VX Heavens

Hacker Disassembler Engine

Author: Patkov, Veacheslav

Author's notes

1. Description.

hde32 is a small disassembler engine, intended for analysis of x86-32 code. It gets length of command, prefixes, ModR/M, SIB, opcode, etc. For example, you can use hde32 when writing unpackers of executables, viruses, because most other disassemblers too big, get only assembler listing and are not intended for analysis of code, but most simple length disassemblers get too little info. hde32 gets enough info for analysis, but it has very small size.

• support FPU, MMX, SSE, SSE2, SSE3, 3DNow! instructions
• high-speed and small size (628 bytes)
• position independent code
• operating system independent code
• doesn't use commands of processor higher than i386

2. Notes.

Alignment of structure `hde32s' is 1 byte (no alignment). Be careful, check settings of your compiler or use headers from this package.

hde32 doesn't check invalid instructions. If instruction is invalid, hde32 will disassemble it using the general disassembly rules.

3. How to use.

To disassemble instruction should call `hde32_disasm' function. First argument is pointer to code, second - pointer to `hde32s' structure:

unsigned int __cdecl hde32_disasm(const void *code, hde32s *hs);

This function return length of command and fill `hde32s' structure:

   typedef struct {
       uint8_t len;        // length of command
       uint8_t p_rep;      // rep/repz (0xf3) & repnz (0xf2) prefix
       uint8_t p_lock;     // lock prefix: 0xf0
       uint8_t p_seg;      // segment prefix: 0x26,0x2e,0x36,0x3e,0x64,0x65
       uint8_t p_66;       // operand-size override prefix: 0x66
       uint8_t p_67;       // address-size override prefix: 0x67
       uint8_t opcode;     // opcode
       uint8_t opcode2;    // second opcode (if first opcode is 0x0f)
       uint8_t modrm;      // ModR/M byte
       uint8_t modrm_mod;  //   mod field of ModR/M
       uint8_t modrm_reg;  //   reg field of ModR/M
       uint8_t modrm_rm;   //   r/m field of ModR/M
       uint8_t sib;        // SIB byte
       uint8_t sib_scale;  //   scale field of SIB
       uint8_t sib_index;  //   index field of SIB
       uint8_t sib_base;   //   base field of SIB
       uint8_t imm8;       // immediate value imm8
       uint16_t imm16;     // immediate value imm16
       uint32_t imm32;     // immediate value imm32
       uint8_t disp8;      // displacement disp8
       uint16_t disp16;    // displacement disp16
       uint32_t disp32;    // displacement disp32
       uint8_t rel8;       // relative address rel8
       uint16_t rel16;     // relative address rel16
       uint32_t rel32;     // relative address rel32
   } hde32s;

Fields `opcode' and `len' are filled always, others are optional and depend of instruction. If field's value is zero, then it is not existing.

HDE32C is the C version of the engine, versions 0.01,0.02 correspond to HDE32 0.14