SizeOfCode SizeOfProc IsRelativeCmd

from: http://bbs.vbstreets.ru/viewtopic.php?t=28909&view=previous&sid=28327093fa946068f6c6df2a8302c1a6


'Opcode Length Disassembler.
'Coded by GPcH
'Email: admin@dotfix.net
'Icq: 1195723
'Original version Coded By Ms-Rem ( Ms-Rem@yandex.ru ) ICQ 286370715


'Per-opcode flag bits consumed by SizeOfCode.  They describe what follows the
'opcode byte, never the opcode itself; a table slot is the OR of several bits.
Const OP_NONE = &H0            'opcode byte only
Const OP_MODRM = &H1           'a ModRM byte follows (plus SIB / displacement as it dictates)
Const OP_DATA_I8 = &H2         '8-bit immediate
Const OP_DATA_I16 = &H4        '16-bit immediate
Const OP_DATA_I32 = &H8        '32-bit immediate
Const OP_DATA_PRE66_67 = &H10  'operand-size immediate: 2 bytes under a 66 prefix, otherwise 4
Const OP_WORD = &H20           'one extra opaque byte after the opcode (set for the FPU escapes D8-DF)
Const OP_REL32 = &H40          'operand is a rel32 displacement; queried by IsRelativeCmd

'Flag tables indexed by opcode byte: OpcodeFlags for one-byte opcodes,
'OpcodeFlagsExt for the byte that follows a 0F escape.  Both are Variant
'arrays filled by DisasmInitialize, which must run before SizeOfCode,
'SizeOfProc or IsRelativeCmd is called.
Public OpcodeFlags
Public OpcodeFlagsExt

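'Fills the two opcode flag tables.  Call once before SizeOfCode / IsRelativeCmd.
'
'Each table has exactly 256 slots, one per opcode byte, written as 16 rows of
'16 so that row r, column c is opcode &Hrc.  OpcodeFlags covers one-byte
'opcodes; OpcodeFlagsExt covers the byte after a 0F escape.
'
'Corrections against the tables this file was ported from (each one made the
'instruction come out short, which for a hooking/trampoline engine means a
'torn copy of the target's prologue):
'  0F 18  prefetch hints          - takes a ModRM byte       (was OP_NONE)
'  0F 1F  multi-byte NOP r/m      - takes a ModRM byte       (was OP_NONE)
'  0F BA  BT/BTS/BTR/BTC r/m,imm8 - ModRM plus an imm8       (was OP_MODRM only)
'
'Known gaps, deliberately left alone because a per-opcode table cannot express
'them: F6 /0 and F7 /0 (TEST r/m, imm) carry an immediate only for some ModRM
'reg values; SSE forms selected by a mandatory 66/F2/F3 prefix and the three-
'byte 0F 38 / 0F 3A maps are not modelled at all; D8-DF are marked OP_WORD
'(one opaque byte) although that byte is really a ModRM byte - see SizeOfCode
'for how it is consumed; FF (group 5) is flagged OP_REL32 even though its
'operand is a ModRM r/m, not a rel32.
Public Sub DisasmInitialize()
    OpcodeFlags = Array( _
        OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_DATA_I8, OP_DATA_PRE66_67, OP_NONE, OP_NONE, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_DATA_I8, OP_DATA_PRE66_67, OP_NONE, OP_NONE, _
        OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_DATA_I8, OP_DATA_PRE66_67, OP_NONE, OP_NONE, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_DATA_I8, OP_DATA_PRE66_67, OP_NONE, OP_NONE, _
        OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_DATA_I8, OP_DATA_PRE66_67, OP_NONE, OP_NONE, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_DATA_I8, OP_DATA_PRE66_67, OP_NONE, OP_NONE, _
        OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_DATA_I8, OP_DATA_PRE66_67, OP_NONE, OP_NONE, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_DATA_I8, OP_DATA_PRE66_67, OP_NONE, OP_NONE, _
        OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, _
        OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, _
        OP_NONE, OP_NONE, OP_MODRM, OP_MODRM, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_DATA_PRE66_67, OP_MODRM Or OP_DATA_PRE66_67, OP_DATA_I8, OP_MODRM Or OP_DATA_I8, OP_NONE, OP_NONE, OP_NONE, OP_NONE, _
        OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, _
        OP_MODRM Or OP_DATA_I8, OP_MODRM Or OP_DATA_PRE66_67, OP_MODRM Or OP_DATA_I8, OP_MODRM Or OP_DATA_I8, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, _
        OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_DATA_I32 Or OP_DATA_I16, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, _
        OP_DATA_PRE66_67, OP_DATA_PRE66_67, OP_DATA_PRE66_67, OP_DATA_PRE66_67, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_DATA_I8, OP_DATA_PRE66_67, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, _
        OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_PRE66_67, OP_DATA_PRE66_67, OP_DATA_PRE66_67, OP_DATA_PRE66_67, OP_DATA_PRE66_67, OP_DATA_PRE66_67, OP_DATA_PRE66_67, OP_DATA_PRE66_67, _
        OP_MODRM Or OP_DATA_I8, OP_MODRM Or OP_DATA_I8, OP_DATA_I16, OP_NONE, OP_MODRM, OP_MODRM, OP_MODRM Or OP_DATA_I8, OP_MODRM Or OP_DATA_PRE66_67, OP_DATA_I8 Or OP_DATA_I16, OP_NONE, OP_DATA_I16, OP_NONE, OP_NONE, OP_DATA_I8, OP_NONE, OP_NONE, _
        OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_DATA_I8, OP_DATA_I8, OP_NONE, OP_NONE, OP_WORD, OP_WORD, OP_WORD, OP_WORD, OP_WORD, OP_WORD, OP_WORD, OP_WORD, _
        OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_I8, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_I16 Or OP_DATA_I32, OP_DATA_I8, OP_NONE, OP_NONE, OP_NONE, OP_NONE, _
        OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_MODRM, OP_MODRM, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_MODRM, OP_MODRM Or OP_REL32)

    OpcodeFlagsExt = Array( _
        OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, _
        OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_MODRM, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_MODRM, _
        OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_NONE, OP_MODRM, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, _
        OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, _
        OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, _
        OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, _
        OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_NONE, OP_NONE, OP_MODRM, OP_MODRM, _
        OP_NONE, OP_MODRM Or OP_DATA_I8, OP_MODRM Or OP_DATA_I8, OP_MODRM Or OP_DATA_I8, OP_MODRM, OP_MODRM, OP_MODRM, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_MODRM, OP_MODRM, _
        OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, OP_DATA_PRE66_67 Or OP_REL32, _
        OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, _
        OP_NONE, OP_NONE, OP_NONE, OP_MODRM, OP_MODRM Or OP_DATA_I8, OP_MODRM, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_MODRM, OP_MODRM Or OP_DATA_I8, OP_MODRM, OP_NONE, OP_MODRM, _
        OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_NONE, OP_NONE, OP_MODRM Or OP_DATA_I8, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, OP_MODRM, _
        OP_MODRM, OP_MODRM, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_MODRM, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, OP_NONE, _
        OP_NONE, OP_MODRM, OP_MODRM, OP_MODRM, OP_NONE, OP_MODRM, OP_NONE, OP_NONE, OP_MODRM, OP_MODRM, OP_NONE, OP_MODRM, OP_MODRM, OP_MODRM, OP_NONE, OP_MODRM, _
        OP_NONE, OP_MODRM, OP_MODRM, OP_NONE, OP_NONE, OP_MODRM, OP_NONE, OP_NONE, OP_MODRM, OP_MODRM, OP_NONE, OP_MODRM, OP_MODRM, OP_MODRM, OP_NONE, OP_MODRM, _
        OP_NONE, OP_MODRM, OP_MODRM, OP_MODRM, OP_NONE, OP_MODRM, OP_NONE, OP_NONE, OP_MODRM, OP_MODRM, OP_MODRM, OP_NONE, OP_MODRM, OP_MODRM, OP_MODRM, OP_NONE)
End Sub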

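'Length in bytes of the single x86 (32-bit mode) instruction that starts at
'Code(0), or 0 when the instruction runs past the end of Code, the prefix run
'is longer than the engine accepts, or Code is empty / never dimensioned.
'
'  Code    - bytes to decode; decoding always begins at index 0.
'  pOpcode - in/out.  Non-zero on entry: receives the first opcode byte after
'            any prefixes.  Zero on entry: left untouched.  A two-byte opcode
'            reports &HF; its second byte is not reported.
'
'Requires DisasmInitialize to have run.  Never reads beyond UBound(Code) and
'never reports a length that extends beyond it, so a caller copying Length
'bytes out of a bounded buffer stays inside that buffer.
'
'Fixes relative to the ported version: the SIB base=101 test used `Not iMod`
'on a Byte, which is bitwise (Not 1 = 254, still true), so mod=01 + SIB with
'base=EBP ([ebp+reg*s+disp8], very common) was sized with a disp32 instead of
'a disp8; FPU escapes D8-DF now decode their ModRM byte instead of skipping
'it; F6 /0 and F7 /0 (TEST r/m, imm) now account for their immediate.
'Still not modelled: 3-byte opcodes (0F 38 / 0F 3A) and mandatory-prefix SSE.
Public Function SizeOfCode(Code() As Byte, ByRef pOpcode As Byte) As Long
    Dim PFX66 As Boolean, PFX67 As Boolean, SibPresent As Boolean, TwoByte As Boolean
    Dim cPtr As Long, Last As Long, Flags As Long, Opcode As Byte
    Dim iMod As Long, iReg As Long, iRM As Long, OffsetSize As Long, Add As Long

    SizeOfCode = 0

    'UBound raises error 9 on an array that was never dimensioned; treat as empty.
    On Error Resume Next
    Last = -1
    Last = UBound(Code)
    On Error GoTo 0
    If Last < 0 Then Exit Function

    'Legacy prefixes: segment overrides, LOCK, REPNE/REP, operand-size, address-size.
    Do
        If cPtr > Last Then Exit Function
        Select Case Code(cPtr)
            Case &H26, &H2E, &H36, &H3E, &H64, &H65, &HF0, &HF2, &HF3
                'no effect on length
            Case &H66: PFX66 = True
            Case &H67: PFX67 = True
            Case Else: Exit Do
        End Select
        cPtr = cPtr + 1
        'x86 caps an instruction at 15 bytes; a longer prefix run is data, not code.
        If cPtr > 16 Then Exit Function
    Loop

    Opcode = Code(cPtr)
    If pOpcode Then pOpcode = Opcode

    'Opcode byte(s) and their flag word.
    If Opcode = &HF Then
        TwoByte = True
        cPtr = cPtr + 1
        If cPtr > Last Then Exit Function
        Opcode = Code(cPtr)
        Flags = OpcodeFlagsExt(Opcode)
    Else
        Flags = OpcodeFlags(Opcode)
    End If
    cPtr = cPtr + 1

    'OP_WORD is set for the FPU escapes D8-DF.  The byte after them is a ModRM
    'byte (register forms have mod=11), so decode it as one rather than
    'blindly skipping it; otherwise e.g. D9 45 F8 (fld dword [ebp-8]) counts as 2.
    If Flags And OP_WORD Then Flags = Flags Or OP_MODRM

    'ModRM, SIB and displacement.
    If Flags And OP_MODRM Then
        If cPtr > Last Then Exit Function
        iMod = Code(cPtr) \ 64
        iReg = (Code(cPtr) \ 8) And 7
        iRM = Code(cPtr) And 7
        cPtr = cPtr + 1

        '32-bit addressing: rm=100 means a SIB byte follows (never in register form).
        SibPresent = (Not PFX67) And (iRM = 4) And (iMod <> 3)
        Select Case iMod
            Case 0
                'No base register: [disp16] under a 67 prefix, [disp32] otherwise.
                If PFX67 And (iRM = 6) Then OffsetSize = 2
                If (Not PFX67) And (iRM = 5) Then OffsetSize = 4
            Case 1: OffsetSize = 1
            Case 2: If PFX67 Then OffsetSize = 2 Else OffsetSize = 4
            Case 3: OffsetSize = 0
        End Select

        If SibPresent Then
            If cPtr > Last Then Exit Function
            'SIB base=101 with mod=00 means no base register and a disp32 instead.
            '(mod=10 already has a disp32; mod=01 keeps its disp8.)
            If ((Code(cPtr) And 7) = 5) And (iMod = 0) Then OffsetSize = 4
            cPtr = cPtr + 1
        End If
        cPtr = cPtr + OffsetSize

        'F6 /0 and F7 /0 (TEST r/m, imm) carry an immediate that the flag table
        'cannot express because it depends on the ModRM reg field.  reg=1 is
        'the undocumented alias that takes the same immediate.
        If (Not TwoByte) And (iReg < 2) Then
            If Opcode = &HF6 Then
                cPtr = cPtr + 1
            ElseIf Opcode = &HF7 Then
                If PFX66 Then cPtr = cPtr + 2 Else cPtr = cPtr + 4
            End If
        End If
    End If

    'Immediates.
    If Flags And OP_DATA_I8 Then cPtr = cPtr + 1
    If Flags And OP_DATA_I16 Then cPtr = cPtr + 2
    If Flags And OP_DATA_I32 Then cPtr = cPtr + 4
    If PFX66 Then Add = 2 Else Add = 4
    If Flags And OP_DATA_PRE66_67 Then cPtr = cPtr + Add

    'The instruction's last byte must lie inside the buffer as well.
    If cPtr > Last + 1 Then Exit Function
    SizeOfCode = cPtr
End Function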


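'Size in bytes of the function whose code starts at Proc: the sum of the
'instruction lengths up to and including the first RET (C3) or RET imm16 (C2),
'the opcode being checked after any prefixes so a "rep ret" (F3 C3) counts.
'Returns the bytes counted so far if SizeOfCode reports 0 (truncated or
'over-long instruction) or the buffer runs out without a RET.
'
'Proc is read only; the caller's array is left intact.  "First RET" is a
'heuristic, not control-flow analysis: an early return, a jump past the RET,
'or embedded data gives a wrong answer, so verify the result before using it
'to copy or patch code.
'
'Fixes relative to the ported version: the remaining bytes were shifted with
'StrConv(vbUnicode) / StrConv(vbFromUnicode), a round trip through the ANSI
'code page that is not byte-preserving on DBCS systems (a lead byte swallows
'its neighbour and the length arithmetic drifts) and that also overwrote the
'caller's array; and pOpcode was armed only once, so an instruction whose
'opcode byte is 00 left it 0 and every later RET went unnoticed.
Public Function SizeOfProc(Proc() As Byte) As Long
    Dim Total As Long, Length As Long, Remaining As Long, i As Long
    Dim pOpcode As Byte, Rest() As Byte

    Total = 0

    'UBound raises error 9 on an array that was never dimensioned; treat as empty.
    On Error Resume Next
    Remaining = 0
    Remaining = UBound(Proc) - LBound(Proc) + 1
    On Error GoTo 0

    Do While Remaining > 0
        'Hand SizeOfCode a 0-based byte copy of the unconsumed tail.
        ReDim Rest(0 To Remaining - 1)
        For i = 0 To Remaining - 1
            Rest(i) = Proc(LBound(Proc) + Total + i)
        Next i

        'pOpcode is in/out: non-zero asks SizeOfCode to write the opcode back.
        'Re-arm it on every round.
        pOpcode = 1
        Length = SizeOfCode(Rest, pOpcode)
        If Length < 1 Then Exit Do
        Total = Total + Length
        Remaining = Remaining - Length

        'C3 = RET, C2 iw = RET imm16.
        If (pOpcode = &HC3) Or (pOpcode = &HC2) Then Exit Do
    Loop

    SizeOfProc = Total
End Function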


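'Returns OP_REL32 (non-zero) if the opcode's operand is a rel32 displacement
'that must be re-based when the instruction is copied elsewhere - E8 CALL,
'E9 JMP, 0F 80-8F Jcc in the tables above - otherwise 0.
'
'  pOpcode  - first opcode byte, as reported by SizeOfCode.
'  NextByte - the byte following a 0F escape (0-255).  Optional so existing
'             callers keep compiling; when it is omitted or out of range for
'             pOpcode = &HF the result is 0, because the second byte is
'             unknown.  (The ported code indexed OpcodeFlagsExt(pOpcode + 1),
'             i.e. slot 16 regardless of the real second byte, which is
'             OP_NONE - so it also answered 0, by accident.)
'
'Requires DisasmInitialize.  Caveat: the one-byte table also flags FF
'(group 5: INC/DEC/CALL/JMP/PUSH r/m) as OP_REL32 although its operand is a
'ModRM r/m, not a rel32; do not relocate an FF instruction on the strength of
'this flag alone.
Public Function IsRelativeCmd(pOpcode As Byte, Optional ByVal NextByte As Long = -1) As Byte
    Dim Flags As Long

    If pOpcode = &HF Then
        If (NextByte < 0) Or (NextByte > 255) Then
            Flags = OP_NONE
        Else
            Flags = OpcodeFlagsExt(NextByte)
        End If
    Else
        Flags = OpcodeFlags(pOpcode)
    End If

    IsRelativeCmd = Flags And OP_REL32
End Function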


