|
1
|
1 <html>
|
|
|
2 <head>
|
|
|
3 <title>Documentation: Udis86 - Disassembler Library for x86 and AMD64</title>
|
|
|
4 <style type="text/css">@import 'style.css';</style>
|
|
|
5 <style>
|
|
|
6 #api_tab td {
|
|
|
7 vertical-align: top;
|
|
|
8 padding: .4em;
|
|
|
9 }
|
|
|
10 #api_tab {
|
|
|
11 width: 100%;
|
|
|
12 padding: 0em;
|
|
|
13 }
|
|
|
14 .func {
|
|
|
15 text-align: center;
|
|
|
16 font-family: monospace;
|
|
|
17 }
|
|
|
18
|
|
|
19 </style>
|
|
|
20 </head>
|
|
|
21 <body>
|
|
|
22 <div id="topbar"><h1>Udis86 - Disassembler Library for x86 and AMD64</h1></div>
|
|
|
23 <div id="wrapper">
|
|
|
24 <div id="content">
|
|
|
25
|
|
|
26 <a href="index.html">Home</a>
|
|
|
27
|
|
|
28 <h1>Documentation</h1>
|
|
|
29 <small><i>Dec 19, 2006</i> - Added new API function and Standalone build mode.</small>
|
|
|
30 <hr size="1"/>
|
|
|
31 <br/>
|
|
|
32 <a href="#sec1">1. Using the library - libudis86</a>
|
|
|
33 <blockquote>
|
|
|
34 <a href="#sec11">1.1 Compiling and Installing</a> <br/>
|
|
|
35 <blockquote>
|
|
|
36 <a href="#sec111">1.1.1 Standalone Udis86</a> <br/>
|
|
|
37 </blockquote>
|
|
|
38 <a href="#sec12">1.2 Interfacing With Your Program</a> <br/>
|
|
|
39 <a href="#sec13">1.3 A Quick Example</a><br/>
|
|
|
40 <a href="#sec14">1.4 The Udis86 Object</a><br/>
|
|
|
41 <a href="#sec15">1.5 Functions</a><br/>
|
|
|
42 <a href="#sec16">1.6 Examining an Instruction</a>
|
|
|
43 </blockquote>
|
|
|
44 <a href="#sec2">2. Using the command-line tool - udcli</a>
|
|
|
45 <blockquote>
|
|
|
46 <a href="#sec21">2.1 Usage</a> <br/>
|
|
|
47 <a href="#sec22">2.2 Command-line options</a> <br/>
|
|
|
48 <a href="#sec23">2.3 The hexadecimal input mode</a> <br/>
|
|
|
49 </blockquote>
|
|
|
50 <br/>
|
|
|
51 <hr size="1"/>
|
|
|
52
|
|
|
53 <a name="sec1"></a>
|
|
|
54 <h2>1. Using the library - libudis86</h2>
|
|
|
55
|
|
|
56 <p>libudis86 can be used in a variety of situations, and the extent to which you
|
|
|
57 need to know the API depends on the functionality you are looking for. At its
|
|
|
58 core, libudis86 is a disassembler engine, which when given an input stream of
|
|
|
59 machine code bytes, disassembles them for you to inspect. You could use it,
|
|
|
60 simply, to generate assembly language output of the code, or to inspect
|
|
|
61 individual instructions, their operands, etc.</p>
|
|
|
62
|
|
|
63 <a name="sec11"></a>
|
|
|
64 <h3>1.1 Compiling and installing</h3>
|
|
|
65
|
|
|
66 <p>libudis86 is developed for Unix-like environments, and steps to installing
|
|
|
67 it is very simple. Get the source tarball, unpack it, and,</p>
|
|
|
68 <pre>
|
|
|
69 $ ./configure
|
|
|
70 $ make
|
|
|
71 $ make install
|
|
|
72 </pre>
|
|
|
73 <p>is all you need to do. Ofcourse, you may need to have root privileges to make
|
|
|
74 install. The install scripts copy the necessary header and library files to
|
|
|
75 appropriate locations of in system.
|
|
|
76 </p>
|
|
|
77
|
|
|
78 <a name="sec111"></a>
|
|
|
79 <h4>1.1.1 Standalone Udis86</h4>
|
|
|
80
|
|
|
81 <p>Standalone udis86 is (for now) a simple build hack that lets you build
|
|
|
82 a single relocatable object file with all of the libudis86 functionality, that you
|
|
|
83 could possibly use in any environment, say, a kernel module. The standalone object
|
|
|
84 assumes the availablity of the following functionality in the environment.</p>
|
|
|
85
|
|
|
86 <pre>
|
|
|
87 - memset()
|
|
|
88 - vprintf()
|
|
|
89 - sscanf()
|
|
|
90 </pre>
|
|
|
91
|
|
|
92 <p> To build udis86 in standalone mode, do the following.</p>
|
|
|
93
|
|
|
94 <pre>
|
|
|
95 $ ./configure
|
|
|
96 $ make standalone
|
|
|
97 </pre>
|
|
|
98
|
|
|
99 which will generate <code>ud_standalone.o</code> in <code>ud/libudis86</code>. This build
|
|
|
100 mode is a little hack'ish in nature and hopefully is replaced with better configure scripts
|
|
|
101 in the future. If you have ideas, let me know!
|
|
|
102
|
|
|
103 <a name="sec12"></a>
|
|
|
104 <h3>1.2 Interfacing with your program</h3>
|
|
|
105
|
|
|
106 <p>Once you have installed libudis86, to use it with your program, first,
|
|
|
107 include in your program the udis86.h header file,
|
|
|
108 </p>
|
|
|
109
|
|
|
110 <pre>
|
|
|
111 #include <udis86.h>
|
|
|
112 </pre>
|
|
|
113
|
|
|
114 <p>and then, add the following flag to your GCC command-line options.</p>
|
|
|
115
|
|
|
116 <pre>
|
|
|
117 -ludis86
|
|
|
118 </pre>
|
|
|
119
|
|
|
120 <a name="sec13"></a>
|
|
|
121 <h3>1.3 A Quick Example</h3>
|
|
|
122
|
|
|
123 The following code is an example of a program that interfaces with libudis86 and
|
|
|
124 uses the API to generate assembly language output for 64-bit code, input from
|
|
|
125 STDIN.
|
|
|
126 <pre>
|
|
|
127 /* simple_example.c */
|
|
|
128
|
|
|
129 #include <stdio.h>
|
|
|
130 #include <udis86.h>
|
|
|
131
|
|
|
132 int main()
|
|
|
133 {
|
|
|
134 ud_t ud_obj;
|
|
|
135
|
|
|
136 ud_init(&ud_obj);
|
|
|
137 ud_set_input_file(&ud_obj, stdin);
|
|
|
138 ud_set_mode(&ud_obj, 64);
|
|
|
139 ud_set_syntax(&ud_obj, UD_SYN_INTEL);
|
|
|
140
|
|
|
141 while (ud_disassemble(&ud_obj)) {
|
|
|
142 printf("\t%s\n", ud_insn_asm(&ud_obj));
|
|
|
143 }
|
|
|
144
|
|
|
145 return 0;
|
|
|
146 }
|
|
|
147 </pre>
|
|
|
148 To compile the program:
|
|
|
149 <pre>
|
|
|
150 $ gcc -ludis86 simple_example.c -o simple_example
|
|
|
151 </pre>
|
|
|
152
|
|
|
153 <p>This example should give you an idea of how this library can
|
|
|
154 be used. The following sections describe, in detail, the complete API of
|
|
|
155 libudis86.</p>
|
|
|
156
|
|
|
157 <a name="sec14"></a>
|
|
|
158 <h3>1.4 The Udis86 Object</h3>
|
|
|
159
|
|
|
160 <p>To maintain reentrancy and thread safety, udis86 does not use static data.
|
|
|
161 All data related to the disassembly process are stored in a single object,
|
|
|
162 called the udis86 object. So, to use libudis86 you must create an instance of
|
|
|
163 this object,</p>
|
|
|
164
|
|
|
165 <pre>
|
|
|
166 ud_t my_ud_obj;
|
|
|
167 </pre>
|
|
|
168
|
|
|
169 and initialize it,
|
|
|
170
|
|
|
171 <pre>
|
|
|
172 ud_init(&my_ud_obj);
|
|
|
173 </pre>
|
|
|
174
|
|
|
175 Ofcourse, you can create multiple instances of libudis86 and spawn multiple
|
|
|
176 threads of disassembly. Thats entirely upto how you want to use the library.
|
|
|
177 libudis86 guarantees reentrancy and thread safety.
|
|
|
178
|
|
|
179 <a name="sec15"></a>
|
|
|
180 <h3>1.5 Functions</h3>
|
|
|
181
|
|
|
182 All functions in libudis86 take a pointer to the udis86 object (ud_t) as the first
|
|
|
183 argument. The following is a list of all functions available.
|
|
|
184
|
|
|
185
|
|
|
186 <ol>
|
|
|
187 <li>
|
|
|
188 <pre>void ud_init (ud_t* ud_obj)</pre>
|
|
|
189 ud_t object initializer. This function must be called on a udis86 object
|
|
|
190 before it can used anywhere else.
|
|
|
191 </li>
|
|
|
192
|
|
|
193 <li>
|
|
|
194 <pre>void ud_set_input_hook(ud_t* ud_obj, int (*hook)())</pre>
|
|
|
195
|
|
|
196 This function sets the input source for the library. To retrieve each
|
|
|
197 byte in the stream, libudis86 calls back the function pointed to by
|
|
|
198 "hook".
|
|
|
199
|
|
|
200 The hook function, defined by the user code, must return a single byte
|
|
|
201 of code each time it is called. To signal end-of-input, it must return the
|
|
|
202 constant, <code>UD_EOI</code>.
|
|
|
203 </li>
|
|
|
204
|
|
|
205 <li>
|
|
|
206 <pre>void ud_set_input_buffer(ud_t* ud_obj, unsigned char* buffer, size_t size);</pre>
|
|
|
207
|
|
|
208 This function sets the input source for the library to a buffer of fixed
|
|
|
209 size.
|
|
|
210 </li>
|
|
|
211
|
|
|
212 <li>
|
|
|
213 <pre>void ud_set_input_file(ud_t* ud_obj, FILE* filep);</pre>
|
|
|
214
|
|
|
215 This function sets the input source for the library to a file pointed to by
|
|
|
216 the passed FILE pointer. Note that the library does not perform any checks,
|
|
|
217 assuming the file pointer to be properly initialized.
|
|
|
218 </li>
|
|
|
219
|
|
|
220 <li>
|
|
|
221 <pre>void ud_set_mode(ud_t* ud_obj, uint8_t mode_bits);</pre>
|
|
|
222
|
|
|
223 Sets the mode of disassembly. Possible values are 16, 32, and 64. By
|
|
|
224 default, the library works in 32bit mode.
|
|
|
225 </li>
|
|
|
226
|
|
|
227 <li>
|
|
|
228 <pre>void ud_set_pc(ud_t*, uint64_t pc);</pre>
|
|
|
229
|
|
|
230 Sets the program counter (EIP/RIP). This changes the offset of the
|
|
|
231 assembly output generated, with direct effect on branch instructions.
|
|
|
232 </li>
|
|
|
233
|
|
|
234 <li>
|
|
|
235 <pre>void ud_set_syntax(ud_t*, void (*translator)(ud_t*));</pre>
|
|
|
236
|
|
|
237 libudis86 disassembles one instruction at a time into an intermediate
|
|
|
238 form that lets you inspect the instruction and its various aspects
|
|
|
239 individually. But to generate the assembly language output, this
|
|
|
240 intermediate form must be translated. This function sets the translator.
|
|
|
241 There are two inbuilt translators,
|
|
|
242 <br/>
|
|
|
243 <ul>
|
|
|
244 <li>UD_SYN_INTEL - for INTEL (NASM-like) syntax.</li>
|
|
|
245 <li>UD_SYN_ATT - for AT&T (GAS-like) syntax.</li>
|
|
|
246 </ul>
|
|
|
247 If you do not want libudis86 to translate, you can pass a NULL to the
|
|
|
248 function, with no more translations thereafter. This is particularily
|
|
|
249 useful for cases when you only want to identify chunks of code and then
|
|
|
250 create the assembly output if needed.
|
|
|
251 <br/><br/>
|
|
|
252 If you want to create your own translator, you must pass a pointer to
|
|
|
253 function that accepts a pointer to ud_t. This function will be called
|
|
|
254 by libudis86 after each instruction is decoded.
|
|
|
255 </li>
|
|
|
256
|
|
|
257 <li>
|
|
|
258 <pre>void ud_set_vendor(ud_t*, unsigned vendor);</pre>
|
|
|
259
|
|
|
260 Sets the vendor of whose instruction to choose from. This is only useful for
|
|
|
261 selecting the VMX or SVM instruction sets at which point INTEL and AMD have
|
|
|
262 diverged significantly. At a later stage, support for a more granular
|
|
|
263 selection of instruction sets maybe added.
|
|
|
264 <br/>
|
|
|
265 <ul>
|
|
|
266 <li>UD_VENDOR_INTEL - for INTEL instruction set.</li>
|
|
|
267 <li>UD_VEDNOR_ATT - for AMD instruction set.</li>
|
|
|
268 </ul>
|
|
|
269 </li>
|
|
|
270
|
|
|
271 <li>
|
|
|
272 <pre>unsigned int ud_disassemble(ud_t*);</pre>
|
|
|
273
|
|
|
274 This function disassembles the next instruction in the input stream.
|
|
|
275 <i>RETURNS</i>, the number of bytes disassembled. A 0 indicates end of
|
|
|
276 input.
|
|
|
277 <i>NOTE</i>, to restart disassembly, after the end of input, you must
|
|
|
278 call one of the input setting functions with the new input source.
|
|
|
279 </li>
|
|
|
280
|
|
|
281 <li>
|
|
|
282 <pre>unsigned int ud_insn_len(ud_t* u);</pre>
|
|
|
283 Returns the number of bytes disassembled.
|
|
|
284 </li>
|
|
|
285
|
|
|
286
|
|
|
287 <li>
|
|
|
288 <pre>uint64_t ud_insn_off(ud_t*);</pre>
|
|
|
289 Returns the starting offset of the disassembled instruction relative
|
|
|
290 to the program counter value specified initially.
|
|
|
291 </li>
|
|
|
292
|
|
|
293 <li>
|
|
|
294 <pre>char* ud_insn_hex(ud_t*);</pre>
|
|
|
295 Returns pointer to character string holding the hexadecimal
|
|
|
296 representation of the disassembled bytes.
|
|
|
297 </li>
|
|
|
298
|
|
|
299 <li>
|
|
|
300 <pre>uint8_t* ud_insn_ptr(ud_t* u);</pre>
|
|
|
301 Returns pointer to the buffer holding the instruction bytes. Use
|
|
|
302 ud_insn_len(), to determine the length of this buffer.
|
|
|
303 </li>
|
|
|
304
|
|
|
305 <li>
|
|
|
306 <pre>char* ud_insn_asm(ud_t* u);</pre>
|
|
|
307 If the syntax is specified, returns pointer to the character string holding
|
|
|
308 assembly language representation of the disassembled instruction.
|
|
|
309 </li>
|
|
|
310
|
|
|
311 <li>
|
|
|
312 <pre>void ud_input_skip(ud_t*, size_t n);</pre>
|
|
|
313 Skips <code>n</code> number of bytes in the input stream.
|
|
|
314 </li>
|
|
|
315 </ol>
|
|
|
316
|
|
|
317 <a name="sec16"></a>
|
|
|
318 <h3>1.6 Examining an Instruction</h3>
|
|
|
319
|
|
|
320 After calling ud_disassembly, instructions can be examined by accessing fields
|
|
|
321 of the ud_t object, as described below.
|
|
|
322
|
|
|
323 <ol>
|
|
|
324 <li>
|
|
|
325 <pre>ud_mnemonic_code_t ud_obj->mnemonic</pre>
|
|
|
326
|
|
|
327 The mnemonic code for the disassembled instruction. All codes are
|
|
|
328 prefixed by UD_I, such as, <code>UD_Imov, UD_Icall, UD_Ijmp</code>, etc.
|
|
|
329 See a list of mnemonic codes in mnemonics.h.
|
|
|
330 </li>
|
|
|
331
|
|
|
332 <li>
|
|
|
333 <pre>ud_operand_t ud_obj->operand[n]</pre>
|
|
|
334
|
|
|
335 The array of operands of the disassembled instruction. A maximum of
|
|
|
336 three operands are allowed, indexed as 0, 1, and 2. Operands can be
|
|
|
337 examined using the their sub-fields as described below.
|
|
|
338 </li>
|
|
|
339
|
|
|
340 <li>
|
|
|
341 <pre>ud_type_t ud_obj->operand[n].type</pre>
|
|
|
342 This field represents the type of the operand n. Possible values are -
|
|
|
343 <pre>
|
|
|
344 UD_OP_MEM - A Memory Addressing Operand.
|
|
|
345 UD_OP_REG - A Register Operand.
|
|
|
346 UD_OP_PTR - A Segment:Offset Pointer Operand.
|
|
|
347 UD_OP_IMM - An Immediate Operand
|
|
|
348 UD_OP_JIMM - An Immediate Operand for Branch Instructions.
|
|
|
349 UD_OP_CONST - A Constant Value Operand.
|
|
|
350 UD_NONE - No Operand.</pre>
|
|
|
351
|
|
|
352 </li>
|
|
|
353
|
|
|
354 <li>
|
|
|
355 <pre>ud_obj->operand[n].size</pre>
|
|
|
356 This field gives the size of operand n. Possible values are - 8, 16, 32, 48, 64.
|
|
|
357 </li>
|
|
|
358
|
|
|
359 <li>
|
|
|
360 <pre>
|
|
|
361 ud_obj->operand[n].base
|
|
|
362 ud_obj->operand[n].index
|
|
|
363 ud_obj->operand[n].scale
|
|
|
364 ud_obj->operand[n].offset
|
|
|
365 ud_obj->operand[n].lval</pre>
|
|
|
366
|
|
|
367 For operands of type <code>UD_OP_MEM</code>,
|
|
|
368 <ul>
|
|
|
369 <li><code>ud_obj->operand[n].base</code> is the base register (if any),</li>
|
|
|
370 <li><code>ud_obj->operand[n].index</code> is the index register (if any),</li>
|
|
|
371 <li><code>ud_obj->operand[n].scale</code> is the scale (if any), </li>
|
|
|
372 <li><code>ud_obj->operand[n].offset</code> is the size of displacement/offset to be added (8,16,32,64),</li>
|
|
|
373 <li><code>ud_obj->operand[n].lval</code> is displacement/offset (if any).</li>
|
|
|
374 </ul>
|
|
|
375
|
|
|
376 For operands of type <code>UD_OP_REG</code>,
|
|
|
377 <ul>
|
|
|
378 <li><code>ud_obj->operand[n].base</code> field gives the register.</li>
|
|
|
379 </ul>
|
|
|
380
|
|
|
381 For operands of type <code>UD_OP_PTR</code>,
|
|
|
382 <ul>
|
|
|
383 <li><code>ud_obj->operand[n].lval</code> holds the segment:offset.</li>
|
|
|
384 <li><code>ud_obj->operand[n].size</code> can have two values 32
|
|
|
385 (for 16:16 seg:off) and 48 (for 16:32 seg:off).</li>
|
|
|
386 </ul>
|
|
|
387
|
|
|
388 For operands of type <code>UD_OP_IMM, UD_OP_JIMM, UD_OP_CONST</code>,
|
|
|
389 <ul>
|
|
|
390 <li><code>ud_obj->operand[n].lval</code> holds the value.</li>
|
|
|
391 </ul>
|
|
|
392
|
|
|
393 Possible values for <code>ud_obj->operand[n].base</code> and <code>ud_obj->operand[n].index</code>.
|
|
|
394 <pre>
|
|
|
395 /* No register */
|
|
|
396 UD_NONE,
|
|
|
397
|
|
|
398 /* 8 bit GPRs */
|
|
|
399 UD_R_AL, UD_R_CL, UD_R_DL, UD_R_BL,
|
|
|
400 UD_R_AH, UD_R_CH, UD_R_DH, UD_R_BH,
|
|
|
401 UD_R_SPL, UD_R_BPL, UD_R_SIL, UD_R_DIL,
|
|
|
402 UD_R_R8B, UD_R_R9B, UD_R_R10B, UD_R_R11B,
|
|
|
403 UD_R_R12B, UD_R_R13B, UD_R_R14B, UD_R_R15B,
|
|
|
404
|
|
|
405 /* 16 bit GPRs */
|
|
|
406 UD_R_AX, UD_R_CX, UD_R_DX, UD_R_BX,
|
|
|
407 UD_R_SP, UD_R_BP, UD_R_SI, UD_R_DI,
|
|
|
408 UD_R_R8W, UD_R_R9W, UD_R_R10W, UD_R_R11W,
|
|
|
409 UD_R_R12W, UD_R_R13W, UD_R_R14W, UD_R_R15W,
|
|
|
410
|
|
|
411 /* 32 bit GPRs */
|
|
|
412 UD_R_EAX, UD_R_ECX, UD_R_EDX, UD_R_EBX,
|
|
|
413 UD_R_ESP, UD_R_EBP, UD_R_ESI, UD_R_EDI,
|
|
|
414 UD_R_R8D, UD_R_R9D, UD_R_R10D, UD_R_R11D,
|
|
|
415 UD_R_R12D, UD_R_R13D, UD_R_R14D, UD_R_R15D,
|
|
|
416
|
|
|
417 /* 64 bit GPRs */
|
|
|
418 UD_R_RAX, UD_R_RCX, UD_R_RDX, UD_R_RBX,
|
|
|
419 UD_R_RSP, UD_R_RBP, UD_R_RSI, UD_R_RDI,
|
|
|
420 UD_R_R8, UD_R_R9, UD_R_R10, UD_R_R11,
|
|
|
421 UD_R_R12, UD_R_R13, UD_R_R14, UD_R_R15,
|
|
|
422
|
|
|
423 /* segment registers */
|
|
|
424 UD_R_ES, UD_R_CS, UD_R_SS, UD_R_DS,
|
|
|
425 UD_R_FS, UD_R_GS,
|
|
|
426
|
|
|
427 /* control registers*/
|
|
|
428 UD_R_CR0, UD_R_CR1, UD_R_CR2, UD_R_CR3,
|
|
|
429 UD_R_CR4, UD_R_CR5, UD_R_CR6, UD_R_CR7,
|
|
|
430 UD_R_CR8, UD_R_CR9, UD_R_CR10, UD_R_CR11,
|
|
|
431 UD_R_CR12, UD_R_CR13, UD_R_CR14, UD_R_CR15,
|
|
|
432
|
|
|
433 /* debug registers */
|
|
|
434 UD_R_DR0, UD_R_DR1, UD_R_DR2, UD_R_DR3,
|
|
|
435 UD_R_DR4, UD_R_DR5, UD_R_DR6, UD_R_DR7,
|
|
|
436 UD_R_DR8, UD_R_DR9, UD_R_DR10, UD_R_DR11,
|
|
|
437 UD_R_DR12, UD_R_DR13, UD_R_DR14, UD_R_DR15,
|
|
|
438
|
|
|
439 /* mmx registers */
|
|
|
440 UD_R_MM0, UD_R_MM1, UD_R_MM2, UD_R_MM3,
|
|
|
441 UD_R_MM4, UD_R_MM5, UD_R_MM6, UD_R_MM7,
|
|
|
442
|
|
|
443 /* x87 registers */
|
|
|
444 UD_R_ST0, UD_R_ST1, UD_R_ST2, UD_R_ST3,
|
|
|
445 UD_R_ST4, UD_R_ST5, UD_R_ST6, UD_R_ST7,
|
|
|
446
|
|
|
447 /* extended multimedia registers */
|
|
|
448 UD_R_XMM0, UD_R_XMM1, UD_R_XMM2, UD_R_XMM3,
|
|
|
449 UD_R_XMM4, UD_R_XMM5, UD_R_XMM6, UD_R_XMM7,
|
|
|
450 UD_R_XMM8, UD_R_XMM9, UD_R_XMM10, UD_R_XMM11,
|
|
|
451 UD_R_XMM12, UD_R_XMM13, UD_R_XMM14, UD_R_XMM15,
|
|
|
452
|
|
|
453 UD_R_RIP</pre>
|
|
|
454
|
|
|
455 Possible values for <code>ud_obj->operand[n].lval</code> depend on <code>ud_obj->operand[n].size</code>,
|
|
|
456 based on which you could use its sub-fields to access the integer values.
|
|
|
457
|
|
|
458 <pre>
|
|
|
459 ud_obj->operand[n].lval.sbyte - Signed Byte
|
|
|
460 ud_obj->operand[n].lval.ubyte - Unsigned Byte
|
|
|
461 ud_obj->operand[n].lval.sword - Signed Word
|
|
|
462 ud_obj->operand[n].lval.uword - Unsigned Word
|
|
|
463 ud_obj->operand[n].lval.sdword - Signed Double Word
|
|
|
464 ud_obj->operand[n].lval.udword - Unsined Double Word
|
|
|
465 ud_obj->operand[n].lval.sqword - Signed Quad Word
|
|
|
466 ud_obj->operand[n].lval.uqword - Unsigned Quad Word
|
|
|
467 ud_obj->operand[n].lval.ptr.seg - Pointer Segment in Segment:Offset
|
|
|
468 ud_obj->operand[n].lval.ptr.off - Pointer Offset in Segment:Offset </pre>
|
|
|
469
|
|
|
470 <li>Prefix Fields - These fields store prefixes (if found). If a prefix
|
|
|
471 does not exists then the field corresponding to it has the value <code>UD_NONE</code>.
|
|
|
472 <pre>
|
|
|
473 ud_obj->operand[n].pfx_rex - 64-bit mode REX prefix
|
|
|
474 ud_obj->operand[n].pfx_seg - Segment register prefix
|
|
|
475 ud_obj->operand[n].pfx_opr - Operand-size prefix (66h)
|
|
|
476 ud_obj->operand[n].pfx_adr - Address-size prefix (67h)
|
|
|
477 ud_obj->operand[n].pfx_lock - Lock prefix
|
|
|
478 ud_obj->operand[n].pfx_rep - Rep prefix
|
|
|
479 ud_obj->operand[n].pfx_repe - Repe prefix
|
|
|
480 ud_obj->operand[n].pfx_repne - Repne prefix</pre>
|
|
|
481 </li>
|
|
|
482
|
|
|
483 Possible values for <code>ud_obj->operand[n].pfx_seg</code> are,
|
|
|
484 <pre>
|
|
|
485 UD_R_ES, UD_R_CS, UD_R_SS, UD_R_DS,
|
|
|
486 UD_R_FS, UD_R_GS, UD_NONE</pre>
|
|
|
487 </li>
|
|
|
488
|
|
|
489 <li>
|
|
|
490 <pre>uint4_t ud_obj->pc</pre>
|
|
|
491 The program counter.
|
|
|
492 </li>
|
|
|
493 </ol>
|
|
|
494
|
|
|
495 <a name="sec2"></a>
|
|
|
496 <h2>2. Using the command-line tool - udcli</h2>
|
|
|
497
|
|
|
498 A front-end incarnation of this library, udcli is a small command-line tool for
|
|
|
499 your quick disassembly needs.
|
|
|
500
|
|
|
501 <a name="sec21"></a>
|
|
|
502 <h3>2.1 Usage</h3>
|
|
|
503 <pre>$ udcli [-option[s]] file</pre>
|
|
|
504
|
|
|
505 <a name="sec22"></a>
|
|
|
506 <h3>2.2 Options</h3>
|
|
|
507 <pre>
|
|
|
508 -16 : Set the disassembly mode to 16 bits.
|
|
|
509 -32 : Set the disassembly mode to 32 bits. (default)
|
|
|
510 -64 : Set the disassembly mode to 64 bits.
|
|
|
511 -intel : Set the output to INTEL (NASM like) syntax. (default)
|
|
|
512 -att : Set the output to AT&T (GAS like) syntax.
|
|
|
513 -v <v> : Set vendor. <v> = {intel, amd}
|
|
|
514 -o <pc> : Set the value of program counter to <pc>. (default = 0)
|
|
|
515 -s <pc> : Set the number of bytes to skip before disassembly to <n>.
|
|
|
516 -c <pc> : Set the number of bytes to disassemble to <n>.
|
|
|
517 -x : Set the input mode to whitespace seperated 8-bit numbers in
|
|
|
518 hexadecimal representation. Example: 0f 01 ae 00
|
|
|
519 -noff : Do not display the offset of instructions.
|
|
|
520 -nohex : Do not display the hexadecimal code of instructions.
|
|
|
521 -h : Display help message.</pre>
|
|
|
522
|
|
|
523 <a name="sec23"></a>
|
|
|
524 <h3>2.3 The hexadecimal input mode</h3>
|
|
|
525
|
|
|
526 Noteworthy among the command-line options of the udcli is "-x" which sets the
|
|
|
527 input mode to whitespace seperated 8-bit numbers in hexadecimal representation.
|
|
|
528 This could come as a handy tool, for quickly disassembling hexadecimal
|
|
|
529 representation of machine code, like those generated during software crashes, etc.
|
|
|
530
|
|
|
531 <div style="text-align:center; padding: 1em;">
|
|
|
532 <img src="ss.jpg" style="border: 1px double; padding: 2px;"/>
|
|
|
533 </div>
|
|
|
534
|
|
|
535 <div style="text-align:center"><small>© 2006 Vivek Mohan</small></div>
|
|
|
536 </body>
|
|
|
537 </html>
|
