DISIT 



OPEN SOURCE DISASSEMBLER ENGINE
http://www.piotrbania.com
 

 

UPDATE 2009:

This project is now closed with last version (01C-BETA) released on 09.09.2006 . Disit 02-STABLE with support for FPU, SSE, SSE2 instructions based on more stable, fixed, partially re-designed engine will not be available to public.


VERSION:
 
[09/09/2006] - current release:  01C-BETA - DOWNLOAD [view changes].
[21/04/2006] - current release:  01B-BETA - DOWNLOAD.
[30/01/2006] - previous release: 01A-BETA - DOWNLOAD.

 

NOTES: This is the first release of DISIT, next ones should contains some major fixes (especially "flags" stuff). Currently it handles most of PENTIUM III general purpose instructions.

Enjoy the engine, fixes, contributions are highly welcome as always.


FILES IN THE PACKAGE:
 
- disasm.cpp       - core of the library
- disasm.h         - internal instructions maps and main structures
- disasm_structs.h - some other declarations

 

MAIN FUNCTION: int _disasm(unsigned char *instr, _dis_data *dis_data)

Where:
- instr           - pointer to instruction to disassemble (in)
- dis_data        - _dis_data structure (out)

Return values:
                  - instruction length on success
                  - NULL if error occurred

 

_DISDATA STRUCT:  typedef struct __dis_data {
int len;                    // length of instruction
unsigned char prefix[3];    // prefix bytes (up to 3)
unsigned char seg;          // currently selected segment

unsigned char w_bit;        // write bit occurency
unsigned char s_bit;        // size bit occurency 

unsigned char opcode;       // opcode value
unsigned char opcode2;      // second opcode value
unsigned char modrm;        // modrm value

unsigned char mem_act;      // mem used as: 0-dest / 1-src
unsigned long mem_regs;     // registers used for memory operations

unsigned char use_sib;      // sib occurency flag
unsigned char sib;          // sib value
unsigned char sib_mul;      // sib multipler
unsigned long sib_mul_reg;  // important (reg used for multiply)

unsigned long mem_imm;      // immediate for mem
unsigned long mem_imm_size; // size of immediate for mem
unsigned char mem_super_size; // important only if not zero

unsigned long src_regs;     // source regs
unsigned long dst_regs;     // destination regs

unsigned long i_src_regs;   // a view of src regs
unsigned long i_dst_regs;   // a view of dest regs

unsigned long flags;        // currently reserved

unsigned char spec_regs_on; // special regs flags marker
unsigned char spec_regs;    // special regs (DRx/CRX/etc.)

unsigned char spec_flag;    // call/jump flags
unsigned short selector;    // selector

unsigned char default_addr; // size of addr
unsigned char default_data; // size of data

unsigned long imm_data;     // immediate data
unsigned char imm_size;     // immediate size
unsigned char imm_signextend; // sign extension flag

unsigned long reserved;     // special super cases (tttn and others)
unsigned char reserved_size; // reserved

char instr_out[50];         // text instrunction interpretation
char instr_dump[24];        // text byte dump
char prefix_t[20];          // text for prefix

} _dis_data;


 

EXAMPLES: 1) Disassembling "add eax,edx" instruction:

Few members of _dis_data struct members (output):

len           = 02                     // instruction length
opcode        = 03                     // instruction opcode
modrm         = c2                     // modrm value
dst_regs      = 0000000f (EAX+)        // destination register
src_regs      = 00000f0f (EAX+EDX+)    // source registers
i_dst_regs    = 0000000f (EAX+)        // syntax view
i_src_regs    = 00000f00 (EDX+)        // syntax view

Last two members presented (i_dst_regs/i_src_regs) shows the view of the registers "directly" based on the instruction syntax.

 

2) Disassembling "push dword ptr [edx+ecx*8+10h]" instruction:

Few members of _dis_data struct members (output):

len          = 04                     // instruction length
opcode       = ff                     // instruction opcode
modrm        = 74                     // modrm value
dst_regs     = 00030000 (ESP+)        // used by instruction as dest
src_regs     = 00030ff0 (ECX+EDX+ESP) // used by instruction as src
i_dst_regs   = 00000000 ()            // blank
i_src_regs   = 00000000 ()            // blank
mem_act      = 00 (SOURCE)            // mem request as source
mem_regs     = 00000ff0 (ECX+EDX+)    // regs used for mem operation
mem_imm      = 0010                   // here it is 10h
mem_imm_size = 01                     // size of mem imm operand
use_sib      = 01                     // we use sib here (1=true)
sib          = ca                     // value of sib byte
sib_mul      = 08                     // the multipler
sib_mul_reg  = 000000f0 (ECX+)        // reg which will be multipled

 

USAGE: All you need to do is to place following line in the header of your proggie:

#include "disit/disasm.h"

and then play with _disasm function like:

_dis_data dis_datex;
_disasm((unsigned char*)(memory), &dis_datex);

 

 www.piotrbania.com
2005 / 2006 - All rights reserved ®
Copyrights © - Piotr Bania