This change set is based upon PR #12; that PR should be merged first.
Changes:
avoid retracing an already identified SWITCH type region
only mark switch region entries with _case labels if the address does not specify its own other label type
stop adding new case/lut/vtable entries when an entry is invalid (outside of image boundaries)
if a case/lut/vtable entry points into the .data segment, then printer creates a _data label for it instead of a _case
opcode FF could be jmp, call, push, inc or dec. Actual opcode depends on the register field of the opcode. Previous implementation assumed that anything that is not a jump should be a call but that is not true. New implementation decodes the register field of the opcode and only reacts on jmp and call types.
opcodes marked by libopcodes with text (8087 only) are skipped. Some references indicate that there could be further opcodes still similar to 8087 and 287 only
add support to load a map file. Currently the map file can distinguish CODE, SWITCH/CASE and DATA symbols. For now the symbol name is used for categorization, but there is also a type field that could be used for categorization after custom names become supported by the printer. The map file symbols get processed after the Analyzer finished tracing EIP. As of now named CLI arguments are not supported by the tool, so all optional CLI arguments need to be passed in positionally; the last one is the map file path.
Example: ./le_disasm GAME.LE GAME.BIN GAME.map 2>output.log >output.S
where GAME.LE is an unbound linear executable image, GAME.BIN is the path to the output file where the tool will dump a flat image of the executable and GAME.map is the path to the user map file that needs to be loaded.
Map file format:
<symbol name with prefix data_* for .data section entries, lut_* for switch::case entries, sub_* for functions (code16/32)>
<\t white space>
<type of symbol. Currently unused, but type is one of data, code32 or code16>
<\t white space>
<address of symbol, virtual address in linear address space>
<\t white space>
<size of data in bytes following the symbol>
Example map file contents:
symbol_name type start_address region_size
data_109E96 data 0000000000109E96 00000036
data_140135 data 0000000000140135 00000036
lut_10870 code32 0000000000010870 00000010
lut_1202C code32 000000000001202C 00000014
sub_13D410 code32 000000000013D410 00000058
sub_140000 code16 0000000000140000 0000005C
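A small loader for the map format above, written as an added example (not le_disasm's own code): it categorizes entries by the data_/lut_/sub_ name prefix, keeps the type column unused as the text says, and rejects entries that fall outside assumed image bounds (IMAGE_BASE/IMAGE_END are hypothetical; the sample map text is constructed from the page's example).

```python
import re
from dataclasses import dataclass

# Constructed map text in the page's format:
# <symbol>\t<type>\t<virtual address, hex>\t<size in bytes, hex>
SAMPLE_MAP = (
    "symbol_name\ttype\tstart_address\tregion_size\n"
    "data_109E96\tdata\t0000000000109E96\t00000036\n"
    "lut_10870\tcode32\t0000000000010870\t00000010\n"
    "sub_13D410\tcode32\t000000000013D410\t00000058\n"
    "sub_140000\tcode16\t0000000000140000\t0000005C\n"
)
# Assumed image bounds (hypothetical; the tool would take them from the LE header).
IMAGE_BASE, IMAGE_END = 0x10000, 0x150000
# Name prefix decides the label category; the type column is parsed but unused.
PREFIX_KINDS = {"data_": "data", "lut_": "case", "sub_": "code"}
ENTRY_RE = re.compile(r"^(\w+)\t(data|code32|code16)\t([0-9A-Fa-f]{16})\t([0-9A-Fa-f]{8})$")

@dataclass(frozen=True)
class MapSymbol:
    name: str
    kind: str      # "data", "case" or "code"
    sym_type: str  # raw type column
    address: int
    size: int

def parse_map(text, image_base=IMAGE_BASE, image_end=IMAGE_END):
    """Return (accepted symbols, rejected (line number, reason) pairs); an entry
    is rejected if malformed, has an unknown prefix, or leaves the image."""
    accepted, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if lineno == 1 and line.startswith("symbol_name\t"):
            continue  # header row
        m = ENTRY_RE.match(line)
        if not m:
            rejected.append((lineno, "malformed entry"))
            continue
        name, sym_type, addr_hex, size_hex = m.groups()
        kind = next((k for p, k in PREFIX_KINDS.items() if name.startswith(p)), None)
        if kind is None:
            rejected.append((lineno, f"{name}: unknown prefix"))
            continue
        address, size = int(addr_hex, 16), int(size_hex, 16)
        if address < image_base or address + size > image_end:
            rejected.append((lineno, f"{name}: outside image bounds"))
            continue
        accepted.append(MapSymbol(name, kind, sym_type, address, size))
    return accepted, rejected
```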