		strcpy(strBuffer,"eax");
		return;
	case 1:
		strcpy(strBuffer,"ecx");
		return;
	case 2:
		strcpy(strBuffer,"edx");
		return;
	case 3:
		strcpy(strBuffer,"ebx");
		return;
	case 4:
		strcpy(strBuffer,"esp");
		return;
	case 6:
		strcpy(strBuffer,"esi");
		return;
	case 7:
		strcpy(strBuffer,"edi");
		return;
	}
};


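void GetSIBScaledIndex(unsigned char SIB, char *strBuffer, int cbBuffer)
{
	/*
	 * Render the scaled-index part of a 32-bit SIB byte into strBuffer,
	 * e.g. "ecx" (scale 1), "ecx*2", "ebx*4", "edi*8".
	 *
	 * SIB layout: bits 7..6 = SS (scale = 1 << SS), bits 5..3 = index,
	 * bits 2..0 = base (not used here, see GetSIBBase).  Index 4 means
	 * "no index register": the output is left empty whatever the scale
	 * bits say, and callers detect that with strlen().
	 *
	 * The buffer is zero-filled first (as before) and the text is always
	 * NUL-terminated and never longer than cbBuffer bytes.  The previous
	 * strncpy + _snprintf pair could leave the buffer unterminated or
	 * write one byte past it when cbBuffer was smaller than the formatted
	 * text, and the later strlen() calls then ran off the end.
	 */
	static const char *const kIndexNames[8] = {
		"eax", "ecx", "edx", "ebx", "" /* 4: no index */, "ebp", "esi", "edi"
	};
	unsigned char SS = (unsigned char)((SIB & 0xC0) >> 6);
	unsigned char Index = (unsigned char)((SIB & 0x38) >> 3);
	const char *name;

	if (strBuffer == 0 || cbBuffer <= 0)
		return;	/* nothing can be written safely */

	memset(strBuffer, 0, (size_t)cbBuffer);
	name = kIndexNames[Index];
	if (name[0] == '\0')
		return;	/* index == 4: no index register, leave blank */

	if (SS == 0)
		snprintf(strBuffer, (size_t)cbBuffer, "%s", name);
	else
		snprintf(strBuffer, (size_t)cbBuffer, "%s*%d", name, 1 << SS);
}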


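int DecodeMemory32SIB(DefaultOperationSizeAttrib DSize, unsigned char *pStart, int iOpIndex, IA32InstructionDecode *pIA32Decode)
{
	/*
	 * Format the memory operand of a 32-bit ModRM+SIB form into operand
	 * slot iOpIndex of pIA32Decode.  Returns 1 on success, 0 when the
	 * helper state says there is no ModRM or SIB byte, when iOpIndex is
	 * not 1..3, or when the Mod bits select a form that cannot carry a SIB.
	 *
	 * Two cases, chosen by whether GetSIBBase() yields a base register:
	 *  - base field == 5 (no base register): the Mod bits of the ModRM byte
	 *    select [disp32], [ebp+disp8] or [ebp+disp32]; the displacement is
	 *    read from the byte stream here and recorded in the raw instruction.
	 *  - any other base: DecodeMemoryOperand32 has already stored the
	 *    displacement, so only cbRawDisplacement and the stored value are
	 *    consulted.
	 *
	 * Changes versus the earlier version: the segment-override prefix is
	 * printed in front of the bracket (the non-SIB path already did this),
	 * an absent index register no longer produces "[+0x..]" / "[ebp++0x..]",
	 * a pure disp32 operand defaults to "ds:" like the non-SIB disp32 form,
	 * and the 32-bit displacement is fetched with memcpy instead of an
	 * unaligned unsigned-int pointer cast.
	 *
	 * NOTE(review): pStart carries no length in this interface, so reads of
	 * the displacement bytes trust the caller to have supplied at least
	 * prefixes+opcode+ModRM+SIB+4 bytes.  strOutput's capacity is likewise
	 * unknown here, so formatting still uses sprintf as the rest of the
	 * file does.
	 */
	unsigned char SIB;
	unsigned char ModRM;
	unsigned char ucD8;
	unsigned int uiD32;
	char strBase[64];
	char strIndex[64];
	char strSeg[10];
	char *strOutput;
	char cSign = '+';
	char strOpSize[20];
	int iDispOff;

	if (!pIA32Decode->SIA32InstructionHelper.boolSIBExists)
		return 0;
	if (!pIA32Decode->SIA32InstructionHelper.boolModRMExists)
		return 0;
	ModRM = pIA32Decode->SIA32RawInstruction.ModRM;
	SIB = pIA32Decode->SIA32RawInstruction.SIB;
	if (!GetOutputBuffer(iOpIndex, &strOutput, pIA32Decode))
		return 0;

	GetMemoryOperandSizeStr(strOutput, strOpSize, DSize, pIA32Decode);
	if (strlen(strOpSize))
		strcat(strOpSize, " ");
	/* segment override ("fs:" etc.), empty when no override prefix is present */
	GetSegmentOverrideStr(GetSegmentOverride(pIA32Decode), strSeg, sizeof(strSeg));
	if (strlen(strSeg))
		strcat(strSeg, ":");

	GetSIBBase(SIB, strBase, sizeof(strBase));
	GetSIBScaledIndex(SIB, strIndex, sizeof(strIndex));

	/* the displacement (if any) sits right after prefixes, opcode, ModRM and SIB */
	iDispOff = pIA32Decode->SIA32InstructionHelper.cbRawPrefixes +
	           pIA32Decode->SIA32InstructionHelper.cbRawOpcode +
	           pIA32Decode->SIA32InstructionHelper.boolModRMExists +
	           pIA32Decode->SIA32InstructionHelper.boolSIBExists;

	if (!strlen(strBase))
	{
		/* no base register: the Mod field of the ModRM byte decides the form */
		switch (ModRM >> 6)
		{
		case 0:
			/* [index*scale + disp32], or a plain absolute address */
			memcpy(&uiD32, pStart + iDispOff, sizeof uiD32);
			memcpy(pIA32Decode->SIA32RawInstruction.URawDisplacement.ca4ByteRawDisplacement, &uiD32, sizeof uiD32);
			pIA32Decode->SIA32InstructionHelper.cbRawDisplacement = 4;
			if (strlen(strIndex))
				sprintf(strOutput, "%s%s[%s+0x%08X]", strOpSize, strSeg, strIndex, uiD32);
			else
			{
				if (!strlen(strSeg))
					strcpy(strSeg, "ds:");
				sprintf(strOutput, "%s%s[0x%08X]", strOpSize, strSeg, uiD32);
			}
			return 1;
		case 1:
			/* [ebp + index*scale + disp8], disp8 is sign-extended */
			ucD8 = pStart[iDispOff];
			pIA32Decode->SIA32RawInstruction.URawDisplacement.cByteRawDisplacement = ucD8;
			pIA32Decode->SIA32InstructionHelper.cbRawDisplacement = 1;
			if (ucD8 & 0x80)
			{
				cSign = '-';
				ucD8 = (unsigned char)(-(int)ucD8);	/* print the magnitude */
			}
			if (strlen(strIndex))
				sprintf(strOutput, "%s%s[ebp+%s%c0x%02X]", strOpSize, strSeg, strIndex, cSign, ucD8);
			else
				sprintf(strOutput, "%s%s[ebp%c0x%02X]", strOpSize, strSeg, cSign, ucD8);
			return 1;
		case 2:
			/* [ebp + index*scale + disp32] */
			memcpy(&uiD32, pStart + iDispOff, sizeof uiD32);
			memcpy(pIA32Decode->SIA32RawInstruction.URawDisplacement.ca4ByteRawDisplacement, &uiD32, sizeof uiD32);
			pIA32Decode->SIA32InstructionHelper.cbRawDisplacement = 4;
			if (strlen(strIndex))
				sprintf(strOutput, "%s%s[ebp+%s+0x%08X]", strOpSize, strSeg, strIndex, uiD32);
			else
				sprintf(strOutput, "%s%s[ebp+0x%08X]", strOpSize, strSeg, uiD32);
			return 1;
		default:
			return 0;	/* Mod == 3 is a register operand; it never carries a SIB byte */
		}
	}

	/* base register present: the caller already stored the displacement */
	memcpy(&uiD32, pIA32Decode->SIA32RawInstruction.URawDisplacement.ca4ByteRawDisplacement, sizeof uiD32);
	ucD8 = pIA32Decode->SIA32RawInstruction.URawDisplacement.cByteRawDisplacement;
	switch (pIA32Decode->SIA32InstructionHelper.cbRawDisplacement)
	{
	case 0:
		if (strlen(strIndex))
			sprintf(strOutput, "%s%s[%s+%s]", strOpSize, strSeg, strBase, strIndex);
		else
			sprintf(strOutput, "%s%s[%s]", strOpSize, strSeg, strBase);
		return 1;
	case 1:
		if (ucD8 & 0x80)
		{
			cSign = '-';
			ucD8 = (unsigned char)(-(int)ucD8);	/* print the magnitude */
		}
		if (strlen(strIndex))
			sprintf(strOutput, "%s%s[%s+%s%c0x%02X]", strOpSize, strSeg, strBase, strIndex, cSign, ucD8);
		else
			sprintf(strOutput, "%s%s[%s%c0x%02X]", strOpSize, strSeg, strBase, cSign, ucD8);
		return 1;
	case 4:
		if (strlen(strIndex))
			sprintf(strOutput, "%s%s[%s+%s+0x%08X]", strOpSize, strSeg, strBase, strIndex, uiD32);
		else
			sprintf(strOutput, "%s%s[%s+0x%08X]", strOpSize, strSeg, strBase, uiD32);
		return 1;
	default:
		return 0;	/* inconsistent helper state: only 0, 1 or 4 displacement bytes exist */
	}
}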


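int DecodeMemoryOperand32(DefaultOperationSizeAttrib DSize, unsigned char *pStart, int iOpIndex, IA32InstructionDecode *pIA32Decode)
{
	/*
	 * Decode the memory form (Mod != 3) of a ModRM byte under 32-bit
	 * addressing into operand slot iOpIndex.  Returns 1 on success and 0
	 * when there is no ModRM byte, when iOpIndex is not 1..3, or when
	 * Mod == 3 (a register operand, which is not a memory form).
	 *
	 * Byte layout assumed in pStart: prefixes, opcode, ModRM, [SIB], [disp].
	 * R/M == 4 always means a SIB byte follows; that form is delegated to
	 * DecodeMemory32SIB once the displacement (if any) has been recorded in
	 * the raw-instruction state that function reads back.
	 *
	 * Side effects on pIA32Decode: SIB and boolSIBExists when R/M == 4, and
	 * cbRawDisplacement plus the matching URawDisplacement field.
	 *
	 * Changes versus the earlier version: one register-name table replaces
	 * three eight-way switches, the 32-bit displacement is fetched with
	 * memcpy instead of an unaligned unsigned-int pointer cast, and Mod == 0
	 * forms without a displacement now set cbRawDisplacement to 0 so that
	 * DecodeMemory32SIB's base-present path does not see a stale count.
	 * NOTE(review): if the helper state is already cleared per instruction
	 * elsewhere, that last change is a no-op.
	 *
	 * NOTE(review): pStart carries no length; the disp8/disp32 reads trust
	 * the caller to have validated the buffer.  strOutput's capacity is
	 * not known here either, so formatting still uses sprintf as the rest
	 * of the file does.
	 */
	static const char *const kReg32[8] = {
		"eax", "ecx", "edx", "ebx", "esp" /* 4: never used, SIB form */, "ebp", "esi", "edi"
	};
	unsigned char ModRM;
	unsigned char Mod;
	unsigned char RM;
	unsigned char SIB;
	unsigned char ucD8;
	unsigned int uiD32;
	char *strOutput;
	char cSign = '+';
	char strSegOverride[10];
	char strOpSize[20];
	int iAfterModRM;

	if (!pIA32Decode->SIA32InstructionHelper.boolModRMExists)
		return 0;
	if (!GetOutputBuffer(iOpIndex, &strOutput, pIA32Decode))
		return 0;
	GetMemoryOperandSizeStr(strOutput, strOpSize, DSize, pIA32Decode);
	if (strlen(strOpSize))
		strcat(strOpSize, " ");

	ModRM = pIA32Decode->SIA32RawInstruction.ModRM;
	Mod = (unsigned char)((ModRM & 0xC0) >> 6);
	RM = (unsigned char)(ModRM & 0x07);
	GetSegmentOverrideStr(GetSegmentOverride(pIA32Decode), strSegOverride, sizeof(strSegOverride));
	if (strlen(strSegOverride))
		strcat(strSegOverride, ":");

	/* offset of the first byte after ModRM: the SIB byte, or the displacement */
	iAfterModRM = pIA32Decode->SIA32InstructionHelper.cbRawPrefixes +
	              pIA32Decode->SIA32InstructionHelper.cbRawOpcode +
	              pIA32Decode->SIA32InstructionHelper.boolModRMExists;

	switch (Mod)
	{
	case 0:
		if (RM == 5)
		{
			/* disp32 only: an absolute address, shown with the default ds: */
			memcpy(&uiD32, pStart + iAfterModRM, sizeof uiD32);
			pIA32Decode->SIA32InstructionHelper.cbRawDisplacement = 4;
			memcpy(pIA32Decode->SIA32RawInstruction.URawDisplacement.ca4ByteRawDisplacement, &uiD32, sizeof uiD32);
			if (!strlen(strSegOverride))
				strcpy(strSegOverride, "ds:");
			sprintf(strOutput, "%s%s[0x%08X]", strOpSize, strSegOverride, uiD32);
			return 1;
		}
		/* the other Mod == 0 forms carry no displacement (the SIB decoder
		 * stores its own when the SIB base field says "disp32") */
		pIA32Decode->SIA32InstructionHelper.cbRawDisplacement = 0;
		if (RM != 4)
		{
			sprintf(strOutput, "%s%s[%s]", strOpSize, strSegOverride, kReg32[RM]);
			return 1;
		}
		break;	/* SIB form, finished below */
	case 1:
		/* disp8 follows ModRM, or follows the SIB byte when RM == 4 */
		ucD8 = pStart[iAfterModRM + (RM == 4 ? 1 : 0)];
		pIA32Decode->SIA32InstructionHelper.cbRawDisplacement = 1;
		pIA32Decode->SIA32RawInstruction.URawDisplacement.cByteRawDisplacement = ucD8;
		if (RM != 4)
		{
			if (ucD8 & 0x80)
			{
				cSign = '-';
				ucD8 = (unsigned char)(-(int)ucD8);	/* print the magnitude of the sign-extended byte */
			}
			sprintf(strOutput, "%s%s[%s%c0x%02X]", strOpSize, strSegOverride, kReg32[RM], cSign, ucD8);
			return 1;
		}
		break;	/* SIB form, finished below */
	case 2:
		/* disp32 follows ModRM, or follows the SIB byte when RM == 4 */
		memcpy(&uiD32, pStart + iAfterModRM + (RM == 4 ? 1 : 0), sizeof uiD32);
		pIA32Decode->SIA32InstructionHelper.cbRawDisplacement = 4;
		memcpy(pIA32Decode->SIA32RawInstruction.URawDisplacement.ca4ByteRawDisplacement, &uiD32, sizeof uiD32);
		if (RM != 4)
		{
			sprintf(strOutput, "%s%s[%s+0x%08X]", strOpSize, strSegOverride, kReg32[RM], uiD32);
			return 1;
		}
		break;	/* SIB form, finished below */
	default:
		return 0;	/* Mod == 3: register operand, not a memory form */
	}

	/* RM == 4: a SIB byte follows ModRM; record it and let the SIB decoder finish */
	SIB = pStart[iAfterModRM];
	pIA32Decode->SIA32InstructionHelper.boolSIBExists = 1;
	pIA32Decode->SIA32RawInstruction.SIB = SIB;
	return DecodeMemory32SIB(DSize, pStart, iOpIndex, pIA32Decode);
}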


int DecodeMemoryOperand(unsigned char *pStart, DefaultOperationSizeAttrib DSize, int iOpIndex, IA32InstructionDecode *pIA32Decode)
{
	/*
	 * Dispatch a ModRM memory operand to the 16-bit or the 32-bit address
	 * decoder and return that decoder's result (1 = operand text written).
	 *
	 * DSize is treated as the segment's default size attribute: with a
	 * 32-bit default the 0x67 address-size prefix switches to 16-bit
	 * addressing, with a 16-bit default it switches to 32-bit addressing.
	 * (Operand-size and address-size defaults are taken to be the same
	 * attribute here, which is what the original code assumed as well.)
	 */
	int bHasAddrSizePrefix = IA32InstructionPrefixExists(0x67, pIA32Decode) != 0;
	int bUse16Bit;

	if (DSize == OpSize32)
		bUse16Bit = bHasAddrSizePrefix;		/* prefix toggles away from the 32-bit default */
	else
		bUse16Bit = !bHasAddrSizePrefix;	/* prefix toggles away from the 16-bit default */

	return bUse16Bit
		? DecodeMemoryOperand16(DSize, pStart, iOpIndex, pIA32Decode)
		: DecodeMemoryOperand32(DSize, pStart, iOpIndex, pIA32Decode);
}


int GetOutputBuffer(int iOpIndex, char** strOutput,IA32InstructionDecode *pIA32Decode)
{
	/*
	 * Map a 1-based operand index onto the matching operand text buffer of
	 * the instruction description.  On success the buffer address is stored
	 * in *strOutput and 1 is returned; any other index returns 0 and leaves
	 * *strOutput untouched.  The capacity of the buffer is not exposed by
	 * this interface, so callers cannot bound their writes through it.
	 */
	int bFound = 1;

	if (iOpIndex == 1)
		*strOutput = pIA32Decode->SIA32InstructionDescription.strOperandA;
	else if (iOpIndex == 2)
		*strOutput = pIA32Decode->SIA32InstructionDescription.strOperandB;
	else if (iOpIndex == 3)
		*strOutput = pIA32Decode->SIA32InstructionDescription.strOperandC;
	else
		bFound = 0;	/* only operands A..C exist */

	return bFound;
}


int strIsFPRegister(const char* str)
{
	if(strlen(str) != 5)
		return 0;
	if(strstr(str,"st(") == str)
	{
		if(str[strlen(str)-1] != ')')
			return 0;
