////////////////////////////////////////////////////////////////////////////////
// //
// OllyDbg Disassembling Engine v2.01 //
// //
// Copyright (c) 2007-2013 Oleh Yuschuk, ollydbg@t-online.de //
// //
// This code is part of the OllyDbg Disassembler v2.01 //
// //
// Disassembling engine is free software; you can redistribute it and/or //
// modify it under the terms of the GNU General Public License as published //
// by the Free Software Foundation; either version 3 of the License, or (at //
// your option) any later version. //
// //
// This code is distributed in the hope that it will be useful, but WITHOUT //
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or //
// FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for //
// more details. //
// //
// You should have received a copy of the GNU General Public License along //
// with this program. If not, see <http://www.gnu.org/licenses/>. //
// //
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
// //
// This is a fast disassembler that can be used to determine the length of //
// the binary 80x86 32-bit command and its attributes, to convert it to the //
// human-readable text form, highlight its operands, and create hexadecimal //
// dump of the binary command. //
// //
// It is a stripped down version of the disassembler used by OllyDbg 2.01. //
// It can't analyse and comment the contents of the operands, or predict the //
// results of the command execution. Analysis-dependent features are not //
// included, too. Most other features are kept. //
// //
// Disassembler supports integer, FPU, MMX, 3DNow, SSE1-SSE4.1 and AVX //
// instructions. 64-bit mode, AVX2, FMA and XOP are not (yet) supported. //
// //
// This code can be compiled either in ASCII or UNICODE mode. It is reentrant //
// (thread-safe, feature not available in the original OllyDbg code). //
// //
// Typical operation speed on 3-GHz Phenom II in MASM mode is: //
// //
// Command length and info: 130 ns/command (7,700,000 commands/s) //
// Disassembly: 290 ns/command (3,400,000 commands/s) //
// Disassembly, dump, highlighting: 350 ns/command (2,800,000 commands/s) //
// //
////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
////////////// PREFERRED SETTINGS AND FIXES FOR BORLAND COMPILERS //////////////
#ifdef __BORLANDC__
#pragma option -a1 // Byte alignment
#pragma option -w-pin // Disable "partially bracketed" warning
// Redefinition of MAKELONG removes nasty warning under Borland Builder 4.0:
// boolean OR in one row with arithmetical shift.
#undef MAKELONG
#define MAKELONG(lo,hi) ((LONG)(((WORD)(lo))|(((DWORD)((WORD)(hi)))<<16)))
#endif
#define MAKEWP(lo,hi) ((WPARAM)MAKELONG(lo,hi))
#define MAKELP(lo,hi) ((LPARAM)MAKELONG(lo,hi))
#define LOINT(l) ((signed short)((WORD)(l)))
#define HIINT(l) ((signed short)(((DWORD)(l)>>16) & 0xFFFF))
#ifndef FIELD_OFFSET
#define FIELD_OFFSET(type,field) ((long)&(((type *)0)->field))
#endif
////////////////////////////////////////////////////////////////////////////////
#define TEXTLEN 256 // Max length of text string
#define SHORTNAME 32 // Max length of short or module name
#ifdef UNICODE
#define tchar wchar_t // Or replace it with TCHAR
#define T(x) L##x
#define tstrlen wcslen
#define tstrcpy wcscpy
#define tstrcmp wcscmp
#define tstrlwr _wcslwr
#define tsprintf swprintf
#define ttolower towlower
#else
#define tchar char
#define T(x) x
#define tstrlen strlen
#define tstrcpy strcpy
#define tstrcmp strcmp
#define tstrlwr strlwr
#define tsprintf sprintf
#define ttolower tolower
#endif
#define NOPERAND 4 // Maximal allowed number of operands
#define NREG 8 // Number of registers (of any type)
#define NSEG 6 // Number of valid segment registers
#define MAXCMDSIZE 16 // Maximal length of valid 80x86 command
#define NEGLIMIT (-16384) // Limit to decode offsets as negative
#define DECLIMIT 16384 // Limit to decode constants as decimal
typedef unsigned char uchar; // Unsigned character (byte)
typedef unsigned short ushort; // Unsigned short
typedef unsigned int uint; // Unsigned integer
typedef unsigned long ulong; // Unsigned long
// CMDMASK can be used to balance between the necessary memory size and the
// disassembly time.
#define CMDMASK 0x3FFF // Search mask for Disassembler, 2**n-1
#define NCHAIN 44300 // Max allowed number of chain links
// Registers.
#define REG_UNDEF (-1) // Codes of general purpose registers
#define REG_EAX 0
#define REG_ECX 1
#define REG_EDX 2
#define REG_EBX 3
#define REG_ESP 4
#define REG_EBP 5
#define REG_ESI 6
#define REG_EDI 7
#define REG_AL 0 // Symbolic indices of 8-bit registers
#define REG_CL 1
#define REG_DL 2
#define REG_BL 3
#define REG_AH 4
#define REG_CH 5
#define REG_DH 6
#define REG_BH 7
#define SEG_UNDEF (-1) // Codes of segment/selector registers
#define SEG_ES 0
#define SEG_CS 1
#define SEG_SS 2
#define SEG_DS 3
#define SEG_FS 4
#define SEG_GS 5
// Command highlighting.
#define DRAW_PLAIN '.' //0x0000000C // Plain commands
#define DRAW_JUMP '>' //0x0000000D // Unconditional jump commands
#define DRAW_CJMP '?' //0x0000000E // Conditional jump commands
#define DRAW_PUSHPOP '=' //0x0000000F // PUSH/POP commands
#define DRAW_CALL '@' //0x00000010 // CALL commands
#define DRAW_RET '<' //0x00000011 // RET commands
#define DRAW_FPU '1' //0x00000012 // FPU, MMX, 3DNow! and SSE commands
#define DRAW_SUSPECT '!' //0x00000013 // Bad, system and privileged commands
// Operand highlighting.
#define DRAW_IREG 'R' //0x00000018 // General purpose registers
#define DRAW_FREG 'F' //0x00000019 // FPU, MMX and SSE registers
#define DRAW_SYSREG 'S' //0x0000001A // Segment and system registers
#define DRAW_STKMEM 'K' //0x0000001B // Memory accessed over ESP or EBP
#define DRAW_MEM 'M' //0x0000001C // Any other memory
#define DRAW_CONST 'C' //0x0000001E // Constant
#define D_NONE 0x00000000 // No special features
// General type of command, only one is allowed.
#define D_CMDTYPE 0x0000001F // Mask to extract type of command
#define D_CMD 0x00000000 // Ordinary (none of listed below)
#define D_MOV 0x00000001 // Move to or from integer register
#define D_MOVC 0x00000002 // Conditional move to integer register
#define D_SETC 0x00000003 // Conditional set integer register
#define D_TEST 0x00000004 // Used to test data (CMP, TEST, AND...)
#define D_STRING 0x00000005 // String command with REPxxx prefix
#define D_JMP 0x00000006 // Unconditional near jump
#define D_JMPFAR 0x00000007 // Unconditional far jump
#define D_JMC 0x00000008 // Conditional jump on flags
#define D_JMCX 0x00000009 // Conditional jump on (E)CX (and flags)
#define D_PUSH 0x0000000A // PUSH exactly 1 (d)word of data
#define D_POP 0x0000000B // POP exactly 1 (d)word of data
#define D_CALL 0x0000000C // Plain near call
#define D_CALLFAR 0x0000000D // Far call
#define D_INT 0x0000000E // Interrupt
#define D_RET 0x0000000F // Plain near return from call
#define D_RETFAR 0x00000010 // Far return or IRET
#define D_FPU 0x00000011 // FPU command
#define D_MMX 0x00000012 // MMX instruction, incl. SSE extensions
#define D_3DNOW 0x00000013 // 3DNow! instruction
#define D_SSE 0x00000014 // SSE instruction
#define D_IO 0x00000015 // Accesses I/O ports
#define D_SYS 0x00000016 // Legal but useful in system code only
#define D_PRIVILEGED 0x00000017 // Privileged (non-Ring3) command
#define D_AVX 0x00000018 // AVX instruction
#define D_XOP 0x00000019 // AMD instruction with XOP prefix
#define D_DATA 0x0000001C // Data recognized by Analyser
#define D_PSEUDO 0x0000001D // Pseudocommand, for search models only
#define D_PREFIX 0x0000001E // Standalone prefix
#define D_BAD 0x0000001F // Bad or unrecognized command
// Additional parts of the command.
#define D_SIZE01 0x00000020 // Bit 0x01 in last cmd is data size
#define D_POSTBYTE 0x00000040 // Command continues in postbyte
// For string commands, either long or short form can be selected.
#define D_LONGFORM 0x00000080 // Long form of string command
// Decoding of some commands depends on data or address size.
#define D_SIZEMASK 0x00000F00 // Mask for data/address size dependence
#define D_DATA16 0x00000100 // Requires 16-bit data size
#define D_DATA32 0x00000200 // Requires 32-bit data size
#define D_ADDR16 0x00000400 // Requires 16-bit address size
#define D_ADDR32 0x00000800 // Requires 32-bit address size
// Prefixes that command may, must or must not possess.
#define D_MUSTMASK 0x0000F000 // Mask for fixed set of prefixes
#define D_NOMUST 0x00000000 // No obligatory prefixes (default)
#define D_MUST66 0x00001000 // (SSE,AVX) Requires 66, no F2 or F3
#define D_MUSTF2 0x00002000 // (SSE,AVX) Requires F2, no 66 or F3
#define D_MUSTF3 0x00003000 // (SSE,AVX) Requires F3, no 66 or F2
#define D_MUSTNONE 0x00004000 // (MMX,SSE,AVX) Requires no 66, F2, F3
#define D_NEEDF2 0x00005000 // (SSE,AVX) Requires F2, no F3
#define D_NEEDF3 0x00006000 // (SSE,AVX) Requires F3, no F2
#define D_NOREP 0x00007000 // Must not include F2 or F3
#define D_MUSTREP 0x00008000 // Must include F3 (REP)
#define D_MUSTREPE 0x00009000 // Must include F3 (REPE)
#define D_MUSTREPNE 0x0000A000 // Must include F2 (REPNE)
#define D_LOCKABLE 0x00010000 // Allows for F0 (LOCK, memory only)
#define D_BHINT 0x00020000 // Allows for branch hints (2E, 3E)
// Decoding of some commands with ModRM-SIB depends whether register or memory.
#define D_MEMORY 0x00040000 // Mod field must indicate memory
#define D_REGISTER 0x00080000 // Mod field must indicate register
// Side effects caused by command.
#define D_FLAGMASK 0x00700000 // Mask to extract modified flags
#define D_NOFLAGS 0x00000000 // Flags S,Z,P,O,C remain unchanged
#define D_ALLFLAGS 0x00100000 // Modifies flags S,Z,P,O,C
#define D_FLAGZ 0x00200000 // Modifies flag Z only
#define D_FLAGC 0x00300000 // Modifies flag C only
#define D_FLAGSCO 0x00400000 // Modifies flag C and O only
#define D_FLAGD 0x00500000 // Modifies flag D only
#define D_FLAGSZPC 0x00600000 // Modifies flags Z, P and C only (FPU)
#define D_NOCFLAG 0x00700000 // S,Z,P,O modified, C unaffected
#define D_FPUMASK 0x01800000 // Mask for effects on FPU stack
#define D_FPUSAME 0x00000000 // Doesn't rotate FPU stack (default)
#define D_FPUPOP 0x00800000 // Pops FPU stack
#define D_FPUPOP2 0x01000000 // Pops FPU stack twice
#define D_FPUPUSH 0x01800000 // Pushes FPU stack
#define D_CHGESP 0x02000000 // Command indirectly modifies ESP
// Command features.
#define D_HLADIR 0x04000000 // Nonstandard order of operands in HLA
#define D_WILDCARD 0x08000000 // Mnemonics contains W/D wildcard ('*')
#define D_COND 0x10000000 // Conditional (action depends on flags)
#define D_USESCARRY 0x20000000 // Uses Carry flag
#define D_USEMASK 0xC0000000 // Mask to detect unusual commands
#define D_RARE 0x40000000 // Rare or obsolete in Win32 apps
#define D_SUSPICIOUS 0x80000000 // Suspicious command
#define D_UNDOC 0xC0000000 // Undocumented command
// Extension of D_xxx.
#define DX_ZEROMASK 0x00000003 // How to decode FLAGS.Z flag
#define DX_JE 0x00000001 // JE, JNE instead of JZ, JNZ
#define DX_JZ 0x00000002 // JZ, JNZ instead of JE, JNE
#define DX_CARRYMASK 0x0000000C // How to decode FLAGS.C flag
#define DX_JB 0x00000004 // JAE, JB instead of JC, JNC
#define DX_JC 0x00000008 // JC, JNC instead of JAE, JB
#define DX_RETN 0x00000010 // The mnemonics is RETN
#define DX_VEX 0x00000100 // Requires VEX prefix
#define DX_VLMASK 0x00000600 // Mask to extract VEX operand length
#define DX_LSHORT 0x00000000 // 128-bit only
#define DX_LBOTH 0x00000200 // Both 128- and 256-bit versions
#define DX_LLONG 0x00000400 // 256-bit only
#define DX_IGNOREL 0x00000600 // Ignore VEX.L
#define DX_NOVREG 0x00000800 // VEX.vvvv must be set to all 1's
#define DX_VWMASK 0x00003000 // Mask to extract VEX.W
#define DX_W0 0x00001000 // VEX.W must be 0
#define DX_W1 0x00002000 // VEX.W must be 1
#define DX_LEADMASK 0x00070000 // Mask to extract leading opcode bytes
#define DX_LEAD0F 0x00000000 // Implied 0F leading byte (default)
#define DX_LEAD38 0x00010000 // Implied 0F 38 leading opcode bytes
#define DX_LEAD3A 0x00020000 // Implied 0F 3A leading opcode bytes
#define DX_WONKYTRAP 0x00800000 // Don't single-step this command
#define DX_TYPEMASK 0xFF000000 // Precised command type mask
#define DX_ADD 0x01000000 // The command is integer ADD
#define DX_SUB 0x02000000 // The command is integer SUB
#define DX_LEA 0x03000000 // The command is LEA
#define DX_NOP 0x04000000 // The command is NOP
//#define DX_LVEX (DX_VEX|DX_LBOTH)
//#define DX_GVEX (DX_VEX|DX_LLONG)
// Type of operand, only one is allowed. Size of SSE operands is given for the
// case of 128-bit operations and usually doubles for 256-bit AVX commands. If
// B_NOVEXSIZE is set, memory may double but XMM registers are not promoted to
// YMM.
#define B_ARGMASK 0x000000FF // Mask to extract type of argument
#define B_NONE 0x00000000 // Operand absent
#define B_AL 0x00000001 // Register AL
#define B_AH 0x00000002 // Register AH
#define B_AX 0x00000003 // Register AX
#define B_CL 0x00000004 // Register CL
#define B_CX 0x00000005 // Register CX
#define B_DX 0x00000006 // Register DX
#define B_DXPORT 0x00000007 // Register DX as I/O port address
#define B_EAX 0x00000008 // Register EAX
#define B_EBX 0x00000009 // Register EBX
#define B_ECX 0x0000000A // Register ECX
#define B_EDX 0x0000000B // Register EDX
#define B_ACC 0x0000000C // Accumulator (AL/AX/EAX)
#define B_STRCNT 0x0000000D // Register CX or ECX as REPxx counter
#define B_DXEDX 0x0000000E // Register DX or EDX in DIV/MUL
#define B_BPEBP 0x0000000F // Register BP or EBP in ENTER/LEAVE
#define B_REG 0x00000010 // 8/16/32-bit register in Reg
#define B_REG16 0x00000011 // 16-bit register in Reg
#define B_REG32 0x00000012 // 32-bit register in Reg
#define B_REGCMD 0x00000013 // 16/32-bit register in last cmd byte
#define B_REGCMD8 0x00000014 // 8-bit register in last cmd byte
#define B_ANYREG 0x00000015 // Reg field is unused, any allowed
#define B_INT 0x00000016 // 8/16/32-bit register/memory in ModRM
#define B_INT8 0x00000017 // 8-bit register/memory in ModRM
#define B_INT16 0x00000018 // 16-bit register/memory in ModRM
#define B_INT32 0x00000019 // 32-bit register/memory in ModRM
#define B_INT1632 0x0000001A // 16/32-bit register/memory in ModRM
#define B_INT64 0x0000001B // 64-bit integer in ModRM, memory only
#define B_INT128 0x0000001C // 128-bit integer in ModRM, memory only
#define B_IMMINT 0x0000001D // 8/16/32-bit int at immediate addr
#define B_INTPAIR 0x0000001E // Two signed 16/32 in ModRM, memory only
#define B_SEGOFFS 0x0000001F // 16:16/16:32 absolute address in memory
#define B_STRDEST 0x00000020 // 8/16/32-bit string dest, [ES:(E)DI]
#define B_STRDEST8 0x00000021 // 8-bit string destination, [ES:(E)DI]
#define B_STRSRC 0x00000022 // 8/16/32-bit string source, [(E)SI]
#define B_STRSRC8 0x00000023 // 8-bit string source, [(E)SI]
#define B_XLATMEM 0x00000024 // 8-bit memory in XLAT, [(E)BX+AL]
#define B_EAXMEM 0x00000025 // Reference to memory addressed by [EAX]
#define B_LONGDATA 0x00000026 // Long data in ModRM, mem only
#define B_ANYMEM 0x00000027 // Reference to memory, data unimportant
#define B_STKTOP 0x00000028 // 16/32-bit int top of stack
#define B_STKTOPFAR 0x00000029 // Top of stack (16:16/16:32 far addr)
#define B_STKTOPEFL 0x0000002A // 16/32-bit flags on top of stack
#define B_STKTOPA 0x0000002B // 16/32-bit top of stack all registers
#define B_PUSH 0x0000002C // 16/32-bit int push to stack
#define B_PUSHRET 0x0000002D // 16/32-bit push of return address
#define B_PUSHRETF 0x0000002E // 16:16/16:32-bit push of far retaddr
#define B_PUSHA 0x0000002F // 16/32-bit push all registers
#define B_EBPMEM 0x00000030 // 16/32-bit int at [EBP]
#define B_SEG 0x00000031 // Segment register in Reg
#define B_SEGNOCS 0x00000032 // Segment register in Reg, but not CS
#define B_SEGCS 0x00000033 // Segment register CS
#define B_SEGDS 0x00000034 // Segment register DS
#define B_SEGES 0x00000035 // Segment register ES
#define B_SEGFS 0x00000036 // Segment register FS
#define B_SEGGS 0x00000037 // Segment register GS
#define B_SEGSS 0x00000038 // Segment register SS
#define B_ST 0x00000039 // 80-bit FPU register in last cmd byte
#define B_ST0 0x0000003A // 80-bit FPU register ST0
#define B_ST1 0x0000003B // 80-bit FPU register ST1
#define B_FLOAT32 0x0000003C // 32-bit float in ModRM, memory only
#define B_FLOAT64 0x0000003D // 64-bit float in ModRM, memory only
#define B_FLOAT80 0x0000003E // 80-bit float in ModRM, memory only
#define B_BCD 0x0000003F // 80-bit BCD in ModRM, memory only
#define B_MREG8x8 0x00000040 // MMX register as 8 8-bit integers
#define B_MMX8x8 0x00000041 // MMX reg/memory as 8 8-bit integers
#define B_MMX8x8DI 0x00000042 // MMX 8 8-bit integers at [DS:(E)DI]
#define B_MREG16x4 0x00000043 // MMX register as 4 16-bit integers
#define B_MMX16x4 0x00000044 // MMX reg/memory as 4 16-bit integers
#define B_MREG32x2 0x00000045 // MMX register as 2 32-bit integers
#define B_MMX32x2 0x00000046 // MMX reg/memory as 2 32-bit integers
#define B_MREG64 0x00000047 // MMX register as 1 64-bit integer
#define B_MMX64 0x00000048 // MMX reg/memory as 1 64-bit integer
#define B_3DREG 0x00000049 // 3DNow! register as 2 32-bit floats
#define B_3DNOW 0x0000004A // 3DNow! reg/memory as 2 32-bit floats
#define B_XMM0I32x4 0x0000004B // XMM0 as 4 32-bit integers
#define B_XMM0I64x2 0x0000004C // XMM0 as 2 64-bit integers
#define B_XMM0I8x16 0x0000004D // XMM0 as 16 8-bit integers
#define B_SREGF32x4 0x0000004E // SSE register as 4 32-bit floats
#define B_SREGF32L 0x0000004F // Low 32-bit float in SSE register
#define B_SREGF32x2L 0x00000050 // Low 2 32-bit floats in SSE register
#define B_SSEF32x4 0x00000051 // SSE reg/memory as 4 32-bit floats
#define B_SSEF32L 0x00000052 // Low 32-bit float in SSE reg/memory
#define B_SSEF32x2L 0x00000053 // Low 2 32-bit floats in SSE reg/memory
#define B_SREGF64x2 0x00000054 // SSE register as 2 64-bit floats
#define B_SREGF64L 0x00000055 // Low 64-bit float in SSE register
#define B_SSEF64x2 0x00000056 // SSE reg/memory as 2 64-bit floats
#define B_SSEF64L 0x00000057 // Low 64-bit float in SSE reg/memory
#define B_SREGI8x16 0x00000058 // SSE register as 16 8-bit sigints
#define B_SSEI8x16 0x00000059 // SSE reg/memory as 16 8-bit sigints
#define B_SSEI8x16DI 0x0000005A // SSE 16 8-bit sigints at [DS:(E)DI]
#define B_SSEI8x8L 0x0000005B // Low 8 8-bit ints in SSE reg/memory
#define B_SSEI8x4L 0x0000005C // Low 4 8-bit ints in SSE reg/memory
#define B_SSEI8x2L 0x0000005D // Low 2 8-bit ints in SSE reg/memory
#define B_SREGI16x8 0x0000005E // SSE register as 8 16-bit sigints
#define B_SSEI16x8 0x0000005F // SSE reg/memory as 8 16-bit sigints
#define B_SSEI16x4L 0x00000060 // Low 4 16-bit ints in SSE reg/memory
#define B_SSEI16x2L 0x00000061 // Low 2 16-bit ints in SSE reg/memory
#define B_SREGI32x4 0x00000062 // SSE register as 4 32-bit sigints
#define B_SREGI32L 0x00000063 // Low 32-bit sigint in SSE register
#define B_SREGI32x2L 0x00000064 // Low 2 32-bit sigints in SSE register
#define B_SSEI32x4 0x00000065 // SSE reg/memory as 4 32-bit sigints
#define B_SSEI32x2L 0x00000066 // Low 2 32-bit sigints in SSE reg/memory
#define B_SREGI64x2 0x00000067 // SSE register as 2 64-bit sigints
#define B_SSEI64x2 0x00000068 // SSE reg/memory as 2 64-bit sigints
#define B_SREGI64L 0x00000069 // Low 64-bit sigint in SSE register
#define B_EFL 0x0000006A // Flags register EFL
#define B_FLAGS8 0x0000006B // Flags (low byte)
#define B_OFFSET 0x0000006C // 16/32 const offset from next command
#define B_BYTEOFFS 0x0000006D // 8-bit sxt const offset from next cmd
#define B_FARCONST 0x0000006E // 16:16/16:32 absolute address constant
#define B_DESCR 0x0000006F // 16:32 descriptor in ModRM
#define B_1 0x00000070 // Immediate constant 1
#define B_CONST8 0x00000071 // Immediate 8-bit constant
#define B_CONST8_2 0x00000072 // Immediate 8-bit const, second in cmd
#define B_CONST16 0x00000073 // Immediate 16-bit constant
#define B_CONST 0x00000074 // Immediate 8/16/32-bit constant
#define B_CONSTL 0x00000075 // Immediate 16/32-bit constant
#define B_SXTCONST 0x00000076 // Immediate 8-bit sign-extended to size
#define B_CR 0x00000077 // Control register in Reg
#define B_CR0 0x00000078 // Control register CR0
#define B_DR 0x00000079 // Debug register in Reg
#define B_FST 0x0000007A // FPU status register
#define B_FCW 0x0000007B // FPU control register
#define B_MXCSR 0x0000007C // SSE media control and status register
#define B_SVEXF32x4 0x0000007D // SSE reg in VEX as 4 32-bit floats
#define B_SVEXF32L 0x0000007E // Low 32-bit float in SSE in VEX
#define B_SVEXF64x2 0x0000007F // SSE reg in VEX as 2 64-bit floats
#define B_SVEXF64L 0x00000080 // Low 64-bit float in SSE in VEX
#define B_SVEXI8x16 0x00000081 // SSE reg in VEX as 16 8-bit sigints
#define B_SVEXI16x8 0x00000082 // SSE reg in VEX as 8 16-bit sigints
#define B_SVEXI32x4 0x00000083 // SSE reg in VEX as 4 32-bit sigints
#define B_SVEXI64x2 0x00000084 // SSE reg in VEX as 2 64-bit sigints
#define B_SIMMI8x16 0x00000085 // SSE reg in immediate 8-bit constant
// Type modifiers, used for interpretation of contents, only one is allowed.
#define B_MODMASK 0x000F0000 // Mask to extract type modifier
#define B_NONSPEC 0x00000000 // Non-specific operand
#define B_UNSIGNED 0x00010000 // Decode as unsigned decimal
#define B_SIGNED 0x00020000 // Decode as signed decimal
#define B_BINARY 0x00030000 // Decode as binary (full hex) data
#define B_BITCNT 0x00040000 // Bit count
#define B_SHIFTCNT 0x00050000 // Shift count
#define B_COUNT 0x00060000 // General-purpose count
#define B_NOADDR 0x00070000 // Not an address
#define B_JMPCALL 0x00080000 // Near jump/call/return destination
#define B_JMPCALLFAR 0x00090000 // Far jump/call/return destination
#define B_STACKINC 0x000A0000 // Unsigned stack increment/decrement
#define B_PORT 0x000B0000 // I/O port
#define B_ADDR 0x000F0000 // Used internally
// Validity markers.
#define B_MEMORY 0x00100000 // Memory only, reg version different
#define B_REGISTER 0x00200000 // Register only, mem version different
#define B_MEMONLY 0x00400000 // Warn if operand in register
#define B_REGONLY 0x00800000 // Warn if operand in memory
#define B_32BITONLY 0x01000000 // Warn if 16-bit operand
#define B_NOESP 0x02000000 // ESP is not allowed
// Miscellaneous options.
#define B_NOVEXSIZE 0x04000000 // Always 128-bit SSE in 256-bit AVX
#define B_SHOWSIZE 0x08000000 // Always show argument size in disasm
#define B_CHG 0x10000000 // Changed, old contents is not used
#define B_UPD 0x20000000 // Modified using old contents
#define B_PSEUDO 0x40000000 // Pseoudooperand, not in assembler cmd
#define B_NOSEG 0x80000000 // Don't add offset of selector
// Location of operand, only one bit is allowed.
#define OP_SOMEREG 0x000000FF // Mask for any kind of register
#define OP_REGISTER 0x00000001 // Operand is a general-purpose register
#define OP_SEGREG 0x00000002 // Operand is a segment register
#define OP_FPUREG 0x00000004 // Operand is a FPU register
#define OP_MMXREG 0x00000008 // Operand is a MMX register
#define OP_3DNOWREG 0x00000010 // Operand is a 3DNow! register
#define OP_SSEREG 0x00000020 // Operand is a SSE register
#define OP_CREG 0x00000040 // Operand is a control register
#define OP_DREG 0x00000080 // Operand is a debug register
#define OP_MEMORY 0x00000100 // Operand is in memory
#define OP_CONST 0x00000200 // Operand is an immediate constant
// Additional operand properties.
#define OP_PORT 0x00000400 // Used to access I/O port
#define OP_OTHERREG 0x00000800 // Special register like EFL or MXCSR
#define OP_INVALID 0x00001000 // Invalid operand, like reg in mem-only
#define OP_PSEUDO 0x00002000 // Pseudooperand (not in mnenonics)
#define OP_MOD 0x00004000 // Command may change/update operand
#define OP_MODREG 0x00008000 // Memory, but modifies reg (POP,MOVSD)
#define OP_IMPORT 0x00020000 // Value imported from different module
#define OP_SELECTOR 0x00040000 // Includes immediate selector
// Additional properties of memory address.
#define OP_INDEXED 0x00080000 // Memory address contains registers
#define OP_OPCONST 0x00100000 // Memory address contains constant
#define OP_ADDR16 0x00200000 // 16-bit memory address
#define OP_ADDR32 0x00400000 // Explicit 32-bit memory address
#define DAMODE_MASM 0 // MASM assembling/disassembling style
#define DAMODE_IDEAL 1 // IDEAL assembling/disassembling style
#define DAMODE_HLA 2 // HLA assembling/disassembling style
#define DAMODE_ATT 3 // AT&T disassembling style
#define NUM_STYLE 0x0003 // Mask to extract hex style
#define NUM_STD 0x0000 // 123, 12345678h, 0ABCD1234h
#define NUM_X 0x0001 // 123, 0x12345678, 0xABCD1234
#define NUM_OLLY 0x0002 // 123., 12345678, 0ABCD1234
#define NUM_LONG 0x0010 // 00001234h instead of 1234h
#define NUM_DECIMAL 0x0020 // 123 instead of 7Bh if under DECLIMIT
// Disassembling options.
#define DA_TEXT 0x00000001 // Decode command to text and comment
#define DA_HILITE 0x00000002 // Use syntax highlighting
#define DA_JZ 0x00000004 // JZ, JNZ instead of JE, JNE
#define DA_JC 0x00000008 // JC, JNC instead of JAE, JB
#define DA_DUMP 0x00000020 // Dump command to hexadecimal text
#define DA_PSEUDO 0x00000400 // List pseudooperands
// Disassembling errors.
#define DAE_NOERR 0x00000000 // No errors
#define DAE_BADCMD 0x00000001 // Unrecognized command
#define DAE_CROSS 0x00000002 // Command crosses end of memory block
#define DAE_MEMORY 0x00000004 // Register where only memory allowed
#define DAE_REGISTER 0x00000008 // Memory where only register allowed
#define DAE_LOCK 0x00000010 // LOCK prefix is not allowed
#define DAE_BADSEG 0x00000020 // Invalid segment register
#define DAE_SAMEPREF 0x00000040 // Two prefixes from the same group
#define DAE_MANYPREF 0x00000080 // More than 4 prefixes
#define DAE_BADCR 0x00000100 // Invalid CR register
#define DAE_INTERN 0x00000200 // Internal error
// Disassembling warnings.
#define DAW_NOWARN 0x00000000 // No warnings
#define DAW_DATASIZE 0x00000001 // Superfluous data size prefix
#define DAW_ADDRSIZE 0x00000002 // Superfluous address size prefix
#define DAW_SEGPREFIX 0x00000004 // Superfluous segment override prefix
#define DAW_REPPREFIX 0x00000008 // Superfluous REPxx prefix
#define DAW_DEFSEG 0x00000010 // Segment prefix coincides with default
#define DAW_JMP16 0x00000020 // 16-bit jump, call or return
#define DAW_FARADDR 0x00000040 // Far jump or call
#define DAW_SEGMOD 0x00000080 // Modifies segment register
#define DAW_PRIV 0x00000100 // Privileged command
#define DAW_IO 0x00000200 // I/O command
#define DAW_SHIFT 0x00000400 // Shift out of range 1..31
#define DAW_LOCK 0x00000800 // Command with valid LOCK prefix
#define DAW_STACK 0x00001000 // Unaligned stack operation
#define DAW_NOESP 0x00002000 // Suspicious use of stack pointer
#define DAW_RARE 0x00004000 // Rare, seldom used command
#define DAW_NONCLASS 0x00008000 // Non-standard or non-documented code
#define DAW_INTERRUPT 0x00010000 // Interrupt command
// List of prefixes.
#define PF_SEGMASK 0x0000003F // Mask for segment override prefixes
#define PF_ES 0x00000001 // 0x26, ES segment override
#define PF_CS 0x00000002 // 0x2E, CS segment override
#define PF_SS 0x00000004 // 0x36, SS segment override
#define PF_DS 0x00000008 // 0x3E, DS segment override
#define PF_FS 0x00000010 // 0x64, FS segment override
#define PF_GS 0x00000020 // 0x65, GS segment override
#define PF_DSIZE 0x00000040 // 0x66, data size override
#define PF_ASIZE 0x00000080 // 0x67, address size override
#define PF_LOCK 0x00000100 // 0xF0, bus lock
#define PF_REPMASK 0x00000600 // Mask for repeat prefixes
#define PF_REPNE 0x00000200 // 0xF2, REPNE prefix
#define PF_REP 0x00000400 // 0xF3, REP/REPE prefix
#define PF_BYTE 0x00000800 // Size bit in command, used in cmdexec
#define PF_MUSTMASK D_MUSTMASK // Necessary prefixes, used in t_asmmod
#define PF_VEX2 0x00010000 // 2-byte VEX prefix
#define PF_VEX3 0x00020000 // 3-byte VEX prefix
// Useful shortcuts.
#define PF_66 PF_DSIZE // Alternative names for SSE prefixes
#define PF_F2 PF_REPNE
#define PF_F3 PF_REP
#define PF_HINT (PF_CS|PF_DS) // Alternative names for branch hints
#define PF_NOTTAKEN PF_CS
#define PF_TAKEN PF_DS
#define PF_VEX (PF_VEX2|PF_VEX3)
typedef struct t_modrm { // ModRM byte decoding
ulong size; // Total size with SIB and disp, bytes
struct t_modrm *psib; // Pointer to SIB table or NULL
ulong dispsize; // Size of displacement or 0 if none
ulong features; // Operand features, set of OP_xxx
int reg; // Register index or REG_UNDEF
int defseg; // Default selector (SEG_xxx)
uchar scale[NREG]; // Scales of registers in memory address
ulong aregs; // List of registers used in address
int basereg; // Register used as base or REG_UNDEF
tchar ardec[SHORTNAME]; // Register part of address, INTEL fmt
tchar aratt[SHORTNAME]; // Register part of address, AT&T fmt
} t_modrm;
typedef struct t_bincmd { // Description of 80x86 command
tchar *name; // Symbolic name for this command
ulong cmdtype; // Command's features, set of D_xxx
ulong exttype; // More features, set of DX_xxx
ulong length; // Length of main code (before ModRM/SIB)
ulong mask; // Mask for first 4 bytes of the command
ulong code; // Compare masked bytes with this
ulong postbyte; // Postbyte
ulong arg[NOPERAND]; // Types of arguments, set of B_xxx
} t_bincmd;
typedef struct t_chain { // Element of command chain
const t_bincmd *pcmd; // Pointer to command descriptor or NULL
struct t_chain *pnext; // Pointer to next element in chain
} t_chain;
typedef struct t_config { // Disassembler configuration
int disasmmode; // Main style, one of DAMODE_xxx
int memmode; // Constant part of address, NUM_xxx
int jmpmode; // Jump/call destination, NUM_xxx
int binconstmode; // Binary constants, NUM_xxx
int constmode; // Numeric constants, NUM_xxx
int lowercase; // Force lowercase display
int tabarguments; // Tab between mnemonic and arguments
int extraspace; // Extra space between arguments
int useretform; // Use RET instead of RETN
int shortstringcmds; // Use short form of string commands
int putdefseg; // Display default segments in listing
int showmemsize; // Always show memory size
int shownear; // Show NEAR modifiers
int ssesizemode; // How to decode size of SSE operands
int jumphintmode; // How to decode jump hints
int sizesens; // How to decode size-sensitive mnemonics
int simplifiedst; // How to decode top of FPU stack
int hiliteoperands; // Highlight operands
} t_config;
typedef struct t_operand { // Description of disassembled operand
// Description of operand.
ulong features; // Operand features, set of OP_xxx
ulong arg; // Operand type, set of B_xxx
// int optype; // DEC_INT, DEC_FLOAT or DEC_UNKNOWN
int opsize; // Total size of data, bytes
int granularity; // Size of element (opsize exc. MMX/SSE)
int reg; // REG_xxx (also ESP in POP) or REG_UNDEF
ulong uses; // List of used regs (not in address!)
ulong modifies; // List of modified regs (not in addr!)
// Description of memory address.
int seg; // Selector (SEG_xxx)
uchar scale[NREG]; // Scales of registers in memory address
ulong aregs; // List of registers used in address
ulong opconst; // Constant or const part of address
ulong selector; // Immediate selector in far jump/call
// Textual decoding.
tchar text[TEXTLEN]; // Operand, decoded to text
} t_operand;
// Note that used registers are those which contents is necessary to create
// result. Modified registers are those which value is changed. For example,
// command MOV EAX,[EBX+ECX] uses EBX and ECX and modifies EAX. Command
// ADD ESI,EDI uses ESI and EDI and modifies ESI.
typedef struct t_disasm { // Disassembled command
ulong ip; // Address of first command byte
ulong size; // Full length of command, bytes
ulong cmdtype; // Type of command, D_xxx
ulong exttype; // More features, set of DX_xxx
ulong prefixes; // List of prefixes, set of PF_xxx
ulong nprefix; // Number of prefixes, including SSE2
ulong memfixup; // Offset of first 4-byte fixup or -1
ulong immfixup; // Offset of second 4-byte fixup or -1
int errors; // Set of DAE_xxx
int warnings; // Set of DAW_xxx
ulong uses; // List of used registers
ulong modifies; // List of modified registers
ulong memconst; // Constant in memory address or 0
ulong stackinc; // Data size in ENTER/RETN/RETF
t_operand op[NOPERAND]; // Operands
tchar dump[TEXTLEN]; // Hex dump of the command
tchar result[TEXTLEN]; // Fully decoded command as text
uchar mask[TEXTLEN]; // Mask to highlight result
int masksize; // Length of mask corresponding to result
} t_disasm;
extern t_modrm modrm16[256]; // 16-bit ModRM decodings
extern t_modrm modrm32[256]; // 32-bit ModRM decodings without SIB
extern t_modrm sib0[256]; // ModRM-SIB decodings with Mod=00
extern t_modrm sib1[256]; // ModRM-SIB decodings with Mod=01
extern t_modrm sib2[256]; // ModRM-SIB decodings with Mod=10
extern const t_bincmd bincmd[]; // List of 80x86 commands
extern t_chain *cmdchain; // Commands sorted by first CMDMASK bits
int Preparedisasm(void);
void Finishdisasm(void);
ulong Disasm(uchar const *cmd,ulong cmdsize,ulong cmdip,
t_disasm *da,int cmdmode,t_config *cmdconfig,
int (*decodeaddress)(tchar *s,ulong addr));
tchar *Geterrwarnmessage(ulong errors,ulong warnings);