private byte[] GetOldCode(IntPtr codeAddress, int maxBytes)
{
SharpDisasm.ArchitectureMode mode = (IntPtr.Size == 8) ? SharpDisasm.ArchitectureMode.x86_64 : SharpDisasm.ArchitectureMode.x86_32;
List <byte> entranceCodes = new List <byte>();
int totalLen = 0;
using (var disasm = new SharpDisasm.Disassembler(codeAddress, maxBytes + NativeMethods.MaxLengthOpCode, mode))
{
foreach (var insn in disasm.Disassemble())
{
if (SharpDisasm.Udis86.ud_mnemonic_code.UD_Ija <= insn.Mnemonic && insn.Mnemonic <= SharpDisasm.Udis86.ud_mnemonic_code.UD_Ijz)
{
return(null);
}
for (int i = 0; i < insn.Length; i++)
{
entranceCodes.Add(codeAddress.ReadByte(totalLen + i));
}
totalLen += insn.Length;
if (totalLen >= maxBytes)
{
return(entranceCodes.ToArray());
}
}
}
return(null);
}
static IntPtr GetExportFunctionPtrInfo(IntPtr funcAddr, out IntPtr ptrContainingFuncAddress)
{
ptrContainingFuncAddress = IntPtr.Zero;
SharpDisasm.ArchitectureMode mode = (IntPtr.Size == 8) ? SharpDisasm.ArchitectureMode.x86_64 : SharpDisasm.ArchitectureMode.x86_32;
SharpDisasm.Disassembler.Translator.IncludeAddress = true;
SharpDisasm.Disassembler.Translator.IncludeBinary = true;
const int maxOpCode = 5;
byte[] code = funcAddr.ReadBytes(NativeMethods.MaxLengthOpCode * maxOpCode);
var disasm = new SharpDisasm.Disassembler(code, mode, (ulong)funcAddr.ToInt64(), true);
foreach (var insn in disasm.Disassemble().Take(maxOpCode))
{
switch (insn.Mnemonic)
{
case SharpDisasm.Udis86.ud_mnemonic_code.UD_Imov:
if (insn.Operands.Length == 2)
{
long value = insn.Operands[1].Value;
IntPtr jumpPtr = new IntPtr(value);
ptrContainingFuncAddress = jumpPtr;
return(new IntPtr(IntPtr.Size == 8 ? jumpPtr.ReadInt64() : jumpPtr.ReadInt32()));
}
break;
case SharpDisasm.Udis86.ud_mnemonic_code.UD_Ijmp:
// 48 FF 25 C1 D2 05 00 jmp qword ptr [7FFD2E8B7398h]
if (insn.Operands.Length == 1)
{
long value = insn.Operands[0].Value;
IntPtr jumpPtr = new IntPtr(value);
if (IntPtr.Size == 8)
{
jumpPtr = new IntPtr((long)insn.PC + value);
}
ptrContainingFuncAddress = jumpPtr;
return(new IntPtr(IntPtr.Size == 8 ? jumpPtr.ReadInt64() : jumpPtr.ReadInt32()));
}
break;
}
}
return(IntPtr.Zero);
}
static void Main(string[] args)
{
// Determine the architecture mode or us 32-bit by default
SharpDisasm.ArchitectureMode mode = SharpDisasm.ArchitectureMode.x86_32;
if (args.Length > 0)
{
switch (args[0])
{
case "16": { mode = SharpDisasm.ArchitectureMode.x86_16; break; }
case "32": { mode = SharpDisasm.ArchitectureMode.x86_32; break; }
case "64": { mode = SharpDisasm.ArchitectureMode.x86_64; break; }
default:
break;
}
if (args.Length > 1)
{
if (args[1].ToLower() == "resolverip")
{
SharpDisasm.Disassembler.Translator.ResolveRip = true;
}
}
}
// Allow input >256 chars
Console.SetIn(new StreamReader(Console.OpenStandardInput(8192)));
StringBuilder input = new StringBuilder();
while (Console.In.Peek() != -1)
{
input.Append(Console.In.ReadLine());
}
// Configure the translator to output instruction addresses and instruction binary as hex
SharpDisasm.Disassembler.Translator.IncludeAddress = true;
SharpDisasm.Disassembler.Translator.IncludeBinary = true;
// Create the disassembler
var disasm = new SharpDisasm.Disassembler(
HexStringToByteArray(input.ToString().Replace(" ", "")),
mode, 0, true);
// Disassemble each instruction and output to console
foreach (var insn in disasm.Disassemble())
{
Console.Out.WriteLine(insn.ToString());
}
}
static void Main(string[] args)
{
SharpDisasm.ArchitectureMode mode = SharpDisasm.ArchitectureMode.x86_32;
if (args.Length == 2)
{
switch (args[0])
{
case "16": { mode = SharpDisasm.ArchitectureMode.x86_16; break; }
case "32": { mode = SharpDisasm.ArchitectureMode.x86_32; break; }
case "64": { mode = SharpDisasm.ArchitectureMode.x86_64; break; }
default:
break;
}
}
else
{
Console.Write("Must use arguments: <bit-length[16|32|64]> <target file path>");
return;
}
string filePath = args[1];
BinaryReader reader = new BinaryReader(File.Open(filePath, FileMode.Open));
var fileSize = Convert.ToInt32(new FileInfo(filePath).Length);
var codeBytes = reader.ReadBytes(fileSize);
var sw = Stopwatch.StartNew();
SharpDisasm.Disassembler.Translator.IncludeAddress = true;
var disasm = new SharpDisasm.Disassembler(codeBytes, mode, 0, true);
foreach (var insn in disasm.Disassemble())
{
Console.Out.WriteLine(insn.ToString());
}
sw.Stop();
Console.Error.WriteLine("Total dump time: {0:F} sec.", sw.Elapsed.TotalSeconds);
}
private static void OutputAssembly(byte[] codeBuffer, string fileName)
{
SharpDisasm.ArchitectureMode mode = SharpDisasm.ArchitectureMode.x86_32;
// Configure the translator to output instruction addresses and instruction binary as hex
SharpDisasm.Disassembler.Translator.IncludeAddress = true;
SharpDisasm.Disassembler.Translator.IncludeBinary = true;
// Create the disassembler
var disasm = new SharpDisasm.Disassembler(
codeBuffer,
mode, 0, true);
int instructions = 0;
using (System.IO.StreamWriter file = new System.IO.StreamWriter(fileName))
{
List <string> jumpInstructions = new List <string>();
// Disassemble each instruction and output to console
foreach (var insn in disasm.Disassemble())
{
file.WriteLine(insn.ToString());
instructions++;
}
}
}
private byte[] OriginalInstructionsAt(IntPtr address)
{
SharpDisasm.ArchitectureMode mode = SharpDisasm.ArchitectureMode.x86_32;
var found = false;
var bytesRead = 0;
var i = JUMP_INSTRUCTION_SIZE;
byte[] originalBytes = new byte[] { };
while (i < MAX_INSTRUCTION_SIZE && !found)
{
byte[] byteArray = ReadBytes(address, i, ref bytesRead);
var instructions = (new SharpDisasm.Disassembler(byteArray, mode)).Disassemble();
var invalidInstructionsCount = instructions.Where((SharpDisasm.Instruction inst) => inst.Error).ToList().Count;
if (invalidInstructionsCount == 0)
{
originalBytes = byteArray;
found = true;
}
i++;
}
return(originalBytes);
}
