [rax], al
0x89c:  add     al, 0
0x89e:  add     byte ptr [rax], al
0x8a0:  push        rsp
0x8a1:  add     al, byte ptr [rax]
0x8a3:  add     byte ptr [rax], al
0x8a5:  add     byte ptr [rax], al
0x8a7:  add     byte ptr [rdx + rax], dl
0x8ab:  add     byte ptr [rax], al
0x8ad:  add     byte ptr [rax], al
0x8af:  add     byte ptr [rdx + rax], dl
0x8b3:  add     byte ptr [rax], al
0x8b5:  add     byte ptr [rax], al
0x8b7:  add     byte ptr [rax + rax], al
0x8bb:  add     byte ptr [rax], al
0x8bd:  add     byte ptr [rax], al
0x8bf:  add     byte ptr [rax + rax], al
0x8c3:  add     byte ptr [rax], al
0x8c5:  add     byte ptr [rax], al
0x8c7:  add     byte ptr [rax + rax], al
0x8ca:  add     byte ptr [rax], al
0x8cc:  add     byte ptr [rax], al
0x8ce:  add     byte ptr [rax], al
0x8d0:  push        rax
0x8d1:  in      eax, 0x74
0x8d3:  add     al, 0
0x8d6:  add     byte ptr [rax], al
0x8d8:  enter       0xa, 0
0x8dc:  add     byte ptr [rax], al
0x8de:  add     byte ptr [rax], al
0x8e0:  enter       0xa, 0
0x8e4:  add     byte ptr [rax], al
0x8e6:  add     byte ptr [rax], al
0x8e8:  enter       0xa, 0
0x8ec:  add     byte ptr [rax], al
0x8ee:  add     byte ptr [rax], al
0x8f0:  add     byte ptr [rax], r8b
0x8f3:  add     byte ptr [rax], al
0x8f5:  add     byte ptr [rax], al
0x8f7:  add     byte ptr [rax + rax], al
0x8fb:  add     byte ptr [rax], al
0x8fd:  add     byte ptr [rax], al
0x8ff:  add     byte ptr [rax + rax], al
0x902:  add     byte ptr [rax], al
0x904:  add     byte ptr [rax], al
0x906:  add     byte ptr [rax], al
0x908:  push        rcx
0x909:  in      eax, 0x74

Answer 1

How should I handle this?

A) That isn't code, it's data (you can tell from all the add instructions - they're actually zeros in the data). Disassembling data doesn't make sense to begin with.

B) To disassemble (code) correctly you have to know here an instruction starts (so you don't get a jumbled mess caused by assuming the middle of an instruction is the start of an instruction). When the disassembler sees an invalid instruction it can't determine where the next valid instruction would start and therefore can't continue.

To fix the problem, I'd guess that you need to parse the ELF file's headers to correctly determine where the code actually is in the file. To me (after a brief look at capstone's docs) it looks like you're disassembling the data that is the ELF file's header.