
I need to write something like a "disassembler": I need to read RAM memory (a code section) and show it formatted like

ADD rax, rbx
MOV rcx, rax

Where can I find a comprehensive guide/paper on how to translate an opcode to the corresponding operation/operands? I'm targeting x64 assembly.

Marco A.
  • I would suggest you either find an existing x64 disassembler or write your own. The "comprehensive guide" would be the "principles of operation" of the processor, and its assembly language coding rules. – Hot Licks Dec 30 '12 at 16:34
  • Debuggers often do this for you. – Matthew Lundberg Dec 30 '12 at 16:37
  • Which processor(s)? Assembly language is processor dependent. For example, the ARM processors have different assembly language than the Intel Pentium series. – Thomas Matthews Dec 30 '12 at 23:19

5 Answers

3

You can have a look at this library - you can use it "as it is" or just learn from its source (which is released under BSD license).

Matteo Italia
2

I'd really recommend you just use the BSD licensed udis86 library instead of writing yet another x86 disassembler:

#include <stdio.h>
#include <udis86.h>

enum {
    /* Controls whether to disassemble for x86 or x64 */
    UDIS86_MODE = 64 /* 16, 32, or 64 */
};

int main(void)
{
    ud_t ud_obj;

    ud_init(&ud_obj);

    /* Read raw machine-code bytes from stdin (e.g. a dumped code section) */
    ud_set_input_file(&ud_obj, stdin);
    ud_set_mode(&ud_obj, UDIS86_MODE);
    ud_set_syntax(&ud_obj, UD_SYN_INTEL);   /* Intel syntax, e.g. "add rax, rbx" */

    /* Each call decodes one instruction; returns 0 when the input is exhausted */
    while (ud_disassemble(&ud_obj)) {
        printf("\t%s\n", ud_insn_asm(&ud_obj));
    }

    return 0;
}

The version of Udis86 on GitHub even supports the latest Intel AVX instructions.

Udis86 is quite easy to build for x86 or x64 Windows with the MinGW64 / MSYS toolchain. Just in case you're not familiar with GCC and the GNU autotools build system, I've built:

  1. http://scottt.tw/mingw32-udis86.tar.gz
  2. http://scottt.tw/mingw64-udis86.tar.gz

for your convenience. The archives contain the DLL and header files. (Whether it's wise to download and run DLLs from random strangers who answer questions on Stack Overflow is another matter ;).

scottt
0

This is my go-to list for opcodes, sorted numerically:

http://ref.x86asm.net/geek64.html

That site also has many other lists. However, as you can see, there's quite a lot of opcodes on x86/64, so writing a disassembler by hand will take a while.

I'd suggest you feed the code to an existing disassembler. For example, see this question:

How do I disassemble raw x86 code?

Matti Virkkunen
0
  1. For Intel, you can find it at http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html - in particular, you will be interested in Volume 2.

  2. For AMD processors, it must be here: http://developer.amd.com/resources/documentation-articles/developer-guides-manuals/#manuals . Seems like you'll need Volume 3.

Still, they have a lot in common.

AlexErofeev
0

If you are creating your own disassembler, it is imperative that you download the instruction set guide (Volume 2) from ...

http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html

The notes and tables in the appendices are invaluable. You will likely note that many of the instructions follow a similar pattern. As a result, you can build your own tables of function pointers to decode the instructions. Populating the tables can be time consuming.

Hope this helps.

Sparky
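To make the table-driven approach from the last answer concrete, here is a minimal x86-64 decoder written for this page as an added example; it is not code from any of the answers above, nor from udis86. It handles the REX prefix, the register-direct ModRM form of ADD/SUB/XOR/MOV (the "op r/m, reg" and "op reg, r/m" pairs that share one decoder because, as that answer says, they follow the same pattern), and the PUSH/POP opcodes that embed the register number in the opcode byte, and it prints the question's `add rax, rbx` / `mov rcx, rax` from a constructed byte string. The function names, the `db 0x..` fallback for undecodable bytes, and the sample bytes are all my own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register names indexed by the 4-bit register number: low 3 bits come from
   the ModRM byte or the opcode, bit 3 from the REX prefix (REX.R / REX.B). */
static const char *reg64[16] = { "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
                                 "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15" };
static const char *reg32[16] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
                                 "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d" };

/* p = next byte to read, end = one past the last valid byte, rex = REX byte or 0 */
typedef struct { const uint8_t *p, *end; uint8_t rex; } decoder_t;

/* Every opcode handler has this shape; it runs after the REX prefix (if any) and
   the opcode byte have been consumed. Returns 0 on success, -1 on failure. */
typedef int (*decode_fn)(decoder_t *d, uint8_t opcode, char *out, size_t n);

/* Shared decoder for the "op r/m, reg" / "op reg, r/m" family (ADD, SUB, XOR, MOV).
   Only the register-direct form (mod == 3) is handled; memory operands (SIB byte,
   displacements, RIP-relative addressing) are deliberately left out of this example. */
static int modrm_reg_reg(decoder_t *d, uint8_t opcode, const char *mnem, char *out, size_t n)
{
    if (d->p >= d->end) return -1;                  /* truncated: never read past the buffer */
    uint8_t modrm = *d->p++;
    if ((modrm >> 6) != 3) return -1;               /* memory form: not supported here */
    unsigned reg = ((modrm >> 3) & 7) | ((d->rex & 0x4) ? 8 : 0);   /* REX.R extends reg */
    unsigned rm  = (modrm & 7)        | ((d->rex & 0x1) ? 8 : 0);   /* REX.B extends r/m */
    const char **names = (d->rex & 0x8) ? reg64 : reg32;           /* REX.W: 64-bit operands */
    /* Bit 1 of the opcode is the direction bit: 0 means r/m is the destination. */
    unsigned dst = (opcode & 2) ? reg : rm;
    unsigned src = (opcode & 2) ? rm : reg;
    snprintf(out, n, "%s %s, %s", mnem, names[dst], names[src]);
    return 0;
}
static int op_add(decoder_t *d, uint8_t op, char *o, size_t n) { return modrm_reg_reg(d, op, "add", o, n); }
static int op_sub(decoder_t *d, uint8_t op, char *o, size_t n) { return modrm_reg_reg(d, op, "sub", o, n); }
static int op_xor(decoder_t *d, uint8_t op, char *o, size_t n) { return modrm_reg_reg(d, op, "xor", o, n); }
static int op_mov(decoder_t *d, uint8_t op, char *o, size_t n) { return modrm_reg_reg(d, op, "mov", o, n); }

/* 0x50+r pushes and 0x58+r pops: the register number is embedded in the opcode.
   In 64-bit mode PUSH/POP default to a 64-bit operand, so REX.W is not consulted. */
static int op_push_pop(decoder_t *d, uint8_t op, char *o, size_t n)
{
    unsigned r = (op & 7) | ((d->rex & 0x1) ? 8 : 0);
    snprintf(o, n, "%s %s", (op & 8) ? "pop" : "push", reg64[r]);
    return 0;
}
static int op_ret(decoder_t *d, uint8_t op, char *o, size_t n) { (void)d; (void)op; snprintf(o, n, "ret"); return 0; }

/* The opcode table: one function pointer per primary opcode byte. Entries not
   listed stay NULL and are reported as undecodable. */
static const decode_fn opcode_table[256] = {
    [0x01] = op_add, [0x03] = op_add, [0x29] = op_sub, [0x2B] = op_sub,
    [0x31] = op_xor, [0x33] = op_xor, [0x89] = op_mov, [0x8B] = op_mov,
    [0x50] = op_push_pop, [0x51] = op_push_pop, [0x52] = op_push_pop, [0x53] = op_push_pop,
    [0x54] = op_push_pop, [0x55] = op_push_pop, [0x56] = op_push_pop, [0x57] = op_push_pop,
    [0x58] = op_push_pop, [0x59] = op_push_pop, [0x5A] = op_push_pop, [0x5B] = op_push_pop,
    [0x5C] = op_push_pop, [0x5D] = op_push_pop, [0x5E] = op_push_pop, [0x5F] = op_push_pop,
    [0xC3] = op_ret,
};

/* Decodes one instruction at *pp. On success writes its text and advances *pp;
   on failure leaves *pp untouched so the caller can resynchronise. */
int disasm_one(const uint8_t **pp, const uint8_t *end, char *out, size_t n)
{
    decoder_t d = { *pp, end, 0 };
    if (d.p >= d.end) return -1;
    if ((*d.p & 0xF0) == 0x40) d.rex = *d.p++;     /* 0x40-0x4F right before the opcode is REX */
    if (d.p >= d.end) return -1;
    uint8_t opcode = *d.p++;
    decode_fn fn = opcode_table[opcode];
    if (fn == NULL || fn(&d, opcode, out, n) < 0) return -1;
    *pp = d.p;
    return 0;
}

/* Disassembles a whole buffer into a static text buffer, one instruction per line.
   Bytes that cannot be decoded are emitted as "db 0x.." and decoding resumes one
   byte later, so a single unknown opcode does not derail the rest of the listing. */
const char *disasm_text(const uint8_t *code, size_t len)
{
    static char text[1024];
    const uint8_t *p = code, *end = code + len;
    size_t used = 0;
    text[0] = '\0';
    while (p < end && used + 64 < sizeof text) {
        char line[64];
        if (disasm_one(&p, end, line, sizeof line) < 0) {
            snprintf(line, sizeof line, "db 0x%02x", *p);
            p++;
        }
        used += (size_t)snprintf(text + used, sizeof text - used, "%s\n", line);
    }
    return text;
}

/* Constructed sample (not taken from any real binary):
   add rax, rbx / mov rcx, rax / xor eax, eax / push r12 / ret */
const uint8_t sample_code[] = { 0x48, 0x01, 0xD8,  0x48, 0x89, 0xC1,  0x31, 0xC0,  0x41, 0x54,  0xC3 };

int main(void)
{
    fputs(disasm_text(sample_code, sizeof sample_code), stdout);
    return 0;
}
```

Two details matter when this grows into a real decoder. First, the table is indexed by the primary opcode only; legacy prefixes (0x66, 0xF2/0xF3, segment overrides), the two-byte 0x0F map, immediates and the memory forms of ModRM (SIB byte, displacements, RIP-relative addressing) each need their own handling, which is where most of the table-filling time the answer mentions goes. Second, every handler checks the buffer bound before reading and reports failure without advancing, so a truncated or garbage byte sequence produces a `db` line instead of an out-of-bounds read; when the input is a memory dump of code you do not control, that bound check is the part of the decoder that keeps the tool itself from crashing.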