ulong Disasm(uchar *cmd,ulong cmdsize,ulong ip,uchar *dec,t_disasm *da,int mode,t_reg *reg,t_predict *predict);
Probably the most important and one of the most complex OllyDbg functions. Given 80x86 command in binary form, Disasm() decodes it to the text, creates dump and comments, extracts operands and calculates their values. For some frequently used commands it's even able to predict their results.
If mode is 0 (basic information and length of the command), a call to Disasm() takes 0.2 .. 0.3 microseconds on a 3-GHz Athlon. If you request mnemonics, dump and comments, it may take more than 1 microsecond to produce results.
Parameters:
cmd
(In) Pointer to the binary code of the 80x86 command, cmdsize bytes long
cmdsize
(In) Size of the data pointed to by cmd, bytes. Length of valid 80x86 command is limited to MAXCMDSIZE bytes, therefore if you need to disassemble single command, it's always safe to read MAXCMDSIZE bytes. (In fact, maximal command length is 15 bytes and MAXCMDSIZE is defined as 16. But Disasm() can also decode data recognized by the Analyser, and maximal portion of data is 16 bytes)
ip
(In) Address of the command. necessary to decode destinations of relative jumps and calls.
dec
(In) Pointer to decoding information produced by the Analyser, or NULL if decoding is missing or unavailable. If present, decoding data must start at ip and its length must be at least cmdsize bytes.
da
(In/out) Pointer to the structure of type t_disasm
that receives results of the disassembly. Whether this structure should
be pre-initialized and which members will be filled depends on the mode
mode
(In) Disassembling mode, a combination of zero or more of the bit flags listed below. Italic names in parentheses specify members of t_disasm that will be filled if flag is set:
DA_TEXT - decode command to text and comment it (result, comment, op->text)
DA_HILITE - (only in the combination with DA_TEXT) - use syntax highlighting. In this case first three members of da (hilitereg, hiregindex, hiliteindex) must be initialized. See t_disasm for details (mask, maskvalid)
DA_OPCOMM - comment operands (op->comment, improves comment)
DA_DUMP - create hexadecimal dump (dump)
DA_MEMORY - allows Disasm() to read memory of the debugged process and use label names
DA_NOSTACKP - hide "Stack" in comments
DA_NOPSEUDO - don't decode pseudooperands (like implicit ESP in PUSH EAX)
DA_SHOWARG - use prediction data if address is ESP- or EBP-based
DA_STEPINTO - enter CALL when predicting registers
Some flags are not intended for use by plugins:
DA_NOIMPORT - when reading memory, don't rely on the value of imports
DA_RTLOGMEM - use contents of memory saved by the run trace
DA_FORHELP - decode operands for command help
reg
DA_TEXT - decode command to text and comment it (result, comment, op->text)
DA_HILITE - (only in the combination with DA_TEXT) - use syntax highlighting. In this case first three members of da (hilitereg, hiregindex, hiliteindex) must be initialized. See t_disasm for details (mask, maskvalid)
DA_OPCOMM - comment operands (op->comment, improves comment)
DA_DUMP - create hexadecimal dump (dump)
DA_MEMORY - allows Disasm() to read memory of the debugged process and use label names
DA_NOSTACKP - hide "Stack" in comments
DA_NOPSEUDO - don't decode pseudooperands (like implicit ESP in PUSH EAX)
DA_SHOWARG - use prediction data if address is ESP- or EBP-based
DA_STEPINTO - enter CALL when predicting registers
Some flags are not intended for use by plugins:
DA_NOIMPORT - when reading memory, don't rely on the value of imports
DA_RTLOGMEM - use contents of memory saved by the run trace
DA_FORHELP - decode operands for command help
(in) Pointer to the structure of type t_reg
describing contents of registers before the command was executed, or
NULL if registers are unavailable or not necessary. Registers are
necessary to calculate the values of the operands, like in EAX or
[ESI*4+EDX+4]
predict
(in,out) Pointer to the structure of type t_predict or NULL. If predict is supplied, Diasm()
will attempt to calculate the contents of registers, stack and
accessed memory after execution of the command. For example, simple
case: predict->rstate[REG_EAX]=PST_VALID,
predict->rconst[REG_EAX]=4 and command is ADD EAX,EAX. Disasm() will change predict->rconst[REG_EAX] to 8. If command is not supported by prediction, Disasm()
will invalidate registers and memory locations modified by the command.
Prediction is not intended for use in plugins, use this feature at your
own risk
Return values:
If
command is fully recognized, returns length of the binary command in
bytes. If command is longer than cmdsize bytes, returns cmdsize. If
command is not recognized, returns 1 (indicating that at least 1 byte
must be skipped). In the case of invalid parameters, like cmd==NULL or cmdlen<=0, returns 0.
Example:
ulong Disassemble(ulong addr,ulong threadid,wchar_t *command,wchar_t *comment) {
ulong length,&declength;
uchar cmd[MAXCMDSIZE],*decode;
t_disasm da;
t_reg *reg;
length=Readmemory(cmd,addr,MAXCMDSIZE,MM_SILENT|MM_PARTIAL);
if (length==0) return 0;
decode=Finddecode(addr,&declength);
if (decode!=NULL && declength<length)
decode=NULL;
reg=Threadregisters(threadid);
length=Disasm(cmd,length,addr,decode,&da,DA_TEXT|DA_OPCOMM|DA_MEMORY,reg,NULL);
if (length==0) return 0;
StrcopyW(command,TEXTLEN,da.result);
StrcopyW(comment,TEXTLEN,da.comment);
return length;
}
ulong length,&declength;
uchar cmd[MAXCMDSIZE],*decode;
t_disasm da;
t_reg *reg;
length=Readmemory(cmd,addr,MAXCMDSIZE,MM_SILENT|MM_PARTIAL);
if (length==0) return 0;
decode=Finddecode(addr,&declength);
if (decode!=NULL && declength<length)
decode=NULL;
reg=Threadregisters(threadid);
length=Disasm(cmd,length,addr,decode,&da,DA_TEXT|DA_OPCOMM|DA_MEMORY,reg,NULL);
if (length==0) return 0;
StrcopyW(command,TEXTLEN,da.result);
StrcopyW(comment,TEXTLEN,da.comment);
return length;
}
See also:
Analysis, t_disasm, t_predict, t_reg, Assemble(), Assembleallforms(), Cmdinfo(), Disassembleback(), Disassembleforward(), Ndisasm()