主要思路就是Get opcode然后识别转换称ASM代码
我这里有一个SOURCEFORGE上的源代码
/*
*
* File Name:
*
* disasm.h
*
* Summary:
*
* This file was created to be included within a 'disassembler' project for PE
* image files running on x86 and x86-compatible processors.
*
*
*
* Copyright (C) 2004, Isaac Sigasa [isigasa@ananzi.co.za]
* All Rights Reserved
*
*
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* - Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED.
* IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*
*/
#ifndef DISASM_H
#define DISASM_H
#include <stdio.h>
#define N NULL
typedef struct _InstructionTemplate
{
char *strOpcode;
char *strOperandsDescr;
}InstructionTemplate, *PInstructionTemplate;
typedef union _RawOpcode
{
unsigned char cByteRawOpcode;
unsigned char ca2ByteRawOpcode[2];
}RawOpcode;
typedef union _RawDisplacement
{
unsigned char cByteRawDisplacement;
unsigned char ca2ByteRawDisplacement[2];
unsigned char ca4ByteRawDisplacement[4];
}RawDisplacement;
typedef union _RawImmediate
{
unsigned char cByteRawImmediate;
unsigned char ca2ByteRawImmediate[2];
unsigned char ca4ByteRawImmediate[4];
}RawImmediate;
typedef struct _IA32RawInstruction
{
unsigned char caRawPrefixes[4];
RawOpcode URawOpcode;
unsigned char ModRM;
unsigned char SIB;
RawDisplacement URawDisplacement;
RawImmediate URawImmediate;
}IA32RawInstruction;
typedef struct _IA32InstructionHelper
{
unsigned char cbRawPrefixes;
unsigned char cbRawOpcode;
unsigned char boolModRMExists;
unsigned char boolSIBExists;
unsigned char cbRawDisplacement;
unsigned char cbRawImmediate;
}IA32InstructionHelper;
typedef struct _IA32InstructionDescription
{
char strPrefix[64];
char strOpcode[64];
char strOperandA[64];
char strOperandB[64];
char strOperandC[64];
}IA32InstructionDescription;
typedef struct _IA32InstructionDecode
{
IA32RawInstruction SIA32RawInstruction;
IA32InstructionHelper SIA32InstructionHelper;
IA32InstructionDescription SIA32InstructionDescription;
}IA32InstructionDecode;
typedef enum tgDefaultOperationSizeAttrib{OpSize16 = 16, OpSize32 = 32}DefaultOperationSizeAttrib;
void Disassemble(const char*pLoadAddress,DefaultOperationSizeAttrib DSize,unsigned char *pStart, unsigned char *pEnd);
int FetchInstructionFrom1ByteOpcodeTable(const unsigned char *pStart,IA32InstructionDecode *pIA32Decode);
int FetchInstructionFrom2ByteOpcodeTable(const unsigned char *pStart,IA32InstructionDecode *pIA32Decode);
int FetchInstructionFromOpcodeExtensionsTable(unsigned const char ucEntry,const unsigned char* pStart,InstructionTemplate OpcodeExtensions[0x10][0x8][0x3],IA32InstructionDecode *pIA32Decode);
int FetchOpcode(const char * pLoadAddress, const unsigned char* pStart, IA32InstructionDecode *pIA32Decode, DefaultOperationSizeAttrib DSize);
unsigned int GetOperandTypeSize(const char *strType);
void GetMemoryOperandSizeStr(const char*strOpType, char *strOut,DefaultOperationSizeAttrib DSize, IA32InstructionDecode *pIA32Decode);
int DecodeGPRegisterRM(const unsigned int size, const unsigned char ModRM, char* strout);
int GetOutputBuffer(int iOpIndex, char** strOutput,IA32InstructionDecode *pIA32Decode);
int IsExplicitRegisterOperand(const char *strTest);
char strlastchr(const char* str);
#define ARRAYSIZE(p) (sizeof(p)/sizeof(*p))
#endif
