sharpdisasm's People

Contributors: fonger, justinstenning, ste-art, tgiphil

sharpdisasm's Issues

Wrong disasm

x64 Input:
eb 02 90 90 eb 02 90 90 48 89 5c 24 08

Output:
0000000000000000 eb 02 jmp 0x4
0000000000000002 90 nop
0000000000000003 90 nop
0000000000000004 eb 02 jmp 0x8
0000000000000006 90 nop
0000000000000007 90 nop
0000000000000008 48 89 5c 24 08 mov [rsp+0x8], rbx

IDA output:
.text:000000018044F6FC ; =============== S U B R O U T I N E =====
.text:000000018044F6FC
.text:000000018044F6FC
.text:000000018044F6FC public MSO_5997
.text:000000018044F6FC MSO_5997 proc near ; CODE XREF: MSO_5252+D1↑p
.text:000000018044F6FC ; sub_18044F5BC+CE↑p ...
.text:000000018044F6FC jmp short loc_18044F700
.text:000000018044F6FC ; ---------------------------------------------------------------------------
.text:000000018044F6FE align 20h
.text:000000018044F700
.text:000000018044F700 loc_18044F700: ; CODE XREF: MSO_5997↑j
.text:000000018044F700 jmp short sub_18044F704
.text:000000018044F700 MSO_5997 endp
.text:000000018044F700
.text:000000018044F700 ; ---------------------------------------------------------------------------
.text:000000018044F702 align 4
.text:000000018044F704
.text:000000018044F704 ; =============== S U B R O U T I N E ======
.text:000000018044F704
.text:000000018044F704
.text:000000018044F704 sub_18044F704 proc near ; CODE XREF: MSO_5997:loc_18044F700↑j
.text:000000018044F704 ; DATA XREF: .pdata:00000001815CC594↓o
.text:000000018044F704
.text:000000018044F704 arg_0 = qword ptr 8
.text:000000018044F704
.text:000000018044F704 mov [rsp+arg_0], rbx

missing null terminator in ud_asmprintf()

https://github.com/spazzarama/SharpDisasm/blob/ee3af3d8aaec755208aa6782aa0eae51fd90165b/SharpDisasm/Udis86/syn.cs

Line 130:

Array.Copy(str, 0, u.asm_buf, u.asm_buf_fill, Math.Min(str.Length, avail));

Should be:

var copied = Math.Min(str.Length, avail);
Array.Copy(str, 0, u.asm_buf, u.asm_buf_fill, copied);
u.asm_buf[u.asm_buf_fill + copied] = '\0';

With the null terminator added correctly, then you don't need this bandaid:

https://github.com/spazzarama/SharpDisasm/blob/ee3af3d8aaec755208aa6782aa0eae51fd90165b/SharpDisasm/Udis86/udis86.cs

Line 103:
for (var i = 0; i < u.asm_buf.Length; i++)
u.asm_buf[i] = '\0';

Can now correctly match the original as:

u.asm_buf[0] = '\0';
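To see why the terminator matters, here is an added Python model of the asm_buf append (not code from SharpDisasm or from the issue): the buffer is a fixed-size bytearray read C-style up to the first NUL, the way ud_insn_asm() reads it, and the `terminate` flag switches between the reported behaviour and the fix. The names Ud, asmprintf and two_instructions are the model's own, and the 64-byte buffer size is an assumption.

```python
ASM_BUF_SIZE = 64  # assumed size; only the relative behaviour matters here


class Ud:
    """Just the two fields of udis86's ud struct that the asm buffer uses."""

    def __init__(self):
        self.asm_buf = bytearray(ASM_BUF_SIZE)
        self.asm_buf_fill = 0

    def reset(self):
        """Per-instruction reset as in the C original: only asm_buf[0] = '\\0'."""
        self.asm_buf_fill = 0
        self.asm_buf[0] = 0

    def insn_asm(self):
        """Read the text C-style, i.e. everything up to the first NUL."""
        end = self.asm_buf.find(b"\0")
        return bytes(self.asm_buf[:end if end >= 0 else None]).decode()


def asmprintf(u, text, terminate):
    """Append `text` to u.asm_buf the way the C# port's ud_asmprintf() does.

    terminate=False reproduces the reported bug (the copy writes no NUL);
    terminate=True is the fix, written at the copied length so a truncated
    string can never index past the end of the buffer.
    """
    avail = len(u.asm_buf) - u.asm_buf_fill - 1   # keep one byte for the NUL
    n = min(len(text), avail)
    u.asm_buf[u.asm_buf_fill:u.asm_buf_fill + n] = text.encode()[:n]
    if terminate:
        u.asm_buf[u.asm_buf_fill + n] = 0          # fill + n <= len - 1
    u.asm_buf_fill += n


def two_instructions(terminate):
    """Format a long instruction, reset, then a short one in the same buffer."""
    u = Ud()
    asmprintf(u, "mov [rsp+0x8], rbx", terminate)
    first = u.insn_asm()
    u.reset()
    asmprintf(u, "nop", terminate)
    return first, u.insn_asm()   # without the NUL the old tail leaks through


if __name__ == "__main__":
    print(two_instructions(terminate=False))
    print(two_instructions(terminate=True))
```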

Use exceptions instead of Debug.Assert

I am disassembling, inside a try/catch, bytes that may or may not be valid opcodes (just the whole memory of a program).

For example I am hitting a debug assert at Udis86/Decode.cs line 429.

Debug.Assert(u.error == 0, "invalid operand size");

Currently I am working around it using
http://stackoverflow.com/questions/2854024/how-to-prevent-debug-assert-to-show-a-modal-dialog, but I think it would be better to have a better failure mode when invalid operations are encountered.

Previous instruction / Backward disassemble

It would be useful to retrieve the previous instruction from a given byte array. Example:

00CD038E - 8B 45 08              - mov eax,[ebp+08]
00CD0391 - 56                    - push esi
00CD0392 - 8B 48 3C              - mov ecx,[eax+3C]
00CD0395 - 03 C8                 - add ecx,eax
00CD0397 - 0FB7 41 14            - movzx eax,word ptr [ecx+14] <-- Assume this is our current location. Not important for the disassembler, but needed to understand the following

Call:
PreviousInstruction(new byte[] {0x56, 0x8B, 0x48, 0x3C, 0x03, 0xC8}...)
PreviousInstruction(new byte[] {0x8B, 0x48, 0x3C, 0x03, 0xC8}...)
PreviousInstruction(new byte[] {0x48, 0x3C, 0x03, 0xC8}...)
PreviousInstruction(new byte[] {0x3C, 0x03, 0xC8}...)

The return value should in ALL cases be:
00CD0395 - 03 C8                 - add ecx,eax

Forward disassembly always starts with the first byte in the array, but when disassembling backwards the instruction lengths are unknown, so a forward disassembly of shifted bytes leads to wrong results. That means that with shifted bytes the last instruction can come out different. This is why backward disassembly is required.
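One way to implement the requested PreviousInstruction, as an added Python example rather than SharpDisasm code: decode forward from every candidate start offset and keep the first stream whose instruction boundaries land exactly on the end of the buffer. The decoder (decode_one, _take and previous_instruction are the example's own names) is a toy that only knows the six opcodes in the listing above, where a real implementation would use the udis86 tables, and because this is a heuristic, a window that aligns from more than one start can still be ambiguous.

```python
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def _take(code, i, n):
    """Return code[i:i+n], raising IndexError if the instruction would overrun."""
    if i + n > len(code):
        raise IndexError("instruction runs past the end of the buffer")
    return code[i:i + n]

def decode_one(code, i):
    """Decode the 32-bit instruction at code[i]; return (text, length)."""
    op = code[i]
    if op == 0x56:
        return "push esi", 1
    if op == 0x48:                                   # plain dec in 32-bit mode
        return "dec eax", 1
    if op == 0x3C:
        return f"cmp al,{_take(code, i + 1, 1)[0]:02X}", 2
    if op == 0xC8:                                   # enter imm16, imm8
        imm16 = int.from_bytes(_take(code, i + 1, 2), "little")
        return f"enter {imm16:04X},{_take(code, i + 3, 1)[0]:02X}", 4
    if op in (0x8B, 0x03):                           # mov / add r32, r/m32
        modrm = _take(code, i + 1, 1)[0]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        mnem = "mov" if op == 0x8B else "add"
        if mod == 3:
            return f"{mnem} {REG32[reg]},{REG32[rm]}", 2
        if mod == 1 and rm != 4:                     # [reg+disp8], no SIB
            disp8 = _take(code, i + 2, 1)[0]
            return f"{mnem} {REG32[reg]},[{REG32[rm]}+{disp8:02X}]", 3
    raise ValueError(f"byte {op:02X} at offset {i} is outside this toy decoder")

def previous_instruction(code):
    """Return the text of the instruction that ends exactly at the end of `code`.

    Lengths are only known once an instruction has been decoded forward, so we
    decode forward from every candidate start and keep only streams whose
    boundaries land on the buffer end; x86 usually re-synchronises within a
    few bytes, so the earliest aligned start is taken as the plausible stream.
    """
    for start in range(len(code)):
        i, last = start, None
        try:
            while i < len(code):
                last, n = decode_one(code, i)
                i += n
        except (IndexError, ValueError):
            continue                                 # misaligned start, try the next
        return last
    raise ValueError("no instruction stream ends on the buffer boundary")
```

Decoding forward from the first byte of {48 3C 03 C8} reads dec eax, cmp al,03 and then runs out of bytes inside an enter, which is exactly the wrong-result case the issue describes; the aligned start at offset 2 gives add ecx,eax.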
