Tuesday, July 12 2005 @ 10:14 AM CEST Contributed by: c4 Views: 8999
Level: beginner
OS: all
Language: C
diStorm is a binary stream disassembler. It is capable of disassembling 80x86 instructions in both 16-bit and 32-bit mode.
In addition, it disassembles the FPU, MMX, SSE, SSE2, SSE3 and 3DNow! (w/ extensions) instruction sets.
diStorm was written to decode every instruction as accurately as possible.
Robust decoding, while taking special care for valid or unused prefixes, is what makes this disassembler powerful, especially for research.
Another benefit that might come in handy is that the module is thread-safe,
which means you can disassemble several streams simultaneously.
For rapid use, diStorm is also compiled as a Python module.
The output consists of a few fields:
1) Offset of the disassembled instruction.
2) Size of the disassembled instruction.
3) Hex dump of the disassembled instruction in little-endian format (separated according to operands).
4) Textual representation of the disassembled instruction in Intel format.
More details about the decoding phase:
Unused/extra prefixes are dropped (i.e. output as DB bytes).
Lock prefix works only on lockable instructions if the first operand is in the form of memory indirection.
REPn/z prefix works only on repeatable string instructions as well as I/O instructions.
Segment Override prefixes are possible where memory indirection address is being used (and specially treated with string and I/O instructions).
Some SSE2 instructions support pseudo opcodes (CMP family).
Waitable instructions are supported (FINIT etc.).
"Native" instructions, those which have the same mnemonic in the different decoding modes, are supported: when an operand size prefix is present, a suffix letter is appended to the mnemonic to indicate the operation size (instructions like PUSHA, IRET, etc.).
XLAT instruction is treated specially when prefixed.
Some instructions which have two mnemonics depending on the decoding mode are supported.
Instructions are truncated when the end of the stream is reached.
Instructions whose operands are invalid are dropped.
Instructions longer than 15 bytes won't be decoded.
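To make the four output fields and the prefix/length rules above concrete, here is an added example that is not diStorm's code: a tiny 32-bit decoder for just two opcodes (NOP and ADD r/m,r) that applies the same rules. A prefix that cannot be used, or an opcode it does not know, is output as a DB byte; LOCK is honoured only when the first operand is a memory reference; 0x66 selects the 16-bit register names; an instruction over 15 bytes is refused; and an instruction cut off by the end of the stream is marked truncated. The type and function names (insn_t, decode_one, K_*) and the sample byte stream are this example's own constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not diStorm code: a 32-bit decoder for NOP and ADD r/m,r that
 * emits the four fields (offset, size, hex dump, Intel text) and applies the
 * prefix rules: unusable prefixes/unknown opcodes -> DB, LOCK only with a memory
 * first operand, 0x66 -> 16-bit registers, >15 bytes refused, short tail -> truncated. */
enum { K_INSN, K_DB, K_TRUNC };                              /* hypothetical result kinds */
typedef struct {
    int kind; unsigned offset, size;                         /* fields 1 and 2 */
    char hex[48]; char text[64];                             /* field 3 (prefixes|opcode|operands), field 4 */
} insn_t;
static const char *r32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};
static const char *r16[8] = {"ax","cx","dx","bx","sp","bp","si","di"};
static const char *segname(uint8_t b) {
    switch (b) { case 0x26: return "es:"; case 0x2E: return "cs:"; case 0x36: return "ss:";
                 case 0x3E: return "ds:"; case 0x64: return "fs:"; case 0x65: return "gs:"; default: return NULL; }
}
static void hexcat(char *out, const uint8_t *p, unsigned n) {
    for (unsigned k = 0; k < n; k++) sprintf(out + strlen(out), "%02x", p[k]);
}
/* Bytes taken by ModRM (+SIB, +displacement) with 32-bit addressing; 0 = runs past the end. */
static unsigned modrm_len(const uint8_t *p, unsigned len) {
    if (len < 1) return 0;
    unsigned mod = p[0] >> 6, rm = p[0] & 7, n = 1;
    if (mod == 3) return 1;                                  /* register operand, no memory */
    if (rm == 4) { if (len < 2) return 0; n = 2; if (mod == 0 && (p[1] & 7) == 5) n += 4; }
    else if (mod == 0 && rm == 5) n += 4;                    /* [disp32] */
    n += mod == 1 ? 1 : mod == 2 ? 4 : 0;
    return n <= len ? n : 0;
}
/* Render a memory operand whose bytes modrm_len has already validated. */
static void fmt_mem(const uint8_t *p, const char *seg, char *out) {
    unsigned mod = p[0] >> 6, rm = p[0] & 7; const uint8_t *d = p + 1; char b[32] = "";
    if (rm == 4) {                                           /* SIB: base + index*scale */
        unsigned ss = p[1] >> 6, idx = (p[1] >> 3) & 7, base = p[1] & 7; d = p + 2;
        if (!(mod == 0 && base == 5)) strcpy(b, r32[base]);
        if (idx != 4) sprintf(b + strlen(b), "%s%s*%u", b[0] ? "+" : "", r32[idx], 1u << ss);
    } else if (!(mod == 0 && rm == 5)) strcpy(b, r32[rm]);
    if (mod == 1) sprintf(out, "%s[%s%+d]", seg, b, (int8_t)d[0]);
    else if (mod == 2 || !b[0]) sprintf(out, "%s[%s%s0x%x]", seg, b, b[0] ? "+" : "",
                                        d[0] | d[1] << 8 | d[2] << 16 | (unsigned)d[3] << 24);
    else sprintf(out, "%s[%s]", seg, b);
}
static unsigned as_db(const uint8_t *buf, unsigned offset, insn_t *out) {   /* drop one byte as DB */
    memset(out, 0, sizeof *out); out->kind = K_DB; out->offset = offset; out->size = 1;
    sprintf(out->hex, "%02x", buf[0]); sprintf(out->text, "db 0x%02x", buf[0]); return 1;
}
/* Decode one item from buf[0..len) located at `offset`; returns bytes consumed (>= 1). */
unsigned decode_one(const uint8_t *buf, unsigned len, unsigned offset, insn_t *out) {
    unsigned i = 0, lock = 0, op16 = 0, n = 0, mem = 0; const char *seg = "";
    memset(out, 0, sizeof *out); out->offset = offset;
    for (; i < len; i++) {                                   /* prefix bytes, any order */
        if (buf[i] == 0xF0) lock = 1;
        else if (buf[i] == 0x66) op16 = 1;
        else if (segname(buf[i])) seg = segname(buf[i]);
        else if (buf[i] != 0x67 && buf[i] != 0xF2 && buf[i] != 0xF3) break;  /* 67/F2/F3: shown in hex only */
    }
    if (i == len) return as_db(buf, offset, out);           /* prefixes with no opcode behind them */
    const char **r = op16 ? r16 : r32; const uint8_t *a = buf + i + 1; unsigned alen = len - i - 1;
    if (buf[i] == 0x90) strcpy(out->text, "nop");
    else if (buf[i] == 0x01) {                               /* add r/m, r: lockable if r/m is memory */
        char dst[48]; n = modrm_len(a, alen);
        if (!n) { out->kind = K_TRUNC; n = alen; }           /* operand bytes missing: end of stream */
        else {
            mem = (a[0] >> 6) != 3;
            if (mem) fmt_mem(a, seg, dst); else strcpy(dst, r[a[0] & 7]);
            sprintf(out->text, "%sadd %s, %s", lock ? "lock " : "", dst, r[(a[0] >> 3) & 7]);
        }
    } else return as_db(buf, offset, out);                   /* unknown opcode */
    if (out->kind == K_INSN && ((lock && !mem) || i + 1 + n > 15)) return as_db(buf, offset, out);
    out->size = i + 1 + n;
    hexcat(out->hex, buf, i); if (i) strcat(out->hex, " ");
    hexcat(out->hex, buf + i, 1); if (n) strcat(out->hex, " "); hexcat(out->hex, a, n);
    if (out->kind == K_TRUNC) strcpy(out->text, "(truncated)");
    return out->size;
}
unsigned disassemble(const uint8_t *buf, unsigned len, insn_t *out, unsigned max) {
    unsigned pos = 0, cnt = 0;
    while (pos < len && cnt < max) pos += decode_one(buf + pos, len - pos, pos, &out[cnt++]);
    return cnt;
}
/* Constructed sample stream (not from the article), one case per rule. */
const uint8_t sample[] = {
    0xF0,0x01,0x08,                   /* lock add [eax], ecx: memory first operand, LOCK accepted */
    0xF0,0x01,0xC8,                   /* LOCK on the register form: F0 becomes DB, then add eax, ecx */
    0x66,0x01,0xC8,                   /* operand size prefix: add ax, cx */
    0x90,                             /* nop */
    0x2E,0x01,0x44,0x24,0x08,         /* segment override + SIB + disp8: add cs:[esp+8], eax */
    0x66,0x66,0x66,0x66,0x66,0x66,0x66,0x66,0x66,0x66,0x66,0x66,0x66,0x66,0x01,0xC8,
                                      /* 16 bytes: first 66 is DB'ed, the 15-byte remainder decodes */
    0x01,0x44,0x24 };                 /* add with SIB whose disp8 is cut off by end of stream */
static insn_t items[16];
unsigned sample_count(void) { return disassemble(sample, sizeof sample, items, 16); }
const insn_t *sample_item(unsigned k) { sample_count(); return &items[k]; }
int main(void) {
    for (unsigned k = 0, n = sample_count(); k < n; k++)
        printf("%08x %2u %-34s %s\n", items[k].offset, items[k].size, items[k].hex, items[k].text);
    return 0;
}
```

Running it prints nine lines in the four-field layout the article describes; the second and seventh are the DB bytes produced by the illegal LOCK and by the 16-byte instruction, and the last is the truncated ADD. Address-size and REP prefixes are accepted but only appear in the hex dump, since neither opcode here is a string or I/O instruction.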