
univdisasm's Issues

a bug

66 0F 7E D0 66 0F 73 D2 20 66 0F 7E D1
a bug

Info

Hello, sorry for my bad English.
I wanted to ask if you had planned to add support for specifying the type of the argument access and support for specifying the read-write implicit registers. Very useful in the analysis of the detailed code.

These features are present in the capstone-next library.
In my local copy of your library I have added support for the type of access only for general-purpose instructions.

BUG

bug
EFlags is error

a bug report

used UnivDisasm-master\GUI\ [1]. is right, [2]. is wrong
[1]. 8B 0D 00 02 46 00 mov ecx,dword ds:[0x00460200] // this is Right

[2]. A1 14 01 46 00 mov eax, ds:0x0046014 //this is error
This should mov eax, dword ds:[0x0046014]

Inst Category

Hello,
I realized that all of the constant definitions related to the category of Instruction are set to 0.

Thank you ;)

INST_CATEGORY_ARITHMETIC = 0;
INST_CATEGORY_FLOATING_POINT = 0;
INST_CATEGORY_X87_FPU = 0;
INST_CATEGORY_COMPARE = 0;
INST_CATEGORY_DATA_TRANSFER = 0;
INST_CATEGORY_LOAD = 0;
INST_CATEGORY_CONVERT = 0;
INST_CATEGORY_INTEGER = 0;
INST_CATEGORY_STORE = 0;
....... ..... etc..

Memory leaks in UnivDisasm.Disasm.Disasm

An access violation can occur in the Disasm function on the following line: TABLE_1[PInst^.Addr^](PInst);
This happens because an invalid address escapes from UnivDisasm.Internal.Common.DecodeJ.
The access violation in Disasm causes memory allocated to TInstruction.Mnem to be leaked.

I can see that addresses used to be tested, but this was then made optional (effectively disabled). I don't have enough background knowledge to say whether or not there's a problem with the way the address is calculated in DecodeJ.

Testing and setting invalid addresses to nil in DecodeJ fixes the memory leak, but raises several access violations. This is problematic if you're using UnivDisasm as part of the DebugEngine library, because the debugger will hook a bunch of access violations every time a stacktrace is generated.

How can I display the real address?

00000000007250D0: 48 8B 05 A0 26 05 77
x64dbg show
mov rax, qword ptr [0x77777777]

you show
mov rax,qword [rip 0x770526A0]

How can I display the real address?
USO_SHOW_DST_ADDR cannot control display 'mov' 'lea' the real address
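
The arithmetic behind the two renderings in the issue above, as an added example (not part of the issue and not UnivDisasm code): in 64-bit mode a ModRM byte with mod=00 and rm=101 means RIP + disp32, where RIP is the address of the next instruction. The function name is hypothetical, and it assumes one complete instruction whose opcode takes a ModRM byte (no VEX/EVEX, no 0x67 address-size handling).

```python
import struct

LEGACY_PREFIXES = {0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0x66, 0x67, 0xF0, 0xF2, 0xF3}


def rip_relative_target(address, insn):
    """Return the absolute address of a RIP-relative memory operand,
    or None when the instruction has no such operand.

    `insn` must hold exactly one instruction: the base is the address of
    the *next* instruction, so any immediate after disp32 counts too.
    """
    i = 0
    while i < len(insn) and insn[i] in LEGACY_PREFIXES:
        i += 1
    if i < len(insn) and 0x40 <= insn[i] <= 0x4F:    # REX prefix
        i += 1
    if i < len(insn) and insn[i] == 0x0F:            # opcode escape
        i += 1
        if i < len(insn) and insn[i] in (0x38, 0x3A):
            i += 1
    i += 1                                           # the opcode byte itself
    if i + 5 > len(insn):                            # need ModRM + disp32
        return None
    modrm = insn[i]
    mod, rm = modrm >> 6, modrm & 7
    if mod != 0 or rm != 5:                          # not [RIP + disp32]
        return None
    (disp,) = struct.unpack_from("<i", insn, i + 1)  # signed, little-endian
    return (address + len(insn) + disp) & 0xFFFFFFFFFFFFFFFF


if __name__ == "__main__":
    # Bytes and address taken from the issue: 48 8B 05 A0 26 05 77 at 0x7250D0
    target = rip_relative_target(0x7250D0, bytes.fromhex("488B05A0260577"))
    print(f"mov rax, qword ptr [0x{target:x}]")
```
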

Little Error

I'm testing your library and I realized that it incorrectly decodes
the following sequence:

Binary in 32 bits

FFE0 JMP EAX

UnivDisasm decoding as Jmp RAX

Thanks so much

error decode shl

Hello,
005B5E96 D1242B SHL DWORD PTR [EBX+EBP],1
005B5E99 D1641D 00 SHL DWORD PTR [EBP+EBX],1

univDisAsm Decoding this instructions with:

shl dword ds:[ebx+ebp],00
shl dword ds:[ebx+ebp+0x00],00

Shr is the same.

Thanks so much ;)

First_Version is not required

The first_version is only required if you released a version before adding delphinus. As you have no releases which do not support delphinus, you can remove it.

How to cancel automatic analysis

for example
used UnivDisasm-master\Examples\Demo1
/* testfun */
0067B508 call @0x401004
0067B50E jmp @0x401004
0067B514 ret
/*------------------------------------------------*/
I just need the original instruction

What should I do? thank you!

In addition to this problem:
#10

Optimize memory layout of TInstruction record

In X64 pointers are 8-bytes, so the current layout of TInstruction wastes a lot of space.
It'd be better to rearrange the record to waste less memory.

I'll submit a pull request as soon as I'm able to test the changes.

Missing[] Bug

db $48, $A1, $88, $88, $88, $88, $77, $77, $77, $77
Delphi Show
mov rax,[qword $7777777788888888]

x64dbg show
movabs rax, qword ptr [0x7777777788888888]

UnivDisasm show Missing[]
mov rax,0x7777777788888888

Bug

55 push ebp
8B EC mov ebp,esp
83 C4 F8 add esp,0xfffffffffffffff8 <-----error
53 push ebx
56 push esi

The previous version does not have this error
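
How the immediate of `83 /r ib` is expected to be widened, as an added example (not part of the issue and not UnivDisasm code): the 8-bit immediate is sign-extended to the effective operand size, so `F8` becomes 0xFFFFFFF8 for a 32-bit operand and only reaches 64 bits under REX.W. The function name is hypothetical; it covers register operands (ModRM.mod = 3) in 32-bit and 64-bit mode and rejects REX.B.

```python
REGS = {
    16: ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"],
    32: ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"],
    64: ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"],
}
GRP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]


def decode_grp1_imm8(code, mode):
    """Decode `[66] [REX] 83 /r ib` with a register operand.

    mode is 32 or 64 (the CPU mode the bytes are meant to run in).
    """
    i, opsize_override, rex = 0, False, 0
    if code[i] == 0x66:                      # operand-size override
        opsize_override = True
        i += 1
    if mode == 64 and 0x40 <= code[i] <= 0x4F:
        rex = code[i]
        i += 1
    if code[i] != 0x83 or len(code) < i + 3:
        raise ValueError("not an 83 /r ib instruction")
    modrm, imm8 = code[i + 1], code[i + 2]
    if modrm >> 6 != 3 or rex & 0x01:
        raise ValueError("only plain register operands are covered here")

    # Effective operand size: REX.W wins, then 66h, else the 32-bit default.
    bits = 64 if rex & 0x08 else 16 if opsize_override else 32

    # Sign-extend imm8, then truncate to the operand size for display.
    value = imm8 - 0x100 if imm8 & 0x80 else imm8
    value &= (1 << bits) - 1
    return f"{GRP1[(modrm >> 3) & 7]} {REGS[bits][modrm & 7]},0x{value:x}"


if __name__ == "__main__":
    # Bytes from the issue, decoded as 32-bit code
    print(decode_grp1_imm8(bytes.fromhex("83C4F8"), 32))
```
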

Display using wildcard byte or character eg ??

Hi, I am wondering if it's possible to detect opcodes and display output offset as wildcard bytes, e.g. ??
just like PEiD signatures.

I noticed the code:
if (ins.InstID = INST_ID_MOV) and ((ins.Arg1.Reg = REG_EAX) and (ins.Arg2.Flags > 0)) then
so is it possible to change the offsets bytes to ?? then display the opcode bytes ? :)

invalid Paths

Currently, only the include files are copied. For the source_folder, simply remove the include subdirectory. (Base only states that the base-directory is removed from the targetpath, which means instead of creating the structure Source\Includes at the destination, it will create \Includes)

The same goes for the search- and browsing-paths. You told the setup to copy all files relative to the path after Source. The Search- and Browsing-Paths are relative to the component's source-folder. In your case this would result in something like:

\Source\Source
\Source\Source\Include

You can simply remove the source folder from the Search- and Browsing-Paths.
