├── Docs ├── lib文件结构图.JPG ├── obj文件格式.jpg └── 解析静态库(Lib)文件.docx ├── LibParser.rar ├── LibParser.sln ├── LibParser ├── LibParser.cpp ├── LibParser.h ├── LibParser.vcproj ├── ObjParser.cpp ├── ObjParser.h ├── ParserMain.cpp └── ReadMe.txt ├── LibScanner ├── LibScanner.CPP ├── LibScanner.H ├── LibScanner.vcproj ├── PEInfo.cpp ├── PEInfo.h ├── PVDasm │ ├── Disasm.cpp │ ├── Disasm.h │ └── Dsasm_Functions.cpp ├── ReadMe.txt └── ScannerMain.cpp ├── Libs ├── VC2003Lib │ ├── LIBC.flb │ ├── LIBCD.flb │ ├── libc.lib │ └── libcd.lib ├── VC2005Lib │ ├── LIBCMT.flb │ ├── LIBCMTD.flb │ ├── libcmt.lib │ └── libcmtd.lib ├── VC2008Lib │ ├── LIBCMT.flb │ ├── LIBCMTD.flb │ ├── libcmt.lib │ └── libcmtd.lib └── VC6Lib │ ├── LIBC.LIB │ ├── LIBC.flb │ ├── LIBCD.LIB │ └── LIBCD.flb ├── README.md └── Test ├── test.exe └── test.log /Docs/lib文件结构图.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Docs/lib文件结构图.JPG -------------------------------------------------------------------------------- /Docs/obj文件格式.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Docs/obj文件格式.jpg -------------------------------------------------------------------------------- /Docs/解析静态库(Lib)文件.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Docs/解析静态库(Lib)文件.docx -------------------------------------------------------------------------------- /LibParser.rar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/LibParser.rar -------------------------------------------------------------------------------- /LibParser.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 10.00 3 | # Visual Studio 2008 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "LibParser", "LibParser\LibParser.vcproj", "{CFD1CBD8-716A-4CF9-B36C-A3914F2F3242}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "LibScanner", "LibScanner\LibScanner.vcproj", "{14523F05-B47B-4498-8515-A7E54E43BD61}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Win32 = Debug|Win32 11 | Release|Win32 = Release|Win32 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {CFD1CBD8-716A-4CF9-B36C-A3914F2F3242}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {CFD1CBD8-716A-4CF9-B36C-A3914F2F3242}.Debug|Win32.Build.0 = Debug|Win32 16 | {CFD1CBD8-716A-4CF9-B36C-A3914F2F3242}.Release|Win32.ActiveCfg = Release|Win32 17 | {CFD1CBD8-716A-4CF9-B36C-A3914F2F3242}.Release|Win32.Build.0 = Release|Win32 18 | {14523F05-B47B-4498-8515-A7E54E43BD61}.Debug|Win32.ActiveCfg = Debug|Win32 19 | {14523F05-B47B-4498-8515-A7E54E43BD61}.Debug|Win32.Build.0 = Debug|Win32 20 | {14523F05-B47B-4498-8515-A7E54E43BD61}.Release|Win32.ActiveCfg = Release|Win32 21 | {14523F05-B47B-4498-8515-A7E54E43BD61}.Release|Win32.Build.0 = Release|Win32 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /LibParser/LibParser.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/LibParser/LibParser.cpp -------------------------------------------------------------------------------- /LibParser/LibParser.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/LibParser/LibParser.h -------------------------------------------------------------------------------- /LibParser/LibParser.vcproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/LibParser/LibParser.vcproj -------------------------------------------------------------------------------- /LibParser/ObjParser.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/LibParser/ObjParser.cpp -------------------------------------------------------------------------------- /LibParser/ObjParser.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/LibParser/ObjParser.h -------------------------------------------------------------------------------- /LibParser/ParserMain.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/LibParser/ParserMain.cpp -------------------------------------------------------------------------------- /LibParser/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | 控制台应用程序:LibParser 项目概述 3 | ======================================================================== 4 | 5 | 应用程序向导已为您创建了此 LibParser 应用程序。 6 | 7 | 本文件概要介绍组成 LibParser 应用程序的 8 | 的每个文件的内容。 9 | 10 | 11 | LibParser.vcproj 12 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件, 13 | 其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。 14 | 15 | LibParser.cpp 16 | 这是主应用程序源文件。 17 | 18 | ///////////////////////////////////////////////////////////////////////////// 19 | 其他标准文件: 20 | 21 | StdAfx.h, StdAfx.cpp 22 | 这些文件用于生成名为 LibParser.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。 23 | 24 | ///////////////////////////////////////////////////////////////////////////// 25 | 其他注释: 26 | 27 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。 28 | 29 | ///////////////////////////////////////////////////////////////////////////// -------------------------------------------------------------------------------- /LibScanner/LibScanner.CPP: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/LibScanner/LibScanner.CPP -------------------------------------------------------------------------------- /LibScanner/LibScanner.H: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/LibScanner/LibScanner.H -------------------------------------------------------------------------------- /LibScanner/LibScanner.vcproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/LibScanner/LibScanner.vcproj -------------------------------------------------------------------------------- /LibScanner/PEInfo.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/LibScanner/PEInfo.cpp -------------------------------------------------------------------------------- /LibScanner/PEInfo.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/LibScanner/PEInfo.h -------------------------------------------------------------------------------- /LibScanner/PVDasm/Disasm.cpp: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | 8888888b. 888 888 d8b 4 | 888 Y88b 888 888 Y8P 5 | 888 888 888 888 6 | 888 d88P 888d888 .d88b. Y88b d88P 888 .d88b. 888 888 888 7 | 8888888P" 888P" d88""88b Y88b d88P 888 d8P Y8b 888 888 888 8 | 888 888 888 888 Y88o88P 888 88888888 888 888 888 9 | 888 888 Y88..88P Y888P 888 Y8b. Y88b 888 d88P 10 | 888 888 "Y88P" Y8P 888 "Y8888 "Y8888888P" 11 | 12 | 13 | Dissasembler Engine Core 14 | ~~~~~~~~~~~~~~~~~~~~~~~~ 15 | 16 | Written by Bengaly (R) 2003-2005. 17 | As a part of the Proview (a.k.a PVDasm). 18 | Permission is granted to make and distribute verbatim copies of this 19 | Program provided the copyright notice and this permission notice are 20 | Preserved on all copies. 21 | 22 | File: Disasm.cpp (main) 23 | 24 | Disassembler Core Version: 1.04b 25 | */ 26 | 27 | #include "Disasm.h" 28 | 29 | 30 | const char *Regs[3][9] = { 31 | {"al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"}, 32 | {"ax", "cx", "dx", "bx", "sp", "bp", "si", "di"}, 33 | {"eax","ecx","edx","ebx","esp","ebp","esi","edi"} 34 | }; 35 | 36 | const char *RegSize[4] = {"Qword","Dword","Word","Byte"}; 37 | const char *Segs[8] = {"ES","CS","SS","DS","FS","GS","SEG?","SEG?"}; 38 | PBYTE pCodeBase; 39 | DWORD BaseAddress; 40 | 41 | void Decode(DISASSEMBLY *Disasm,char *Opcode,DWORD *Index) 42 | { 43 | /* 44 | This function is the Main decoding rutine. 45 | The function gets 3 params: 46 | 1. DISASSEMBLY struct pointer 47 | 2. Opcode pointer, point to the linear address to decode 48 | 3. Index pointer, this is the distance from the beginning<>end of the linear 49 | 50 | The function First searches for Prefixes + Repeated prefixes, 51 | This is the first step to do in any disasm engine. 52 | Prefixes determine behavior of instruction and the way they 53 | Are decoded. 54 | Once prefies has been found, we changes params (such as default r/m size, Lock..) 55 | 56 | The function than searched for the byte to be decoded, the actual 57 | Menemonic referenced in CPU form (Opcode), 58 | I have not used big table - time prob -, although it is highly recomended! (hopefully in future) 59 | */ 60 | 61 | // intializations 62 | DWORD dwMem=0,dwOp=0; 63 | int i=*Index,RegRepeat=0,LockRepeat=0,SegRepeat=0,RepRepeat=0,AddrRepeat=0; // Repeated Prefixes 64 | int RM=REG32,SEG=SEG_DS,ADDRM=REG32; // default modes 65 | int PrefixesSize=0,PrefixesRSize=0; // PrefixesSize = all Prefixes(no rep), PrefixesRsize (with Rep Prefix) 66 | WORD wMem=0,wOp=0; 67 | bool RegPrefix=0,LockPrefix=0,SegPrefix=0,RepPrefix=0,AddrPrefix=0; // default size of Prefixes 68 | BYTE Bit_D=0, Bit_W=0; // bit d/w for R/M 69 | char menemonic[256]=""; 70 | char RSize[10]="Dword"; // default size of menemonic 71 | BYTE Op=(BYTE)Opcode[i]; // current opcode 72 | 73 | 74 | 75 | //======================================================= 76 | // Decoding Prefixes // 77 | //======================================================= 78 | 79 | // we first assume there is prefix ! 80 | // if we skip this, our decoding might be currupted 81 | 82 | while( // check only RegPreifix/LockProfix/SegPrefixes/RepPrefix/AddrPerfix 83 | (Op==0x66) || (Op==0x0F0)|| (Op==0x2E) || (Op==0x36) || 84 | (Op==0x3E) || (Op==0x26) || (Op==0x64) || (Op==0x65) || 85 | (Op==0xF2) || (Op==0xF3) || (Op==0x67) 86 | ) 87 | { 88 | switch(Op) 89 | { 90 | case 0x66: // reg prefix, change default size, dword->word 91 | { 92 | RM=REG16; // 66 prefix, change default size 93 | RegPrefix=1; 94 | BYTE temp; 95 | wsprintf(RSize,"%s",RegSize[2]); // change default size of menemonic to 'Word' 96 | //LockPrefix=0; 97 | lstrcat(Disasm->Opcode,"66:"); 98 | i++; 99 | ++(*Index); 100 | Op=(BYTE)Opcode[i]; 101 | temp=(BYTE)Opcode[i+1]; 102 | RegRepeat++; 103 | if(RegRepeat>1) 104 | { 105 | strcpy_s(Disasm->Opcode,30,"66:"); 106 | strcpy_s(Disasm->Remarks,256,"Prefix DataSize:"); 107 | Disasm->OpcodeSize=1; 108 | Disasm->PrefixSize=0; 109 | (*Index)-=RegRepeat; 110 | return; 111 | } 112 | } 113 | break; 114 | 115 | case 0x67: // Addr prefix, change default Reg size, (EDI->DI) and more! 116 | { 117 | ADDRM=REG16; // 67 prefix, change default size, in this case: Memory Reg Size 118 | AddrPrefix=1; 119 | BYTE temp; 120 | lstrcat(Disasm->Opcode,"67:"); 121 | i++; 122 | ++(*Index); 123 | Op=(BYTE)Opcode[i]; 124 | temp=(BYTE)Opcode[i+1]; 125 | AddrRepeat++; 126 | if(AddrRepeat>1) 127 | { 128 | strcpy_s(Disasm->Opcode,30,"67:"); 129 | strcpy_s(Disasm->Remarks,256,"Prefix AddrSize:"); 130 | Disasm->OpcodeSize=1; 131 | Disasm->PrefixSize=0; 132 | (*Index)-=AddrRepeat; 133 | return; 134 | } 135 | } 136 | break; 137 | 138 | case 0x0F0: // LockPrefix, Add bus lock menemonic opcode in front of every menemonic 139 | { 140 | //BYTE temp; 141 | LockPrefix=1; 142 | //RegPrefix=0; 143 | lstrcat(Disasm->Opcode,"F0:"); 144 | strcpy(Disasm->Assembly,"lock "); 145 | i++; 146 | ++(*Index); 147 | Op=(BYTE)Opcode[i]; 148 | //temp=(BYTE)Opcode[i+1]; 149 | LockRepeat++; 150 | if(LockRepeat>1) 151 | { 152 | strcpy_s(Disasm->Assembly,256,""); 153 | strcpy_s(Disasm->Opcode,30,"F0:"); 154 | strcpy_s(Disasm->Remarks,256,"Prefix LOCK:"); 155 | Disasm->OpcodeSize=1; 156 | Disasm->PrefixSize=0; 157 | (*Index)-=LockRepeat; 158 | return; 159 | } 160 | } 161 | break; 162 | 163 | case 0xF2: case 0xF3: // RepPrefix (only string instruction!!) 164 | { 165 | BYTE NextOp=(BYTE)Opcode[i+1]; // Next followed opcode 166 | BYTE NextOp2=(BYTE)Opcode[i+2]; 167 | RepPrefix=1; 168 | wsprintf(menemonic,"%02X:",Op); 169 | lstrcat(Disasm->Opcode,menemonic); 170 | switch(Op) 171 | { 172 | case 0xF2:wsprintf(menemonic,"repne ");break; 173 | case 0xF3:wsprintf(menemonic,"repe ");break; 174 | } 175 | lstrcat(Disasm->Assembly,menemonic); 176 | i++; 177 | ++(*Index); 178 | Op=(BYTE)Opcode[i]; 179 | RepRepeat++; 180 | // REPE/REPNE Prefixes affect only string operations: 181 | // MOVS/LODS/SCAS/CMPS/STOS/CMPSS.CMPPS..etc (NewSet Instructions) 182 | if(!( 183 | (Op>=0xA4 && Op<=0xA7) || 184 | (Op>=0xAA && Op<=0xAF) || 185 | (NextOp==0x0F && NextOp2==0x2A) || 186 | (NextOp==0x0F && NextOp2==0x10) || 187 | (NextOp==0x0F && NextOp2==0x11) || 188 | (NextOp==0x0F && NextOp2==0x2C) || 189 | (NextOp==0x0F && NextOp2==0x2D) || 190 | (NextOp==0x0F && NextOp2==0x51) || 191 | (NextOp==0x0F && NextOp2==0x52) || 192 | (NextOp==0x0F && NextOp2==0x53) || 193 | (NextOp==0x0F && NextOp2==0x58) || 194 | (NextOp==0x0F && NextOp2==0x59) || 195 | (NextOp==0x0F && NextOp2==0x5C) || 196 | (NextOp==0x0F && NextOp2==0x5D) || 197 | (NextOp==0x0F && NextOp2==0x5E) || 198 | (NextOp==0x0F && NextOp2==0x5F) || 199 | (NextOp==0x0F && NextOp2==0xC2) 200 | ) 201 | ) 202 | { 203 | strcpy(Disasm->Assembly,""); 204 | strcpy(Disasm->Remarks,"Prefix REP:"); 205 | Disasm->OpcodeSize=1; 206 | Disasm->PrefixSize=0; 207 | (*Index)-=RepRepeat; 208 | return; 209 | } 210 | 211 | } 212 | break; 213 | 214 | case 0x2E: case 0x36: // Segment Prefixes 215 | case 0x3E: case 0x26: // Segment Prefixes 216 | case 0x64: case 0x65: // Segment Prefixes 217 | { 218 | BYTE temp; 219 | switch(Op) 220 | { 221 | // Change Default Segment 222 | case 0x2E: SEG = SEG_CS; break; // Segment CS 223 | case 0x36: SEG = SEG_SS; break; // Segment SS 224 | case 0x3E: SEG = SEG_DS; break; // Segment DS 225 | case 0x26: SEG = SEG_ES; break; // Segment ES 226 | case 0x64: SEG = SEG_FS; break; // Segment FS 227 | case 0x65: SEG = SEG_GS; break; // Segment GS 228 | } 229 | 230 | SegPrefix=1; 231 | wsprintf(menemonic,"%02X:",Op); 232 | lstrcat(Disasm->Opcode,menemonic); 233 | i++; 234 | ++(*Index); 235 | Op=(BYTE)Opcode[i]; 236 | temp=(BYTE)Opcode[i-2]; 237 | SegRepeat++; 238 | 239 | // Check if SegPrefix is repeating 240 | if(SegRepeat>1) 241 | { 242 | BYTE opc=(BYTE)Opcode[i-1]; 243 | 244 | if( temp==0x2E || temp==0x36 || 245 | temp==0x3E || temp==0x26 || 246 | temp==0x64 || temp==0x65 || 247 | temp==0x66 || temp==0xF0 || 248 | temp==0x67 249 | ) 250 | { 251 | // Check if last byte was an seg prefix and show it 252 | if(temp==0x66 || temp==0xF0 || temp==0x67) 253 | { 254 | opc=(BYTE)Opcode[i-3]; 255 | SegRepeat++; 256 | } 257 | else 258 | opc=(BYTE)Opcode[i-2]; 259 | 260 | switch(opc) 261 | { 262 | // Change Segment, accurding to last segPrefix (if repeated) 263 | case 0x2E: SEG = SEG_CS; break; // Segment CS 264 | case 0x36: SEG = SEG_SS; break; // Segment SS 265 | case 0x3E: SEG = SEG_DS; break; // Segment DS 266 | case 0x26: SEG = SEG_ES; break; // Segment ES 267 | case 0x64: SEG = SEG_FS; break; // Segment FS 268 | case 0x65: SEG = SEG_GS; break; // Segment GS 269 | } 270 | 271 | 272 | strcpy(Disasm->Assembly,""); 273 | wsprintf(menemonic,"%02X:",opc); 274 | strcpy_s(Disasm->Opcode,30,menemonic); 275 | wsprintf(menemonic,"Prefix %s:",Segs[SEG]); 276 | strcpy(Disasm->Remarks,menemonic); 277 | Disasm->OpcodeSize=0; 278 | Disasm->PrefixSize=1; 279 | (*Index)-=SegRepeat; 280 | } 281 | return; 282 | } 283 | } 284 | break; 285 | 286 | default: 287 | { 288 | // reset prefixes/repeats to default 289 | LockRepeat=0; 290 | RegRepeat=0; 291 | SegRepeat=0; 292 | RegPrefix=0; 293 | LockPrefix=0; 294 | SegPrefix=0; 295 | strcpy(RSize,RegSize[1]); // Default size 296 | } 297 | break; 298 | } 299 | } 300 | 301 | 302 | //============================================= 303 | // Main Decoding starts here! // 304 | //============================================= 305 | 306 | // Calculate Prefixes Sizes 307 | PrefixesSize = RegPrefix+LockPrefix+SegPrefix+AddrPrefix; // No RepPrefix 308 | PrefixesRSize = PrefixesSize+RepPrefix; // Special Case (Rep Prefix is being used -> String menemonics only) 309 | 310 | switch(Op) // Find & Decode Big Set Opcodes 311 | { 312 | case 0x00: case 0x01: case 0x02: case 0x03: // ADD XX/XXX, XX/XXX 313 | case 0x08: case 0x09: case 0x0A: case 0x0B: // OR XX/XXX, XX/XXX 314 | case 0x10: case 0x11: case 0x12: case 0x13: // ADC XX/XXX, XX/XXX 315 | case 0x18: case 0x19: case 0x1A: case 0x1B: // SBB XX/XXX, XX/XXX 316 | case 0x20: case 0x21: case 0x22: case 0x23: // AND XX/XXX, XX/XXX 317 | case 0x28: case 0x29: case 0x2A: case 0x2B: // SUB XX/XXX, XX/XXX 318 | case 0x30: case 0x31: case 0x32: case 0x33: // XOR XX/XXX, XX/XXX 319 | case 0x38: case 0x39: case 0x3A: case 0x3B: // CMP XX/XXX, XX/XXX 320 | case 0x88: case 0x89: case 0x8A: case 0x8B: // MOV XX/XXX, XX/XXX 321 | case 0x8C: case 0x8E: // MOV XX/XXX, XX/XXX 322 | case 0x62: case 0x63: // BOUND / ARPL XX/XXX, XX/XXX 323 | case 0x69: // IMUL RM,IIM32 (DWORD) 324 | case 0x6B: // IMUL , 325 | case 0x80: case 0x81: case 0x82: case 0x83: // MIXED Instructions 326 | case 0x84: case 0x85: // TEST 327 | case 0x86: case 0x87: // XCHG 328 | case 0x8D: // LEA 329 | case 0x8F: // POP 330 | case 0xC0: case 0xC1: // MIXED Instructions 331 | case 0xC4: case 0xC5: // LES / LDS REG,MEM 332 | case 0xC6: case 0xC7: // MOV [MEM],IIM8/16/32 333 | case 0xD0: case 0xD1: case 0xD2: case 0xD3: // MIXED Bitwise Instructions 334 | case 0xD8: case 0xD9: case 0xDA: case 0xDB: // FPU Instructions 335 | case 0xDC: case 0xDD: case 0xDE: case 0xDF: // FPU Instructions 336 | case 0xF6: case 0xF7: case 0xFE: case 0xFF: // MIX Instructions 337 | { 338 | if(((BYTE)Opcode[i+1] & 0xC0)==0xC0) // Check Opcode Range 339 | { 340 | char mene[10]=""; 341 | 342 | GetInstruction(Op,mene); // Get instruction from Opcode Byte 343 | Bit_D=(Op&0x02)>>1; // Get bit d (direction) 344 | Bit_W=(Op&0x01); // Get bit w (full/partial reg size) 345 | 346 | // Check Special Cases for alone Opcodes 347 | switch(Op) 348 | { 349 | case 0x63:{Bit_D=0;Bit_W=1;} break; 350 | case 0x62:{Bit_D=1;Bit_W=1;} break; 351 | case 0x86:{Bit_D=0;Bit_W=0;} break; 352 | case 0x87:{Bit_D=0;Bit_W=1;} break; 353 | case 0x80: case 0x82: { Bit_D=0;Bit_W=0; } break; 354 | case 0x81: case 0x83: { Bit_D=0;Bit_W=1; } break; 355 | case 0x8C:{ Bit_D=0;Bit_W=0;} break; 356 | case 0x8E:{ Bit_D=1;Bit_W=0;} break; 357 | case 0xC4: case 0xC5: { Bit_D=1;Bit_W=1; } break; 358 | } 359 | 360 | Mod_11_RM(Bit_D,Bit_W,&Opcode,&Disasm,mene,RegPrefix,Op,&Index); // Decode with bits 361 | Disasm->PrefixSize=PrefixesSize; // PrefixSize (if prefix present) 362 | break; 363 | } 364 | 365 | // operand doesn't have byte(s) extension in addressing mode 366 | if((BYTE)Opcode[i+1]>=0x00 && (BYTE)Opcode[i+1]<=0xBF) 367 | { 368 | char mene[10]=""; 369 | GetInstruction(Op,mene); // Get instruction from Opcode Byte 370 | Bit_D=(Op&0x02)>>1; // Get bit d (direction) 371 | Bit_W=(Op&0x01); // Get bit w (full/partial reg size) 372 | Mod_RM_SIB(&Disasm,&Opcode,i,AddrPrefix,SEG,&Index,Bit_D,Bit_W,mene,Op,RegPrefix,SegPrefix,AddrPrefix); 373 | Disasm->PrefixSize=PrefixesSize; 374 | break; 375 | } 376 | } 377 | break; 378 | 379 | case 0x04:case 0x0C:case 0x14: // INSTRUCTION AL,XX 380 | case 0x1C:case 0x24:case 0x2C: // INSTRUCTION AL,XX 381 | case 0x34:case 0x3C:case 0xA8: // INSTRUCTION AL,XX 382 | case 0xE4: 383 | { 384 | char mene[10]=""; 385 | GetInstruction(Op,mene); // Get instruction for a specified Byte 386 | wsprintf(menemonic,"%s al, %02X",mene,(BYTE)Opcode[i+1]); 387 | lstrcat(Disasm->Assembly,menemonic); 388 | strcpy(Disasm->Remarks,""); 389 | wsprintf(menemonic,"%02X%02X",Op,(BYTE)*(Opcode+i+1)); 390 | lstrcat(Disasm->Opcode,menemonic); 391 | Disasm->OpcodeSize=2; 392 | Disasm->PrefixSize=PrefixesSize; 393 | ++(*Index); 394 | } 395 | break; 396 | 397 | case 0x05:case 0x0D:case 0x15: // INSTRUCTION EAX/AX,XXXXXXXX 398 | case 0x1D:case 0x25:case 0x2D: // INSTRUCTION EAX/AX,XXXXXXXX 399 | case 0x35:case 0x3D:case 0xA9: // INSTRUCTION EAX/AX,XXXXXXXX 400 | { 401 | char mene[10]=""; 402 | GetInstruction(Op,mene); // Get instruction for a specified Byte 403 | 404 | if(RegPrefix==0) // no prefix 405 | { 406 | // read 4 bytes into EAX 407 | SwapDword((BYTE*)(Opcode+i+1),&dwOp,&dwMem); 408 | wsprintf(menemonic,"%s %s, %08X",mene,Regs[REG32][0],dwMem); 409 | lstrcat(Disasm->Assembly,menemonic); 410 | wsprintf(menemonic,"%02X %08X",Op,dwOp); 411 | lstrcat(Disasm->Opcode,menemonic); 412 | Disasm->OpcodeSize=5; 413 | Disasm->PrefixSize=PrefixesSize; 414 | (*Index)+=4; 415 | } 416 | else if(RegPrefix==1) // RegPrefix is being used 417 | { 418 | // read 2 bytes into AX (REG16) 419 | SwapWord((BYTE*)(Opcode+i+1),&wOp,&wMem); 420 | wsprintf(menemonic,"%s %s, %04X",mene,Regs[REG16][0],wMem); 421 | lstrcat(Disasm->Assembly,menemonic); 422 | wsprintf(menemonic,"%02X %04X",Op,wOp); 423 | lstrcat(Disasm->Opcode,menemonic); 424 | Disasm->OpcodeSize=3; 425 | Disasm->PrefixSize=PrefixesSize; 426 | (*Index)+=2; 427 | } 428 | } 429 | break; 430 | 431 | case 0x06: // PUSH ES 432 | { 433 | lstrcat(Disasm->Assembly,"push es"); 434 | strcpy(Disasm->Remarks,"Push ES register to the stack"); 435 | lstrcat(Disasm->Opcode,"06"); 436 | Disasm->PrefixSize=PrefixesSize; 437 | } 438 | break; 439 | 440 | case 0x07: // POP ES 441 | { 442 | lstrcat(Disasm->Assembly,"pop es"); 443 | strcpy(Disasm->Remarks,"Pop top stack to ES"); 444 | lstrcat(Disasm->Opcode,"07"); 445 | Disasm->PrefixSize=PrefixesSize; 446 | } 447 | break; 448 | 449 | case 0x0E: // PUSH CS 450 | { 451 | lstrcat(Disasm->Assembly,"push cs"); 452 | strcpy(Disasm->Remarks,"Push CS register to the stack"); 453 | lstrcat(Disasm->Opcode,"0E"); 454 | Disasm->PrefixSize=PrefixesSize; 455 | } 456 | break; 457 | 458 | // INTEL - NEW SET (MMX/3DNow!/SSE/SSE2) 459 | case 0x0F: 460 | { 461 | char Instruction[128],m_bytes[128]; 462 | int RetVal; 463 | BYTE Code=(BYTE)Opcode[i+1]; 464 | 465 | lstrcat(Disasm->Opcode,"0F"); 466 | RetVal=GetNewInstruction(Code,Instruction,RegPrefix); 467 | 468 | switch(RetVal) // check if we need to decode instruction 469 | { 470 | case 0: 471 | { 472 | // Decode SIB + ModRM 473 | if((BYTE)Opcode[i+2]>=0x00 && (BYTE)Opcode[i+2]<=0xBF) 474 | { 475 | (*Index)++; 476 | i=*Index; 477 | Bit_D=(Op&0x02)>>1; // Get bit d (direction) 478 | Bit_W=(Op&0x01); // Get bit w (full/partial reg size) 479 | Mod_RM_SIB_EX(&Disasm,&Opcode,i,AddrPrefix,SEG,&Index,Code,RegPrefix,SegPrefix,AddrPrefix,Bit_D,Bit_W,RepPrefix); 480 | Disasm->PrefixSize=PrefixesSize; 481 | Disasm->OpcodeSize++; // 0F extra Byte 482 | break; 483 | } 484 | else 485 | { 486 | if(((BYTE)Opcode[i+2] & 0xC0)==0xC0) 487 | { 488 | Bit_D=(Op&0x02)>>1; // Get bit d (direction) 489 | Bit_W=(Op&0x01); // Get bit w (full/partial reg size) 490 | (*Index)++; 491 | i=*Index; 492 | Mod_11_RM_EX(Bit_D,Bit_W,&Opcode,&Disasm,RegPrefix,Code,&Index,RepPrefix); // Decode with bits 493 | Disasm->PrefixSize=PrefixesSize; 494 | Disasm->OpcodeSize++; // 0F extra Byte 495 | } 496 | break; 497 | } 498 | } 499 | break; // big set instructions 500 | 501 | case 1: // 1 byte instructions set 502 | { 503 | lstrcat(Disasm->Assembly,Instruction); 504 | wsprintf(Instruction,"%02X",Code); 505 | lstrcat(Disasm->Opcode,Instruction); 506 | Disasm->OpcodeSize=2; 507 | Disasm->PrefixSize=PrefixesSize; 508 | (*Index)++; 509 | } 510 | break; 511 | 512 | case 2: // NEAR JUMP (JXX) 513 | { 514 | SwapDword((BYTE*)(Opcode+i+2),&dwOp,&dwMem); 515 | dwMem+=Disasm->Address+PrefixesSize+6; // calculate dest addr 516 | wsprintf(m_bytes,"%08X",dwMem); 517 | strcat(Instruction,m_bytes); 518 | lstrcat(Disasm->Assembly,Instruction); 519 | 520 | wsprintf(m_bytes,"%08X",dwOp); 521 | wsprintf(Instruction,"%02X ",Code); 522 | lstrcat(Disasm->Opcode,Instruction); 523 | lstrcat(Disasm->Opcode,m_bytes); 524 | Disasm->OpcodeSize=6; 525 | Disasm->PrefixSize=PrefixesSize; 526 | (*Index)+=5; 527 | 528 | } 529 | break; // jump instructions set 530 | 531 | case 3: 532 | { 533 | if(((BYTE)Opcode[i+2]&0xC0)==0xC0) 534 | { 535 | Bit_D=(Op&0x02)>>1; // Get bit d (direction) 536 | Bit_W=(Op&0x01); // Get bit w (full/partial reg size) 537 | (*Index)++; 538 | i=*Index; 539 | Mod_11_RM_EX(Bit_D,Bit_W,&Opcode,&Disasm,RegPrefix,Code,&Index,RepPrefix); // Decode with bits 540 | Disasm->PrefixSize=PrefixesSize; 541 | Disasm->OpcodeSize++; // 0F extra Byte 542 | } 543 | else 544 | { 545 | lstrcat(Disasm->Assembly,Instruction); 546 | wsprintf(Instruction,"%02X",Code); 547 | lstrcat(Disasm->Opcode,Instruction); 548 | Disasm->OpcodeSize=2; 549 | Disasm->PrefixSize=PrefixesSize; 550 | (*Index)++; 551 | } 552 | } 553 | break; 554 | 555 | case 4: 556 | { 557 | if( ((BYTE)Opcode[i+2]>=0x08) && ((BYTE)Opcode[i+2]<=0x0F) ) 558 | { 559 | (*Index)++; 560 | i=*Index; 561 | Bit_D=(Op&0x02)>>1; // Get bit d (direction) 562 | Bit_W=(Op&0x01); // Get bit w (full/partial reg size) 563 | Mod_RM_SIB_EX(&Disasm,&Opcode,i,AddrPrefix,SEG,&Index,Code,RegPrefix,SegPrefix,AddrPrefix,Bit_D,Bit_W,RepPrefix); 564 | Disasm->PrefixSize=PrefixesSize; 565 | Disasm->OpcodeSize++; // 0F extra Byte 566 | } 567 | else{ 568 | lstrcat(Disasm->Assembly,"???"); 569 | wsprintf(Instruction,"%02X",Code); 570 | lstrcat(Disasm->Opcode,Instruction); 571 | Disasm->OpcodeSize=2; 572 | Disasm->PrefixSize=PrefixesSize; 573 | (*Index)++; 574 | } 575 | } 576 | break; 577 | } 578 | 579 | 580 | } 581 | break; 582 | 583 | case 0x16: // PUSH SS 584 | { 585 | lstrcat(Disasm->Assembly,"push ss"); 586 | strcpy(Disasm->Remarks,"Push SS register to the stack"); 587 | lstrcat(Disasm->Opcode,"16"); 588 | Disasm->PrefixSize=PrefixesSize; 589 | } 590 | break; 591 | 592 | case 0x17: // POP SS 593 | { 594 | lstrcat(Disasm->Assembly,"pop ss"); 595 | strcpy(Disasm->Remarks,"Pop top stack to SS"); 596 | lstrcat(Disasm->Opcode,"17"); 597 | Disasm->PrefixSize=PrefixesSize; 598 | } 599 | break; 600 | 601 | case 0x1E: // PUSH DS 602 | { 603 | lstrcat(Disasm->Assembly,"push ds"); 604 | strcpy(Disasm->Remarks,"Push DS register to the stack"); 605 | lstrcat(Disasm->Opcode,"1E"); 606 | Disasm->PrefixSize=PrefixesSize; 607 | } 608 | break; 609 | 610 | case 0x1F: // POP DS 611 | { 612 | lstrcat(Disasm->Assembly,"pop ds"); 613 | strcpy(Disasm->Remarks,"Pop top stack to DS"); 614 | lstrcat(Disasm->Opcode,"1F"); 615 | Disasm->PrefixSize=PrefixesSize; 616 | } 617 | break; 618 | 619 | case 0x27: // DAA 620 | { 621 | lstrcat(Disasm->Assembly,"daa"); 622 | lstrcat(Disasm->Opcode,"27"); 623 | Disasm->PrefixSize=PrefixesSize; 624 | } 625 | break; 626 | 627 | case 0x2F: // DAS 628 | { 629 | lstrcat(Disasm->Assembly,"das"); 630 | lstrcat(Disasm->Opcode,"2F"); 631 | Disasm->PrefixSize=PrefixesSize; 632 | } 633 | break; 634 | 635 | case 0x37: // AAA 636 | { 637 | lstrcat(Disasm->Assembly,"aaa"); 638 | lstrcat(Disasm->Opcode,"37"); 639 | Disasm->PrefixSize=PrefixesSize; 640 | } 641 | break; 642 | 643 | case 0x3F: // AAS 644 | { 645 | lstrcat(Disasm->Assembly,"aas"); 646 | lstrcat(Disasm->Opcode,"3F"); 647 | Disasm->PrefixSize=PrefixesSize; 648 | } 649 | break; 650 | 651 | case 0x40:case 0x41: // INC XXX/XX 652 | case 0x42:case 0x43: // INC XXX/XX 653 | case 0x44:case 0x45: // INC XXX/XX 654 | case 0x46:case 0x47: // INC XXX/XX 655 | { 656 | wsprintf(menemonic,"inc %s",Regs[RM][Op&0x0F]); // Find reg by Masking (Op&0x0F) 657 | lstrcat(Disasm->Assembly,menemonic); 658 | wsprintf(menemonic,"%02X",Op); 659 | lstrcat(Disasm->Opcode,menemonic); 660 | Disasm->PrefixSize=PrefixesSize; 661 | } 662 | break; 663 | 664 | case 0x48:case 0x49: // DEC XXX/XX 665 | case 0x4A:case 0x4B: // DEC XXX/XX 666 | case 0x4C:case 0x4D: // DEC XXX/XX 667 | case 0x4E:case 0x4F: // DEC XXX/XX 668 | { 669 | wsprintf(menemonic,"dec %s",Regs[RM][Op&0x0F-0x08]);// Find reg by Masking (Op&0x0F-0x08) 670 | lstrcat(Disasm->Assembly,menemonic); 671 | wsprintf(menemonic,"%02X",Op); 672 | lstrcat(Disasm->Opcode,menemonic); 673 | Disasm->PrefixSize=PrefixesSize; 674 | } 675 | break; 676 | 677 | case 0x50:case 0x51: // PUSH XXX/XX 678 | case 0x52:case 0x53: // PUSH XXX/XX 679 | case 0x54:case 0x55: // PUSH XXX/XX 680 | case 0x56:case 0x57: // PUSH XXX/XX 681 | { 682 | wsprintf(menemonic,"push %s",Regs[RM][Op&0x0F]);// Find reg by Masking (Op&0x0F) 683 | lstrcat(Disasm->Assembly,menemonic); 684 | wsprintf(menemonic,"%02X",Op); 685 | lstrcat(Disasm->Opcode,menemonic); 686 | Disasm->PrefixSize=PrefixesSize; 687 | } 688 | break; 689 | 690 | case 0x58:case 0x59: // POP XXX/XX 691 | case 0x5A:case 0x5B: // POP XXX/XX 692 | case 0x5C:case 0x5D: // POP XXX/XX 693 | case 0x5E:case 0x5F: // POP XXX/XX 694 | { 695 | wsprintf(menemonic,"pop %s",Regs[RM][(Op&0x0F)-0x08]);// Find reg by Masking (Op&0x0F-0x08) 696 | lstrcat(Disasm->Assembly,menemonic); 697 | wsprintf(menemonic,"%02X",Op); 698 | lstrcat(Disasm->Opcode,menemonic); 699 | Disasm->PrefixSize=PrefixesSize; 700 | } 701 | break; 702 | 703 | case 0x60: // PUSHAD/W (Prefix) 704 | { 705 | if(!RegPrefix) // if RegPrefix == 0 706 | lstrcat(Disasm->Assembly,"pushad"); 707 | else if(RegPrefix==1)// Change Reg Size 708 | lstrcat(Disasm->Assembly,"pushaw"); 709 | 710 | lstrcat(Disasm->Opcode,"60"); 711 | Disasm->PrefixSize=PrefixesSize; 712 | } 713 | break; 714 | 715 | case 0x61: // POPAD/W (Prefix) 716 | { 717 | if(!RegPrefix) // if RegPrefix == 0 718 | lstrcat(Disasm->Assembly,"popad"); 719 | else if(RegPrefix==1)// Change Reg Size 720 | lstrcat(Disasm->Assembly,"popaw"); 721 | 722 | lstrcat(Disasm->Opcode,"61"); 723 | Disasm->PrefixSize=PrefixesSize; 724 | } 725 | break; 726 | 727 | case 0x68: // PUSH XXXXXXXX 728 | { 729 | if(RegPrefix==0) 730 | { // PUSH 4 bytes 731 | SwapDword((BYTE*)(Opcode+i+1),&dwOp,&dwMem); 732 | wsprintf(menemonic,"push %08X",dwMem); 733 | lstrcat(Disasm->Assembly,menemonic); 734 | wsprintf(menemonic,"68 %08X",dwOp); 735 | lstrcat(Disasm->Opcode,menemonic); 736 | Disasm->OpcodeSize=5; 737 | Disasm->PrefixSize=PrefixesSize; 738 | (*Index)+=4; 739 | } 740 | else 741 | { 742 | // PUSH 2 bytes 743 | SwapWord((BYTE*)(Opcode+i+1),&wOp,&wMem); 744 | wsprintf(menemonic,"push %04X",wMem); 745 | lstrcat(Disasm->Assembly,menemonic); 746 | wsprintf(menemonic,"68 %04X",wOp); 747 | lstrcat(Disasm->Opcode,menemonic); 748 | Disasm->OpcodeSize=3; 749 | Disasm->PrefixSize=PrefixesSize; 750 | (*Index)+=2; 751 | } 752 | } 753 | break; 754 | 755 | case 0x6A: // PUSH XX 756 | { 757 | if((BYTE)Opcode[i+1]>=0x80) // Signed Numebers (Negative) 758 | wsprintf(menemonic,"push -%02X",(0x100-(BYTE)Opcode[i+1])); 759 | else 760 | wsprintf(menemonic,"push %02X",(BYTE)Opcode[i+1]); // Unsigned Numbers (Positive) 761 | lstrcat(Disasm->Assembly,menemonic); 762 | wsprintf(menemonic,"6A%02X",(BYTE)*(Opcode+i+1)); 763 | lstrcat(Disasm->Opcode,menemonic); 764 | Disasm->OpcodeSize=2; 765 | Disasm->PrefixSize=PrefixesSize; 766 | ++(*Index); 767 | } 768 | break; 769 | 770 | case 0x6C: case 0x6D: // INSB/INSW/INSD 771 | { 772 | if((Op&0x0F)==0x0C) 773 | { 774 | lstrcat(Disasm->Assembly,"insb"); 775 | wsprintf(menemonic,"Byte ptr ES:[%s], DX",Regs[ADDRM][7]); 776 | strcpy(Disasm->Remarks,menemonic); 777 | } 778 | else if((Op&0x0F)==0x0D) 779 | if(!RegPrefix) // If RegPrefix == 0 780 | { 781 | lstrcat(Disasm->Assembly,"insd"); 782 | wsprintf(menemonic,"Dword ptr ES:[%s], DX",Regs[ADDRM][7]); 783 | strcpy(Disasm->Remarks,menemonic); 784 | } 785 | else if(RegPrefix==1) // Found RegPrefix == 1 786 | { 787 | lstrcat(Disasm->Assembly,"insw"); 788 | wsprintf(menemonic,"Word ptr ES:[%s], DX",Regs[ADDRM][7]); 789 | strcpy(Disasm->Remarks,menemonic); 790 | } 791 | 792 | wsprintf(menemonic,"%02X",Op); 793 | lstrcat(Disasm->Opcode,menemonic); 794 | Disasm->PrefixSize=PrefixesSize; 795 | } 796 | break; 797 | 798 | case 0x6E: case 0x6F: // OUTSB/OUTSW/OUTSD 799 | { 800 | if((Op&0x0F)==0x0E) 801 | { 802 | lstrcat(Disasm->Assembly,"outsb"); 803 | wsprintf(menemonic,"DX, Byte ptr ES:[%s]",Regs[ADDRM][7]); 804 | strcpy(Disasm->Remarks,menemonic); 805 | } 806 | else if((Op&0x0F)==0x0F) 807 | if(!RegPrefix) // If RegPrefix == 0 808 | { 809 | lstrcat(Disasm->Assembly,"outsd"); 810 | wsprintf(menemonic,"DX, Dword ptr ES:[%s]",Regs[ADDRM][7]); 811 | strcpy(Disasm->Remarks,menemonic); 812 | } 813 | else if(RegPrefix==1) // Found RegPrefix == 1 814 | { 815 | lstrcat(Disasm->Assembly,"outsw"); 816 | wsprintf(menemonic,"DX, Word ptr ES:[%s]",Regs[ADDRM][7]); 817 | strcpy(Disasm->Remarks,menemonic); 818 | } 819 | 820 | wsprintf(menemonic,"%02X",Op); 821 | lstrcat(Disasm->Opcode,menemonic); 822 | Disasm->PrefixSize=PrefixesSize; 823 | } 824 | break; 825 | 826 | case 0x70: case 0x71: case 0x72: case 0x73: //JUMP XXXXXXXX 827 | case 0x74: case 0x75: case 0x76: case 0x77: //JUMP XXXXXXXX 828 | case 0x78: case 0x79: case 0x7A: case 0x7B: //JUMP XXXXXXXX 829 | case 0x7C: case 0x7D: case 0x7E: case 0x7F: //JUMP XXXXXXXX 830 | case 0xE0: case 0xE1: case 0xE2: case 0xEB: //JUMP XXXXXXXX 831 | case 0xE3: 832 | { 833 | DWORD JumpAddress=0; 834 | BYTE JumpSize; 835 | char temp[10]; 836 | JumpSize=(BYTE)Opcode[i+1]; 837 | 838 | // Short Jump $+2 839 | if((BYTE)Opcode[i+1]>0x7F) 840 | JumpAddress=Disasm->Address + ((2 + PrefixesSize + JumpSize)-0x100); 841 | else 842 | JumpAddress=Disasm->Address + 2 + JumpSize +PrefixesSize; 843 | 844 | GetJumpInstruction(Op,temp); 845 | if(Op==0xE3 && AddrPrefix==1) 846 | strcpy(temp,"jcxz"); 847 | 848 | wsprintf(menemonic,"%s %08X",temp,JumpAddress); 849 | lstrcat(Disasm->Assembly,menemonic); 850 | wsprintf(menemonic,"%02X%02X",Op,(BYTE)Opcode[i+1]); 851 | lstrcat(Disasm->Opcode,menemonic); 852 | Disasm->OpcodeSize=2; 853 | Disasm->PrefixSize=PrefixesSize; 854 | ++(*Index); 855 | } 856 | break; 857 | 858 | case 0x90: // NOP (XCHG EAX, EAX) 859 | { 860 | lstrcat(Disasm->Assembly,"nop"); 861 | lstrcat(Disasm->Opcode,"90"); 862 | Disasm->PrefixSize=PrefixesSize; 863 | } 864 | break; 865 | 866 | case 0x91:case 0x92: // XCHG XXX, XXX 867 | case 0x93:case 0x94: // XCHG XXX, XXX 868 | case 0x95:case 0x96: // XCHG XXX, XXX 869 | case 0x97: // XCHG XXX, XXX 870 | { 871 | Mod_11_RM(1,1,&Opcode,&Disasm,"xchg",RegPrefix,Op,&Index);//+ 0x30 872 | Disasm->PrefixSize=PrefixesSize; 873 | } 874 | break; 875 | 876 | case 0x98: // CWDE/CDW (Prefix) 877 | { 878 | if(!RegPrefix) 879 | lstrcat(Disasm->Assembly,"cwde"); 880 | else if(RegPrefix==1) 881 | lstrcat(Disasm->Assembly,"cbw"); 882 | 883 | lstrcat(Disasm->Opcode,"98"); 884 | Disasm->PrefixSize=PrefixesSize; 885 | } 886 | break; 887 | 888 | case 0x99: // CWDE/CDW (Prefix) 889 | { 890 | if(!RegPrefix) 891 | lstrcat(Disasm->Assembly,"cdq"); 892 | else if(RegPrefix==1) 893 | lstrcat(Disasm->Assembly,"cwd"); 894 | 895 | lstrcat(Disasm->Opcode,"98"); 896 | Disasm->PrefixSize=PrefixesSize; 897 | } 898 | break; 899 | 900 | case 0x9A: case 0xEA: // CALL/JMP XXXX:XXXXXXXX (FAR CALL) 901 | { 902 | char temp[10]; 903 | 904 | switch(Op) 905 | { 906 | case 0x9A:strcpy(temp,"call");break; 907 | case 0xEA:strcpy(temp,"jmp");break; 908 | } 909 | 910 | if(AddrPrefix==0) 911 | { 912 | SwapDword((BYTE*)(Opcode+i+1),&dwOp,&dwMem); 913 | SwapWord((BYTE*)(Opcode+i+5),&wOp,&wMem); 914 | 915 | wsprintf(menemonic,"%s %04X:%08X",temp,wMem,dwMem); 916 | lstrcat(Disasm->Assembly,menemonic); 917 | wsprintf(menemonic,"%02X %08X %04X",Op,dwOp,wOp); 918 | lstrcat(Disasm->Opcode,menemonic); 919 | Disasm->OpcodeSize=7; 920 | Disasm->PrefixSize=PrefixesSize; 921 | (*Index)+=6; 922 | 923 | // if (Op==0x9A) 924 | // { 925 | // DWORD CallOff=dwMem-BASEADDRES; 926 | // PBYTE pCallData=pCodeBase+CallOff; 927 | // CallHandle(pCallData,Disasm); 928 | // } 929 | } 930 | else 931 | { 932 | WORD w_op,w_mem; 933 | SwapWord((BYTE*)(Opcode+i+3),&wOp,&wMem); 934 | SwapWord((BYTE*)(Opcode+i+1),&w_op,&w_mem); 935 | 936 | wsprintf(menemonic,"%s %04X:%08X",temp,wMem,w_mem); 937 | lstrcat(Disasm->Assembly,menemonic); 938 | wsprintf(menemonic,"%02X %04X %04X",Op,w_op,wOp); 939 | lstrcat(Disasm->Opcode,menemonic); 940 | Disasm->OpcodeSize=5; 941 | Disasm->PrefixSize=PrefixesSize; 942 | (*Index)+=4; 943 | 944 | // if (Op==0x9A) 945 | // { 946 | // DWORD CallOff=w_mem-BASEADDRES; 947 | // PBYTE pCallData=pCodeBase+CallOff; 948 | // CallHandle(pCallData,Disasm); 949 | // } 950 | } 951 | wsprintf(menemonic,"Far %s",temp); 952 | strcpy(Disasm->Remarks,menemonic); 953 | 954 | } 955 | break; 956 | 957 | case 0x9B: // WAIT 958 | { 959 | lstrcat(Disasm->Assembly,"wait"); 960 | lstrcat(Disasm->Opcode,"9B"); 961 | Disasm->PrefixSize=PrefixesSize; 962 | } 963 | break; 964 | 965 | case 0x9C: // PUSHFD/PUSHFW 966 | { 967 | if(!RegPrefix) 968 | lstrcat(Disasm->Assembly,"pushfd"); 969 | else if(RegPrefix==1) 970 | lstrcat(Disasm->Assembly,"pushfw"); 971 | 972 | lstrcat(Disasm->Opcode,"9C"); 973 | Disasm->PrefixSize=PrefixesSize; 974 | } 975 | break; 976 | 977 | case 0x9D: // POPFD/POPFW 978 | { 979 | if(!RegPrefix) 980 | lstrcat(Disasm->Assembly,"popfd"); 981 | else if(RegPrefix==1) 982 | lstrcat(Disasm->Assembly,"popfw"); 983 | 984 | lstrcat(Disasm->Opcode,"9D"); 985 | Disasm->PrefixSize=PrefixesSize; 986 | } 987 | break; 988 | 989 | case 0x9E: // SAHF 990 | { 991 | lstrcat(Disasm->Assembly,"sahf"); 992 | lstrcat(Disasm->Opcode,"9E"); 993 | Disasm->PrefixSize=PrefixesSize; 994 | } 995 | break; 996 | 997 | case 0x9F: // LAHF 998 | { 999 | lstrcat(Disasm->Assembly,"lahf"); 1000 | lstrcat(Disasm->Opcode,"9F"); 1001 | Disasm->PrefixSize=PrefixesSize; 1002 | } 1003 | break; 1004 | 1005 | case 0xA0:case 0xA2: // MOV AL, BYTE PTR XX:[XXXXXXXX], AL 1006 | { 1007 | if(!AddrPrefix) 1008 | { 1009 | SwapDword((BYTE*)(Opcode+i+1),&dwOp,&dwMem); 1010 | switch(Op) 1011 | { 1012 | case 0xA0:wsprintf(menemonic,"mov al, Byte ptr %s:[%08X]",Segs[SEG],dwMem);break; 1013 | case 0xA2:wsprintf(menemonic,"mov Byte ptr %s:[%08X], al",Segs[SEG],dwMem);break; 1014 | } 1015 | 1016 | lstrcat(Disasm->Assembly,menemonic); 1017 | wsprintf(menemonic,"%02X %08X",Op,dwOp); 1018 | lstrcat(Disasm->Opcode,menemonic); 1019 | Disasm->OpcodeSize=5; 1020 | Disasm->PrefixSize=PrefixesSize; 1021 | (*Index)+=4; 1022 | } 1023 | else 1024 | { 1025 | SwapWord((BYTE*)(Opcode+i+1),&wOp,&wMem); 1026 | switch(Op) 1027 | { 1028 | case 0xA0:wsprintf(menemonic,"mov al, Byte ptr %s:[%04X]",Segs[SEG],wMem);break; 1029 | case 0xA2:wsprintf(menemonic,"mov Byte ptr %s:[%04X], al",Segs[SEG],wMem);break; 1030 | } 1031 | lstrcat(Disasm->Assembly,menemonic); 1032 | wsprintf(menemonic,"%02X %04X",Op,wOp); 1033 | lstrcat(Disasm->Opcode,menemonic); 1034 | Disasm->OpcodeSize=3; 1035 | Disasm->PrefixSize=PrefixesSize; 1036 | (*Index)+=2; 1037 | } 1038 | } 1039 | break; 1040 | 1041 | case 0xA1:case 0xA3: // MOV EAX/AX, BYTE PTR XX:[XXXXXXXX], EAX/AX 1042 | { 1043 | if(!AddrPrefix)// no addr size change 1044 | { 1045 | SwapDword((BYTE*)(Opcode+i+1),&dwOp,&dwMem); 1046 | switch(Op) 1047 | { 1048 | case 0xA1:wsprintf(menemonic,"mov %s, %s ptr %s:[%08X]",Regs[RM][0],RSize,Segs[SEG],dwMem);break; 1049 | case 0xA3:wsprintf(menemonic,"mov %s ptr %s:[%08X], %s",RSize,Segs[SEG],dwMem,Regs[RM][0]);break; 1050 | } 1051 | lstrcat(Disasm->Assembly,menemonic); 1052 | wsprintf(menemonic,"%02X %08X",Op,dwOp); 1053 | lstrcat(Disasm->Opcode,menemonic); 1054 | Disasm->OpcodeSize=5; 1055 | Disasm->PrefixSize=PrefixesSize; 1056 | (*Index)+=4; 1057 | } 1058 | else if(AddrPrefix==1) 1059 | { 1060 | SwapWord((BYTE*)(Opcode+i+1),&wOp,&wMem); 1061 | switch(Op) // change addr size DWORD->WORD 1062 | { 1063 | case 0xA1:wsprintf(menemonic,"mov %s, %s ptr %s:[%04X]",Regs[RM][0],RSize,Segs[SEG],wMem);break; 1064 | case 0xA3:wsprintf(menemonic,"mov %s ptr %s:[%04X], %s",RSize,Segs[SEG],wMem,Regs[RM][0]);break; 1065 | } 1066 | lstrcat(Disasm->Assembly,menemonic); 1067 | wsprintf(menemonic,"%02X %04X",Op,wOp); 1068 | lstrcat(Disasm->Opcode,menemonic); 1069 | Disasm->OpcodeSize=3; 1070 | Disasm->PrefixSize=PrefixesSize; 1071 | (*Index)+=2; 1072 | } 1073 | } 1074 | break; 1075 | 1076 | case 0xA4:case 0xA5: // MOVSB/MOVSW/MOVSD 1077 | { 1078 | if(RepPrefix==1 && (BYTE)Opcode[i-1]==0xF3) 1079 | strcpy(Disasm->Assembly,"rep "); 1080 | 1081 | if((Op&0x0F)==0x04) 1082 | wsprintf(menemonic,"Byte ptr %s:[%s], Byte ptr %s:[%s]",Segs[SEG_ES],Regs[ADDRM][7],Segs[SEG],Regs[ADDRM][6]); 1083 | else if((Op&0x0F)==0x05) 1084 | wsprintf(menemonic,"%s ptr %s:[%s], %s ptr %s:[%s]",RSize,Segs[SEG_ES],Regs[ADDRM][7],RSize,Segs[SEG],Regs[ADDRM][6]); 1085 | 1086 | lstrcat(Disasm->Assembly,"movs"); 1087 | strcpy(Disasm->Remarks,menemonic); 1088 | wsprintf(menemonic,"%02X",Op); 1089 | lstrcat(Disasm->Opcode,menemonic); 1090 | Disasm->PrefixSize=PrefixesRSize; 1091 | } 1092 | break; 1093 | 1094 | case 0xA6:case 0xA7: // CMPSB/CMPSW/CMPSD 1095 | { 1096 | if((Op&0x0F)==0x06) 1097 | { 1098 | if(RepPrefix==1) 1099 | wsprintf(menemonic,"Byte ptr %s:[%s], Byte ptr %s:[%s]",Segs[SEG_ES],Regs[ADDRM][7],Segs[SEG],Regs[ADDRM][6]); 1100 | else 1101 | wsprintf(menemonic,"Byte ptr %s:[%s], Byte ptr %s:[%s]",Segs[SEG],Regs[ADDRM][6],Segs[SEG_ES],Regs[ADDRM][7]); 1102 | } 1103 | else if((Op&0x0F)==0x07) 1104 | { 1105 | if(RepPrefix==1) 1106 | wsprintf(menemonic,"%s ptr %s:[%s], %s ptr %s:[%s]",RSize,Segs[SEG_ES],Regs[ADDRM][7],RSize,Segs[SEG],Regs[ADDRM][6]); 1107 | else 1108 | wsprintf(menemonic,"%s ptr %s:[%s], %s ptr %s:[%s]",RSize,Segs[SEG],Regs[ADDRM][6],RSize,Segs[SEG_ES],Regs[ADDRM][7]); 1109 | } 1110 | 1111 | lstrcat(Disasm->Assembly,"cmps"); 1112 | strcpy(Disasm->Remarks,menemonic); 1113 | wsprintf(menemonic,"%02X",Op); 1114 | lstrcat(Disasm->Opcode,menemonic); 1115 | Disasm->PrefixSize=PrefixesRSize; 1116 | } 1117 | break; 1118 | 1119 | case 0xAA:case 0xAB: // STOSB/STOSW/STOSD 1120 | { 1121 | if(RepPrefix==1 && (BYTE)Opcode[i-1]==0xF3) 1122 | strcpy(Disasm->Assembly,"rep "); 1123 | 1124 | if((Op&0x0F)==0x0A) 1125 | wsprintf(menemonic,"Byte ptr %s:[%s]",Segs[SEG_ES],Regs[ADDRM][7]); 1126 | else if((Op&0x0F)==0x0B) 1127 | wsprintf(menemonic,"%s ptr %s:[%s]",RSize,Segs[SEG_ES],Regs[ADDRM][7]); 1128 | 1129 | lstrcat(Disasm->Assembly,"stos"); 1130 | strcpy(Disasm->Remarks,menemonic); 1131 | wsprintf(menemonic,"%02X",Op); 1132 | lstrcat(Disasm->Opcode,menemonic); 1133 | Disasm->PrefixSize=PrefixesRSize; 1134 | } 1135 | break; 1136 | 1137 | case 0xAC:case 0xAD: // LODSB/LODSW/LODSD 1138 | { 1139 | if(RepPrefix==1 && (BYTE)Opcode[i-1]==0xF3) 1140 | strcpy(Disasm->Assembly,"rep "); 1141 | 1142 | if((Op&0x0F)==0x0C) 1143 | wsprintf(menemonic,"Byte ptr %s:[%s]",Segs[SEG_DS],Regs[ADDRM][6]); 1144 | else if((Op&0x0F)==0x0D) 1145 | wsprintf(menemonic,"%s ptr %s:[%s]",RSize,Segs[SEG_DS],Regs[ADDRM][6]); 1146 | 1147 | lstrcat(Disasm->Assembly,"lods"); 1148 | strcpy(Disasm->Remarks,menemonic); 1149 | wsprintf(menemonic,"%02X",Op); 1150 | lstrcat(Disasm->Opcode,menemonic); 1151 | Disasm->PrefixSize=PrefixesRSize; 1152 | } 1153 | break; 1154 | 1155 | case 0xAE:case 0xAF: // SCASB/SCASW/SCASD 1156 | { 1157 | if((Op&0x0F)==0x0E) 1158 | wsprintf(menemonic,"Byte ptr %s:[%s]",Segs[SEG_ES],Regs[ADDRM][7]); 1159 | else if((Op&0x0F)==0x0F) 1160 | wsprintf(menemonic,"%s ptr %s:[%s]",RSize,Segs[SEG_ES],Regs[ADDRM][7]); 1161 | 1162 | lstrcat(Disasm->Assembly,"scas"); 1163 | strcpy(Disasm->Remarks,menemonic); 1164 | wsprintf(menemonic,"%02X",Op); 1165 | lstrcat(Disasm->Opcode,menemonic); 1166 | Disasm->PrefixSize=PrefixesRSize; 1167 | } 1168 | break; 1169 | 1170 | case 0xB0:case 0xB1: // MOV XX, XX 1171 | case 0xB2:case 0xB3: // MOV XX, XX 1172 | case 0xB4:case 0xB5: // MOV XX, XX 1173 | case 0xB6:case 0xB7: // MOV XX, XX 1174 | { 1175 | wsprintf(menemonic,"mov %s, %02X",Regs[REG8][Op&0xF],(BYTE)Opcode[i+1]); 1176 | lstrcat(Disasm->Assembly,menemonic); 1177 | wsprintf(menemonic,"%02X%02X",Op,(BYTE)*(Opcode+i+1)); 1178 | lstrcat(Disasm->Opcode,menemonic); 1179 | Disasm->OpcodeSize=2; 1180 | Disasm->PrefixSize=PrefixesSize; 1181 | ++(*Index); 1182 | } 1183 | break; 1184 | 1185 | case 0xB8:case 0xB9: // MOV XX/XXX, XXXXXXXX 1186 | case 0xBA:case 0xBB: // MOV XX/XXX, XXXXXXXX 1187 | case 0xBC:case 0xBD: // MOV XX/XXX, XXXXXXXX 1188 | case 0xBE:case 0xBF: // MOV XX/XXX, XXXXXXXX 1189 | { 1190 | if(!RegPrefix) // check if default prefix has changed 1191 | { 1192 | SwapDword((BYTE*)(Opcode+i+1),&dwOp,&dwMem); 1193 | wsprintf(menemonic,"mov %s, %08X",Regs[RM][(Op&0xF)-0x08],dwMem); 1194 | lstrcat(Disasm->Assembly,menemonic); 1195 | wsprintf(menemonic,"%02X %08X",Op,dwOp); 1196 | lstrcat(Disasm->Opcode,menemonic); 1197 | Disasm->OpcodeSize=5; 1198 | Disasm->PrefixSize=PrefixesSize; 1199 | (*Index)+=4; 1200 | } 1201 | else 1202 | { 1203 | SwapWord((BYTE*)(Opcode+i+1),&wOp,&wMem); 1204 | wsprintf(menemonic,"mov %s, %04X",Regs[RM][(Op&0xF)-0x08],wMem); 1205 | lstrcat(Disasm->Assembly,menemonic); 1206 | wsprintf(menemonic,"%02X %04X",Op,wOp); 1207 | lstrcat(Disasm->Opcode,menemonic); 1208 | Disasm->OpcodeSize=3; 1209 | Disasm->PrefixSize=PrefixesSize; 1210 | (*Index)+=2; 1211 | } 1212 | } 1213 | break; 1214 | 1215 | case 0xC2:case 0xCA: // RET/F XXXX 1216 | { 1217 | char code[6]; 1218 | switch(Op) 1219 | { 1220 | case 0xC2:wsprintf(code,"ret");break; 1221 | case 0xCA:wsprintf(code,"retf");break; 1222 | } 1223 | 1224 | SwapWord((BYTE*)(Opcode+i+1),&wOp,&wMem); 1225 | if(wMem>=0xA000) 1226 | wsprintf(menemonic,"%s %05X",code,wMem); 1227 | else 1228 | wsprintf(menemonic,"%s %04X",code,wMem); 1229 | 1230 | lstrcat(Disasm->Assembly,menemonic); 1231 | wsprintf(menemonic,"%02X %04X",Op,wOp); 1232 | lstrcat(Disasm->Opcode,menemonic); 1233 | Disasm->OpcodeSize=3; 1234 | Disasm->PrefixSize=PrefixesSize; 1235 | if(LockPrefix==1) 1236 | lstrcat(Disasm->Remarks,""); 1237 | 1238 | (*Index)+=2; 1239 | } 1240 | break; 1241 | 1242 | case 0xC3: // RET 1243 | { 1244 | lstrcat(Disasm->Assembly,"ret"); 1245 | lstrcat(Disasm->Opcode,"C3"); 1246 | Disasm->PrefixSize=PrefixesSize; 1247 | lstrcat(Disasm->Remarks,"Pop IP"); 1248 | } 1249 | break; 1250 | 1251 | case 0xC8: // ENTER XXXX, XX 1252 | { 1253 | SwapWord((BYTE*)(Opcode+i+1),&wOp,&wMem); 1254 | wsprintf(menemonic,"enter %04X, %02X",wMem,(BYTE)Opcode[i+3]); 1255 | lstrcat(Disasm->Assembly,menemonic); 1256 | wsprintf(menemonic,"C8 %04X %02X",wOp,(BYTE)Opcode[i+3]); 1257 | lstrcat(Disasm->Opcode,menemonic); 1258 | Disasm->OpcodeSize=4; 1259 | Disasm->PrefixSize=PrefixesSize; 1260 | (*Index)+=3; 1261 | } 1262 | break; 1263 | 1264 | case 0xC9: // LEAVE 1265 | { 1266 | lstrcat(Disasm->Assembly,"leave"); 1267 | lstrcat(Disasm->Opcode,"C9"); 1268 | Disasm->PrefixSize=PrefixesSize; 1269 | } 1270 | break; 1271 | 1272 | case 0xCB: // RETF 1273 | { 1274 | lstrcat(Disasm->Assembly,"retf"); 1275 | lstrcat(Disasm->Opcode,"CB"); 1276 | Disasm->PrefixSize=PrefixesSize; 1277 | } 1278 | break; 1279 | 1280 | case 0xCC: // INT 3 1281 | { 1282 | lstrcat(Disasm->Assembly,"int3"); 1283 | lstrcat(Disasm->Opcode,"CC"); 1284 | Disasm->PrefixSize=PrefixesSize; 1285 | } 1286 | break; 1287 | 1288 | case 0xCD: // INT XX 1289 | { 1290 | wsprintf(menemonic,"int %02X",(BYTE)Opcode[i+1]); 1291 | lstrcat(Disasm->Assembly,menemonic); 1292 | wsprintf(menemonic,"CD %02X",(BYTE)*(Opcode+i+1)); 1293 | lstrcat(Disasm->Opcode,menemonic); 1294 | Disasm->OpcodeSize=2; 1295 | Disasm->PrefixSize=PrefixesSize; 1296 | ++(*Index); 1297 | } 1298 | break; 1299 | 1300 | case 0xCE: // INTO 1301 | { 1302 | lstrcat(Disasm->Assembly,"into"); 1303 | lstrcat(Disasm->Opcode,"CE"); 1304 | Disasm->PrefixSize=PrefixesSize; 1305 | } 1306 | break; 1307 | 1308 | case 0xCF: // IRETD/W 1309 | { 1310 | if(!RegPrefix){ 1311 | lstrcat(Disasm->Assembly,"iretd"); 1312 | } 1313 | else if(RegPrefix==1){ 1314 | lstrcat(Disasm->Assembly,"iretw"); 1315 | } 1316 | lstrcat(Disasm->Opcode,"CF"); 1317 | Disasm->PrefixSize=PrefixesSize; 1318 | } 1319 | break; 1320 | 1321 | case 0xD4:case 0xD5: // AAM/AAD 1322 | { 1323 | char opcode[5]; 1324 | switch(Op) 1325 | { 1326 | case 0xD4:wsprintf(opcode,"aam");break; 1327 | case 0xD5:wsprintf(opcode,"aad");break; 1328 | } 1329 | wsprintf(menemonic,"%s %02X",opcode,(BYTE)Opcode[i+1]); 1330 | lstrcat(Disasm->Assembly,menemonic); 1331 | wsprintf(menemonic,"%02X%02X",Op,(BYTE)*(Opcode+i+1)); 1332 | lstrcat(Disasm->Opcode,menemonic); 1333 | Disasm->OpcodeSize=2; 1334 | Disasm->PrefixSize=PrefixesSize; 1335 | ++(*Index); 1336 | } 1337 | break; 1338 | 1339 | case 0xD6: // SALC 1340 | { 1341 | lstrcat(Disasm->Assembly,"salc"); 1342 | lstrcat(Disasm->Opcode,"D6"); 1343 | Disasm->PrefixSize=PrefixesSize; 1344 | } 1345 | break; 1346 | 1347 | case 0xD7: // XLAT 1348 | { 1349 | lstrcat(Disasm->Assembly,"xlat"); 1350 | lstrcat(Disasm->Opcode, "D7"); 1351 | wsprintf(menemonic,"Byte ptr %s:[%s+al]",Segs[SEG],Regs[ADDRM][3]); 1352 | lstrcat(Disasm->Remarks,menemonic); 1353 | Disasm->PrefixSize=PrefixesSize; 1354 | } 1355 | break; 1356 | 1357 | // 0xE4 is at 'in al, xxx' cases 1358 | case 0xE5: // IN EAX/AX, XX 1359 | { 1360 | // special case Opcode, insted of reading DWORD (4 bytes), we read 1 BYTE. 1361 | char mene[10]=""; 1362 | GetInstruction(Op,mene); // get instruction from opcode 1363 | 1364 | if(RegPrefix==0) // no prefix 1365 | { 1366 | // read 4 bytes into EAX 1367 | wsprintf(menemonic,"%s %s, %02X",mene,Regs[REG32][0],(BYTE)Opcode[i+1]); 1368 | lstrcat(Disasm->Assembly,menemonic); 1369 | } 1370 | else if(RegPrefix==1) // prefix is being used 1371 | { 1372 | // read 2 bytes into AX 1373 | wsprintf(menemonic,"%s %s, %02X",mene,Regs[REG16][0],(BYTE)Opcode[i+1]); 1374 | lstrcat(Disasm->Assembly,menemonic); 1375 | } 1376 | wsprintf(menemonic,"%02X%02X",Op,(BYTE)Opcode[i+1]); 1377 | lstrcat(Disasm->Opcode,menemonic); 1378 | Disasm->OpcodeSize=2; 1379 | Disasm->PrefixSize=PrefixesSize; 1380 | lstrcat(Disasm->Remarks,"I/O Instruction"); 1381 | ++(*Index); 1382 | } 1383 | break; 1384 | 1385 | case 0xE6: // OUT XX, AL 1386 | { 1387 | char mene[10]=""; 1388 | GetInstruction(Op,mene); 1389 | wsprintf(menemonic,"%s %02X, al",mene,(BYTE)Opcode[i+1]); 1390 | lstrcat(Disasm->Assembly,menemonic); 1391 | strcpy(Disasm->Remarks,""); 1392 | wsprintf(menemonic,"%02X%02X",Op,(BYTE)*(Opcode+i+1)); 1393 | lstrcat(Disasm->Opcode,menemonic); 1394 | Disasm->OpcodeSize=2; 1395 | Disasm->PrefixSize=PrefixesSize; 1396 | lstrcat(Disasm->Remarks,"I/O Instruction"); 1397 | ++(*Index); 1398 | } 1399 | break; 1400 | 1401 | case 0xE7: // OUT XX, AX/EAX 1402 | { 1403 | // special case Opcode, insted of reading DWORD (4 bytes), we read 1 BYTE. 1404 | char mene[10]=""; 1405 | GetInstruction(Op,mene); // get instruction from opcode 1406 | 1407 | if(RegPrefix==0) // no prefix 1408 | { 1409 | // read 1 byte into EAX 1410 | wsprintf(menemonic,"%s %02X, %s",mene,(BYTE)Opcode[i+1],Regs[REG32][0]); 1411 | lstrcat(Disasm->Assembly,menemonic); 1412 | } 1413 | else if(RegPrefix==1) // prefix is being used 1414 | { 1415 | // read 1 byte into AX 1416 | wsprintf(menemonic,"%s %02X, %s",mene,(BYTE)Opcode[i+1],Regs[REG16][0]); 1417 | lstrcat(Disasm->Assembly,menemonic); 1418 | } 1419 | wsprintf(menemonic,"%02X%02X",Op,(BYTE)Opcode[i+1]); 1420 | lstrcat(Disasm->Opcode,menemonic); 1421 | Disasm->OpcodeSize=2; 1422 | Disasm->PrefixSize=PrefixesSize; 1423 | lstrcat(Disasm->Remarks,"I/O Instruction"); 1424 | ++(*Index); 1425 | } 1426 | break; 1427 | 1428 | case 0xE8:case 0xE9: // CALL/JMP XXXX/XXXXXXXX 1429 | { 1430 | DWORD CallAddress=0; 1431 | DWORD CallSize=0; 1432 | char temp[10]; 1433 | 1434 | switch(Op) 1435 | { 1436 | case 0xE8:strcpy(temp,"call");break; 1437 | case 0xE9:strcpy(temp,"jmp");break; 1438 | } 1439 | 1440 | if(!RegPrefix) 1441 | { 1442 | SwapDword((BYTE*)(Opcode+i+1),&dwOp,&dwMem); 1443 | dwMem+= Disasm->Address + CallSize + 5 + (PrefixesSize-RegPrefix); 1444 | wsprintf(menemonic,"%s %08X",temp,dwMem); 1445 | lstrcat(Disasm->Assembly,menemonic); 1446 | wsprintf(menemonic,"%02X %08X",Op,dwOp); 1447 | lstrcat(Disasm->Opcode,menemonic); 1448 | Disasm->OpcodeSize=5; 1449 | Disasm->PrefixSize = PrefixesSize; 1450 | (*Index)+=4; 1451 | 1452 | if (Op==0xE8) 1453 | { 1454 | DWORD CallOff=dwMem-BaseAddress; 1455 | PBYTE pCallData=pCodeBase+CallOff; 1456 | CallHandle(pCallData,Disasm); 1457 | } 1458 | } 1459 | else 1460 | { 1461 | SwapWord((BYTE*)(Opcode+i+1),&wOp,&wMem); 1462 | if(wMem>=0x0000F000) 1463 | CallAddress = (wMem + 4 + (PrefixesSize-RegPrefix))-0x0000F000; 1464 | else 1465 | CallAddress = (Disasm->Address-0x00400000) + wMem + 4 + (PrefixesSize-RegPrefix); 1466 | wsprintf(menemonic,"%s %08X",temp, CallAddress); 1467 | lstrcat(Disasm->Assembly,menemonic); 1468 | wsprintf(menemonic,"%02X %04X",Op,wOp); 1469 | lstrcat(Disasm->Opcode,menemonic); 1470 | Disasm->OpcodeSize=3; 1471 | Disasm->PrefixSize = PrefixesSize; 1472 | (*Index)+=2; 1473 | 1474 | if (Op==0xE8) 1475 | { 1476 | DWORD CallOff=CallAddress-BaseAddress; 1477 | PBYTE pCallData=pCodeBase+CallOff; 1478 | CallHandle(pCallData,Disasm); 1479 | } 1480 | } 1481 | } 1482 | break; 1483 | 1484 | case 0xEC: // IN AL, DX 1485 | { 1486 | lstrcat(Disasm->Assembly,"in al, dx"); 1487 | lstrcat(Disasm->Opcode,"EC"); 1488 | Disasm->PrefixSize=PrefixesSize; 1489 | lstrcat(Disasm->Remarks,"I/O Instruction"); 1490 | } 1491 | break; 1492 | 1493 | case 0xED: // IN AX/EAX, DX 1494 | { 1495 | wsprintf(menemonic,"in %s, dx",Regs[RM][0]); 1496 | lstrcat(Disasm->Assembly,menemonic); 1497 | lstrcat(Disasm->Opcode,"ED"); 1498 | Disasm->PrefixSize=PrefixesSize; 1499 | lstrcat(Disasm->Remarks,"I/O Instruction"); 1500 | } 1501 | break; 1502 | 1503 | case 0xEE: // OUT DX, AL 1504 | { 1505 | lstrcat(Disasm->Assembly,"out dx, al"); 1506 | lstrcat(Disasm->Opcode,"EE"); 1507 | Disasm->PrefixSize=PrefixesSize; 1508 | lstrcat(Disasm->Remarks,"I/O Instruction"); 1509 | } 1510 | break; 1511 | 1512 | case 0xEF: // OUT DX, AX/EAX 1513 | { 1514 | wsprintf(menemonic,"out dx, %s",Regs[RM][0]); 1515 | lstrcat(Disasm->Assembly,menemonic); 1516 | lstrcat(Disasm->Opcode,"EF"); 1517 | Disasm->PrefixSize=PrefixesSize; 1518 | lstrcat(Disasm->Remarks,"I/O Instruction"); 1519 | } 1520 | break; 1521 | 1522 | case 0xF1: // ICEBP (INT1) 1523 | { 1524 | lstrcat(Disasm->Assembly,"int1"); 1525 | lstrcat(Disasm->Opcode,"F1"); 1526 | Disasm->PrefixSize=PrefixesSize; 1527 | lstrcat(Disasm->Remarks,"(icebp)"); 1528 | } 1529 | break; 1530 | 1531 | case 0xF4: // HLT (HALT) 1532 | { 1533 | lstrcat(Disasm->Assembly,"hlt"); 1534 | lstrcat(Disasm->Opcode,"F4"); 1535 | Disasm->PrefixSize=PrefixesSize; 1536 | lstrcat(Disasm->Remarks,"Halts CPU until RESET"); 1537 | } 1538 | break; 1539 | 1540 | case 0xF5: // CMC 1541 | { 1542 | lstrcat(Disasm->Assembly,"cmc"); 1543 | lstrcat(Disasm->Opcode,"F4"); 1544 | Disasm->PrefixSize=PrefixesSize; 1545 | lstrcat(Disasm->Remarks,"inverts the Carry Flag"); 1546 | } 1547 | break; 1548 | 1549 | case 0xF8: // CLC 1550 | { 1551 | lstrcat(Disasm->Assembly,"clc"); 1552 | lstrcat(Disasm->Opcode,"F8"); 1553 | Disasm->PrefixSize=PrefixesSize; 1554 | lstrcat(Disasm->Remarks,"Clears the Carry Flag"); 1555 | } 1556 | break; 1557 | 1558 | case 0xF9: // STC 1559 | { 1560 | lstrcat(Disasm->Assembly,"stc"); 1561 | lstrcat(Disasm->Opcode,"F9"); 1562 | Disasm->PrefixSize=PrefixesSize; 1563 | lstrcat(Disasm->Remarks,"Sets the Carry Flag to 1"); 1564 | } 1565 | break; 1566 | 1567 | case 0xFA: // CLI 1568 | { 1569 | lstrcat(Disasm->Assembly,"cli"); 1570 | lstrcat(Disasm->Opcode,"FA"); 1571 | Disasm->PrefixSize=PrefixesSize; 1572 | lstrcat(Disasm->Remarks,"Set Interrupt flag to 0"); 1573 | } 1574 | break; 1575 | 1576 | case 0xFB: // STI 1577 | { 1578 | lstrcat(Disasm->Assembly,"sti"); 1579 | lstrcat(Disasm->Opcode,"FB"); 1580 | Disasm->PrefixSize=PrefixesSize; 1581 | lstrcat(Disasm->Remarks,"Set Interrupt flag to 1"); 1582 | } 1583 | break; 1584 | 1585 | case 0xFC: // CLD 1586 | { 1587 | lstrcat(Disasm->Assembly,"cld"); 1588 | lstrcat(Disasm->Opcode,"FC"); 1589 | Disasm->PrefixSize=PrefixesSize; 1590 | lstrcat(Disasm->Remarks,"Set Direction Flag to 0"); 1591 | } 1592 | break; 1593 | 1594 | case 0xFD: // STD 1595 | { 1596 | lstrcat(Disasm->Assembly,"std"); 1597 | lstrcat(Disasm->Opcode,"FD"); 1598 | Disasm->PrefixSize=PrefixesSize; 1599 | lstrcat(Disasm->Remarks,"Set Direction Flag to 1"); 1600 | } 1601 | break; 1602 | } 1603 | } 1604 | 1605 | void ShowDecoded(DISASSEMBLY* pDisasm,FILE* pfile) 1606 | { 1607 | // Printed all information regarding a 1608 | // Decoded instruction 1609 | 1610 | fprintf_s(pfile,"%08X: %-30s %s /%d ; %s",pDisasm->Address, 1611 | pDisasm->Opcode, 1612 | pDisasm->Assembly, 1613 | pDisasm->OpcodeSize+pDisasm->PrefixSize, 1614 | pDisasm->Remarks 1615 | ); 1616 | } 1617 | 1618 | void FlushDecoded(DISASSEMBLY *Disasm) 1619 | { 1620 | // Clear all information of an decoded 1621 | // Instruction 1622 | 1623 | strcpy_s(Disasm->Assembly,256,""); // Clear menemonic 1624 | strcpy_s(Disasm->Remarks,256,""); // Clear commets 1625 | strcpy_s(Disasm->Opcode,30,""); // Clear opcodes linear 1626 | Disasm->OpcodeSize=1; // Smallest opcode size 1627 | Disasm->PrefixSize=0; // No Prefixes 1628 | } 1629 | 1630 | void PVDasm(const PBYTE pCodeData,const DWORD CodeDatSize,DWORD baseAddress,FILE* pFile) 1631 | { 1632 | DISASSEMBLY Disasm; // Creates an Disasm Struct 1633 | // Linear Address to be decoded 1634 | // Pointer to linear address 1635 | char *Linear=""; 1636 | // Index of opcoded to decode 1637 | DWORD Index=0; 1638 | 1639 | pCodeBase=pCodeData; 1640 | Linear=(char*)pCodeData; // Points to the address of array to decode. 1641 | BaseAddress=baseAddress; 1642 | Disasm.Address=BaseAddress; // Common Entry Point (usually default..) 1643 | FlushDecoded(&Disasm); // reset all content 1644 | 1645 | for(Index=0;Index 28 | #include 29 | #include 30 | #include 31 | 32 | #ifndef _DISASM_H_ 33 | #define _DISASM_H_ 34 | 35 | 36 | typedef struct Decoded{ 37 | 38 | // Define Decoded instruction struct 39 | 40 | char Assembly[256]; // Menemonics 41 | char Remarks[256]; // Menemonic addons 42 | char Opcode[30]; // Opcode Byte forms 43 | DWORD Address; // Current address of decoded instruction 44 | BYTE OpcodeSize; // Opcode Size 45 | BYTE PrefixSize; // Size of all prefixes used 46 | 47 | } DISASSEMBLY; 48 | 49 | // Register(s) Size 50 | #define REG8 0 51 | #define REG16 1 52 | #define REG32 2 53 | #define FPU 3 // Not in use. 54 | 55 | // 8Bit Registers 56 | #define REG_AL 0 57 | #define REG_CL 1 58 | #define REG_DL 2 59 | #define REG_BL 3 60 | #define REG_AH 4 61 | #define REG_CH 5 62 | #define REG_DH 6 63 | #define REG_BH 7 64 | 65 | // 16Bit Registers 66 | #define REG_AX 0 67 | #define REG_CX 1 68 | #define REG_DX 2 69 | #define REG_BX 3 70 | #define REG_SP 4 71 | #define REG_BP 5 72 | #define REG_SI 6 73 | #define REG_DI 7 74 | 75 | // 32bit Registers 76 | #define REG_EAX 0 77 | #define REG_ECX 1 78 | #define REG_EDX 2 79 | #define REG_EBX 3 80 | #define REG_ESP 4 81 | #define REG_EBP 5 82 | #define REG_ESI 6 83 | #define REG_EDI 7 84 | 85 | // Segments 86 | #define SEG_ES 0 87 | #define SEG_CS 1 88 | #define SEG_SS 2 89 | #define SEG_DS 3 90 | #define SEG_FS 4 91 | #define SEG_GS 5 92 | 93 | // Sib extention 94 | #define SIB_EX 4 95 | // Disasm Fucntions 96 | 97 | void Mod_RM_SIB( 98 | DISASSEMBLY **Disasm, 99 | char **Opcode, int pos, 100 | bool AddrPrefix, 101 | int SEG, 102 | DWORD **index, 103 | BYTE Bit_d, BYTE Bit_w, 104 | char *instruction,BYTE Op, 105 | bool PrefixReg, 106 | bool PrefixSeg, 107 | bool PrefixAddr 108 | ); 109 | 110 | void Mod_11_RM( 111 | BYTE d, 112 | BYTE w, 113 | char **Opcode, 114 | DISASSEMBLY **Disasm, 115 | char instruction[], 116 | bool PrefixReg, 117 | BYTE Op, 118 | DWORD **index 119 | ); 120 | 121 | 122 | // NEW SET OF INSTRUCTIONS FUNCTIONS 123 | 124 | void Mod_11_RM_EX( 125 | BYTE d, 126 | BYTE w, 127 | char **Opcode, 128 | DISASSEMBLY **Disasm, 129 | bool PrefixReg, 130 | BYTE Op, 131 | DWORD **index, 132 | bool RepPrefix 133 | ); 134 | 135 | void Mod_RM_SIB_EX( 136 | DISASSEMBLY **Disasm, 137 | char **Opcode, int pos, 138 | bool AddrPrefix, 139 | int SEG, 140 | DWORD **index, 141 | BYTE Op, 142 | bool PrefixReg, 143 | bool PrefixSeg, 144 | bool PrefixAddr, 145 | BYTE Bit_d, 146 | BYTE Bit_w, 147 | bool RepPrefix 148 | ); 149 | 150 | void GetInstruction(BYTE Opcode,char *menemonic); 151 | void GetJumpInstruction(BYTE Opcode,char *menemonic); 152 | DWORD StringToDword(char *Text); 153 | WORD StringToWord(char *Text); 154 | void Decode(DISASSEMBLY *Disasm,char *Opcode,DWORD *Index); 155 | void ShowDecoded(DISASSEMBLY* pDisasm,FILE* pfile); 156 | void FlushDecoded(DISASSEMBLY *Disasm); 157 | int GetNewInstruction(BYTE Op,char *ASM,bool RegPrefix); 158 | void SwapDword(BYTE *MemPtr,DWORD *Original,DWORD* Mirrored); 159 | void SwapWord(BYTE *MemPtr,WORD *Original,WORD* Mirrored); 160 | 161 | void PVDasm(const PBYTE pCodeData,const DWORD CodeDatSize,DWORD baseAddress,FILE* pFile); 162 | extern void CallHandle(PBYTE pCallData,DISASSEMBLY* Disasm); 163 | 164 | #endif -------------------------------------------------------------------------------- /LibScanner/PVDasm/Dsasm_Functions.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/LibScanner/PVDasm/Dsasm_Functions.cpp -------------------------------------------------------------------------------- /LibScanner/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | 控制台应用程序:LibScanner 项目概述 3 | ======================================================================== 4 | 5 | 应用程序向导已为您创建了此 LibScanner 应用程序。 6 | 7 | 本文件概要介绍组成 LibScanner 应用程序的 8 | 的每个文件的内容。 9 | 10 | 11 | LibScanner.vcproj 12 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件, 13 | 其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。 14 | 15 | LibScanner.cpp 16 | 这是主应用程序源文件。 17 | 18 | ///////////////////////////////////////////////////////////////////////////// 19 | 其他标准文件: 20 | 21 | StdAfx.h, StdAfx.cpp 22 | 这些文件用于生成名为 LibScanner.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。 23 | 24 | ///////////////////////////////////////////////////////////////////////////// 25 | 其他注释: 26 | 27 | 应用程序向导使用“TODO:”注释来指示应添加或自定义的源代码部分。 28 | 29 | ///////////////////////////////////////////////////////////////////////////// -------------------------------------------------------------------------------- /LibScanner/ScannerMain.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/LibScanner/ScannerMain.cpp -------------------------------------------------------------------------------- /Libs/VC2003Lib/LIBC.flb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC2003Lib/LIBC.flb -------------------------------------------------------------------------------- /Libs/VC2003Lib/LIBCD.flb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC2003Lib/LIBCD.flb -------------------------------------------------------------------------------- /Libs/VC2003Lib/libc.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC2003Lib/libc.lib -------------------------------------------------------------------------------- /Libs/VC2003Lib/libcd.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC2003Lib/libcd.lib -------------------------------------------------------------------------------- /Libs/VC2005Lib/LIBCMT.flb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC2005Lib/LIBCMT.flb -------------------------------------------------------------------------------- /Libs/VC2005Lib/LIBCMTD.flb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC2005Lib/LIBCMTD.flb -------------------------------------------------------------------------------- /Libs/VC2005Lib/libcmt.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC2005Lib/libcmt.lib -------------------------------------------------------------------------------- /Libs/VC2005Lib/libcmtd.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC2005Lib/libcmtd.lib -------------------------------------------------------------------------------- /Libs/VC2008Lib/LIBCMT.flb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC2008Lib/LIBCMT.flb -------------------------------------------------------------------------------- /Libs/VC2008Lib/LIBCMTD.flb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC2008Lib/LIBCMTD.flb -------------------------------------------------------------------------------- /Libs/VC2008Lib/libcmt.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC2008Lib/libcmt.lib -------------------------------------------------------------------------------- /Libs/VC2008Lib/libcmtd.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC2008Lib/libcmtd.lib -------------------------------------------------------------------------------- /Libs/VC6Lib/LIBC.LIB: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC6Lib/LIBC.LIB -------------------------------------------------------------------------------- /Libs/VC6Lib/LIBC.flb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC6Lib/LIBC.flb -------------------------------------------------------------------------------- /Libs/VC6Lib/LIBCD.LIB: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC6Lib/LIBCD.LIB -------------------------------------------------------------------------------- /Libs/VC6Lib/LIBCD.flb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Libs/VC6Lib/LIBCD.flb -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | libparser 2 | ========= 3 | 4 | 解析静态库(Lib)文件,提取出所有函数信息,组织成自定义格式文件 5 | 6 | 1. LibParser 把Libs目录下的各个VC版本的CRT库(.lib)中的函数信息(函数名,函数数据)提取出来,再组织成自定义文件格式 7 | 函数库文件(.flb)函数库文件格式:签名-函数头表-函数名称段-函数数据段 8 | 9 | 2. LibScanner 解析PE文件,把其中的CRT库函数的调用指令打印出来 10 | 11 | 测试例子,test.exe 结果文件test.log 12 | -------------------------------------------------------------------------------- /Test/test.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhaolong/libparser/811c711a1d550d808df2bbefef0da3541fbf9d35/Test/test.exe -------------------------------------------------------------------------------- /Test/test.log: -------------------------------------------------------------------------------- 1 | 00401084: E8 77040000 call 00401500 /5 ; Call LibFunc:_printf 2 | 00401095: E8 66040000 call 00401500 /5 ; Call LibFunc:_printf 3 | 004010A6: E8 55040000 call 00401500 /5 ; Call LibFunc:_printf 4 | 004010B3: E8 48040000 call 00401500 /5 ; Call LibFunc:_printf 5 | 004010C4: E8 D7030000 call 004014A0 /5 ; Call LibFunc:_scanf 6 | 004010D8: E8 83000000 call 00401160 /5 ; Call LibFunc:_memcpy 7 | 004010E9: E8 12040000 call 00401500 /5 ; Call LibFunc:_printf 8 | 004010FA: E8 01040000 call 00401500 /5 ; Call LibFunc:_printf 9 | 0040110C: E8 6F040000 call 00401580 /5 ; Call LibFunc:__chkesp 10 | 004014C5: E8 E6190000 call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 11 | 004014E6: E8 65020000 call 00401750 /5 ; Call LibFunc:__input 12 | 00401525: E8 86190000 call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 13 | 0040153E: E8 0D200000 call 00403550 /5 ; Call LibFunc:__stbuf 14 | 0040156A: E8 41210000 call 004036B0 /5 ; Call LibFunc:__ftbuf 15 | 004015A1: E8 0A190000 call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 16 | 0040165B: E8 A03C0000 call 00405300 /5 ; Call LibFunc:__ioinit 17 | 0040166B: E8 703A0000 call 004050E0 /5 ; Call LibFunc:___crtGetEnvironmentStringsA 18 | 00401675: E8 56350000 call 00404BD0 /5 ; Call LibFunc:__setargv 19 | 0040167A: E8 01340000 call 00404A80 /5 ; Call LibFunc:__setenvp 20 | 0040167F: E8 1C300000 call 004046A0 /5 ; Call LibFunc:__cinit 21 | 004016B3: E8 28300000 call 004046E0 /5 ; Call LibFunc:_exit 22 | 004016CA: E8 A1310000 call 00404870 /5 ; Call LibFunc:__XcptFilter 23 | 004016DA: E8 21300000 call 00404700 /5 ; Call LibFunc:__exit 24 | 004016FC: E8 4F450000 call 00405C50 /5 ; Call LibFunc:__FF_MSGBANNER 25 | 00401705: E8 96450000 call 00405CA0 /5 ; Call LibFunc:__NMSG_WRITE 26 | 0040172C: E8 1F450000 call 00405C50 /5 ; Call LibFunc:__FF_MSGBANNER 27 | 00401735: E8 66450000 call 00405CA0 /5 ; Call LibFunc:__NMSG_WRITE 28 | 00401775: E8 36170000 call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 29 | 004017A2: E8 09170000 call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 30 | 004017E9: E8 724C0000 call 00406460 /5 ; Call LibFunc:__isctype 31 | 00401855: E8 76490000 call 004061D0 /5 ; Call LibFunc:_isspace 32 | 004018F9: E8 624B0000 call 00406460 /5 ; Call LibFunc:__isctype 33 | 00401BD8: E8 33440000 call 00406010 /5 ; Call LibFunc:_memset 34 | 00401E9E: E8 0D400000 call 00405EB0 /5 ; Call LibFunc:_mbtowc 35 | 004020E6: E8 75430000 call 00406460 /5 ; Call LibFunc:__isctype 36 | 00402127: E8 F4430000 call 00406520 /5 ; Call LibFunc:__allshl 37 | 00402168: E8 F3420000 call 00406460 /5 ; Call LibFunc:__isctype 38 | 004021B5: E8 66430000 call 00406520 /5 ; Call LibFunc:__allshl 39 | 004021D8: E8 43430000 call 00406520 /5 ; Call LibFunc:__allshl 40 | 004021E8: E8 33430000 call 00406520 /5 ; Call LibFunc:__allshl 41 | 004022D6: E8 85410000 call 00406460 /5 ; Call LibFunc:__isctype 42 | 0040234B: E8 10410000 call 00406460 /5 ; Call LibFunc:__isctype 43 | 0040254E: E8 0D3F0000 call 00406460 /5 ; Call LibFunc:__isctype 44 | 0040264B: E8 103E0000 call 00406460 /5 ; Call LibFunc:__isctype 45 | 004027AF: E8 AC3C0000 call 00406460 /5 ; Call LibFunc:__isctype 46 | 00402B45: E8 16390000 call 00406460 /5 ; Call LibFunc:__isctype 47 | 00402BCF: E8 6C390000 call 00406540 /5 ; Call LibFunc:__filbuf 48 | 00402C01: E8 1A3B0000 call 00406720 /5 ; Call LibFunc:_ungetc 49 | 00402C34: E8 97350000 call 004061D0 /5 ; Call LibFunc:_isspace 50 | 00402C90: E8 0B400000 call 00406CA0 /5 ; Call LibFunc:__calloc_dbg 51 | 00402CC5: E8 D63F0000 call 00406CA0 /5 ; Call LibFunc:__calloc_dbg 52 | 00402CDD: E8 0EEAFFFF call 004016F0 /5 ; Call LibFunc:__amsg_exit 53 | 00402D83: E8 285C0000 call 004089B0 /5 ; Call LibFunc:__flushall 54 | 00402D93: E8 485A0000 call 004087E0 /5 ; Call LibFunc:__fcloseall 55 | 00402EB8: E8 43620000 call 00409100 /5 ; Call LibFunc:__alloca_probe 56 | 00402FC3: E8 D8FDFFFF call 00402DA0 /5 ; Call LibFunc:__getdrives 57 | 00402FED: E8 0E600000 call 00409000 /5 ; Call LibFunc:__vsnprintf 58 | 00403005: E8 065F0000 call 00408F10 /5 ; Call LibFunc:__mbscpy 59 | 0040303D: E8 CE5E0000 call 00408F10 /5 ; Call LibFunc:__mbscpy 60 | 00403053: E8 C85E0000 call 00408F20 /5 ; Call LibFunc:__mbscat 61 | 0040307E: E8 9D5E0000 call 00408F20 /5 ; Call LibFunc:__mbscat 62 | 00403092: E8 895E0000 call 00408F20 /5 ; Call LibFunc:__mbscat 63 | 004030C0: E8 4B5D0000 call 00408E10 /5 ; Call LibFunc:__snprintf 64 | 004030D8: E8 335E0000 call 00408F10 /5 ; Call LibFunc:__mbscpy 65 | 004030F0: E8 1B5E0000 call 00408F10 /5 ; Call LibFunc:__mbscpy 66 | 0040316A: E8 215C0000 call 00408D90 /5 ; Call LibFunc:_strlen 67 | 004031CD: E8 CE580000 call 00408AA0 /5 ; Call LibFunc:__itoa 68 | 00403248: E8 B35E0000 call 00409100 /5 ; Call LibFunc:__alloca_probe 69 | 00403266: E8 45FCFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 70 | 00403273: E8 28FBFFFF call 00402DA0 /5 ; Call LibFunc:__getdrives 71 | 004032A2: E8 695C0000 call 00408F10 /5 ; Call LibFunc:__mbscpy 72 | 004032B7: E8 D45A0000 call 00408D90 /5 ; Call LibFunc:_strlen 73 | 004032C8: E8 C35A0000 call 00408D90 /5 ; Call LibFunc:_strlen 74 | 004032E5: E8 36630000 call 00409620 /5 ; Call LibFunc:_strncpy 75 | 00403306: E8 855A0000 call 00408D90 /5 ; Call LibFunc:_strlen 76 | 0040331A: E8 715A0000 call 00408D90 /5 ; Call LibFunc:_strlen 77 | 00403340: E8 DB620000 call 00409620 /5 ; Call LibFunc:_strncpy 78 | 004034DD: E8 2E590000 call 00408E10 /5 ; Call LibFunc:__snprintf 79 | 004034F5: E8 165A0000 call 00408F10 /5 ; Call LibFunc:__mbscpy 80 | 0040350E: E8 4D600000 call 00409560 /5 ; Call LibFunc:___crtMessageBoxA 81 | 00403527: E8 145E0000 call 00409340 /5 ; Call LibFunc:_raise 82 | 00403531: E8 CA110000 call 00404700 /5 ; Call LibFunc:__exit 83 | 0040356F: E8 3CF9FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 84 | 00403590: E8 8B610000 call 00409720 /5 ; Call LibFunc:__isatty 85 | 004036D6: E8 D5F7FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 86 | 00403709: E8 E2510000 call 004088F0 /5 ; Call LibFunc:__flush 87 | 00403752: E8 99510000 call 004088F0 /5 ; Call LibFunc:__flush 88 | 004038A0: E8 0BF6FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 89 | 00403B41: E8 0A5C0000 call 00409750 /5 ; Call LibFunc:_wctomb 90 | 00403BC6: E8 C5510000 call 00408D90 /5 ; Call LibFunc:_strlen 91 | 00403EF3: E8 984E0000 call 00408D90 /5 ; Call LibFunc:_strlen 92 | 00404171: E8 EA560000 call 00409860 /5 ; Call LibFunc:__aullrem 93 | 00404196: E8 55560000 call 004097F0 /5 ; Call LibFunc:__aulldiv 94 | 0040437C: E8 CF530000 call 00409750 /5 ; Call LibFunc:_wctomb 95 | 0040457A: E8 61530000 call 004098E0 /5 ; Call LibFunc:__flsbuf 96 | 004047FB: E8 20350000 call 00407D20 /5 ; Call LibFunc:__CrtSetDbgFlag 97 | 00404814: E8 773E0000 call 00408690 /5 ; Call LibFunc:__CrtDumpMemoryLeaks 98 | 00404A8F: E8 5C580000 call 0040A2F0 /5 ; Call LibFunc:___initmbctable 99 | 00404AC5: E8 C6420000 call 00408D90 /5 ; Call LibFunc:_strlen 100 | 00404B0C: E8 DFCBFFFF call 004016F0 /5 ; Call LibFunc:__amsg_exit 101 | 00404B35: E8 56420000 call 00408D90 /5 ; Call LibFunc:_strlen 102 | 00404B72: E8 79CBFFFF call 004016F0 /5 ; Call LibFunc:__amsg_exit 103 | 00404B84: E8 87430000 call 00408F10 /5 ; Call LibFunc:__mbscpy 104 | 00404BDF: E8 0C570000 call 0040A2F0 /5 ; Call LibFunc:___initmbctable 105 | 00404C66: E8 85CAFFFF call 004016F0 /5 ; Call LibFunc:__amsg_exit 106 | 004052DC: E8 7FBEFFFF call 00401160 /5 ; Call LibFunc:_memcpy 107 | 0040532A: E8 C1C3FFFF call 004016F0 /5 ; Call LibFunc:__amsg_exit 108 | 004056D8: E8 233A0000 call 00409100 /5 ; Call LibFunc:__alloca_probe 109 | 0040578E: E8 4D500000 call 0040A7E0 /5 ; Call LibFunc:_strncmp 110 | 0040580D: E8 4E4F0000 call 0040A760 /5 ; Call LibFunc:_strstr 111 | 00405831: E8 6A4E0000 call 0040A6A0 /5 ; Call LibFunc:_strchr 112 | 00405893: E8 884A0000 call 0040A320 /5 ; Call LibFunc:_strtol 113 | 00405B09: E8 40000000 call 00405B4E /5 ; Call LibFunc:__NLG_Notify 114 | 00405BCA: E8 A9FEFFFF call 00405A78 /5 ; Call LibFunc:__global_unwind2 115 | 00405BD7: E8 DEFEFFFF call 00405ABA /5 ; Call LibFunc:__local_unwind2 116 | 00405BE8: E8 61FFFFFF call 00405B4E /5 ; Call LibFunc:__NLG_Notify 117 | 00405C17: E8 9EFEFFFF call 00405ABA /5 ; Call LibFunc:__local_unwind2 118 | 00405C3C: E8 79FEFFFF call 00405ABA /5 ; Call LibFunc:__local_unwind2 119 | 00405C73: E8 28000000 call 00405CA0 /5 ; Call LibFunc:__NMSG_WRITE 120 | 00405C8F: E8 0C000000 call 00405CA0 /5 ; Call LibFunc:__NMSG_WRITE 121 | 00405D06: E8 A5D1FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 122 | 00405D40: E8 4B300000 call 00408D90 /5 ; Call LibFunc:_strlen 123 | 00405D99: E8 72310000 call 00408F10 /5 ; Call LibFunc:__mbscpy 124 | 00405DAE: E8 DD2F0000 call 00408D90 /5 ; Call LibFunc:_strlen 125 | 00405DC5: E8 C62F0000 call 00408D90 /5 ; Call LibFunc:_strlen 126 | 00405DE2: E8 39380000 call 00409620 /5 ; Call LibFunc:_strncpy 127 | 00405DF6: E8 15310000 call 00408F10 /5 ; Call LibFunc:__mbscpy 128 | 00405E09: E8 12310000 call 00408F20 /5 ; Call LibFunc:__mbscat 129 | 00405E1D: E8 FE300000 call 00408F20 /5 ; Call LibFunc:__mbscat 130 | 00405E37: E8 E4300000 call 00408F20 /5 ; Call LibFunc:__mbscat 131 | 00405E50: E8 0B370000 call 00409560 /5 ; Call LibFunc:___crtMessageBoxA 132 | 00405ED8: E8 D3CFFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 133 | 00406086: E8 D5030000 call 00406460 /5 ; Call LibFunc:__isctype 134 | 004060D3: E8 88030000 call 00406460 /5 ; Call LibFunc:__isctype 135 | 00406113: E8 48030000 call 00406460 /5 ; Call LibFunc:__isctype 136 | 00406153: E8 08030000 call 00406460 /5 ; Call LibFunc:__isctype 137 | 00406196: E8 C5020000 call 00406460 /5 ; Call LibFunc:__isctype 138 | 004061E3: E8 78020000 call 00406460 /5 ; Call LibFunc:__isctype 139 | 00406223: E8 38020000 call 00406460 /5 ; Call LibFunc:__isctype 140 | 00406266: E8 F5010000 call 00406460 /5 ; Call LibFunc:__isctype 141 | 004062B6: E8 A5010000 call 00406460 /5 ; Call LibFunc:__isctype 142 | 00406306: E8 55010000 call 00406460 /5 ; Call LibFunc:__isctype 143 | 00406353: E8 08010000 call 00406460 /5 ; Call LibFunc:__isctype 144 | 004063B8: E8 A3000000 call 00406460 /5 ; Call LibFunc:__isctype 145 | 00406418: E8 43000000 call 00406460 /5 ; Call LibFunc:__isctype 146 | 004064F8: E8 23700000 call 0040D520 /5 ; Call LibFunc:___crtGetStringTypeA 147 | 0040655F: E8 4CC9FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 148 | 004065E1: E8 5A750000 call 0040DB40 /5 ; Call LibFunc:__getbuf 149 | 0040660B: E8 D0700000 call 0040D6E0 /5 ; Call LibFunc:__read 150 | 0040673D: E8 6EC7FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 151 | 0040679C: E8 9F730000 call 0040DB40 /5 ; Call LibFunc:__getbuf 152 | 00406874: E8 67000000 call 004068E0 /5 ; Call LibFunc:__nh_malloc_dbg 153 | 004068AA: E8 31000000 call 004068E0 /5 ; Call LibFunc:__nh_malloc_dbg 154 | 004068D1: E8 0A000000 call 004068E0 /5 ; Call LibFunc:__nh_malloc_dbg 155 | 00406914: E8 27730000 call 0040DC40 /5 ; Call LibFunc:__callnewh 156 | 00406988: E8 23C5FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 157 | 004069F1: E8 BAC4FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 158 | 00406A19: E8 92C4FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 159 | 00406A78: E8 33C4FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 160 | 00406ACC: E8 DFC3FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 161 | 00406C15: E8 F6F3FFFF call 00406010 /5 ; Call LibFunc:_memset 162 | 00406C33: E8 D8F3FFFF call 00406010 /5 ; Call LibFunc:_memset 163 | 00406C4E: E8 BDF3FFFF call 00406010 /5 ; Call LibFunc:_memset 164 | 00406C82: E8 19000000 call 00406CA0 /5 ; Call LibFunc:__calloc_dbg 165 | 00406D12: E8 19000000 call 00406D30 /5 ; Call LibFunc:__realloc_dbg 166 | 00406DDE: E8 CDC0FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 167 | 00406E49: E8 62C0FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 168 | 00406E71: E8 3AC0FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 169 | 00406EA3: E8 08C0FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 170 | 00406EF2: E8 B9BFFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 171 | 00406F29: E8 82BFFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 172 | 00406F84: E8 27BFFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 173 | 00406FEA: E8 C1BEFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 174 | 004070E7: E8 24EFFFFF call 00406010 /5 ; Call LibFunc:_memset 175 | 00407100: E8 0BEFFFFF call 00406010 /5 ; Call LibFunc:_memset 176 | 00407159: E8 52BDFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 177 | 004071B8: E8 F3BCFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 178 | 0040720C: E8 9FBCFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 179 | 00407292: E8 19000000 call 004072B0 /5 ; Call LibFunc:__expand_dbg 180 | 0040732F: E8 7CBBFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 181 | 0040737F: E8 2CBBFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 182 | 004073BB: E8 F0BAFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 183 | 0040741D: E8 8EBAFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 184 | 0040748C: E8 1FBAFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 185 | 004074F2: E8 B9B9FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 186 | 00407537: E8 74B9FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 187 | 00407562: E8 A9EAFFFF call 00406010 /5 ; Call LibFunc:_memset 188 | 004075AF: E8 FCB8FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 189 | 0040761A: E8 91B8FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 190 | 00407670: E8 3BB8FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 191 | 004076A6: E8 65E9FFFF call 00406010 /5 ; Call LibFunc:_memset 192 | 004076DD: E8 2EE9FFFF call 00406010 /5 ; Call LibFunc:_memset 193 | 00407741: E8 6AB7FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 194 | 00407778: E8 33B7FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 195 | 004077DA: E8 D1B6FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 196 | 0040782B: E8 80B6FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 197 | 004078E5: E8 C6B5FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 198 | 00407991: E8 1AB5FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 199 | 00407A30: E8 7BB4FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 200 | 00407A5B: E8 50B4FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 201 | 00407A83: E8 28B4FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 202 | 00407AAB: E8 00B4FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 203 | 00407AD3: E8 D8B3FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 204 | 00407BAA: E8 01B3FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 205 | 00407C07: E8 A4B2FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 206 | 00407C60: E8 4BB2FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 207 | 00407CA9: E8 02B2FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 208 | 00407CDC: E8 CFB1FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 209 | 00407E1E: E8 8DFFFFFF call 00407DB0 /5 ; Call LibFunc:__CrtIsValidPointer 210 | 00407E41: E8 8A2B0000 call 0040A9D0 /5 ; Call LibFunc:___sbh_find_block 211 | 00407E5D: E8 CE2B0000 call 0040AA30 /5 ; Call LibFunc:___sbh_verify_block 212 | 00407F92: E8 19FEFFFF call 00407DB0 /5 ; Call LibFunc:__CrtIsValidPointer 213 | 00408051: E8 5AAEFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 214 | 0040814E: E8 5DADFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 215 | 004081C4: E8 E7ACFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 216 | 004082E2: E8 C9ABFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 217 | 00408383: E8 28FAFFFF call 00407DB0 /5 ; Call LibFunc:__CrtIsValidPointer 218 | 004083A3: E8 08ABFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 219 | 004083D4: E8 D7AAFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 220 | 004083FC: E8 AFAAFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 221 | 0040844B: E8 60AAFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 222 | 004084B6: E8 F5A9FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 223 | 00408513: E8 98A9FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 224 | 0040854A: E8 61A9FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 225 | 004085D6: E8 85DEFFFF call 00406460 /5 ; Call LibFunc:__isctype 226 | 0040863F: E8 9C5E0000 call 0040E4E0 /5 ; Call LibFunc:_sprintf 227 | 00408669: E8 42A8FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 228 | 0040869D: E8 8EF9FFFF call 00408030 /5 ; Call LibFunc:__CrtMemCheckpoint 229 | 004086D6: E8 D5A7FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 230 | 004086EC: E8 CFFBFFFF call 004082C0 /5 ; Call LibFunc:__CrtMemDumpAllObjectsSince 231 | 00408768: E8 43A7FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 232 | 00408792: E8 19A7FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 233 | 004087BA: E8 F1A6FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 234 | 0040883D: E8 9E5D0000 call 0040E5E0 /5 ; Call LibFunc:_fclose 235 | 004088A9: E8 42000000 call 004088F0 /5 ; Call LibFunc:__flush 236 | 004088D1: E8 EA5D0000 call 0040E6C0 /5 ; Call LibFunc:__commit 237 | 00408947: E8 245E0000 call 0040E770 /5 ; Call LibFunc:__write 238 | 00408A32: E8 59FEFFFF call 00408890 /5 ; Call LibFunc:_fflush 239 | 00408A73: E8 18FEFFFF call 00408890 /5 ; Call LibFunc:_fflush 240 | 00408CB9: E8 A20B0000 call 00409860 /5 ; Call LibFunc:__aullrem 241 | 00408CD0: E8 1B0B0000 call 004097F0 /5 ; Call LibFunc:__aulldiv 242 | 00408E3B: E8 70A0FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 243 | 00408E65: E8 46A0FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 244 | 00408EF4: E8 E7090000 call 004098E0 /5 ; Call LibFunc:__flsbuf 245 | 00409025: E8 869EFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 246 | 0040904F: E8 5C9EFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 247 | 004090DE: E8 FD070000 call 004098E0 /5 ; Call LibFunc:__flsbuf 248 | 004093EA: E8 11B3FFFF call 00404700 /5 ; Call LibFunc:__exit 249 | 004098FF: E8 AC95FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 250 | 00409A07: E8 14FDFFFF call 00409720 /5 ; Call LibFunc:__isatty 251 | 00409A17: E8 24410000 call 0040DB40 /5 ; Call LibFunc:__getbuf 252 | 00409A55: E8 5694FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 253 | 00409AA9: E8 C24C0000 call 0040E770 /5 ; Call LibFunc:__write 254 | 00409AF4: E8 274F0000 call 0040EA20 /5 ; Call LibFunc:__lseek 255 | 00409B1C: E8 4F4C0000 call 0040E770 /5 ; Call LibFunc:__write 256 | 0040A0AC: E8 6F340000 call 0040D520 /5 ; Call LibFunc:___crtGetStringTypeA 257 | 0040A0E1: E8 2A4A0000 call 0040EB10 /5 ; Call LibFunc:___crtLCMapStringA 258 | 0040A116: E8 F5490000 call 0040EB10 /5 ; Call LibFunc:___crtLCMapStringA 259 | 0040A2FE: E8 5DF8FFFF call 00409B60 /5 ; Call LibFunc:__setmbcp 260 | 0040A379: E8 E2C0FFFF call 00406460 /5 ; Call LibFunc:__isctype 261 | 0040A4BA: E8 A1BFFFFF call 00406460 /5 ; Call LibFunc:__isctype 262 | 0040A50C: E8 4FBFFFFF call 00406460 /5 ; Call LibFunc:__isctype 263 | 0040A541: E8 3A490000 call 0040EE80 /5 ; Call LibFunc:_toupper 264 | 0040B020: E8 8B3F0000 call 0040EFB0 /5 ; Call LibFunc:_memcpy 265 | 0040B1B2: E8 F9030000 call 0040B5B0 /5 ; Call LibFunc:___sbh_alloc_new_region 266 | 0040B1CB: E8 F0040000 call 0040B6C0 /5 ; Call LibFunc:___sbh_alloc_new_group 267 | 0040BFAB: E8 00300000 call 0040EFB0 /5 ; Call LibFunc:_memcpy 268 | 0040C790: E8 7B98FFFF call 00406010 /5 ; Call LibFunc:_memset 269 | 0040CD23: E8 E892FFFF call 00406010 /5 ; Call LibFunc:_memset 270 | 0040D515: E8 D641FFFF call 004016F0 /5 ; Call LibFunc:__amsg_exit 271 | 0040D636: E8 C5BAFFFF call 00409100 /5 ; Call LibFunc:__alloca_probe 272 | 0040D653: E8 B889FFFF call 00406010 /5 ; Call LibFunc:_memset 273 | 0040D859: E8 921A0000 call 0040F2F0 /5 ; Call LibFunc:__dosmaperr 274 | 0040DAFC: E8 1F0F0000 call 0040EA20 /5 ; Call LibFunc:__lseek 275 | 0040DB5D: E8 4E53FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 276 | 0040DC7E: E8 0D000000 call 0040DC90 /5 ; Call LibFunc:__nh_malloc_base 277 | 0040DCD1: E8 6AFFFFFF call 0040DC40 /5 ; Call LibFunc:__callnewh 278 | 0040DD0C: E8 5FD3FFFF call 0040B070 /5 ; Call LibFunc:___sbh_alloc_block 279 | 0040DDF4: E8 D7CBFFFF call 0040A9D0 /5 ; Call LibFunc:___sbh_find_block 280 | 0040DE23: E8 88DAFFFF call 0040B8B0 /5 ; Call LibFunc:___sbh_resize_block 281 | 0040DFAE: E8 1DCAFFFF call 0040A9D0 /5 ; Call LibFunc:___sbh_find_block 282 | 0040DFDE: E8 CDD8FFFF call 0040B8B0 /5 ; Call LibFunc:___sbh_resize_block 283 | 0040DFF6: E8 75D0FFFF call 0040B070 /5 ; Call LibFunc:___sbh_alloc_block 284 | 0040E035: E8 2631FFFF call 00401160 /5 ; Call LibFunc:_memcpy 285 | 0040E041: E8 8AC9FFFF call 0040A9D0 /5 ; Call LibFunc:___sbh_find_block 286 | 0040E0C4: E8 9730FFFF call 00401160 /5 ; Call LibFunc:_memcpy 287 | 0040E130: E8 0BFBFFFF call 0040DC40 /5 ; Call LibFunc:__callnewh 288 | 0040E224: E8 372FFFFF call 00401160 /5 ; Call LibFunc:_memcpy 289 | 0040E291: E8 CA2EFFFF call 00401160 /5 ; Call LibFunc:_memcpy 290 | 0040E2E4: E8 57F9FFFF call 0040DC40 /5 ; Call LibFunc:__callnewh 291 | 0040E34F: E8 ECF8FFFF call 0040DC40 /5 ; Call LibFunc:__callnewh 292 | 0040E38E: E8 3DC6FFFF call 0040A9D0 /5 ; Call LibFunc:___sbh_find_block 293 | 0040E454: E8 77DBFFFF call 0040BFD0 /5 ; Call LibFunc:___sbh_heap_check 294 | 0040E50B: E8 A049FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 295 | 0040E535: E8 7649FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 296 | 0040E5C5: E8 16B3FFFF call 004098E0 /5 ; Call LibFunc:__flsbuf 297 | 0040E62B: E8 8048FFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 298 | 0040E652: E8 99A2FFFF call 004088F0 /5 ; Call LibFunc:__flush 299 | 0040E661: E8 0A0E0000 call 0040F470 /5 ; Call LibFunc:__freebuf 300 | 0040E670: E8 0B0D0000 call 0040F380 /5 ; Call LibFunc:__close 301 | 0040E720: E8 9B100000 call 0040F7C0 /5 ; Call LibFunc:__get_osfhandle 302 | 0040E803: E8 18020000 call 0040EA20 /5 ; Call LibFunc:__lseek 303 | 0040E9B1: E8 3A090000 call 0040F2F0 /5 ; Call LibFunc:__dosmaperr 304 | 0040EA70: E8 4B0D0000 call 0040F7C0 /5 ; Call LibFunc:__get_osfhandle 305 | 0040EAC9: E8 22080000 call 0040F2F0 /5 ; Call LibFunc:__dosmaperr 306 | 0040EC3C: E8 BFA4FFFF call 00409100 /5 ; Call LibFunc:__alloca_probe 307 | 0040ED32: E8 C9A3FFFF call 00409100 /5 ; Call LibFunc:__alloca_probe 308 | 0040EEC4: E8 9775FFFF call 00406460 /5 ; Call LibFunc:__isctype 309 | 0040EF6B: E8 A0FBFFFF call 0040EB10 /5 ; Call LibFunc:___crtLCMapStringA 310 | 0040F3CF: E8 EC030000 call 0040F7C0 /5 ; Call LibFunc:__get_osfhandle 311 | 0040F3EA: E8 D1030000 call 0040F7C0 /5 ; Call LibFunc:__get_osfhandle 312 | 0040F3F6: E8 C5030000 call 0040F7C0 /5 ; Call LibFunc:__get_osfhandle 313 | 0040F406: E8 B5030000 call 0040F7C0 /5 ; Call LibFunc:__get_osfhandle 314 | 0040F42F: E8 BC020000 call 0040F6F0 /5 ; Call LibFunc:__free_osfhnd 315 | 0040F459: E8 92FEFFFF call 0040F2F0 /5 ; Call LibFunc:__dosmaperr 316 | 0040F48C: E8 1F3AFFFF call 00402EB0 /5 ; Call LibFunc:__CrtDbgReport 317 | 0040F882: E8 69FAFFFF call 0040F2F0 /5 ; Call LibFunc:__dosmaperr 318 | 0040F8AF: E8 5CFCFFFF call 0040F510 /5 ; Call LibFunc:__alloc_osfhnd 319 | 0040F8DE: E8 5DFDFFFF call 0040F640 /5 ; Call LibFunc:__set_osfhnd 320 | --------------------------------------------------------------------------------