Hello. I wrote the code below with distorm3, but what is the buff here for? When buff changes, the code changes too, but I couldn't figure out what buff is supposed to be built from.
Its own documentation says the following:
/* distorm_decode
* Input:
* offset - Origin of the given code (virtual address that is), NOT an offset in code.
* code - Pointer to the code buffer to be disassembled.
* length - Amount of bytes that should be decoded from the code buffer.
* dt - Decoding mode, 16 bits (Decode16Bits), 32 bits (Decode32Bits) or AMD64 (Decode64Bits).
* result - Array of type _DecodeInst which will be used by this function in order to return the disassembled instructions.
* maxInstructions - The maximum number of entries in the result array that you pass to this function, so it won't exceed its bound.
* usedInstructionsCount - Number of the instruction that successfully were disassembled and written to the result array.
Code:
#include <windows.h>
#include "distorm.h"

#define MAX_INSTRUCTIONS 32 // How many instructions to allocate on stack.

hlib = LoadLibraryA(lib);
fadrr = (unsigned char *)GetProcAddress(hlib, func);
// Bytes passed to distorm_decode as its code buffer.
unsigned char buf[] = "\x90\x90\x90\x33\xc0\xcc\x00\xc3\xc2\xe8\x0f\xff\x80\x8F\x66\xb8\x34\x12\x50\x40\xc3\2\3\4\5";
_DecodeResult res; // Holds the result of the decoding.
_OffsetType offset = (_OffsetType)fadrr; // Virtual address reported for the first byte of the code buffer.
_DecodedInst decodedInstructions[MAX_INSTRUCTIONS]; // Decoded instruction information - the Decode will write the results here.
unsigned int decodedInstructionsCount = 0; // decodedInstructionsCount indicates how many instructions were written to the result array.
_DecodeType dt = Decode32Bits; // Default decoding mode is 32 bits.
// Decode exactly the bytes in buf (terminating NUL excluded), so the decoder never reads past the array.
res = distorm_decode(offset, (const unsigned char*)buf, (int)(sizeof(buf) - 1), dt, decodedInstructions, MAX_INSTRUCTIONS, &decodedInstructionsCount);
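The parameter list quoted in the post separates the bytes to decode (code, length) from the address reported for them (offset). The block below is an added example, not part of the original post and not diStorm code: a toy decoder (hypothetical `toy_decode`, handling only a few 32-bit opcodes) run over one constructed byte string at two offsets. The instructions come out identical; only the reported addresses and the call target move.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for a disassembler entry point (hypothetical, NOT diStorm). */
typedef struct { uint32_t addr; unsigned size; uint32_t target; } ToyInst;

/* offset: virtual address reported for code[0]; code/length: the bytes to decode.
 * Returns how many instructions were written to out (never more than max). */
static unsigned toy_decode(uint32_t offset, const unsigned char *code,
                           unsigned length, ToyInst *out, unsigned max)
{
    unsigned pos = 0, n = 0;
    while (pos < length && n < max) {
        unsigned char op = code[pos];
        unsigned size;
        uint32_t target = 0;
        if (op == 0x90 || op == 0xCC || op == 0xC3) {
            size = 1;                              /* nop, int3, ret */
        } else if (op == 0x33 && pos + 1 < length && (code[pos + 1] & 0xC0) == 0xC0) {
            size = 2;                              /* xor r32, r32 */
        } else if (op == 0xE8 && pos + 5 <= length) {
            int32_t rel;                           /* call rel32 */
            memcpy(&rel, code + pos + 1, 4);       /* little-endian host assumed */
            size = 5;
            target = offset + pos + size + (uint32_t)rel; /* next address + rel */
        } else {
            break;              /* unsupported or truncated: stop inside length */
        }
        out[n].addr = offset + pos;
        out[n].size = size;
        out[n].target = target;
        n++;
        pos += size;
    }
    return n;
}

/* Constructed sample: nop; xor eax,eax; call +0x10; ret */
static const unsigned char sample[] = { 0x90, 0x33, 0xC0, 0xE8, 0x10, 0x00, 0x00, 0x00, 0xC3 };

int main(void)
{
    ToyInst a[8], b[8];
    unsigned i, n = toy_decode(0, sample, sizeof sample, a, 8);
    toy_decode(0x401000, sample, sizeof sample, b, 8); /* constructed address */
    for (i = 0; i < n; i++)
        printf("%08x | %08x size=%u target=%08x\n", (unsigned)a[i].addr,
               (unsigned)b[i].addr, a[i].size, (unsigned)b[i].target);
    return 0;
}
```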
