Disasm uses this structure to report disassembly results. Which fields of the structure are filled depends on the disassembling mode:

| Mode | Valid members of t_disasm |
| --- | --- |
| DISASM_SIZE | Only error is valid |
| DISASM_DATA | Only members of t_disasm marked with asterisk (*) are valid |
| DISASM_TRACE | Only members marked with asterisk (*) and minus (-) are valid |
| DISASM_FILE | Complete disassembly, but Disasm assumes that registers are undefined and does not decode symbolic names. Members marked with minus (-) are invalid |
| DISASM_CODE | Complete disassembly, but Disasm assumes that registers are undefined. Members marked with minus (-) are invalid |
| DISASM_ALL | Complete disassembly. Members marked with minus (-) are invalid |
typedef struct t_disasm { // Results of disassembling
ulong ip; // (*) Instruction pointer
char dump[TEXTLEN]; // Hexadecimal dump of the command
char result[TEXTLEN]; // Disassembled command
char comment[TEXTLEN]; // Brief comment
char opinfo[3][TEXTLEN]; // Comments to command's operands
int cmdtype; // (*) One of C_xxx
int memtype; // (*) Type of addressed variable in memory
int nprefix; // (*) Number of prefixes
int indexed; // Address contains register(s)
ulong jmpconst; // (*) Constant jump address
ulong jmptable; // (*) Possible address of switch table
ulong adrconst; // (*) Constant part of address
ulong immconst; // (*) Immediate constant
int zeroconst; // (*) Whether contains zero constant
int fixupoffset; // (*) Possible offset of 32-bit fixups
int fixupsize; // (*) Possible total size of fixups or 0
ulong jmpaddr; // Destination of jump/call/return
int condition; // 0xFF:unconditional, 0:false, 1:true
int error; // (*) Error while disassembling command
int warnings; // (*) Combination of DAW_xxx
int optype[3]; // Type of operand (extended set DEC_xxx)
int opsize[3]; // Size of operand, bytes
int opgood[3]; // Whether address and data valid
ulong opaddr[3]; // Address if memory, index if register
ulong opdata[3]; // Actual value (only integer operands)
t_operand op[3]; // Full description of operand
ulong regdata[8]; // Registers after command is executed
int regstatus[8]; // Status of registers, one of RST_xxx
ulong addrdata; // Traced memory address
int addrstatus; // Status of addrdata, one of RST_xxx
ulong regstack[NREGSTACK]; // Stack tracing buffer
int rststatus[NREGSTACK]; // Status of stack items
int nregstack; // Number of items in stack trace buffer
ulong reserved[29]; // Reserved for plugin compatibility
} t_disasm;
Members:
ip - address of the disassembled command;
dump - ASCII string, formatted hexadecimal dump of the command;
result - ASCII string, disassembled command itself;
comment - ASCII string, brief comment that applies to the whole command;
opinfo - array of ASCII strings, comments to individual operands (explicit or implicit, like ESP, EBP and ECX in MOVSB);
cmdtype - type of the disassembled command, one of C_xxx, possibly ORed with C_RARE to indicate that the command is rare in ordinary Win32 applications. Commands of type C_MMX additionally contain the size of the MMX data in the 3 least significant bits (0 means 8-byte operands). Non-MMX commands may have the C_EXPL bit set, which means that some memory operand has a size that does not conform to standard 80x86 rules;
memtype - type of the memory operand, one of DEC_xxx, or DEC_UNKNOWN if the operand is non-standard or the command does not access memory;
nprefix - number of prefixes that this command contains;
indexed - if the memory address contains an index register, set to its scale factor, otherwise 0;
jmpconst - address of the jump destination if this address is a constant, and 0 otherwise;
jmptable - if an indirect jump can be interpreted as a switch, the base address of the switch table, and 0 otherwise;
adrconst - constant part of the memory address;
immconst - immediate constant, or 0 if the command contains no immediate constant. The only command that contains two immediate constants is ENTER; Disasm ignores the second constant, which is 0 in most cases anyway;
zeroconst - nonzero if the command contains an immediate zero constant;
fixupoffset - possible start of a 32-bit fixup within the command, or 0 if the command can't contain fixups;
fixupsize - possible total size of fixups (0, 4 or 8). If a command contains both an immediate constant and an immediate address, they are always adjacent on 80x86 processors;
jmpaddr - destination of the jump, call or return. If the jump address depends on an undefined register, jmpaddr is 0;
condition - whether the condition in the command is met: 0 - condition is false, 1 - true, -1 - command is unconditional or EFL is undefined;
error - set when Disasm was unable to disassemble the command (for example, the command does not exist or crosses the end of the memory block), one of DAE_xxx;
warnings - set when the command is suspicious or meaningless (for example, a far jump, or MOV EAX,EAX preceded by a segment prefix), a combination of DAW_xxx bits;
optype - array of operand types, DEC_xxx or DECR_xxx;
opsize - array of operand sizes in bytes;
opgood - array of flags indicating opaddr and opdata are valid;
opaddr - array containing memory addresses of memory operands and register indexes for register operands. Valid only if corresponding opgood is set;
opdata - array of actual operand's values (integer operands only), valid only if corresponding opgood is set;
op - full descriptions of operands.
Register tracing is still relatively raw and is not described.
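As an added example (not part of the OllyDbg documentation or its plugin header), the following C helper encodes the mode table above in a mode-aware accessor for t_disasm results and unpacks the cmdtype field as the text describes it. A plugin that reads jmpaddr after a DISASM_DATA call, or MMX size bits out of a non-MMX command, silently builds wrong cross-references, so the accessor refuses members the requested mode did not fill. The numeric values of the DISASM_xxx modes and the C_xxx masks, the trimmed t_disasm_min struct and the two sample results are assumptions and constructed data, not values from the real header or from Disasm itself.

```c
#include <stdio.h>

typedef unsigned long ulong;

/* ASSUMED stand-ins for the DISASM_xxx modes; the numeric values are
 * hypothetical, only the names match the documentation. */
enum { DISASM_SIZE, DISASM_DATA, DISASM_TRACE, DISASM_FILE, DISASM_CODE, DISASM_ALL };

/* HYPOTHETICAL cmdtype bit layout mirroring the text: command class in the
 * upper bits, a C_RARE flag, and the three low bits holding either the MMX
 * data size (C_MMX commands) or the C_EXPL flag (all other commands). */
#define C_TYPEMASK 0xF0
#define C_MMX      0xA0
#define C_RARE     0x08
#define C_SIZEMASK 0x07
#define C_EXPL     0x01

/* Trimmed mirror of t_disasm holding only the members this example reads;
 * the markers in the comments follow the listing above. */
typedef struct t_disasm_min {
    ulong ip;        /* (*) instruction pointer */
    int   cmdtype;   /* (*) C_xxx, possibly ORed with C_RARE */
    ulong jmpconst;  /* (*) constant jump address, or 0 */
    ulong jmpaddr;   /*     jump/call/return destination, 0 if it needs an undefined register */
    int   error;     /* (*) DAE_xxx, nonzero on failure */
} t_disasm_min;

/* How a member is marked in the t_disasm listing. */
enum marker { MARK_ERROR, MARK_STAR, MARK_MINUS, MARK_PLAIN };

/* The mode table: which marker classes a given mode fills in. */
int member_valid(int mode, enum marker m)
{
    if (m == MARK_ERROR) return 1;              /* error is valid in every mode */
    switch (mode) {
    case DISASM_SIZE:  return 0;                /* only error is valid */
    case DISASM_DATA:  return m == MARK_STAR;
    case DISASM_TRACE: return m == MARK_STAR || m == MARK_MINUS;
    case DISASM_FILE:
    case DISASM_CODE:
    case DISASM_ALL:   return m != MARK_MINUS;  /* full disassembly, trace data invalid */
    default:           return 0;
    }
}

/* Returns 1 and stores a control-flow target that is meaningful in `mode`,
 * 0 if none can be trusted. jmpconst is a (*) member, so it is usable from
 * DISASM_DATA upward; jmpaddr is unmarked and therefore only filled by the
 * full modes, where register-derived destinations are computed. */
int trusted_target(const t_disasm_min *d, int mode, ulong *target)
{
    if (d->error != 0)
        return 0;                                /* nothing else is meaningful */
    if (member_valid(mode, MARK_STAR) && d->jmpconst != 0) {
        *target = d->jmpconst;
        return 1;
    }
    if (member_valid(mode, MARK_PLAIN) && d->jmpaddr != 0) {
        *target = d->jmpaddr;
        return 1;
    }
    return 0;
}

/* Unpacked view of cmdtype: mmxsize is the MMX data size in bytes (0 in the
 * low bits means 8), expl is the C_EXPL flag of a non-MMX command. */
typedef struct cmdinfo { int cls; int rare; int mmxsize; int expl; } cmdinfo;

cmdinfo decode_cmdtype(int cmdtype)
{
    cmdinfo ci;
    ci.cls  = cmdtype & C_TYPEMASK;
    ci.rare = (cmdtype & C_RARE) != 0;
    if (ci.cls == C_MMX) {
        int sz = cmdtype & C_SIZEMASK;
        ci.mmxsize = (sz == 0) ? 8 : sz;
        ci.expl = 0;                             /* low bits are the size, not C_EXPL */
    } else {
        ci.mmxsize = 0;
        ci.expl = (cmdtype & C_EXPL) != 0;
    }
    return ci;
}

/* Constructed sample results (not produced by Disasm): a direct CALL with a
 * constant destination, and a register-indirect CALL whose destination was
 * resolved by register tracing. Returns the trusted target, or 0. */
ulong sample_target(int mode, int indirect)
{
    t_disasm_min d = { 0x401000UL, 0x30, 0, 0, 0 };   /* 0x30: hypothetical call class */
    ulong target = 0;
    if (indirect) {
        d.jmpconst = 0;
        d.jmpaddr  = 0x7C801D7BUL;               /* constructed, register-derived */
    } else {
        d.jmpconst = 0x401234UL;
        d.jmpaddr  = 0x401234UL;
    }
    return trusted_target(&d, mode, &target) ? target : 0;
}

int main(void)
{
    const char *names[] = { "SIZE", "DATA", "TRACE", "FILE", "CODE", "ALL" };
    cmdinfo ci = decode_cmdtype(C_MMX | 0x02);
    int mode;
    for (mode = DISASM_SIZE; mode <= DISASM_ALL; mode++)
        printf("DISASM_%-5s direct=%08lx indirect=%08lx\n", names[mode],
               sample_target(mode, 0), sample_target(mode, 1));
    printf("MMX data size: %d bytes\n", ci.mmxsize);
    return 0;
}
```

The indirect call shows the point of the table: its destination is 0 in every mode below DISASM_FILE, not because the jump is unresolvable but because jmpaddr was never computed, and a plugin that reads it anyway gets whatever was left in the buffer.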