📄 dissectcodethread.pas
字号:
unit DissectCodeThread;
interface
uses
cefuncproc,windows,sysutils,syncobjs,Classes,disassembler;
type tjumptype=(jtUnconditional,jtConditional,jtCall);
type tdissectarray= array of record
address: dword;
jumptype: tjumptype;
end;
type tjumpdata = record
address:dword;
codes: integer;
code: array[0..7] of dword; //default space for 8 addresses
nrofextracodes: integer;
extracodes: array of dword; //but can be expanded to more if really needed
end;
type tjumparray=array of tjumpdata;
type
TDissectCodeThread = class(TThread)
private
{ Private declarations }
unconditionaljump: tjumparray;
conditionaljump: tjumparray;
calls: tjumparray;
nrofunconditionaljumps: integer;
nrofconditionaljumps: integer;
nrofcalls: integer;
function findaddress(address:dword; const list: tjumparray; currentsize: integer; var recnr: integer):boolean;
public
percentagedone: dword;
processid: dword;
done: boolean;
currentaddress:dword;
memoryregion: tmemoryregions;
totalmemory: dword;
totalread: dword;
accuracy: integer;
function CheckAddress(address: dword; var aresult: tdissectarray):boolean;
protected
procedure Execute; override;
end;
implementation
{ Important: Methods and properties of objects in visual components can only be
used in a method called using Synchronize, for example,
Synchronize(UpdateCaption);
and UpdateCaption could look like,
procedure TDissectCodeThread.UpdateCaption;
begin
Form1.Caption := 'Updated in a thread';
end; }
{ TDissectCodeThread }
{
This thread will scan the memory for jumps and conditional jumps
}
function TDissectCodeThread.findaddress(address:dword; const list: tjumparray; currentsize: integer; var recnr: integer):boolean;
var i: integer;
first,last: integer;
begin
result:=false;
first:=0;
last:=currentsize;
while first<last do
begin
i:=first+((last-first) div 2);
if (i=first) or (i=last) then
begin
for i:=first to last-1 do
begin
if list[i].address=address then
begin
recnr:=i;
result:=true;
exit;
end;
if list[i].address>address then break;
end;
break;
end;
if list[i].address=address then
begin
recnr:=i;
result:=true;
exit;
end;
if address<list[i].address then
last:=i
else
first:=i;
end;
end;
function TDissectCodeThread.CheckAddress(address: dword; var aresult: tdissectarray):boolean;
var a,b,c: integer;
fa,fb,fc: boolean;
i,j: integer;
totalsize: integer;
begin
result:=false;
if not done then exit;
totalsize:=0;
fa:=false;
fb:=false;
fc:=false;
//check the unconditionaljump list
if findaddress(address,unconditionaljump,nrofunconditionaljumps,a) then
begin
totalsize:=unconditionaljump[a].codes+unconditionaljump[a].nrofextracodes;
fa:=true;
end;
//check the conditionaljump list
if findaddress(address,conditionaljump,nrofconditionaljumps,b) then
begin
inc(totalsize,conditionaljump[b].codes+conditionaljump[b].nrofextracodes);
fb:=true;
end;
//check the calllist
if findaddress(address,calls,nrofcalls,c) then
begin
inc(totalsize,calls[c].codes+calls[c].nrofextracodes);
fc:=true;
end;
result:=fa or fb or fc;
if result then
begin
setlength(aresult,totalsize);
j:=0;
if fa then
begin
for i:=0 to unconditionaljump[a].codes-1 do
begin
aresult[j].address:=unconditionaljump[a].code[i];
aresult[j].jumptype:=jtUnconditional;
inc(j);
end;
for i:=0 to unconditionaljump[a].nrofextracodes-1 do
begin
aresult[j].address:=unconditionaljump[a].extracodes[i];
aresult[j].jumptype:=jtUnconditional;
inc(j);
end;
end;
if fb then
begin
for i:=0 to conditionaljump[b].codes-1 do
begin
aresult[j].address:=conditionaljump[b].code[i];
aresult[j].jumptype:=jtConditional;
inc(j);
end;
for i:=0 to conditionaljump[b].nrofextracodes-1 do
begin
aresult[j].address:=conditionaljump[b].extracodes[i];
aresult[j].jumptype:=jtConditional;
inc(j);
end;
end;
if fc then
begin
for i:=0 to calls[c].codes-1 do
begin
aresult[j].address:=calls[c].code[i];
aresult[j].jumptype:=jtCall;
inc(j);
end;
for i:=0 to calls[c].nrofextracodes-1 do
begin
aresult[j].address:=calls[c].extracodes[i];
aresult[j].jumptype:=jtCall;
inc(j);
end;
end;
end;
end;
procedure TDissectCodeThread.Execute;
type ttempjumpdata=record
address:dword;
code: dword;
end;
type ttempjumparray=array [0..127] of ttempjumpdata;
var
tempunconditionaljumplist: ttempjumparray;
tempconditionaljumplist: ttempjumparray;
tempcalls: ttempjumparray;
cun,cc,ccls: dword;
a,b,c:integer;
address: dword;
mbi: MEMORY_BASIC_INFORMATION;
temp: array of byte;
br: dword;
i,j: integer;
maxregionsize: dword;
bytesread: dword;
start,stop: dword;
ta: dword;
ts: string;
procedure insert(var list: tjumparray;var currentsize: integer; address: ttempjumpdata);
var i,j: integer;
lastaddress: dword;
first,last: integer;
x: dword;
temp:string;
begin
{x:=previousopcode(address.code);
x:=previousopcode(x);
disassemble(x,temp);
disassemble(x,temp);
if x<>address.code then exit
}
if terminated then exit;
//check if this address is already in the list. if not, add it.
first:=0;
last:=currentsize;
i:=0;
while first<last do
begin
i:=first+((last-first) div 2);
if (i=first) or (i=last) then
begin
for i:=first to last-1 do
begin
if list[i].address=address.address then
begin
if list[i].codes<=7 then
begin
list[i].code[list[i].codes]:=address.code;
inc(list[i].codes);
end
else
begin
inc(list[i].nrofextracodes);
if list[i].nrofextracodes>=length(list[i].extracodes) then
setlength(list[i].extracodes,length(list[i].extracodes)+length(list[i].extracodes)+8); //8 more
list[i].extracodes[list[i].nrofextracodes-1]:=address.code;
end;
exit;
end;
if list[i].address>address.address then break;
end;
break;
end;
if list[i].address=address.address then
begin
if list[i].codes<=7 then
begin
list[i].code[list[i].codes]:=address.code;
inc(list[i].codes);
end
else
begin
inc(list[i].nrofextracodes);
if list[i].nrofextracodes>=length(list[i].extracodes) then
setlength(list[i].extracodes,length(list[i].extracodes)+length(list[i].extracodes)+8); //8 more
list[i].extracodes[list[i].nrofextracodes-1]:=address.code;
end;
exit;
end;
if address.address<list[i].address then
last:=i
else
first:=i;
end;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -