<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Mozilla/4.71 [en] (Win95; I) [Netscape]">
<meta name="Author" content="Oleh Yuschuk (Olly)">
<meta name="Description" content="Source code of 80x86 32-bit Disassembler and Single-Line Assembler">
<meta name="KeyWords" content="Assembler, Disassembler, OllyDbg, Code Analysis, Code Walk">
<title>80x86 Assembler and Disassembler</title>
</head>
<body>
<b><font face="Arial"><font color="#990000"><font size=+2>80x86
32-bit Disassembler and Assembler</font></font></font></b>
<p><b><a href="#_Toc531975948">Legal part</a></b>
<br><b><a href="#_Toc531975949">Introduction</a></b>
<br><b><a href="#_Toc531975950">Brief description of functions</a></b>
<br><b><a href="#_Toc531975951">Assemble</a></b>
<br><b><a href="#_Toc531975952">Checkcondition</a></b>
<br><b><a href="#_Toc531975953">Decodeaddress</a></b>
<br><b><a href="#_Toc531975954">Disasm</a></b>
<br><b><a href="#_Toc531975955">Disassembleback</a></b>
<br><b><a href="#_Toc531975956">Disassembleforward</a></b>
<br><b><a href="#_Toc531975957">Isfilling</a></b>
<br><b><a href="#_Toc531975958">Printfloat* functions</a></b>
<p>
<hr WIDTH="100%">
<br><a NAME="_Toc531975948"></a><b><font face="Arial"><font color="#990000"><font size=+1>Legal
part</font></font></font></b>
<p>This package includes source code of 32-bit Disassembler and 32-bit
single line Assembler for 80x86-compatible processors. The source is a
slightly stripped version of code used in OllyDbg v1.04 and is well proven
by its numerous users. (If you haven't heard before, <a href="http://home.t-online.de/home/OllyDbg">OllyDbg</a>
is a 32-bit Assembler level debugger with powerful analyzing capabilities
that makes binary machine code understandable).
<p>This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version. This program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License (<font color="#0000FF"><a href="http://www.fsf.org/copyleft/gpl.html">http://www.fsf.org/copyleft/gpl.html)</a></font>
for more details.
<p>You should have received a copy of the GNU General Public License (<i>gpl.txt</i>)
along with this program; if not, write to the Free Software Foundation,
Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.<b></b>
<p>All brand names and product names used in 80x86 Assembler and Disassembler,
accompanying files or in this help file are trademarks, registered trademarks,
or trade names of their respective holders.
<br>
<p>
<hr WIDTH="100%">
<br><a NAME="_Toc531975949"></a><b><font face="Arial"><font color="#990000"><font size=+1>Introduction</font></font></font></b>
<p>The Disassembler understands all standard 80x86 commands, FPU, MMX, AMD's
MMX extensions, Athlon/PIII MMX extensions and 3DNow! instructions. It
does not decode SSE or SSE2 commands. The Disassembler assumes 32-bit code
and data segments but correctly decodes commands with 16-bit prefixes. Several
decoding modes let you select the amount of returned information (which
is inversely proportional to execution speed): command length only, basic
information useful for code analysis, or full decoding with hex dump and assembler
form. Multiple options select the desired output format. Both the Disassembler and the Assembler
support MASM and Borland's IDEAL modes.
<p>The Assembler converts a single command from ASCII form to binary
code. It can find several possible encodings of the same command, and can even create search
patterns with undefined operands.
<p>This package includes following files:
<ul>
<li>
<i>disasm.h</i> - common definitions</li>
<li>
<i>disasm.c</i> - Disassembler</li>
<li>
<i>assembl.c</i> - Assembler</li>
<li>
<i>asmserv.c</i> - table of commands and service functions</li>
<li>
<i>main.c</i> - demo program</li>
</ul>
Total source size exceeds <b>3800 lines</b> of dense text (more than <b>190
K</b>!). I used Borland C and do not guarantee that it will work with
any other compiler. <b>Please set the default character type to unsigned!</b>
The code passes machine-code bytes around as plain <i>char</i>, so a signed default
would sign-extend every byte above 0x7F. Please also place the following statements into the main file of your program,
and do <b>not</b> #define MAINPROG in any other file:
<p><b><font face="Courier New"><font color="#000000"><font size=-1>
#define MAINPROG // Place all unique variables here</font></font></font></b>
<br><b><font face="Courier New"><font color="#000000"><font size=-1>
#include "disasm.h"</font></font></font></b>
<p>(I use this trick to define shared global variables). Below is a small
piece of code disassembled with OllyDbg 1.04 using different text settings:
<br>
<table BORDER COLS=1 WIDTH="100%" BGCOLOR="#CCFFFF" >
<tr>
<td><tt>004505B3 A1 DC464B00
MOV EAX,DS:[4B46DC]</tt>
<br><tt>004505B8 8B0498
MOV EAX,DS:[EAX+EBX*4]</tt>
<br><tt>004505BB 50
PUSH EAX</tt>
<br><tt>004505BC 8D85 E0FBFFFF
LEA EAX,SS:[EBP-420]</tt>
<br><tt>004505C2 50
PUSH EAX</tt>
<br><tt>004505C3 E8 141BFCFF
CALL 004120DC </tt>
<br><tt>004505C8 83C4 08
ADD ESP,8</tt>
<br><tt>004505CB 43
INC EBX</tt>
<br><tt>004505CC 3B1D D8464B00
CMP EBX,DS:[4B46D8]</tt>
<br><tt>004505D2 0F8C AFFEFFFF
JL 00450487 </tt>
<br><tt>004505D8 80BD E0FDFFFF 00 CMP BYTE PTR
SS:[EBP-220],0</tt>
<br><tt>004505DF 75 14
JNZ SHORT 004505F5</tt>
<br><tt>004505E1 68 B39E4600
PUSH 469EB3 </tt>
<br><tt>004505E6 8D85 E0FDFFFF
LEA EAX,SS:[EBP-220]</tt>
<br><tt>004505EC 50
PUSH EAX</tt>
<br><tt>004505ED E8 521BFCFF
CALL 00412144 </tt></td>
</tr>
</table>
<br>
<table BORDER COLS=1 WIDTH="100%" BGCOLOR="#CCFFFF" >
<tr>
<td><tt>004505B3 A1 DC464B00
mov eax,[dword ds:4B46DC]</tt>
<br><tt>004505B8 8B0498
mov eax,[dword ds:eax+ebx*4]</tt>
<br><tt>004505BB 50
push eax</tt>
<br><tt>004505BC 8D85 E0FBFFFF
lea eax,[dword ss:ebp-420]</tt>
<br><tt>004505C2 50
push eax</tt>
<br><tt>004505C3 E8 141BFCFF
call 004120DC</tt>
<br><tt>004505C8 83C4 08
add esp,8</tt>
<br><tt>004505CB 43
inc ebx</tt>
<br><tt>004505CC 3B1D D8464B00
cmp ebx,[dword ds:4B46D8]</tt>
<br><tt>004505D2 0F8C AFFEFFFF
jl 00450487</tt>
<br><tt>004505D8 80BD E0FDFFFF 00 cmp
[byte ss:ebp-220],0</tt>
<br><tt>004505DF 75 14
jnz short 004505F5</tt>
<br><tt>004505E1 68 B39E4600
push 469EB3</tt>
<br><tt>004505E6 8D85 E0FDFFFF
lea eax,[dword ss:ebp-220]</tt>
<br><tt>004505EC 50
push eax</tt>
<br><tt>004505ED E8 521BFCFF
call 00412144</tt></td>
</tr>
</table>
<p>
<hr WIDTH="100%">
<br><a NAME="_Toc531975950"></a><b><font face="Arial"><font color="#990000"><font size=+1>Brief
description of functions</font></font></font></b>
<ul>
<li>
<font color="#990000">int <b><a href="#_Toc531975951">Assemble</a></b>(char
*cmd,ulong ip,t_asmmodel *model,int attempt,int constsize,char *errtext)</font>
- assembles text command to binary code;</li>
<li>
<font color="#990000">int <b><a href="#_Toc531975952">Checkcondition</a></b>(int
code,ulong flags)</font> - checks whether the flags satisfy the condition of a conditional command;</li>
<li>
<font color="#990000">int <b><a href="#_Toc531975953">Decodeaddress</a></b>(ulong
addr,ulong base,int addrmode,char *symb,int nsymb,char *comment)</font>
- user-supplied function that decodes addresses into symbolic names;</li>
<li>
<font color="#990000">ulong <b><a href="#_Toc531975954">Disasm</a></b>(char
*src,ulong srcsize,ulong srcip,t_disasm *disasm,int disasmmode)</font>
- determines length of the binary command or disassembles it to the text;</li>
<li>
<font color="#990000">ulong <b><a href="#_Toc531975955">Disassembleback</a></b>(char
*block,ulong base,ulong size,ulong ip,int n)</font> - walks binary code
backward;</li>
<li>
<font color="#990000">ulong <b><a href="#_Toc531975956">Disassembleforward</a></b>(char
*block,ulong base,ulong size,ulong ip,int n)</font> - walks binary code
forward;</li>
<li>
<font color="#990000">int <b><a href="#_Toc531975957">Isfilling</a></b>(ulong
addr,char *data,ulong size,ulong align) </font>- determines whether command
is equivalent to NOP;</li>
<li>
<font color="#990000">int <b><a href="#_Toc531975958">Print3dnow</a></b>(char
*s,char *f)</font> - converts 3DNow! constant to text without triggering
FPU exception for invalid operands;</li>
<li>
<font color="#990000">int <b><a href="#_Toc531975958">Printfloat10</a></b>(char
*s,long double ext)</font> - converts 10-byte floating constant to text
without causing exception;</li>
<li>
<font color="#990000">int <b><a href="#_Toc531975958">Printfloat4</a></b>(char
*s,float f)</font> - converts 4-byte floating constant to text without
causing exception;</li>
<li>
<font color="#990000">int <b><a href="#_Toc531975958">Printfloat8</a></b>(char
*s,double d)</font> - converts 8-byte floating constant to text without
causing exception.</li>
</ul>
<hr WIDTH="100%">
<br><a NAME="_Toc531975951"></a><b><font face="Arial"><font color="#990000"><font size=+1>Assemble</font></font></font></b>
<p>Function Assemble(), as its name suggests, converts a command from ASCII form to
binary 32-bit code. It shares the command table with Disasm(), so any command that
can be disassembled can be assembled back as well, with one exception:
Assemble() does not support 16-bit addresses. With a few unimportant exceptions,
16-bit addresses cannot be used in Win32 programs.
<p>Some commands have more than one encoding, and Assemble() lets you
find them all. This matters, for example, when you want the
shortest possible code, or when you want to locate every occurrence of a command
in a binary whichever encoding the compiler chose. Two parameters control this: constsize
selects the size of the immediate constant and of the address constant (8 or 32 bits), and
attempt is the index of the occurrence of the command in the command table. To find all
variants, call Assemble() with attempt=0,1,2... and, for each attempt, with
constsize=0,1,2,3, continuing as long as the function reports success for at least one
constsize of the current attempt. Generated codes may repeat, so deduplicate them. Please note that if a command uses
a memory operand, only one of the equivalent address forms is generated in each case: [EAX*2]
but not [EAX+EAX]; [EBX+EAX] but not [EAX+EBX]; [EAX] without a SIB
byte; no DS: prefix, and so on. A pattern search built from Assemble() output will
therefore miss code that uses one of those alternative address encodings.
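<p>The enumeration loop described above, as an added example that is not part of the OllyDbg package: a miniature C assembler that encodes only ADD r32,imm (the three Intel forms 05 id, 81 /0 id and 83 /0 ib) but mirrors the attempt/constsize calling convention, drops repeated codes, and then uses the resulting code/mask pairs to find every occurrence of the command in a constructed byte buffer. The type mini_model, the reading of constsize bit 0 as "32-bit immediate", and the '?' syntax for an undefined operand are this example's own assumptions, not the package's definitions.

```c
/* Added illustration, not code from the OllyDbg package: a tiny single-line
 * assembler for "ADD r32,imm" that enumerates encodings as the text describes
 * for Assemble(). attempt = index of the applicable table entry; constsize
 * bit 0 = 32-bit immediate (bit 1, address size, only yields repeats here);
 * a '?' immediate builds a search pattern with an undefined operand. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXCMDSIZE 16
typedef struct {
  unsigned char code[MAXCMDSIZE]; /* binary code */
  unsigned char mask[MAXCMDSIZE]; /* 0xFF: byte must match, 0x00: undefined */
  int length;                     /* bytes used, 0 on failure */
} mini_model;

typedef struct { unsigned char opcode; int has_modrm, imm32, acc_only; } add_form;
static const add_form forms[] = { /* Intel forms of ADD with an immediate */
  {0x05, 0, 1, 1}, /* 05 id    : ADD EAX,imm32 (accumulator short form) */
  {0x81, 1, 1, 0}, /* 81 /0 id : ADD r/m32,imm32 */
  {0x83, 1, 0, 0}, /* 83 /0 ib : ADD r/m32,imm8 (sign-extended) */
};
static const char *regs[8] = {"EAX","ECX","EDX","EBX","ESP","EBP","ESI","EDI"};
static void upcase(char *s) { for (; *s; s++) *s = (char)toupper((unsigned char)*s); }

/* Parse "ADD reg,imm"; imm is decimal, 0x-hex or '?'. Returns 0 or -1. */
static int parse_add(const char *cmd, int *reg, long *imm, int *undef) {
  char mnem[8], rname[8], rest[32];
  if (sscanf(cmd, " %7[A-Za-z] %7[A-Za-z] , %31s", mnem, rname, rest) != 3) return -1;
  upcase(mnem); upcase(rname);
  if (strcmp(mnem, "ADD") != 0) return -1;
  for (*reg = 0; *reg < 8 && strcmp(rname, regs[*reg]) != 0; (*reg)++) ;
  *undef = (strcmp(rest, "?") == 0);
  *imm = *undef ? 0 : strtol(rest, NULL, 0);
  return *reg < 8 ? 0 : -1;
}

/* Same contract the text gives for Assemble(): returns the code length, or 0
 * if this (attempt, constsize) pair has no encoding. */
static int mini_assemble(const char *cmd, int attempt, int constsize, mini_model *m) {
  int reg, undef, i, n = 0, want32 = constsize & 1;
  long imm;
  const add_form *f = NULL;
  memset(m, 0, sizeof *m);
  if (parse_add(cmd, &reg, &imm, &undef) < 0) return 0;
  for (i = 0; i < 3; i++) /* attempt counts only entries that fit the operand */
    if (!(forms[i].acc_only && reg != 0) && n++ == attempt) f = &forms[i];
  if (f == NULL || f->imm32 != want32) return 0;
  if (!f->imm32 && !undef && (imm < -128 || imm > 127)) return 0; /* no imm8 */
  m->code[m->length++] = f->opcode;
  if (f->has_modrm) m->code[m->length++] = (unsigned char)(0xC0 | reg); /* mod=11,/0 */
  memset(m->mask, 0xFF, m->length);
  for (i = 0; i < (f->imm32 ? 4 : 1); i++, m->length++) { /* little-endian imm */
    m->code[m->length] = undef ? 0 : (unsigned char)((unsigned long)imm >> (8 * i));
    m->mask[m->length] = undef ? 0x00 : 0xFF;
  }
  return m->length;
}

/* The enumeration the text prescribes: attempt = 0,1,2,... and for each one
 * constsize = 0..3, stopping at the first attempt where every constsize fails.
 * Repeated codes are dropped. Returns the number of distinct models. */
static int all_encodings(const char *cmd, mini_model *out, int maxout) {
  int n = 0, attempt, constsize, i, any;
  mini_model m;
  for (attempt = 0; ; attempt++) {
    for (any = 0, constsize = 0; constsize < 4; constsize++) {
      if (mini_assemble(cmd, attempt, constsize, &m) == 0) continue;
      any = 1;
      for (i = 0; i < n; i++) /* skip repeats */
        if (out[i].length == m.length && !memcmp(out[i].code, m.code, m.length) &&
            !memcmp(out[i].mask, m.mask, m.length)) break;
      if (i == n && n < maxout) out[n++] = m;
    }
    if (!any) break;
  }
  return n;
}

/* Count positions in buf where any model matches under its mask: this is how
 * code/mask pairs locate every occurrence of a command in a binary. */
static int count_matches(const unsigned char *buf, int size, const mini_model *ms, int n) {
  int pos, i, j, hits = 0;
  for (pos = 0; pos < size; pos++)
    for (i = 0; i < n; i++) {
      if (pos + ms[i].length > size) continue;
      for (j = 0; j < ms[i].length; j++)
        if ((buf[pos + j] ^ ms[i].code[j]) & ms[i].mask[j]) break;
      if (j == ms[i].length) { hits++; break; }
    }
  return hits;
}

/* Constructed sample (not from a real binary): ADD EAX,8 in its three forms
 * interleaved with ADD ECX,200. */
static const unsigned char sample[] = {0x83,0xC0,0x08, 0x05,0x08,0,0,0,
                                       0x81,0xC1,0xC8,0,0,0, 0x81,0xC0,0x08,0,0,0};
static int sample_matches(const char *cmd) { /* occurrences of cmd in sample */
  mini_model ms[8]; int n = all_encodings(cmd, ms, 8);
  return count_matches(sample, (int)sizeof sample, ms, n);
}

int main(void) { /* print every distinct encoding of a few commands */
  static const char *cmds[] = {"ADD EAX,8", "ADD ECX,200", "ADD EAX,?"};
  mini_model ms[8];
  int c, i, j, n;
  for (c = 0; c < 3; c++) {
    n = all_encodings(cmds[c], ms, 8);
    printf("%-12s %d encoding(s), %d match(es)\n", cmds[c], n, sample_matches(cmds[c]));
    for (i = 0; i < n; i++, printf("\n"))
      for (j = 0; j < ms[i].length; j++) {
        if (ms[i].mask[j]) printf(" %02X", ms[i].code[j]); else printf(" ??");
      }
  }
  return 0;
}
```

<p>The program prints the distinct encodings of each command and how often they occur in the sample. The 83 form is rejected whenever the immediate does not fit in a sign-extended byte, which is why ADD ECX,200 has a single encoding while ADD EAX,8 has three; the '?' pattern clears the mask over the immediate so that all three forms match regardless of the constant.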