Python distorm3.Decode64Bits() Examples
The following are 29
code examples of distorm3.Decode64Bits().
Example #1
Source File: utils.py From vortessence with GNU General Public License v2.0 | 6 votes |
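def disassemble(data, start, bits='32bit', stoponret=False):
    """Disassemble code with distorm3.

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: '32bit' selects Decode32Bits; any other value selects
                 Decode64Bits
    @param stoponret: stop disasm when the first mnemonic starting with
                      "RET" is reached (that instruction is not yielded)
    @returns: generator of (offset, instruction, hex bytes) tuples
    """
    mode = distorm3.Decode32Bits if bits == '32bit' else distorm3.Decode64Bits

    for offset, _, instruction, hexbytes in distorm3.DecodeGenerator(start, data, mode):
        # A plain `return` ends the generator; `raise StopIteration` inside a
        # generator body is turned into RuntimeError by PEP 479 (Python 3.7+).
        if stoponret and instruction.startswith("RET"):
            return
        yield offset, instruction, hexbytes

# copied from volatility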
Example #2
Source File: disasm.py From filmkodi with Apache License 2.0 | 6 votes |
def _import_dependencies(self):
    """Bind the distorm module on first use and pick the decode flag for self.arch.

    The module-level `distorm3` name is filled in lazily (falling back to the
    older `distorm` package name), then the decoder callable and the
    Decode32Bits/Decode64Bits flag matching self.arch are cached on the
    instance. An arch outside the two supported values raises KeyError.
    """
    global distorm3
    if distorm3 is None:
        # Prefer the distorm3 package; older installs expose it as `distorm`.
        try:
            import distorm3
        except ImportError:
            import distorm as distorm3

    self.__decode = distorm3.Decode

    flag_by_arch = {
        win32.ARCH_I386: distorm3.Decode32Bits,
        win32.ARCH_AMD64: distorm3.Decode64Bits,
    }
    self.__flag = flag_by_arch[self.arch]
Example #3
Source File: code_parser.py From writeups with GNU General Public License v3.0 | 6 votes |
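def find_rr_writes_distorm3(address, data):
    """Find RIP-relative MOV stores in 64-bit code using distorm3.

    @param address: address where `data` is located in memory
    @param data: byte string of code to decompose
    @returns: list of (target_address, size_in_bytes) tuples, one per MOV*
              whose destination operand is RIP-relative absolute memory.
              Scanning stops at the first RET* mnemonic.
    """
    writes = []
    for insn in distorm3.Decompose(address, data, type=distorm3.Decode64Bits):
        if insn.mnemonic[:3] == 'RET':
            break
        # Prefix match on purpose: MOV, MOVSX, MOVZX, ... are all potential writes.
        if insn.mnemonic[:3] != 'MOV' or not insn.operands:
            continue
        opnd = insn.operands[0]
        if opnd.type != 'AbsoluteMemory' or opnd.index is None:
            continue
        # Absolute mov with a register-based target; only RIP-relative counts.
        if distorm3.Registers[opnd.index] != 'RIP':
            continue
        # RIP-relative displacement is resolved against the *next* instruction.
        target = insn.address + insn.size + opnd.disp
        # distorm3 opnd.size is measured in bits; floor-divide so the byte
        # count stays an int on Python 3 as well (`/ 8` would give a float).
        writes.append((target, opnd.size // 8))
    return writes

# Find rip-relative mov using capstone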
Example #4
Source File: process_stack.py From volatility with GNU General Public License v2.0 | 6 votes |
def __init__(self, config, *args, **kwargs):
    """Register plugin options and choose the distorm decode mode.

    Adds the SYMBOL-DIR and DUMP-FILE options to the shared config, resets
    the symbol bookkeeping attributes to None and, when distorm was loaded,
    sets self.decode_as from the profile address size (4 -> Decode32Bits,
    otherwise Decode64Bits). Without distorm, debug.error is called and
    decode_as is left unset.
    """
    linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)

    option_specs = (
        ('SYMBOL-DIR', 's', 'Directory containing files with function symbols'),
        ('DUMP-FILE', 'o', 'Dump an annotated stack to this file'),
    )
    for opt_name, short, help_text in option_specs:
        self._config.add_option(opt_name, short_option=short, default=None,
                                help=help_text, type='str')

    # Filled in later by the plugin; nothing is loaded here.
    self.symbols = None
    self.undefined = None
    self.dump_file = None

    if not distorm_loaded:
        debug.error("You really need the distorm3 python module for this plugin to function properly.")
    else:
        # 4-byte addresses mean a 32-bit profile; anything else is decoded as 64-bit.
        if linux_process_info.address_size == 4:
            self.decode_as = distorm3.Decode32Bits
        else:
            self.decode_as = distorm3.Decode64Bits
Example #5
Source File: process_stack.py From DAMM with GNU General Public License v2.0 | 6 votes |
def __init__(self, config, *args, **kwargs):
    """Register plugin options and choose the distorm decode mode.

    Adds the SYMBOL-DIR and DUMP-FILE options to the shared config, resets
    the symbol bookkeeping attributes to None and, when distorm was loaded,
    sets self.decode_as from the profile address size (4 -> Decode32Bits,
    otherwise Decode64Bits). Without distorm, debug.error is called and
    decode_as is left unset.
    """
    linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)

    option_specs = (
        ('SYMBOL-DIR', 's', 'Directory containing files with function symbols'),
        ('DUMP-FILE', 'o', 'Dump an annotated stack to this file'),
    )
    for opt_name, short, help_text in option_specs:
        self._config.add_option(opt_name, short_option=short, default=None,
                                help=help_text, type='str')

    # Filled in later by the plugin; nothing is loaded here.
    self.symbols = None
    self.undefined = None
    self.dump_file = None

    if not distorm_loaded:
        debug.error("You really need the distorm3 python module for this plugin to function properly.")
    else:
        # 4-byte addresses mean a 32-bit profile; anything else is decoded as 64-bit.
        if linux_process_info.address_size == 4:
            self.decode_as = distorm3.Decode32Bits
        else:
            self.decode_as = distorm3.Decode64Bits
Example #6
Source File: process_stack.py From vortessence with GNU General Public License v2.0 | 6 votes |
def __init__(self, config, *args, **kwargs):
    """Register plugin options and choose the distorm decode mode.

    Adds the SYMBOL-DIR and DUMP-FILE options to the shared config, resets
    the symbol bookkeeping attributes to None and, when distorm was loaded,
    sets self.decode_as from the profile address size (4 -> Decode32Bits,
    otherwise Decode64Bits). Without distorm, debug.error is called and
    decode_as is left unset.
    """
    linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)

    option_specs = (
        ('SYMBOL-DIR', 's', 'Directory containing files with function symbols'),
        ('DUMP-FILE', 'o', 'Dump an annotated stack to this file'),
    )
    for opt_name, short, help_text in option_specs:
        self._config.add_option(opt_name, short_option=short, default=None,
                                help=help_text, type='str')

    # Filled in later by the plugin; nothing is loaded here.
    self.symbols = None
    self.undefined = None
    self.dump_file = None

    if not distorm_loaded:
        debug.error("You really need the distorm3 python module for this plugin to function properly.")
    else:
        # 4-byte addresses mean a 32-bit profile; anything else is decoded as 64-bit.
        if linux_process_info.address_size == 4:
            self.decode_as = distorm3.Decode32Bits
        else:
            self.decode_as = distorm3.Decode64Bits
Example #7
Source File: process_stack.py From volatility with GNU General Public License v2.0 | 6 votes |
def __init__(self, config, *args, **kwargs):
    """Register plugin options and choose the distorm decode mode.

    Adds the SYMBOL-DIR and DUMP-FILE options to the shared config, resets
    the symbol bookkeeping attributes to None and, when distorm was loaded,
    sets self.decode_as from the profile address size (4 -> Decode32Bits,
    otherwise Decode64Bits). Without distorm, debug.error is called and
    decode_as is left unset.
    """
    linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)

    option_specs = (
        ('SYMBOL-DIR', 's', 'Directory containing files with function symbols'),
        ('DUMP-FILE', 'o', 'Dump an annotated stack to this file'),
    )
    for opt_name, short, help_text in option_specs:
        self._config.add_option(opt_name, short_option=short, default=None,
                                help=help_text, type='str')

    # Filled in later by the plugin; nothing is loaded here.
    self.symbols = None
    self.undefined = None
    self.dump_file = None

    if not distorm_loaded:
        debug.error("You really need the distorm3 python module for this plugin to function properly.")
    else:
        # 4-byte addresses mean a 32-bit profile; anything else is decoded as 64-bit.
        if linux_process_info.address_size == 4:
            self.decode_as = distorm3.Decode32Bits
        else:
            self.decode_as = distorm3.Decode64Bits
Example #8
Source File: Instruction.py From VMAttack with MIT License | 6 votes |
def __init__(self, offset, code, type = distorm3.Decode32Bits, feature = 0):
    """Decode a single instruction with distorm3.

    @param offset Address of the instruction
    @param code Opcode bytes of the instruction
    @param type Kept for interface compatibility only: the decode mode is
                always taken from SV.dissassm_type (64 -> Decode64Bits,
                anything else -> Decode32Bits), so this argument is ignored
    @param feature Passed straight through to distorm3.Decompose

    self.valid stays False unless `code` decomposes to exactly one
    instruction that distorm marks valid; only then are opcode_len,
    opcode_bytes, addr and _len populated. self.Instruction is set whenever
    exactly one instruction comes back, valid or not.
    """
    self.valid = False
    # The caller-supplied mode is overridden by the global setting.
    if SV.dissassm_type == 64:
        decode_mode = distorm3.Decode64Bits
    else:
        decode_mode = distorm3.Decode32Bits
    decoded = distorm3.Decompose(offset, code, decode_mode, feature)
    if len(decoded) != 1:
        return
    self.Instruction = decoded[0]
    if not self.Instruction.valid:
        return
    self.valid = True
    self.opcode_len = len(code)
    self.addr = offset
    # ord() per element: `code` is treated as a Python 2 byte str here.
    self.opcode_bytes = [ord(byte) for byte in code]
    self._len = len(self.Instruction.operands) + 1
Example #9
Source File: disasm.py From PyDev.Debugger with Eclipse Public License 1.0 | 6 votes |
def _import_dependencies(self):
    """Bind the distorm module on first use and pick the decode flag for self.arch.

    The module-level `distorm3` name is filled in lazily (falling back to the
    older `distorm` package name), then the decoder callable and the
    Decode32Bits/Decode64Bits flag matching self.arch are cached on the
    instance. An arch outside the two supported values raises KeyError.
    """
    global distorm3
    if distorm3 is None:
        # Prefer the distorm3 package; older installs expose it as `distorm`.
        try:
            import distorm3
        except ImportError:
            import distorm as distorm3

    self.__decode = distorm3.Decode

    flag_by_arch = {
        win32.ARCH_I386: distorm3.Decode32Bits,
        win32.ARCH_AMD64: distorm3.Decode64Bits,
    }
    self.__flag = flag_by_arch[self.arch]
Example #10
Source File: process_stack.py From aumfor with GNU General Public License v3.0 | 6 votes |
def __init__(self, config, *args, **kwargs):
    """Register plugin options and choose the distorm decode mode.

    Adds the SYMBOL-DIR and DUMP-FILE options to the shared config, resets
    the symbol bookkeeping attributes to None and, when distorm was loaded,
    sets self.decode_as from the profile address size (4 -> Decode32Bits,
    otherwise Decode64Bits). Without distorm, debug.error is called and
    decode_as is left unset.
    """
    linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)

    option_specs = (
        ('SYMBOL-DIR', 's', 'Directory containing files with function symbols'),
        ('DUMP-FILE', 'o', 'Dump an annotated stack to this file'),
    )
    for opt_name, short, help_text in option_specs:
        self._config.add_option(opt_name, short_option=short, default=None,
                                help=help_text, type='str')

    # Filled in later by the plugin; nothing is loaded here.
    self.symbols = None
    self.undefined = None
    self.dump_file = None

    if not distorm_loaded:
        debug.error("You really need the distorm3 python module for this plugin to function properly.")
    else:
        # 4-byte addresses mean a 32-bit profile; anything else is decoded as 64-bit.
        if linux_process_info.address_size == 4:
            self.decode_as = distorm3.Decode32Bits
        else:
            self.decode_as = distorm3.Decode64Bits
Example #11
Source File: malfind.py From vortessence with GNU General Public License v2.0 | 5 votes |
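def Disassemble(data, start, bits = '32bit', stoponret = False):
    """Disassemble code with distorm3.

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: '32bit' selects Decode32Bits; any other value selects
                 Decode64Bits
    @param stoponret: stop disasm when the first mnemonic starting with
                      "RET" is reached (that instruction is not yielded)
    @returns: generator of (offset, instruction, hex bytes) tuples; empty
              when distorm3 is not available
    """
    # A plain `return` ends a generator; `raise StopIteration` inside a
    # generator body becomes RuntimeError under PEP 479 (Python 3.7+).
    if not has_distorm3:
        return

    mode = distorm3.Decode32Bits if bits == '32bit' else distorm3.Decode64Bits

    for offset, _, instruction, hexbytes in distorm3.DecodeGenerator(start, data, mode):
        if stoponret and instruction.startswith("RET"):
            return
        yield offset, instruction, hexbytes

#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has
# some shortcomings that don't allow us to integrate yara easily.
#
# FIXME: these may need updating after resolving issue 310 which aims to
# enhance the scan.BaseScanner to better support things like this
#--------------------------------------------------------------------------------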
Example #12
Source File: check_syscall.py From aumfor with GNU General Public License v3.0 | 5 votes |
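def _get_table_info_distorm(self):
    """
    Find the size of the system call table by disassembling the function
    that immediately references it in its first instruction.
    This is in the form 'cmp reg,NR_syscalls'

    Returns the second operand of the first valid CMP found in the first
    6 bytes of sysenter_do_call (32-bit) or system_call_fastpath (64-bit),
    masked to 32 bits. Returns 0 when distorm is missing, the symbol is
    not in the profile, the bytes cannot be read, or no CMP is found.
    """
    table_size = 0

    if not has_distorm:
        return table_size

    memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')

    if memory_model == '32bit':
        mode = distorm3.Decode32Bits
        func = "sysenter_do_call"
    else:
        mode = distorm3.Decode64Bits
        func = "system_call_fastpath"

    func_addr = self.addr_space.profile.get_symbol(func)
    if not func_addr:
        return table_size

    data = self.addr_space.read(func_addr, 6)
    if not data:
        # Unreadable or empty region in the image: nothing to decode.
        return table_size

    for op in distorm3.Decompose(func_addr, data, mode):
        # Skip undecodable bytes and anything that is not a two-operand CMP.
        if not op.valid or op.mnemonic != 'CMP' or len(op.operands) < 2:
            continue
        # The operand comes straight from the memory image, i.e. untrusted
        # input; the mask keeps the reported size within 32 bits regardless.
        table_size = op.operands[1].value & 0xffffffff
        break

    return table_size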
Example #13
Source File: malfind.py From volatility with GNU General Public License v2.0 | 5 votes |
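def Disassemble(data, start, bits = '32bit', stoponret = False):
    """Disassemble code with distorm3.

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: '32bit' selects Decode32Bits; any other value selects
                 Decode64Bits
    @param stoponret: stop disasm when the first mnemonic starting with
                      "RET" is reached (that instruction is not yielded)
    @returns: generator of (offset, instruction, hex bytes) tuples; empty
              when distorm3 is not available
    """
    # A plain `return` ends a generator; `raise StopIteration` inside a
    # generator body becomes RuntimeError under PEP 479 (Python 3.7+).
    if not has_distorm3:
        return

    mode = distorm3.Decode32Bits if bits == '32bit' else distorm3.Decode64Bits

    for offset, _, instruction, hexbytes in distorm3.DecodeGenerator(start, data, mode):
        if stoponret and instruction.startswith("RET"):
            return
        yield offset, instruction, hexbytes

#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has
# some shortcomings that don't allow us to integrate yara easily.
#
# FIXME: these may need updating after resolving issue 310 which aims to
# enhance the scan.BaseScanner to better support things like this
#--------------------------------------------------------------------------------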
Example #14
Source File: check_syscall_shadow.py From volatility with GNU General Public License v2.0 | 5 votes |
def calculate(self):
    """Yield (shadowtbl_addr, func, op) for every shadowed syscall found.

    The memory model is read from the profile metadata (0 when the key is
    absent; that value is passed on to shadowedSyscalls unchanged). Only the
    literal '32bit' selects Decode32Bits; everything else decodes as 64-bit.
    Results come straight from self.shadowedSyscalls, seeded with the
    _sysent symbol.
    """
    common.set_plugin_members(self)
    profile = self.addr_space.profile
    model = profile.metadata.get('memory_model', 0)
    decode_mode = distorm3.Decode32Bits if model == '32bit' else distorm3.Decode64Bits
    sysent_addr = profile.get_symbol("_sysent")
    for entry in self.shadowedSyscalls(model, decode_mode, sysent_addr):
        shadowtbl_addr, func, op = entry
        yield (shadowtbl_addr, func, op)
Example #15
Source File: check_syscall.py From volatility with GNU General Public License v2.0 | 5 votes |
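def _get_table_info_distorm(self):
    """
    Find the size of the system call table by disassembling the function
    that immediately references it in its first instruction.
    This is in the form 'cmp reg,NR_syscalls'

    Returns the second operand of the first valid CMP found in the first
    6 bytes of sysenter_do_call (32-bit) or system_call_fastpath (64-bit),
    masked to 32 bits. Returns 0 when distorm is missing, the symbol is
    not in the profile, the bytes cannot be read, or no CMP is found.
    """
    table_size = 0

    if not has_distorm:
        return table_size

    memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')

    if memory_model == '32bit':
        mode = distorm3.Decode32Bits
        func = "sysenter_do_call"
    else:
        mode = distorm3.Decode64Bits
        func = "system_call_fastpath"

    func_addr = self.addr_space.profile.get_symbol(func)
    if not func_addr:
        return table_size

    data = self.addr_space.read(func_addr, 6)
    if not data:
        # Unreadable or empty region in the image: nothing to decode.
        return table_size

    for op in distorm3.Decompose(func_addr, data, mode):
        # Skip undecodable bytes and anything that is not a two-operand CMP.
        if not op.valid or op.mnemonic != 'CMP' or len(op.operands) < 2:
            continue
        # The operand comes straight from the memory image, i.e. untrusted
        # input; the mask keeps the reported size within 32 bits regardless.
        table_size = op.operands[1].value & 0xffffffff
        break

    return table_size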
Example #16
Source File: malfind.py From DAMM with GNU General Public License v2.0 | 5 votes |
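def Disassemble(data, start, bits = '32bit', stoponret = False):
    """Disassemble code with distorm3.

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: '32bit' selects Decode32Bits; any other value selects
                 Decode64Bits
    @param stoponret: stop disasm when the first mnemonic starting with
                      "RET" is reached (that instruction is not yielded)
    @returns: generator of (offset, instruction, hex bytes) tuples; empty
              when distorm3 is not available
    """
    # A plain `return` ends a generator; `raise StopIteration` inside a
    # generator body becomes RuntimeError under PEP 479 (Python 3.7+).
    if not has_distorm3:
        return

    mode = distorm3.Decode32Bits if bits == '32bit' else distorm3.Decode64Bits

    for offset, _, instruction, hexbytes in distorm3.DecodeGenerator(start, data, mode):
        if stoponret and instruction.startswith("RET"):
            return
        yield offset, instruction, hexbytes

#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has
# some shortcomings that don't allow us to integrate yara easily.
#
# FIXME: these may need updating after resolving issue 310 which aims to
# enhance the scan.BaseScanner to better support things like this
#--------------------------------------------------------------------------------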
Example #17
Source File: check_syscall_shadow.py From DAMM with GNU General Public License v2.0 | 5 votes |
def calculate(self):
    """Yield (shadowtbl_addr, func, op) for every shadowed syscall found.

    The memory model is read from the profile metadata (0 when the key is
    absent; that value is passed on to shadowedSyscalls unchanged). Only the
    literal '32bit' selects Decode32Bits; everything else decodes as 64-bit.
    Results come straight from self.shadowedSyscalls, seeded with the
    _sysent symbol.
    """
    common.set_plugin_members(self)
    profile = self.addr_space.profile
    model = profile.metadata.get('memory_model', 0)
    decode_mode = distorm3.Decode32Bits if model == '32bit' else distorm3.Decode64Bits
    sysent_addr = profile.get_symbol("_sysent")
    for entry in self.shadowedSyscalls(model, decode_mode, sysent_addr):
        shadowtbl_addr, func, op = entry
        yield (shadowtbl_addr, func, op)
Example #18
Source File: check_syscall_shadow.py From aumfor with GNU General Public License v3.0 | 5 votes |
def calculate(self):
    """Yield (shadowtbl_addr, func, op) for every shadowed syscall found.

    The memory model is read from the profile metadata (0 when the key is
    absent; that value is passed on to shadowedSyscalls unchanged). Only the
    literal '32bit' selects Decode32Bits; everything else decodes as 64-bit.
    Results come straight from self.shadowedSyscalls, seeded with the
    _sysent symbol.
    """
    common.set_plugin_members(self)
    profile = self.addr_space.profile
    model = profile.metadata.get('memory_model', 0)
    decode_mode = distorm3.Decode32Bits if model == '32bit' else distorm3.Decode64Bits
    sysent_addr = profile.get_symbol("_sysent")
    for entry in self.shadowedSyscalls(model, decode_mode, sysent_addr):
        shadowtbl_addr, func, op = entry
        yield (shadowtbl_addr, func, op)
Example #19
Source File: check_syscall.py From DAMM with GNU General Public License v2.0 | 5 votes |
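def _get_table_info_distorm(self):
    """
    Find the size of the system call table by disassembling the function
    that immediately references it in its first instruction.
    This is in the form 'cmp reg,NR_syscalls'

    Returns the second operand of the first valid CMP found in the first
    6 bytes of sysenter_do_call (32-bit) or system_call_fastpath (64-bit),
    masked to 32 bits. Returns 0 when distorm is missing, the symbol is
    not in the profile, the bytes cannot be read, or no CMP is found.
    """
    table_size = 0

    if not has_distorm:
        return table_size

    memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')

    if memory_model == '32bit':
        mode = distorm3.Decode32Bits
        func = "sysenter_do_call"
    else:
        mode = distorm3.Decode64Bits
        func = "system_call_fastpath"

    func_addr = self.addr_space.profile.get_symbol(func)
    if not func_addr:
        return table_size

    data = self.addr_space.read(func_addr, 6)
    if not data:
        # Unreadable or empty region in the image: nothing to decode.
        return table_size

    for op in distorm3.Decompose(func_addr, data, mode):
        # Skip undecodable bytes and anything that is not a two-operand CMP.
        if not op.valid or op.mnemonic != 'CMP' or len(op.operands) < 2:
            continue
        # The operand comes straight from the memory image, i.e. untrusted
        # input; the mask keeps the reported size within 32 bits regardless.
        table_size = op.operands[1].value & 0xffffffff
        break

    return table_size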
Example #20
Source File: inline_hook_finder.py From volafox with GNU General Public License v2.0 | 5 votes |
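def check_prologue(self, address):
    """Check the first 12 bytes of a function prologue for an inline hook.

    Reads 12 bytes at `address` + self.base_address, decodes them as 64-bit
    code and looks at the first two instructions: a MOV followed by
    JMP/CALL/RET, or a leading JMP, is reported as a hook and the operand
    text distorm printed for it (e.g. '0x...' or a register name) is
    returned. Returns 0 when no hook pattern is present, when the bytes
    cannot be read, or when fewer than two instructions decode.
    """
    try:
        from distorm3 import Decode, Decode64Bits
    except ImportError:
        # Only a missing module is a dependency problem; anything else propagates.
        print('[!] Failed to load distorm3')
        print('[!] Inline function hook finder need to distorm3.')
        raise SystemExit(1)

    base_pointer = address + self.base_address
    buf = self.x86_mem_pae.read(base_pointer, 12)
    # Decode entries are (address, instruction size, instruction text, hex string).
    code = Decode(base_pointer, buf, Decode64Bits) if buf else []
    call_address = 0
    if len(code) < 2:
        # Unreadable or undecodable prologue: there is no pattern to match.
        print('No Prologue hook')
        return call_address

    first_words = code[0][2].split(' ')
    second_mnemonic = code[1][2].split(' ')[0]
    if first_words[0] == 'MOV':
        if second_mnemonic in ('JMP', 'CALL', 'RET') and len(first_words) > 2:
            call_address = first_words[2]  # source operand of the MOV
    elif first_words[0] == 'JMP' and len(first_words) > 1:
        call_address = first_words[1]  # jump target operand

    if call_address == 0:
        print('No Prologue hook')
    else:
        # The operand is the text distorm printed, so format it with %s, not %x.
        print('JMP Address : %s' % (call_address,))

    return call_address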
Example #21
Source File: check_syscall_shadow.py From vortessence with GNU General Public License v2.0 | 5 votes |
def calculate(self):
    """Yield (shadowtbl_addr, func, op) for every shadowed syscall found.

    The memory model is read from the profile metadata (0 when the key is
    absent; that value is passed on to shadowedSyscalls unchanged). Only the
    literal '32bit' selects Decode32Bits; everything else decodes as 64-bit.
    Results come straight from self.shadowedSyscalls, seeded with the
    _sysent symbol.
    """
    common.set_plugin_members(self)
    profile = self.addr_space.profile
    model = profile.metadata.get('memory_model', 0)
    decode_mode = distorm3.Decode32Bits if model == '32bit' else distorm3.Decode64Bits
    sysent_addr = profile.get_symbol("_sysent")
    for entry in self.shadowedSyscalls(model, decode_mode, sysent_addr):
        shadowtbl_addr, func, op = entry
        yield (shadowtbl_addr, func, op)
Example #22
Source File: malfind.py From aumfor with GNU General Public License v3.0 | 5 votes |
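def Disassemble(data, start, bits = '32bit', stoponret = False):
    """Disassemble code with distorm3.

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: '32bit' selects Decode32Bits; any other value selects
                 Decode64Bits
    @param stoponret: stop disasm when the first mnemonic starting with
                      "RET" is reached (that instruction is not yielded)
    @returns: generator of (offset, instruction, hex bytes) tuples; empty
              when distorm3 is not available
    """
    # A plain `return` ends a generator; `raise StopIteration` inside a
    # generator body becomes RuntimeError under PEP 479 (Python 3.7+).
    if not has_distorm3:
        return

    mode = distorm3.Decode32Bits if bits == '32bit' else distorm3.Decode64Bits

    for offset, _, instruction, hexbytes in distorm3.DecodeGenerator(start, data, mode):
        if stoponret and instruction.startswith("RET"):
            return
        yield offset, instruction, hexbytes

#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has
# some shortcomings that don't allow us to integrate yara easily.
#
# FIXME: these may need updating after resolving issue 310 which aims to
# enhance the scan.BaseScanner to better support things like this
#--------------------------------------------------------------------------------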
Example #23
Source File: check_syscall.py From vortessence with GNU General Public License v2.0 | 5 votes |
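def _get_table_info_distorm(self):
    """
    Find the size of the system call table by disassembling the function
    that immediately references it in its first instruction.
    This is in the form 'cmp reg,NR_syscalls'

    Returns the second operand of the first valid CMP found in the first
    6 bytes of sysenter_do_call (32-bit) or system_call_fastpath (64-bit),
    masked to 32 bits. Returns 0 when distorm is missing, the symbol is
    not in the profile, the bytes cannot be read, or no CMP is found.
    """
    table_size = 0

    if not has_distorm:
        return table_size

    memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')

    if memory_model == '32bit':
        mode = distorm3.Decode32Bits
        func = "sysenter_do_call"
    else:
        mode = distorm3.Decode64Bits
        func = "system_call_fastpath"

    func_addr = self.addr_space.profile.get_symbol(func)
    if not func_addr:
        return table_size

    data = self.addr_space.read(func_addr, 6)
    if not data:
        # Unreadable or empty region in the image: nothing to decode.
        return table_size

    for op in distorm3.Decompose(func_addr, data, mode):
        # Skip undecodable bytes and anything that is not a two-operand CMP.
        if not op.valid or op.mnemonic != 'CMP' or len(op.operands) < 2:
            continue
        # The operand comes straight from the memory image, i.e. untrusted
        # input; the mask keeps the reported size within 32 bits regardless.
        table_size = op.operands[1].value & 0xffffffff
        break

    return table_size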
Example #24
Source File: static_deobfuscate.py From VMAttack with MIT License | 5 votes |
def get_distorm_info(inst_addr):
    """
    @brief Prints whole distrom3 info of the given instruction
    @param inst_addr Address of instruction

    Always decodes as 64-bit code (distorm3.Decode64Bits, features 0) and
    dumps only the first decomposed instruction; inst[0] raises IndexError
    if nothing decodes. Output goes to stdout via Python 2 print statements.
    """
    # ItemSize / GetManyBytes look like the IDA scripting API (size of the
    # item at inst_addr and its raw bytes) -- TODO confirm against the imports.
    size = ItemSize(inst_addr)
    inst_bytes = GetManyBytes(inst_addr, size)
    inst = distorm3.Decompose(inst_addr, inst_bytes, distorm3.Decode64Bits, 0)
    print inst[0]
    i = inst[0]
    print 'InstBytes ', i.instructionBytes
    print 'Opcode ', i.opcode
    for o in i.operands:
        print 'operand ', o
        print 'operand type', o.type
    for f in i.flags:
        print 'flag ', f
    print 'raw_flags ', i.rawFlags
    print 'inst_class ', i.instructionClass
    print 'flow_control ', i.flowControl
    print 'address ', i.address
    print 'size ', i.size
    print 'dt ', i.dt
    print 'valid ', i.valid
    print 'segment ', i.segment
    print 'unused_Prefixes ', i.unusedPrefixesMask
    print 'mnemonic ', i.mnemonic
    # NOTE(review): inst_class is printed a second time here (same value as above).
    print 'inst_class ', i.instructionClass
Example #25
Source File: disasm.py From OpenXMolar with BSD 3-Clause "New" or "Revised" License | 5 votes |
def __init__(self, arch = None):
    """Initialise the distorm-backed engine for `arch`.

    After the base-class setup, the decoder callable and the
    Decode32Bits/Decode64Bits flag for self.arch are cached on the
    instance (self.arch is presumably set by the base __init__ from
    `arch` -- confirm in the base class). An arch outside the two
    supported values raises KeyError.
    """
    super(DistormEngine, self).__init__(arch)

    self.__decode = distorm3.Decode

    flag_by_arch = {
        win32.ARCH_I386: distorm3.Decode32Bits,
        win32.ARCH_AMD64: distorm3.Decode64Bits,
    }
    self.__flag = flag_by_arch[self.arch]
Example #26
Source File: malfind.py From volatility with GNU General Public License v2.0 | 5 votes |
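def Disassemble(data, start, bits = '32bit', stoponret = False):
    """Disassemble code with distorm3.

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: '32bit' selects Decode32Bits; any other value selects
                 Decode64Bits
    @param stoponret: stop disasm when the first mnemonic starting with
                      "RET" is reached (that instruction is not yielded)
    @returns: generator of (offset, instruction, hex bytes) tuples; empty
              when distorm3 is not available
    """
    # A plain `return` ends a generator; `raise StopIteration` inside a
    # generator body becomes RuntimeError under PEP 479 (Python 3.7+).
    if not has_distorm3:
        return

    mode = distorm3.Decode32Bits if bits == '32bit' else distorm3.Decode64Bits

    for offset, _, instruction, hexbytes in distorm3.DecodeGenerator(start, data, mode):
        if stoponret and instruction.startswith("RET"):
            return
        yield offset, instruction, hexbytes

#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has
# some shortcomings that don't allow us to integrate yara easily.
#
# FIXME: these may need updating after resolving issue 310 which aims to
# enhance the scan.BaseScanner to better support things like this
#--------------------------------------------------------------------------------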
Example #27
Source File: check_syscall_shadow.py From volatility with GNU General Public License v2.0 | 5 votes |
def calculate(self):
    """Yield (shadowtbl_addr, func, op) for every shadowed syscall found.

    The memory model is read from the profile metadata (0 when the key is
    absent; that value is passed on to shadowedSyscalls unchanged). Only the
    literal '32bit' selects Decode32Bits; everything else decodes as 64-bit.
    Results come straight from self.shadowedSyscalls, seeded with the
    _sysent symbol.
    """
    common.set_plugin_members(self)
    profile = self.addr_space.profile
    model = profile.metadata.get('memory_model', 0)
    decode_mode = distorm3.Decode32Bits if model == '32bit' else distorm3.Decode64Bits
    sysent_addr = profile.get_symbol("_sysent")
    for entry in self.shadowedSyscalls(model, decode_mode, sysent_addr):
        shadowtbl_addr, func, op = entry
        yield (shadowtbl_addr, func, op)
Example #28
Source File: check_syscall.py From volatility with GNU General Public License v2.0 | 5 votes |
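def _get_table_info_distorm(self):
    """
    Find the size of the system call table by disassembling functions
    that immediately reference it in their first instruction.
    This is in the form 'cmp reg,NR_syscalls'

    Tries the candidate entry symbols in order (sysenter_do_call for
    32-bit; system_call_fastpath then do_int80_syscall_32 for 64-bit) and
    stops at the FIRST one the profile can resolve, whether or not a CMP
    is found in its first 64 bytes -- later names are only fallbacks for
    profiles that lack the earlier symbol. Returns the second operand of
    the first valid CMP masked to 32 bits, or 0 when distorm is missing,
    no symbol resolves, the bytes cannot be read, or no CMP is found.
    """
    table_size = 0

    if not has_distorm:
        return table_size

    memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')

    if memory_model == '32bit':
        mode = distorm3.Decode32Bits
        funcs = ["sysenter_do_call"]
    else:
        mode = distorm3.Decode64Bits
        funcs = ["system_call_fastpath", "do_int80_syscall_32"]

    for func in funcs:
        func_addr = self.addr_space.profile.get_symbol(func)
        if not func_addr:
            continue

        data = self.addr_space.read(func_addr, 64)
        if data:
            for op in distorm3.Decompose(func_addr, data, mode):
                # Skip undecodable bytes and anything that is not a two-operand CMP.
                if not op.valid or op.mnemonic != 'CMP' or len(op.operands) < 2:
                    continue
                # The operand comes straight from the memory image, i.e.
                # untrusted input; the mask keeps the size within 32 bits.
                table_size = op.operands[1].value & 0xffffffff
                break
        # Only the first resolvable symbol is examined (unchanged behaviour).
        break

    return table_size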
Example #29
Source File: inline_hook_finder.py From volafox with GNU General Public License v2.0 | 5 votes |
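def find_function_in_code(self, caller_addr, callee_addr):
    """Find CALLs to `callee_addr` inside the function at `caller_addr`.

    Both addresses are relative to self.base_address. Up to 256 bytes at the
    caller are decoded as 64-bit code and walked until the first RET (which
    is included in the walk). Returns (findit, function_inst): the CALL
    instructions whose hex immediate equals the absolute callee address, and
    every instruction walked. CALLs whose operand is not a hex immediate
    (e.g. register-indirect) are skipped. Entries are distorm Decode tuples
    (address, size, text, hex string).
    """
    try:
        from distorm3 import Decode, Decode64Bits
    except ImportError:
        # Only a missing module is a dependency problem; anything else propagates.
        print('[!] Failed to load distorm3')
        print('[!] Inline function hook finder need to distorm3.')
        raise SystemExit(1)

    base_pointer = caller_addr + self.base_address
    callee_abs = callee_addr + self.base_address
    buf = self.x86_mem_pae.read(base_pointer, 256)
    # An unreadable caller decodes to nothing instead of erroring inside distorm.
    code = Decode(base_pointer, buf, Decode64Bits) if buf else []

    findit = []
    function_inst = []
    for instruction in code:
        function_inst.append(instruction)
        words = instruction[2].split(' ')
        if words[0] == 'RET':
            break
        if words[0] != 'CALL' or len(words) < 2:
            continue
        try:
            target = int(words[1], 16)
        except ValueError:
            continue  # bypass 'CALL reg/64' and other non-immediate forms
        if target == callee_abs:
            findit.append(instruction)

    return findit, function_inst

# Korean comments
# inline_quick - Checking JMP instruction in function prologue considered as MOV-JMP instructions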