📄 immplugin.pas
字号:
// Names saved in the data file of main module.
NM_INSPECT = $40; // Several last inspect expressions
NM_WATCH = $41; // Watch expressions
NM_ASM = $42; // Several last assembled strings
NM_FINDASM = $43; // Several last find assembler strings
NM_LASTWATCH = $48; // Several last watch expressions
NM_SOURCE = $49; // Several last source search strings
NM_REFTXT = $4A; // Several last ref text search strings
NM_GOTO = $4B; // Several last expressions to follow
NM_GOTODUMP = $4C; // Several expressions to follow in Dump
NM_TRPAUSE = $4D; // Several expressions to pause trace
// Pseudonames.
NM_IMCALL = $FE; // Intermodular call
NMHISTORY = $40; // Converts NM_xxx to type of init list
Var
Insertname : function (addr: ULONG; itype: Integer; name: PChar): Integer; cdecl;
Quickinsertname : function (addr: ULONG; itype: Integer; name: PChar): Integer; cdecl;
Mergequicknames : procedure; cdecl;
Discardquicknames : procedure; cdecl;
Findname : function (addr: ULONG; itype: Integer; name: PChar): Integer; cdecl;
Decodename : function (addr: ULONG; itype: Integer; name: PChar): Integer; cdecl;
Findnextname : function (name: PChar): ULONG; cdecl;
Findlabel : function (addr: ULONG; name: PChar): Integer; cdecl;
Deletenamerange : procedure (addr0: ULONG; addr1: ULONG; itype: Integer); cdecl;
Findlabelbyname : function (name: PChar; addr: PULONG; addr0: ULONG; addr1: ULONG): Integer; cdecl;
Findimportbyname : function (name: PChar; addr0: ULONG; addr1: ULONG): ULONG; cdecl;
Demanglename : function (name: PChar; itype: Integer; undecorated: PChar): Integer; cdecl;
Findsymbolicname : function (addr: ULONG; fname: PChar): Integer; cdecl;
////////////////////////////////////////////////////////////////////////////////
///////////////////////////// DISASSEMBLY FUNCTIONS ////////////////////////////
const
REG_EAX = 0; // Indexes of general-purpose registers
REG_ECX = 1; // in t_reg.
REG_EDX = 2;
REG_EBX = 3;
REG_ESP = 4;
REG_EBP = 5;
REG_ESI = 6;
REG_EDI = 7;
SEG_UNDEF = -1;
SEG_ES = 0; // Indexes of segment/selector registers
SEG_CS = 1; // in t_reg.
SEG_SS = 2;
SEG_DS = 3;
SEG_FS = 4;
SEG_GS = 5;
// Selected items in register window.
RS_NONE = $0000; // No selection
RS_INT = $0010; // General-purpose 32-bit registers
RS_EIP = $0020; // EIP (instruction pointer)
RS_FLG = $0030; // 1-bit decoded flags
RS_SEG = $0040; // Segment (selector) registers
RS_EFL = $0050; // 32-bit flag register
RS_TAG = $0060; // FPU register tag
RS_FPU = $0070; // 80-bit FPU registers
RS_FST = $0080; // FPU status
RS_FCO = $0090; // FPU condition bits
RS_FER = $00A0; // FPU error bits
RS_FCW = $00B0; // FPU control word
RS_FPR = $00C0; // FPU precision fields
RS_FEM = $00D0; // FPU error mask bits
RS_MMX = $00E0; // MMX registers
RS_3DN = $00F0; // 3DNow! registers
RS_SSE = $0100; // SSE registers
RS_CSR = $0110; // SSE MXCSR register
RS_CSB = $0120; // SSE MXCSR bits
RS_CPR = $0130; // SSE rounding control
RS_ERR = $0140; // Last thread error
RS_GROUP = $01F0; // Mask to extract group of registers
RS_INDEX = $000F; // Mask to extract index of register
NREGSTACK = 32; // Length of stack trace buffer
MAXCALSIZE = 8; // Max length of CALL without prefixes
INT3 = $CC; // Code of 1-byte breakpoint
NOP = $90; // Code of 1-byte NOP command
TRAPFLAG = $00000100; // Trap flag in CPU flag register
C_TYPEMASK = $F0; // Mask for command type
C_CMD = $00; // Ordinary instruction
C_PSH = $10; // PUSH instruction
C_POP = $20; // POP instruction
C_MMX = $30; // MMX instruction
C_FLT = $40; // FPU instruction
C_JMP = $50; // JUMP instruction
C_JMC = $60; // Conditional JUMP instruction
C_CAL = $70; // CALL instruction
C_RET = $80; // RET instruction
C_FLG = $90; // Changes system flags
C_RTF = $A0; // C_JMP and C_FLG simultaneously
C_REP = $B0; // Instruction with REPxx prefix
C_PRI = $C0; // Privileged instruction
C_SSE = $D0; // SSE instruction
C_NOW = $E0; // 3DNow! instruction
C_BAD = $F0; // Unrecognized command
C_RARE = $08; // Rare command, seldom used in programs
C_SIZEMASK = $07; // MMX data size or special flag
C_EXPL = $01; // (non-MMX) Specify explicit memory size
C_DANGER95 = $01; // Command is dangerous under Win95/98
C_DANGER = $03; // Command is dangerous everywhere
C_DANGERLOCK = $07; // Dangerous with LOCK prefix
DEC_TYPEMASK = $1F; // Type of memory byte
DEC_UNKNOWN = $00; // Unknown type
DEC_BYTE = $01; // Accessed as byte
DEC_WORD = $02; // Accessed as short
DEC_NEXTDATA = $03; // Subsequent byte of data
DEC_DWORD = $04; // Accessed as long
DEC_FLOAT4 = $05; // Accessed as float
DEC_FWORD = $06; // Accessed as descriptor/long pointer
DEC_FLOAT8 = $07; // Accessed as double
DEC_QWORD = $08; // Accessed as 8-byte integer
DEC_FLOAT10 = $09; // Accessed as long double
DEC_TBYTE = $0A; // Accessed as 10-byte integer
DEC_STRING = $0B; // Zero-terminated ASCII string
DEC_UNICODE = $0C; // Zero-terminated UNICODE string
DEC_3DNOW = $0D; // Accessed as 3Dnow operand
DEC_SSE = $0E; // Accessed as SSE operand
DEC_TEXT = $10; // For use in t_result only
DEC_BYTESW = $11; // Accessed as byte index to switch
DEC_NEXTCODE = $13; // Subsequent byte of command
DEC_COMMAND = $1D; // First byte of command
DEC_JMPDEST = $1E; // Jump destination
DEC_CALLDEST = $1F; // Call (and maybe jump) destination
DEC_PROCMASK = $60; // Procedure analysis
DEC_PROC = $20; // Start of procedure
DEC_PBODY = $40; // Body of procedure
DEC_PEND = $60; // End of procedure
DEC_CHECKED = $80; // Byte was analysed
DEC_SIGNED = $100; // For use in t_result only
DISASM_SIZE = 0; // Determine command size only
DISASM_DATA = 1; // Determine size and analysis data
DISASM_TRACE = 2; // Trace integer registers
DISASM_FILE = 3; // Disassembly, no symbols/registers
DISASM_CODE = 4; // Disassembly, registers undefined
DISASM_ALL = 5; // Complete disassembly
DISASM_RTRACE = 6; // Disassemble with run-trace registers
DISASM_MODE = $0000000F; // Mask to extract disassembling mode
DISASM_HILITE = $000F0000; // Mask to extract highlighting mode
DISASM_HLSHIFT = 16; // Shift to extract highlighting mode
// Warnings issued by Disasm():
DAW_FARADDR = $0001; // Command is a far jump, call or return
DAW_SEGMENT = $0002; // Command loads segment register
DAW_PRIV = $0004; // Privileged command
DAW_IO = $0008; // I/O command
DAW_SHIFT = $0010; // Shift constant out of range 1..31
DAW_PREFIX = $0020; // Superfluous prefix
DAW_LOCK = $0040; // Command has LOCK prefix
DAW_STACK = $0080; // Unaligned stack operation
DAW_DANGER95 = $1000; // May mess up Win95/98 if executed
DAW_DANGEROUS = $3000; // May mess up any OS if executed
RST_INVALID = 0; // Register undefined
RST_VALUE = 1; // Register contains regdata
RST_VFIXUP = 2; // Reg contains regdata that is fixup
RST_INDIRECT = 3; // Register contains [regdata]
type
p_reg = ^t_reg;
t_reg = packed record // Excerpt from context
modified: Integer; // Some regs modified, update context
modifiedbyuser: Integer; // Among modified, some modified by user
singlestep: Integer; // Type of single step, SS_xxx
r: array[0..7] of ULONG; // EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI
ip: ULONG; // Instruction pointer (EIP)
flags: ULONG; // Flags
top: Integer; // Index of top-of-stack
f: array[0..7] of Extended; // Float registers, f[top] - top of stack
tag: array[0..7] of Char; // Float tags (0x3 - empty register)
fst: ULONG; // FPU status word
fcw: ULONG; // FPU control word
s: array[0..5] of ULONG; // Segment registers ES,CS,SS,DS,FS,GS
base: array[0..5] of ULONG; // Segment bases
limit: array[0..5] of ULONG; // Segment limits
big: array[0..5] of Char; // Default size (0-16, 1-32 bit)
dr6: ULONG; // Debug register DR6
threadid: ULONG; // ID of thread that owns registers
lasterror: ULONG; // Last thread error or 0xFFFFFFFF
ssevalid: Integer; // Whether SSE registers valid
ssemodified: Integer; // Whether SSE registers modified
ssereg: array[0..7, 0..15] of Char; // SSE registers
mxcsr: ULONG; // SSE control and status register
selected: Integer; // Reports selected register to plugin
dummy: array[0..3] of ULONG; // Reserved for future compatibility
end;
p_operand = ^t_operand;
t_operand = packed record // Full decription of command's operand
optype: Char; // DEC_xxx (mem) or DECR_xxx (reg,const)
opsize: Char; // Size of operand
regscale: array[0..7] of Char; // Scales of registers
seg: Char; // Segment register
opconst: ULONG; // Constant
end;
p_disasm = ^t_disasm;
t_disasm = packed record // Results of disassembling
ip: ULONG; // Instrucion pointer
dump: array[0..TEXTLEN-1] of Char; // Hexadecimal dump of the command
result: array[0..TEXTLEN-1] of Char; // Disassembled command
comment: array[0..TEXTLEN-1] of Char; // Brief comment
opinfo: array[0..2, 0..TEXTLEN-1] of Char; // Comments to command's operands
cmdtype: Integer; // One of C_xxx
memtype: Integer; // Type of addressed variable in memory
nprefix: Integer; // Number of prefixes
indexed: Integer; // Address contains register(s)
jmpconst: ULONG; // Constant jump address
jmptable: ULONG; // Possible address of switch table
adrconst: ULONG; // Constant part of address
immconst: ULONG; // Immediate constant
zeroconst: Integer; // Whether contains zero constant
fixupoffset: Integer; // Possible offset of 32-bit fixups
fixupsize: Integer; // Possible total size of fixups or 0
jmpaddr: ULONG; // Destination of jump/call/return
condition: Integer; // 0xFF:unconditional, 0:false, 1:true
error: Integer; // Error while disassembling command
warnings: Integer; // Combination of DAW_xxx
optype: array[0..2] of Integer; // Type of operand (extended set DEC_xxx)
opsize: array[0..2] of Integer; // Size of operand, bytes
opgood: array[0..2] of Integer; // Whether address and data valid
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -