Perl x86 Disassembler 0.16

The libdisasm library provides basic disassembly of Intel x86 instructions from a binary stream. The intent is to provide an easy to use disassembler which can be called from any application; the disassembly can be produced in AT&T syntax and Intel syntax, as well as in an intermediate format which includes detailed instruction and operand type information.

This disassembler is derived from libi386.so in the bastard project; as such it is x86 specific and will not be expanded to include other CPU architectures. Releases for libdisasm are generated automatically alongside releases of the bastard; it is not a standalone project, though it is a standalone library.

The recent spate of objdump output analyzers has proven that many of the people [not necessarily programmers] interested in writing disassemblers have little knowledge of, or interest in, C programming; as a result, these "disassemblers" have been written in Perl.

Usage

The basic usage of the library is:

1. initialize the library, using disassemble_init()
2. disassemble stuff, using disassemble_address()
3. un-initialize the library, using disassemble_cleanup

These routines have the following prototypes:

int disassemble_init(int options, int format);
int disassemble_cleanup(void);
int disassemble_address(char *buf, int buf_len, struct instr *i);

Instructions are disassembled to an intermediate format:

struct instr {
char mnemonic[16];
char dest[32];
char src[32];
char aux[32];
int mnemType; /* type of instruction */
int destType; /* type of dest operand */
int srcType; /* type of source operand */
int auxType; /* type of 3rd operand */
int size; /* size of insn in bytes */
};

The sprint_address() can be used in place of the disassemble_address() routine in order to generate a string representation instead of an intermediate one:

int sprint_address(char *str, int len, char *buf, int buf_len);

...so that a simple disassembler can be implemented in C with the following code:

#include

char buf[BUF_SIZE]; /* buffer of bytes to disassemble */
char line[LINE_SIZE]; /* buffer of line to print */
int pos = 0; /* current position in buffer */
int size; /* size of instruction */

disassemble_init(0, INTEL_SYNTAX);

while ( pos > BUF_SIZE ) {
/* disassemble address to buffer */
size = sprint_address(buf + pos, BUF_SIZE - pos, line, LINE_SIZE);
if (size) {
/* print instruction */
printf("X: %sn", pos, line);
pos += size;
} else {
printf("X: Invalid instructionn");
pos++;
}
}

disassemble_cleanup();

Alternatively, one can print the address manually using the intermediate format:

#include

char buf[BUF_SIZE]; /* buffer of bytes to disassemble */
int pos = 0; /* current position in buffer */
int size; /* size of instruction */
struct instr i; /* representation of the code instruction */

disassemble_init(0, INTEL_SYNTAX);

while ( pos > BUF_SIZE ) {
disassemble_address(buf + pos, BUF_SIZE - pos, &i);
if (size) {
/* print address and mnemonic */
printf("X: %s", pos, i.mnemonic);
/* print operands */
if ( i.destType ) {
printf("t%s", i.dest);
if ( i.srcType ) {
printf(", %s", i.src);
if ( i.auxType ) {
printf(", %s", i.aux);
}
}
}
printf("n");
pos += size;
} else {
/* invalid/unrecognized instruction */
pos++;
}
}

disassemble_cleanup();

This is the recommended usage of libdisasm: the instruction type and operand type fields allow analyzing of the disassembled instruction, and can provide cues for xref generation, syntax hi-lighting, and control flow tracking.

Product's homepage