result:='EDX+EBP*8';
last:=sibbyte+1;
end;
$eb : begin
result:='EBX+EBP*8';
last:=sibbyte+1;
end;
$ec : begin
result:='ESP+EBP*8';
last:=sibbyte+1;
end;
$ed : begin
dwordptr:=@memory[sibbyte+1];
case getmod(memory[sibbyte-1]) of
0 : begin
last:=sibbyte+5;
result:='EBP*8+'+inttohexs(dwordptr^,8);
end;
1 : begin
last:=sibbyte+1;
result:='EBP+EBP*8';
end;
2 : begin
last:=sibbyte+1;
result:='EBP+EBP*8';
end;
3 : begin
result:='error';
end;
end;
end;
$ee : begin
result:='ESI+EBP*8';
last:=sibbyte+1;
end;
$ef : begin
result:='EDI+EBP*8';
last:=sibbyte+1;
end;
//b0-b7
$f0 : begin
result:='EAX+ESI*8';
last:=sibbyte+1;
end;
$f1 : begin
result:='ECX+ESI*8';
last:=sibbyte+1;
end;
$f2 : begin
result:='EDX+ESI*8';
last:=sibbyte+1;
end;
$f3 : begin
result:='EBX+ESI*8';
last:=sibbyte+1;
end;
$f4 : begin
result:='ESP+ESI*8';
last:=sibbyte+1;
end;
$f5 : begin
dwordptr:=@memory[sibbyte+1];
case getmod(memory[sibbyte-1]) of
0 : begin
last:=sibbyte+5;
result:='ESI*8+'+inttohexs(dwordptr^,8);
end;
1 : begin
last:=sibbyte+1;
result:='EBP+ESI*8';
end;
2 : begin
last:=sibbyte+1;
result:='EBP+ESI*8';
end;
3 : begin
result:='error';
end;
end;
end;
$f6 : begin
result:='ESI+ESI*8';
last:=sibbyte+1;
end;
$f7 : begin
result:='EDI+ESI*8';
last:=sibbyte+1;
end;
//b8-bf
$f8 : begin
result:='EAX+EDI*8';
last:=sibbyte+1;
end;
$f9 : begin
result:='ECX+EDI*8';
last:=sibbyte+1;
end;
$fa : begin
result:='EDX+EDI*8';
last:=sibbyte+1;
end;
$fb : begin
result:='EBX+EDI*8';
last:=sibbyte+1;
end;
$fc : begin
result:='ESP+EDI*8';
last:=sibbyte+1;
end;
$fd : begin
dwordptr:=@memory[sibbyte+1];
case getmod(memory[sibbyte-1]) of
0 : begin
last:=sibbyte+5;
result:='EDI*8+'+inttohexs(dwordptr^,8);
end;
1 : begin
last:=sibbyte+1;
result:='EBP+EDI*8';
end;
2 : begin
last:=sibbyte+1;
result:='EBP+EDI*8';
end;
3 : begin
result:='error';
end;
end;
end;
$fe : begin
result:='ESI+EDI*8';
last:=sibbyte+1;
end;
$ff : begin
result:='EDI+EDI*8';
last:=sibbyte+1;
end;
end;
end;
function disassemble(var offset: dword; var description: string): string; overload;
var memory: TMemory;
actualread: dword;
startoffset: dword;
tempresult: string;
tempst: string;
wordptr: ^word;
dwordptr: ^dword;
dwordptr2: ^dword;
singleptr: ^single;
doubleptr: ^double;
extenedptr: ^extended;
int64ptr: ^int64;
i,j: integer;
prefix: TPrefix;
prefix2: TPrefix;
isprefix: boolean;
last: dword;
foundit: boolean;
begin
result:=inttohex(offset,8)+' - ';
isprefix:=true;
prefix:=[$f0,$f2,$f3,$2e,$36,$3e,$26,$64,$65,$66,$67];
prefix2:=[];
startoffset:=offset;
readprocessmemory(processhandle,pointer(offset),addr(memory),24,actualread);
if actualread>0 then
begin
//I HATE THESE... (I propably will not add them all, but I'll see how far I get)
{$ifndef net}
for i:=0 to actualread-1 do
if (memory[i]=$CC) then
begin
//try to find it in the breakpointlist (not for net)
try
WaitForSingleObject(semaphore,infinite); //make sure it doesnt get deleted while I'm reading it
if debuggerthread<>nil then
begin
for j:=0 to length(debuggerthread.int3userbreakpoints)-1 do
if debuggerthread.int3userbreakpoints[j].address=offset+i then
begin
//it's in the list
memory[i]:=debuggerthread.int3userbreakpoints[j].originalbyte;
break;
end;
if debuggerthread.int3CEBreakpoint.address=offset+i then
memory[i]:=debuggerthread.int3CEBreakpoint.originalbyte;
// memory[0]:=original byte
end;
finally
releasesemaphore(semaphore,1,nil);
end;
end;
{$endif}
while isprefix do
begin
inc(offset);
if memory[0] in prefix then
begin
result:=result+inttohexs(memory[0],2)+' ';
isprefix:=true;
inc(startoffset);
prefix2:=prefix2+[memory[0]];
readprocessmemory(processhandle,pointer(offset),addr(memory),24,actualread);
end else isprefix:=false;
end;
if $F0 in prefix2 then tempresult:='lock ';
if $F2 in prefix2 then tempresult:=tempresult+'repne ';
if $f3 in prefix2 then tempresult:=tempresult+'repe ';
case memory[0] of //opcode
$00 : begin
description:='Add';
tempresult:=tempresult+'add '+MODRM(memory,prefix2,1,2,last)+r8(memory[1]);
inc(offset,last-1);
end;
$01 : begin
description:='Add';
if $66 in prefix2 then tempresult:=tempresult+'ADD '+MODRM(memory,prefix2,1,1,last)+r16(memory[1]) else
tempresult:=tempresult+'ADD '+MODRM(memory,prefix2,1,0,last)+r32(memory[1]);
inc(offset,last-1);
end;
$02 : begin
description:='Add';
tempresult:=tempresult+'ADD '+r8(memory[1])+','+MODRM(memory,prefix2,1,2,last);
tempresult:=copy(tempresult,0,length(tempresult)-1);
inc(offset,last-1);
end;
$03 : begin
description:='Add';
if $66 in prefix2 then tempresult:=tempresult+'ADD '+r16(memory[1])+','+MODRM(memory,prefix2,1,1,last) else
tempresult:=tempresult+'ADD '+r32(memory[1])+','+MODRM(memory,prefix2,1,0,last);
tempresult:=copy(tempresult,0,length(tempresult)-1);
inc(offset,last-1);
end;
$04 : begin
description:='Add x to y';
tempresult:=tempresult+'ADD AL,'+inttohexs(memory[1],2);
inc(offset);
end;
$05 : begin
description:='Add x to y';
wordptr:=@memory[1];
dwordptr:=@memory[1];
if $66 in prefix2 then
begin
tempresult:=tempresult+'ADD AX,'+inttohexs(wordptr^,4);
inc(offset,2);
end else
begin
tempresult:=tempresult+'ADD EAX,'+inttohexs(dwordptr^,8);
inc(offset,4);
end;
end;
$06 : begin
description:='Place ES on the stack';
tempresult:=tempresult+'PUSH ES';
end;
$07 : begin
description:='Remove ES from the stack';
tempresult:=tempresult+'POP ES';
end;
$08 : begin
description:='Logical Inclusive OR';
tempresult:=tempresult+'OR '+MODRM(memory,prefix2,1,2,last)+r8(memory[1]);
inc(offset,last-1);
end;
$09 : begin
description:='Logical Inclusive OR';
if $66 in prefix2 then tempresult:=tempresult+'OR '+MODRM(memory,prefix2,1,1,last)+r16(memory[1]) else
tempresult:=tempresult+'OR '+MODRM(memory,prefix2,1,0,last)+r32(memory[1]);
inc(offset,last-1);
end;
$0a : begin
description:='Logical Inclusive OR';
tempresult:=tempresult+'OR '+r8(memory[1])+','+MODRM(memory,prefix2,1,2,last);
tempresult:=copy(tempresult,0,length(tempresult)-1);
inc(offset,last-1);
end;
$0b : begin
description:='Logical Inclusive OR';
if $66 in prefix2 then tempresult:=tempresult+'OR '+r16(memory[1])+','+MODRM(memory,prefix2,1,1,last) else
tempresult:=tempresult+'OR '+r32(memory[1])+','+MODRM(memory,prefix2,1,0,last);
tempresult:=copy(tempresult,0,length(tempresult)-1);
inc(offset,last-1);
end;
$0c : begin
description:='Logical Inclusive OR';
tempresult:=tempresult+'OR AL,'+inttohexs(memory[1],2);
inc(offset);
end;
$0d : begin
description:='Logical Inclusive OR';
if $66 in prefix2 then
begin
wordptr:=@memory[1];
tempresult:=tempresult+'OR AX,'+inttohexs(wordptr^,4);
inc(offset,2);
end
else
begin
dwordptr:=@memory[1];
tempresult:=tempresult+'OR EAX,'+inttohexs(dwordptr^,8);
inc(offset,4);
end;
end;
$0e : begin
description:='Place CS on the stack';
tempresult:=tempresult+'PUSH CS';
end;
$0f : begin //SIMD extensions
case memory[1] of
$00 : begin
case getreg(memory[2]) of
0: begin
description:='Store Local Descriptor Table Register';
if $66 in prefix2 then tempresult:=tempresult+'SLDT '+modrm(memory,prefix2,2,1,last,16) else
tempresult:=tempresult+'SLDT '+modrm(memory,prefix2,2,0,last);
tempresult:=copy(tempresult,1,length(tempresult)-1);
inc(offset,last-1);
end;
1: begin
description:='Store Task Register';
tempresult:=tempresult+'STR '+modrm(memory,prefix2,2,1,last,16);
tempresult:=copy(tempresult,1,length(tempresult)-1);
inc(offset,last-1);
end;
2: begin
description:='Load Local Descriptor Table Register';
tempresult:=tempresult+'LLDT '+modrm(memory,prefix2,2,1,last,16);
tempresult:=copy(tempresult,1,length(tempresult)-1);
inc(offset,last-1);
end;
3: begin
description:='Load Task Register';
tempresult:=tempresult+'LTR '+modrm(memory,prefix2,2,1,last,16);
tempresult:=copy(tempresult,1,length(tempresult)-1);
inc(offset,last-1);
end;
4: begin
description:='Verify a Segment for Reading';
tempresult:=tempresult+'VERR '+modrm(memory,prefix2,2,1,last,16);
tempresult:=copy(tempresult,1,length(tempresult)-1);
inc(offset,last-1);
end;
5: begin
description:='Verify a Segment for Writing';
tempresult:=tempresult+'VERW '+modrm(memory,prefix2,2,1,last,16);
tempresult:=copy(tempresult,1,length(tempresult)-1);
inc(offset,last-1);
end;
//the following 2 were made up by me.
else
begin
description:='Not specified by the intel documentation';
tempresult:=tempresult+'DB 0F';
end;
end;
end;
$01 : begin
case getreg(memory[2]) of
0: begin
description:='Store Global Descriptor Table Register';
tempresult:=tempresult+'SGDT '+modrm(memory,prefix2,2,0,last);
tempresult:=copy(tempresult,1,length(tempresult)-1);
inc(offset,last-1);
end;
1: begin
description:='Store Interrupt Descriptor Table Register';
tempresult:=tempresult+'SIDT '+modrm(memory,prefix2,2,0,last);
tempresult:=copy(tempresult,1,length(tempresult)-1);
inc(offset,last-1);
end;
2: begin
description:='Load Global Descriptor Table Register';
tempresult:=tempresult+'LGDT '+modrm(memory,prefix2,2,0,last);
tempresult:=copy(tempresult,1,length(tempresult)-1);
inc(offset,last-1);
end;
3: begin
description:='Load Interupt Descriptor Table Register';
tempresult:=tempresult+'LIDT '+modrm(memory,prefix2,2,0,last);
tempresult:=copy(tempresult,1,length(tempresult)-1);
inc(offset,last-1);
end;
4: begin
description:='Store Machine Status Word';
if $66 in prefix2 then tempresult:=tempresult+'SMSW '+modrm(memory,prefix2,2,0,last)
else tempresult:=tempresult+'SMSW '+modrm(memory,prefix2,2,0,last);
tempresult:=copy(tempresult,1,length(tempresult)-1);
inc(offset,last-1);
end;
6: begin
description:='Load Machine Status Word';
tempresult:=tempresult+'LMSW '+modrm(memory,prefix2,2,1,last);
tempresult:=copy(tempresult,1,length(tempresult)-1);
inc(offset,last-1);
end;
7: begin
description:='Invalidate TLB Entry';
tempresult:=tempresult+'INVPLG '+modrm(memory,prefix2,2,0,last);
tempresult:=copy(tempresult,1,length(tempresult)-1);
inc(offset,last-1);
end;
end;
end;
$02 : begin
description:='Load Access Rights Byte';
if $66 in prefix2 then tempresult:=tempresult+'LAR '+r16(memory[2])+','+modrm(memory,prefix2,2,1,last) else
tempresult:=tempresult+'LAR '+r32(memory[2])+','+modrm(memory,prefix2,2,2,last);
tempresult:=copy(tempresult,1,length(tempresult)-1);
inc(offset,last-1);
end;
$03 : begin
description:='Load Segment Limit';
if $66 in prefix2 then tempresult:=tempresult+'LSL '+r16(memory[2])+','+modrm(memory,prefix2,2,1,last) else
tempresult:=tempresult+'LSL '+r32(memory[2])+','+modrm(