<p>Assemble also compiles imprecise commands that include the following generalized
operands:
<ul>
<li>
R8 - any 8-bit register (stands for AL, BL, CL, DL, AH, BH, CH, DH)</li>
<li>
R16 - any 16 bit register (AX, BX, CX, DX, SP, BP, SI, DI)</li>
<li>
R32 - any 32 bit register (EAX, EBX, ECX, EDX, ESP, EBP, ESI, EDI)</li>
<li>
FPU - any FPU register (ST0..ST7)</li>
<li>
MMX - any MMX register (MM0..MM7)</li>
<li>
CRX - any control register (CR0..CR7)</li>
<li>
DRX - any debug register (DR0..DR7)</li>
<li>
CONST - any constant</li>
</ul>
This allows you to generate imprecise search patterns, where the mask contains
zero bits at the positions occupied by imprecise operands in the binary code.
For example, the pattern generated for the command MOV R32,CONST will match both
MOV EAX,1 and MOV ECX,12345678h.
<p>The function returns the number of bytes in the assembled code, or a non-positive (zero
or negative) number in case of error or when the variant selected by the combination
of attempt and constsize doesn't exist. This number is the negative position
of the error in the input command. If you generate executable code, imprecise
commands are usually not allowed. To assure that a command is precise, check
that all significant bytes in the mask contain 0xFF.
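<p>The following stand-alone C program is an added example, not code from this package: it shows how a code/mask pair of the kind Assemble produces is used as a masked search pattern, and how the 0xFF precision check above is applied before a model is emitted as executable code. The model for MOV R32,CONST is constructed by hand (opcode B8+r followed by imm32, with the register bits and the immediate masked out), as is the byte fragment it is searched in; the structure is a cut-down stand-in for t_asmmodel, MAXCMDSIZE is an assumed value, and unsigned char is used instead of the package's char so that byte comparisons are not sign-extended.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAXCMDSIZE 16   /* assumed value; the real constant is defined in disasm.h */

/* Cut-down stand-in for t_asmmodel: only the members the search needs. */
typedef struct {
    unsigned char code[MAXCMDSIZE];   /* binary code, significant only where mask bit is 1 */
    unsigned char mask[MAXCMDSIZE];   /* comparison mask (0: bit ignored) */
    int length;                       /* length of code and mask in bytes */
} asmmodel_t;

/* 1 if every significant mask byte is 0xFF, i.e. the model describes exactly
   one byte sequence and may be copied into executable code. */
int model_is_precise(const asmmodel_t *m) {
    if (m->length <= 0 || m->length > MAXCMDSIZE) return 0;
    for (int i = 0; i < m->length; i++)
        if (m->mask[i] != 0xFF) return 0;
    return 1;
}

/* 1 if buf[pos..pos+length) matches the model under its mask. */
static int matches_at(const asmmodel_t *m, const unsigned char *buf, size_t pos) {
    for (int i = 0; i < m->length; i++)
        if ((buf[pos + i] & m->mask[i]) != (m->code[i] & m->mask[i])) return 0;
    return 1;
}

/* Masked search: offset of the first match at or after 'start', or -1.
   The bound check keeps the comparison inside the buffer. */
long model_find(const asmmodel_t *m, const unsigned char *buf, size_t len, size_t start) {
    if (m->length <= 0 || (size_t)m->length > len) return -1;
    for (size_t pos = start; pos + (size_t)m->length <= len; pos++)
        if (matches_at(m, buf, pos)) return (long)pos;
    return -1;
}

/* Constructed model for MOV R32,CONST: opcode B8+r, then a 32-bit immediate.
   The low three opcode bits (register) and all immediate bytes are masked out,
   so only the 0xB8..0xBF opcode family is significant. */
asmmodel_t mov_r32_const_model(void) {
    asmmodel_t m;
    memset(&m, 0, sizeof m);
    m.code[0] = 0xB8;
    m.mask[0] = 0xF8;
    m.length = 5;
    return m;
}

/* Constructed code fragment: push ebp; mov eax,1; nop; mov ecx,12345678h; ret */
static const unsigned char sample_code[] = {
    0x55,
    0xB8, 0x01, 0x00, 0x00, 0x00,
    0x90,
    0xB9, 0x78, 0x56, 0x34, 0x12,
    0xC3
};
const size_t sample_code_len = sizeof sample_code;

int main(void) {
    asmmodel_t m = mov_r32_const_model();
    long pos = 0;
    while ((pos = model_find(&m, sample_code, sample_code_len, (size_t)pos)) >= 0) {
        printf("MOV R32,CONST at offset %ld (precise: %d)\n", pos, model_is_precise(&m));
        pos++;
    }
    return 0;
}
```

Both MOV instructions are reported (offsets 1 and 7) even though they differ in register and immediate, and model_is_precise() rejects the same model for code generation because four of its five mask bytes are zero.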
<p><b><font color="#0000FF">int Assemble(char *cmd,ulong ip,t_asmmodel
*model,int attempt,int constsize,char *errtext);</font></b>
<p><b>Parameters</b>:
<ul>
<li>
<font color="#0000FF">cmd</font> - pointer to zero terminated ASCII command;</li>
<li>
<font color="#0000FF">ip</font> - address of the first byte of generated
binary command in memory;</li>
<li>
<font color="#0000FF">model</font> - pointer to the structure that receives
machine code and mask, see detailed description below;</li>
<li>
<font color="#0000FF">attempt</font> - index of alternative encoding of
the command. Call Assemble with attempt=0,1,2... to obtain all possible
versions of the command. Stop this sequence when Assemble reports error;</li>
<li>
<font color="#0000FF">constsize</font> - requested size of address constant
and immediate data. Call Assemble with constsize=0,1,2,3 to obtain all
possible encodings of the version selected by attempt;</li>
<li>
<font color="#0000FF">errtext</font> - pointer to text buffer of length
at least TEXTLEN bytes that receives description of detected error.</li>
</ul>
<b>t_asmmodel</b>: structure that receives assembled code.
<p><tt><font color="#000000">typedef struct t_asmmodel {
// Model to search for assembler command</font></tt>
<br><tt><font color="#000000"> char code[MAXCMDSIZE];
// Binary code</font></tt>
<br><tt><font color="#000000"> char mask[MAXCMDSIZE];
// Mask for binary code (0: bit ignored)</font></tt>
<br><tt><font color="#000000"> int length;
// Length of code, bytes (0: empty)</font></tt>
<br><tt><font color="#000000"> int jmpsize;
// Offset size if relative jump</font></tt>
<br><tt><font color="#000000"> int jmpoffset;
// Offset relative to IP</font></tt>
<br><tt><font color="#000000"> int jmppos;
// Position of jump offset in command</font></tt>
<br><tt><font color="#000000">} t_asmmodel;</font></tt>
<p><b>Members</b>:
<ul>
<li>
<font color="#0000FF">code</font> - binary code of the command. Only bits
that have 1's in corresponding mask bits are significant;</li>
<li>
<font color="#0000FF">mask</font> - comparison mask. Search routine ignores
all code bits where mask is set to 0;</li>
<li>
<font color="#0000FF">length</font> - length of code and mask, bytes. If
length is 0, search model is empty or invalid;</li>
<li>
<font color="#0000FF">jmpsize</font> - if nonzero, command is a relative
jump and jmpsize is a size of offset in bytes;</li>
<li>
<font color="#0000FF">jmpoffset</font> - if jmpsize is nonzero, jump offset
relative to address of the following command, otherwise undefined;</li>
<li>
<font color="#0000FF">jmppos</font> - if jmpsize is nonzero, position of
the first byte of the offset in code, otherwise undefined.</li>
</ul>
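<p>The jmpsize, jmpoffset and jmppos members describe a relative jump whose encoding depends on the address it was assembled at. The added C example below (not part of this package) uses them to compute the absolute jump target and to re-encode a model for a different address, refusing when the new offset does not fit in jmpsize bytes. The model is constructed by hand as JMP SHORT assembled at ip 401000h with target 401010h (EB 0E); the structure is a stand-in for t_asmmodel and MAXCMDSIZE is an assumed value.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAXCMDSIZE 16   /* assumed value; the real constant is defined in disasm.h */

/* Stand-in for t_asmmodel with the jump-related members of the page. */
typedef struct {
    unsigned char code[MAXCMDSIZE];
    unsigned char mask[MAXCMDSIZE];
    int length;      /* length of code, bytes */
    int jmpsize;     /* offset size in bytes if relative jump, else 0 */
    int jmpoffset;   /* offset relative to the address of the following command */
    int jmppos;      /* position of the first offset byte in code */
} asmmodel_t;

/* Absolute target of a relative jump: the offset is taken from the address
   of the following command, i.e. ip + length. */
uint32_t model_jump_target(const asmmodel_t *m, uint32_t ip) {
    return ip + (uint32_t)m->length + (uint32_t)m->jmpoffset;
}

/* Re-encode a model assembled at old_ip so that, placed at new_ip, it still
   jumps to the same target. Returns 1 on success, 0 if the model is not a
   relative jump, jmppos is inconsistent, or the new offset does not fit. */
int model_relocate_jump(asmmodel_t *m, uint32_t old_ip, uint32_t new_ip) {
    if (m->jmpsize != 1 && m->jmpsize != 2 && m->jmpsize != 4) return 0;
    if (m->jmppos < 0 || m->jmppos + m->jmpsize > m->length) return 0;
    uint32_t target = model_jump_target(m, old_ip);
    int32_t off = (int32_t)(target - (new_ip + (uint32_t)m->length));
    if (m->jmpsize == 1 && (off < -128 || off > 127)) return 0;
    if (m->jmpsize == 2 && (off < -32768 || off > 32767)) return 0;
    for (int i = 0; i < m->jmpsize; i++)            /* little-endian store */
        m->code[m->jmppos + i] = (unsigned char)((uint32_t)off >> (8 * i));
    m->jmpoffset = off;
    return 1;
}

/* Constructed model: JMP SHORT 401010h assembled at 401000h -> EB 0E. */
asmmodel_t jmp_short_model(void) {
    asmmodel_t m;
    memset(&m, 0, sizeof m);
    m.code[0] = 0xEB; m.code[1] = 0x0E;
    m.mask[0] = 0xFF; m.mask[1] = 0xFF;
    m.length = 2;
    m.jmpsize = 1;
    m.jmpoffset = 0x0E;
    m.jmppos = 1;
    return m;
}

int main(void) {
    asmmodel_t m = jmp_short_model();
    printf("target from 401000h: %08X\n", model_jump_target(&m, 0x401000u));
    if (model_relocate_jump(&m, 0x401000u, 0x401020u))
        printf("relocated to 401020h: %02X %02X\n", m.code[0], m.code[1]);
    if (!model_relocate_jump(&m, 0x401020u, 0x400000u))
        printf("cannot reach target with a 1-byte offset from 400000h\n");
    return 0;
}
```

Moving the jump from 401000h to 401020h turns the offset 0Eh into -18 (EEh) while the target stays 401010h; moving it to 400000h is rejected because the required offset exceeds the range of a short jump, which is exactly the situation the attempt and constsize parameters of Assemble exist to resolve by choosing a longer encoding.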
<hr WIDTH="100%">
<br><a NAME="_Toc531975952"></a><b><font face="Arial"><font color="#990000"><font size=+1>Checkcondition</font></font></font></b>
<p>Checks whether the 80x86 flags meet the condition code in the command. Returns
1 if the condition is met and 0 if not.
<p><b><font color="#0000FF">int Checkcondition(int code,ulong flags);</font></b>
<p><b>Parameters</b>:
<ul>
<li>
<font color="#0000FF">code</font> - byte of command that contains condition
code;</li>
<li>
<font color="#0000FF">flags</font> - contents of register EFL.</li>
</ul>
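<p>As an added example (not the package's own Checkcondition), the C function below implements the same check for the sixteen 80x86 condition codes, taking the low nibble of the opcode byte as the condition and reading CF, PF, ZF, SF and OF from an EFLAGS value. The EFLAGS bit positions and the condition table are architectural facts; the observation that every odd condition code is the negation of the preceding even one keeps the table to eight cases.

```c
#include <stdint.h>
#include <stdio.h>

/* EFLAGS bit positions (architectural, not from the page). */
#define FL_CF (1u << 0)
#define FL_PF (1u << 2)
#define FL_ZF (1u << 6)
#define FL_SF (1u << 7)
#define FL_OF (1u << 11)

/* Returns 1 if the flags satisfy the condition in the low nibble of 'code'
   (the opcode byte of Jcc short, the second byte of 0F 8x Jcc near, or the
   cc byte of SETcc/CMOVcc), 0 otherwise. */
int checkcondition(int code, uint32_t flags) {
    int cond = code & 0x0F;
    int cf = (flags & FL_CF) != 0;
    int pf = (flags & FL_PF) != 0;
    int zf = (flags & FL_ZF) != 0;
    int sf = (flags & FL_SF) != 0;
    int of = (flags & FL_OF) != 0;
    int result;
    switch (cond & 0x0E) {             /* even code; the odd code is its negation */
        case 0x0: result = of;                 break;   /* O  / NO */
        case 0x2: result = cf;                 break;   /* B  / AE */
        case 0x4: result = zf;                 break;   /* E  / NE */
        case 0x6: result = cf | zf;            break;   /* BE / A  */
        case 0x8: result = sf;                 break;   /* S  / NS */
        case 0xA: result = pf;                 break;   /* P  / NP */
        case 0xC: result = sf != of;           break;   /* L  / GE */
        default:  result = zf | (sf != of);    break;   /* LE / G  */
    }
    return result ^ (cond & 1);
}

int main(void) {
    /* JE (74h) and JNE (75h) evaluated against a flags value with ZF set */
    printf("JE  with ZF=1: %d\n", checkcondition(0x74, FL_ZF));
    printf("JNE with ZF=1: %d\n", checkcondition(0x75, FL_ZF));
    /* JL (7Ch): signed less means SF != OF */
    printf("JL  with SF=1,OF=0: %d\n", checkcondition(0x7C, FL_SF));
    return 0;
}
```

A debugger uses this to predict whether a conditional branch will be taken before stepping over it; the same nibble convention applies to SETcc and CMOVcc, so one table serves all three.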
<hr WIDTH="100%">
<br><a NAME="_Toc531975953"></a><b><font face="Arial"><font color="#990000"><font size=+1>Decodeaddress</font></font></font></b>
<p>Custom user-supplied function that converts a constant (address) into a
symbolic name. Initially, the source code includes a dummy function that returns
0.
<p>Decodeaddress() decodes memory address or constant to the ASCII string
and optionally comments this address. Returns length of decoded string
(not including terminal 0), or 0 on error or if symbolic name is not available.
<p><b><font color="#0000FF">int Decodeaddress(ulong addr,char *symb,int
nsymb,char *comment);</font></b>
<p><b>Parameters</b>:
<ul>
<li>
<font color="#0000FF">addr</font> - address to decode in address space
of debugged program;</li>
<li>
<font color="#0000FF">symb</font> - pointer to buffer of length at least
nsymb bytes where Decodeaddress() places decoded string;</li>
<li>
<font color="#0000FF">nsymb</font> - length, in characters, of buffer symb;</li>
<li>
<font color="#0000FF">comment</font> - pointer to string of length at least
TEXTLEN bytes or NULL, receives comment associated with addr.</li>
</ul>
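<p>Because Decodeaddress() is supplied by the user and writes into caller-provided buffers, the part that matters is honouring nsymb and the TEXTLEN limit on comment. The added C example below (not the package's dummy function) resolves addresses against a constructed two-entry symbol table, clears both buffers first so a 0 return never leaves stale text behind, refuses to write a name that would not fit together with its terminator rather than truncating it, and tolerates a NULL comment pointer as the page allows. TEXTLEN is an assumed value.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define TEXTLEN 256   /* assumed value; the real constant is defined in disasm.h */

typedef struct {
    uint32_t addr;
    const char *name;
    const char *comment;   /* may be NULL */
} symbol_t;

/* Constructed symbol table standing in for debug information. */
static const symbol_t symbols[] = {
    {0x00401000u, "main",          "entry point"},
    {0x00402010u, "decrypt_block", NULL},
};

/* Returns the length of the name written to symb (not counting the
   terminating 0), or 0 if addr has no symbol or the name does not fit. */
int decodeaddress(uint32_t addr, char *symb, int nsymb, char *comment) {
    if (symb == NULL || nsymb <= 0) return 0;
    symb[0] = '\0';
    if (comment != NULL) comment[0] = '\0';
    for (size_t i = 0; i < sizeof symbols / sizeof symbols[0]; i++) {
        if (symbols[i].addr != addr) continue;
        size_t need = strlen(symbols[i].name);
        if (need >= (size_t)nsymb) return 0;   /* no room for name + terminator */
        memcpy(symb, symbols[i].name, need + 1);
        if (comment != NULL && symbols[i].comment != NULL)
            snprintf(comment, TEXTLEN, "%s", symbols[i].comment);   /* bounded copy */
        return (int)need;
    }
    return 0;
}

int main(void) {
    char name[64], cmt[TEXTLEN];
    int n = decodeaddress(0x00401000u, name, sizeof name, cmt);
    printf("%d \"%s\" ; %s\n", n, name, cmt);
    n = decodeaddress(0x00401000u, name, 4, NULL);   /* too small: 0, empty name */
    printf("%d \"%s\"\n", n, name);
    return 0;
}
```

Returning 0 instead of a truncated name is a deliberate choice: a disassembler listing that silently shows "mai" for main is worse than one that falls back to the numeric address.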
<hr WIDTH="100%">
<br><a NAME="_Toc531975954"></a><b><font face="Arial"><font color="#990000"><font size=+1>Disasm</font></font></font></b>
<p>The most important (and complex) function in this package. Depending
on the specified disasmmode, Disasm() performs one of the four functions:
<ul>
<li>
<b>DISASM_SIZE</b> - quickly determines size of the command. Use this mode
if you want to walk through the code. In this mode, treat all members of
disasm as undefined;</li>
<li>
<b>DISASM_DATA</b> - determines size and analyses operands. Use this mode
for quick analysis, for example, if you need to calculate jump destination.
Members of disasm marked with asterisk (*) are undefined;</li>
<li>
<b>DISASM_FILE</b> - determines size, analyses operands and disassembles the
command, but doesn't attempt to convert addresses to symbols. Use this
mode if there is no correspondence between addresses and symbols, for example,
if you dump the contents of a binary file;</li>
<li>
<b>DISASM_CODE</b> - full disassembly.</li>
</ul>
The function returns the size of the disassembled command. There are several global
constants that influence the behavior of this function. They are described
later in this section. All symbolic constants are described in file <i>disasm.h</i>.
<p><b><font color="#0000FF">ulong Disasm(char *src,ulong srcsize,ulong
srcip,t_disasm *disasm,int disasmmode);</font></b>
<p><b>Parameters</b>:
<ul>
<li>
<font color="#0000FF">src</font> - pointer to binary code that must be
disassembled;</li>
<li>
<font color="#0000FF">srcsize</font> - size of src. Length of 80x86 command
is limited to MAXCMDSIZE bytes;</li>
<li>
<font color="#0000FF">srcip</font> - address of the command;</li>
<li>
<font color="#0000FF">disasm</font> - pointer to structure that receives
results of disassembling, see detailed description below;</li>
<li>
<font color="#0000FF">disasmmode</font> - disassembly mode, one of DISASM_xxx
(see above).</li>
</ul>
<b>t_disasm:</b>
<p><tt><font color="#000000">typedef struct t_disasm {
// Results of disassembling</font></tt>
<br><tt><font color="#000000"> ulong pi;
// Instruction pointer</font></tt>
<br><tt><font color="#000000"> char dump[TEXTLEN];
// (*) Hexadecimal dump of the command</font></tt>
<br><tt><font color="#000000"> char result[TEXTLEN];
// (*) Disassembled command</font></tt>
<br><tt><font color="#000000"> char comment[TEXTLEN];
// (*) Brief comment</font></tt>
<br><tt><font color="#000000"> int cmdtype;
// One of C_xxx</font></tt>
<br><tt><font color="#000000"> int memtype;
// Type of addressed variable in memory</font></tt>
<br><tt><font color="#000000"> int nprefix;
// Number of prefixes</font></tt>
<br><tt><font color="#000000"> int indexed;
// Address contains register(s)</font></tt>
<br><tt><font color="#000000"> ulong jmpconst;
// Constant jump address</font></tt>
<br><tt><font color="#000000"> ulong jmptable;
// Possible address of switch table</font></tt>
<br><tt><font color="#000000"> ulong adrconst;
// Constant part of address</font></tt>
<br><tt><font color="#000000"> ulong immconst;
// Immediate constant</font></tt>
<br><tt><font color="#000000"> int zeroconst;
// Whether contains zero constant</font></tt>
<br><tt><font color="#000000"> int fixupoffset;
// Possible offset of 32 bit fixups</font></tt>
<br><tt><font color="#000000"> int fixupsize;
// Possible total size of fixups or 0</font></tt>
<br><tt><font color="#000000"> int error;
// Error while disassembling command</font></tt>
<br><tt><font color="#000000"> int warnings;
// Combination of DAW_xxx</font></tt>
<br><tt><font color="#000000">} t_disasm;</font></tt>
<p><b>Members</b>:
<ul>
<li>
<font color="#0000FF">pi</font> - address of the disassembled command;</li>
<li>
<font color="#0000FF">dump</font> - ASCII string, formatted hexadecimal