dump of the command;</li>
<li>
<font color="#0000FF">result</font> - ASCII string, disassembled command
itself;</li>
<li>
<font color="#0000FF">comment</font> - ASCII string, brief comment that
applies to the whole command;</li>
<li>
<font color="#0000FF">cmdtype</font> - type of the disassembled command,
one of C_xxx possibly ORed with C_RARE to indicate that command is seldom
in ordinary Win32 applications. Commands of type C_MMX additionally contain
size of MMX data in the 3 least significant bits (0 means 8-byte operands).
Non-MMX commands may have C_EXPL bit set which means that some memory operand
has size which is not conform with standard 80x86 rules;</li>
<li>
<font color="#0000FF">memtype</font> - type of memory operand, one of DEC_xxx,
or DEC_UNKNOWN if operand is non-standard or command does not access memory;</li>
<li>
<font color="#0000FF">nprefix</font> - number of prefixes that this command
contains;</li>
<li>
<font color="#0000FF">indexed</font> - if memory address contains index
register, set to scale, otherwise 0;</li>
<li>
<font color="#0000FF">jmpconst</font> - address of jump destination if
this address is a constant, and 0 otherwise;</li>
<li>
<font color="#0000FF">jmptable</font> - if indirect jump can be interpreted
as switch, base address of switch table and 0 otherwise;</li>
<li>
<font color="#0000FF">adrconst</font> - constant part of memory address;</li>
<li>
<font color="#0000FF">immconst</font> - immediate constant or 0 if command
contains no immediate constant. The only command that contains two immediate
constants is ENTER. Disasm() ignores second constant which is anyway 0
in most cases;</li>
<li>
<font color="#0000FF">zeroconst</font> - nonzero if command contains immediate
zero constant;</li>
<li>
<font color="#0000FF">fixupoffset</font> - possible start of 32 bit fixup
within the command, or 0 if command can't contain fixups;</li>
<li>
<font color="#0000FF">fixupsize</font> - possible total size of fixups
(0, 4 or 8). If command contains both immediate constant and immediate
address, they are always adjacent on 80x86 processors;</li>
<li>
<font color="#0000FF">error</font> - Disasm() was unable to disassemble
command (for example, command does not exist or crosses end of memory block),
one of DAE_xxx;</li>
<li>
<font color="#0000FF">warnings</font> - command is suspicious or meaningless
(for example, far jump or MOV EAX,EAX preceded with segment prefix), combination
of DAW_xxx bits;</li>
</ul>
<b>Global flags that influence text of disassembled command:</b>
<ul>
<li>
<font color="#0000FF">ideal</font> - force IDEAL decoding mode</li>
<li>
<font color="#0000FF">lowercase</font> - force lowercase</li>
<li>
<font color="#0000FF">tabarguments</font> - insert tab between mnemonic
and arguments</li>
<li>
<font color="#0000FF">extraspace</font> - insert extra space between arguments</li>
<li>
<font color="#0000FF">putdefseg</font> - show default segments</li>
<li>
<font color="#0000FF">showmemsize</font> - always show memory size</li>
<li>
<font color="#0000FF">shownear</font> - show NEAR modifiers</li>
<li>
<font color="#0000FF">shortstringcmds</font> - use short form of string
commands</li>
<li>
<font color="#0000FF">sizesens</font> - mode of decoding of size-sensitive
mnemonics (16/32 bits) like:</li>
</ul>
0 - PUSHA/PUSHAD
<br>
1 - PUSHAW/PUSHAD
<br>
2 - PUSHAW/PUSHA
<ul>
<li>
<font color="#0000FF">symbolic</font> - show symbolic addresses, requires
Decodeaddress()</li>
</ul>
<b>Global flags that warn of potentially invalid commands:</b>
<ul>
<li>
<font color="#0000FF">farcalls</font> - accept far calls, returns &
addresses</li>
<li>
<font color="#0000FF">decodevxd</font> - decode VxD calls (Win95/98)</li>
<li>
<font color="#0000FF">privileged</font> - accept privileged commands</li>
<li>
<font color="#0000FF">iocommand</font> - accept I/O commands</li>
<li>
<font color="#0000FF">badshift</font> - accept shift out of range 1..31</li>
<li>
<font color="#0000FF">extraprefix</font> - accept superfluous prefixes</li>
<li>
<font color="#0000FF">lockedbus</font> - accept LOCK prefixes</li>
<li>
<font color="#0000FF">stackalign</font> - accept unaligned stack operations</li>
<li>
<font color="#0000FF">iswindowsnt</font> - when checking for dangerous
commands, assume NT-based OS</li>
</ul>
If Disasm() encounters a potentially invalid command and the corresponding flag
is 0, it sets a bit in disasm-&gt;warnings and places a warning message in disasm-&gt;comment.
<p>
<hr WIDTH="100%">
<br><a NAME="_Toc531975955"></a><b><font face="Arial"><font color="#990000"><font size=+1>Disassembleback</font></font></font></b>
<p>Calculates the address of the assembler instruction that is n instructions (at most
127) back from the instruction at the specified ip. Returns the address of the found
instruction. In case of error, it may be less than n instructions apart.
<p>80x86 commands have variable length. Disassembleback uses heuristic
methods to separate commands and in some (astoundingly rare!) cases may
return an invalid answer.
<p><b><font color="#0000FF">ulong Disassembleback(char *block,ulong base,ulong
size,ulong ip,int n);</font></b>
<p><b>Parameters</b>:
<ul>
<li>
<font color="#0000FF">block</font> - pointer to the copy of code;</li>
<li>
<font color="#0000FF">base</font> - address of first byte in the code block;</li>
<li>
<font color="#0000FF">size</font> - size of code block;</li>
<li>
<font color="#0000FF">ip</font> - address of current instruction;</li>
<li>
<font color="#0000FF">n</font> - number of instructions to walk back.</li>
</ul>
<hr WIDTH="100%">
<br><a NAME="_Toc531975956"></a><b><font face="Arial"><font color="#990000"><font size=+1>Disassembleforward</font></font></font></b>
<p>Calculates the address of the assembler instruction that is n instructions forward
from the instruction at the specified ip. Returns the address of the found instruction.
In case of error, it may be less than n instructions apart.
<p><b><font color="#0000FF">ulong Disassembleforward(char *block,ulong
base,ulong size,ulong ip,int n,int usedec);</font></b>
<p><b>Parameters</b>:
<ul>
<li>
<font color="#0000FF">block</font> - pointer to the copy of code;</li>
<li>
<font color="#0000FF">base</font> - address of first byte in the code block;</li>
<li>
<font color="#0000FF">size</font> - size of code block;</li>
<li>
<font color="#0000FF">ip</font> - address of current instruction;</li>
<li>
<font color="#0000FF">n</font> - number of instructions to walk forward.</li>
</ul>
<hr WIDTH="100%">
<br><a NAME="_Toc531975957"></a><b><font face="Arial"><font color="#990000"><font size=+1>Isfilling</font></font></font></b>
<p>Determines whether the pointed-to instruction is a no-action command
(equivalent to NOP) that compilers use to fill the gap between
procedures or data blocks up to a specified aligned border. Returns the length
of the filling command in bytes, or 0 if the command is not a recognized filling.
<p><b><font color="#0000FF">int Isfilling(ulong addr,char *data,ulong size,ulong
align);</font></b>
<p><b>Parameters</b>:
<ul>
<li>
<font color="#0000FF">addr</font> - address of the first byte of analyzed
command;</li>
<li>
<font color="#0000FF">data</font> - pointer to the binary command;</li>
<li>
<font color="#0000FF">size</font> - size of data;</li>
<li>
<font color="#0000FF">align</font> - assumed alignment of the next non-filling
command (power of 2), or 0 if alignment is not required.</li>
</ul>
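<p>As an added example (not the library's own Isfilling code), the following C recognises a run of the no-action fillers most compilers emit and applies the align argument in the way described above. The filler table, the run semantics and the names filler_length and filling_run are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

typedef unsigned long ulong;

/* No-action commands compilers use as gap fillers (constructed table, not the
 * library's). INT3 (CC) is absent because it traps, and MOV EDI,EDI is absent
 * because it starts hot-patchable functions rather than filling a gap. */
static const struct { const char *bytes; int len; } fillers[] = {
    { "\x90", 1 },                                 /* NOP                     */
    { "\x66\x90", 2 },                             /* 66 NOP                  */
    { "\x8D\x49\x00", 3 },                         /* LEA ECX,[ECX+0]         */
    { "\x8D\x64\x24\x00", 4 },                     /* LEA ESP,[ESP+0]         */
    { "\x0F\x1F\x00", 3 },                         /* NOP DWORD [EAX]         */
    { "\x0F\x1F\x40\x00", 4 },                     /* NOP DWORD [EAX+0]       */
    { "\x0F\x1F\x44\x00\x00", 5 },                 /* NOP DWORD [EAX+EAX*1+0] */
    { "\x66\x0F\x1F\x44\x00\x00", 6 },             /* NOP WORD [EAX+EAX*1+0]  */
    { "\x0F\x1F\x84\x00\x00\x00\x00\x00", 8 },     /* NOP DWORD [EAX+EAX*1+0] */
};

/* Length of one filler at data[0]; 0 if the bytes are not a filler or the
 * command would cross the end of the buffer (never report a truncated one). */
int filler_length(const unsigned char *data, size_t size)
{
    size_t i;
    for (i = 0; i < sizeof fillers / sizeof fillers[0]; i++)
        if ((size_t)fillers[i].len <= size &&
            memcmp(data, fillers[i].bytes, fillers[i].len) == 0)
            return fillers[i].len;
    return 0;
}

/* Isfilling-style run check (assumed semantics): total bytes of consecutive
 * fillers starting at addr. With align != 0 the run must stop exactly on an
 * align-byte border; a run ending elsewhere (a stray NOP inside a function)
 * yields 0, so the caller keeps treating those bytes as ordinary code. */
size_t filling_run(ulong addr, const unsigned char *data, size_t size, ulong align)
{
    size_t total = 0; int len;
    while (total < size) {
        if (align && total && (addr + total) % align == 0)
            break;                                 /* border reached          */
        len = filler_length(data + total, size - total);
        if (len == 0)
            break;
        total += (size_t)len;
    }
    return (align && (addr + total) % align) ? 0 : total;
}
```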
<hr WIDTH="100%">
<br><a NAME="_Toc531975958"></a><b><font face="Arial"><font color="#990000"><font size=+1>Printfloat*
functions</font></font></font></b>
<p>These functions decode a 4-, 8- or 10-byte floating-point number or an 8-byte
3DNow! operand into text form in string s. They correctly decode all
cases of NANs and INFs without triggering floating-point exceptions. If the
operand is not a valid floating-point number, the functions print a hexadecimal
dump of the number. They return the length of the decoded string in bytes, not including
the terminating 0.
<p><b><font color="#0000FF">int Print3dnow(char *s,char *f);</font></b>
<br><b><font color="#0000FF">int Printfloat10(char *s,long double ext);</font></b>
<br><b><font color="#0000FF">int Printfloat4(char *s,float f);</font></b>
<br><b><font color="#0000FF">int Printfloat8(char *s,double d);</font></b>
<br>
<br>
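<p>An added C example, not the library's Printfloat10, showing how a little-endian 10-byte operand can be classified by bit inspection alone so that NaN, infinity and the encodings the FPU rejects are reported without any floating-point arithmetic being attempted on them. The function name decode_float10, the output formats and the 48-byte buffer requirement are assumptions.

```c
#include <float.h>
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decodes a little-endian 10-byte x87 extended-precision operand f into s
 * (at least 48 bytes). Infinity, NaN and the encodings the FPU rejects
 * (unnormals, pseudo-NaN, pseudo-infinity) are recognised from the bits before
 * any floating-point operation runs, so a hostile operand found in untrusted
 * code cannot raise an FPU exception here. Invalid encodings are emitted as a
 * hex dump, most significant byte first. Returns strlen(s). */
int decode_float10(char *s, const unsigned char *f)
{
    uint64_t mant = 0; unsigned exp; int sign, ibit, e, i, n;
    for (i = 7; i >= 0; i--) mant = mant << 8 | f[i]; /* 64-bit significand */
    exp  = ((unsigned)f[9] << 8 | f[8]) & 0x7FFF;
    sign = f[9] >> 7;
    ibit = (int)(mant >> 63);                       /* explicit integer bit */
    if (exp == 0x7FFF) {
        if (!ibit) goto hexdump;                    /* pseudo-NaN / pseudo-infinity */
        if ((mant << 1) == 0) return sprintf(s, "%sINF", sign ? "-" : "");
        /* bit 62 set: quiet NaN; clear: signalling NaN */
        return sprintf(s, "%s%sNAN", sign ? "-" : "", (mant >> 62) & 1 ? "" : "S");
    }
    if (exp != 0 && !ibit) goto hexdump;            /* unnormal: rejected by 80387+ */
    if (mant == 0) return sprintf(s, "%s0.0", sign ? "-" : "");
    /* value = mant * 2^(exp-16383-63); exp 0 (denormal, pseudo-denormal) uses bias 16382 */
    e = (int)(exp ? exp : 1) - 16383 - 63;
    {
        long double v = ldexpl((long double)mant, e);
        if (sign) v = -v;
        if (v >= -LDBL_MAX && v <= LDBL_MAX) return sprintf(s, "%.19Lg", v);
    }
    /* long double narrower than 80 bits on this platform: fall back to exact form */
    return sprintf(s, "%s0x%llx*2^%d", sign ? "-" : "", (unsigned long long)mant, e);
hexdump:
    n = 0;
    for (i = 9; i >= 0; i--) n += sprintf(s + n, "%02X", f[i]);
    return n;
}
```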
<p>Copyleft (C) 2001 Oleh Yuschuk
<br>
</body>
</html>